The branch, master has been updated
       via  0e65e3e NEWS[4.17.2]: Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases Available for Download
      from  b820158 NEWS[4.17.1]: Samba 4.17.1 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 0e65e3e7b4928125ba981e0d6987d415e80f5969
Author: Jule Anger <jan...@samba.org>
Date:   Tue Oct 25 09:06:52 2022 +0200

    NEWS[4.17.2]: Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases Available for Download

    Signed-off-by: Jule Anger <jan...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |  3 +
 history/samba-4.15.11.html                       | 50 ++++++++++++
 history/samba-4.16.6.html                        | 42 ++++++++++
 history/samba-4.17.2.html                        | 49 ++++++++++++
 history/security.html                            | 22 ++++++
 posted_news/20221024-105707.4.17.2.body.html     | 31 ++++++++
 posted_news/20221024-105707.4.17.2.headline.html |  3 +
 security/CVE-2022-3437.html                      | 98 ++++++++++++++++++++++++
 security/CVE-2022-3592.html                      | 87 +++++++++++++++++++++
 9 files changed, 385 insertions(+)
 create mode 100644 history/samba-4.15.11.html
 create mode 100644 history/samba-4.16.6.html
 create mode 100644 history/samba-4.17.2.html
 create mode 100644 posted_news/20221024-105707.4.17.2.body.html
 create mode 100644 posted_news/20221024-105707.4.17.2.headline.html
 create mode 100644 security/CVE-2022-3437.html
 create mode 100644 security/CVE-2022-3592.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html index 840b27e..9348c26 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,14 +9,17 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.17.2.html">samba-4.17.2</a></li> <li><a href="samba-4.17.1.html">samba-4.17.1</a></li> <li><a href="samba-4.17.0.html">samba-4.17.0</a></li> + <li><a href="samba-4.16.6.html">samba-4.16.6</a></li> <li><a href="samba-4.16.5.html">samba-4.16.5</a></li> <li><a href="samba-4.16.4.html">samba-4.16.4</a></li> <li><a href="samba-4.16.3.html">samba-4.16.3</a></li> <li><a href="samba-4.16.2.html">samba-4.16.2</a></li> <li><a href="samba-4.16.1.html">samba-4.16.1</a></li> <li><a href="samba-4.16.0.html">samba-4.16.0</a></li> + <li><a href="samba-4.15.11.html">samba-4.15.11</a></li> <li><a href="samba-4.15.10.html">samba-4.15.10</a></li> <li><a href="samba-4.15.9.html">samba-4.15.9</a></li> <li><a href="samba-4.15.8.html">samba-4.15.8</a></li> diff --git a/history/samba-4.15.11.html b/history/samba-4.15.11.html new file mode 100644 index 0000000..b01a1e3 --- /dev/null +++ b/history/samba-4.15.11.html 
@@ -0,0 +1,50 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.15.11 - Release Notes</title> +</head> +<body> +<H2>Samba 4.15.11 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.11.tar.gz">Samba 4.15.11 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.11.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.10-4.15.11.diffs.gz">Patch (gzipped) against Samba 4.15.10</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.10-4.15.11.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.15.11 + October 25, 2022 + =============================== + + +This is a security release in order to address the following defect: + +o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI + unwrap_des() and unwrap_des3() routines of Heimdal (included + in Samba). + https://www.samba.org/samba/security/CVE-2022-3437.html + +Changes since 4.15.10 +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba + 4.15. + +o Andreas Schneider <a...@samba.org> + * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba + 4.15. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15134: CVE-2022-3437. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.16.6.html b/history/samba-4.16.6.html new file mode 100644 index 0000000..4423bf2 --- /dev/null +++ b/history/samba-4.16.6.html 
@@ -0,0 +1,42 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.6 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.6 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.6.tar.gz">Samba 4.16.6 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.6.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.5-4.16.6.diffs.gz">Patch (gzipped) against Samba 4.16.5</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.5-4.16.6.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.16.6 + October 25, 2022 + ============================== + + +This is a security release in order to address the following defect: + +o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI + unwrap_des() and unwrap_des3() routines of Heimdal (included + in Samba). + https://www.samba.org/samba/security/CVE-2022-3437.html + +Changes since 4.16.5 +--------------------- + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15134: CVE-2022-3437. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.17.2.html b/history/samba-4.17.2.html new file mode 100644 index 0000000..cb19766 --- /dev/null +++ b/history/samba-4.17.2.html 
@@ -0,0 +1,49 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.2 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.2 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.2.tar.gz">Samba 4.17.2 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.2.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.1-4.17.2.diffs.gz">Patch (gzipped) against Samba 4.17.1</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.1-4.17.2.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.17.2 + October 25, 2022 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI + unwrap_des() and unwrap_des3() routines of Heimdal (included + in Samba). + https://www.samba.org/samba/security/CVE-2022-3437.html + +o CVE-2022-3592: A malicious client can use a symlink to escape the exported + directory. + https://www.samba.org/samba/security/CVE-2022-3592.html + +Changes since 4.17.1 +-------------------- + +o Volker Lendecke <v...@samba.org> + * BUG 15207: CVE-2022-3592. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15134: CVE-2022-3437. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 2b9ed15..5bbfad7 100755 --- a/history/security.html +++ b/history/security.html 
@@ -33,6 +33,28 @@ link to full release notes for each release.</p> </tr> <tr> + <td>25 October 2022</td> + <td><a href="/samba/ftp/patches/security/samba-4.17.2-security-2022-10-25.patch"> + patch for Samba 4.17.2</a><br /> + <a href="/samba/ftp/patches/security/samba-4.16.6-security-2022-10-25.patch"> + patch for Samba 4.16.6</a><br /> + <a href="/samba/ftp/patches/security/samba-4.15.11-security-2022-10-25.patch"> + patch for Samba 4.15.11</a><br /> + </td> + <td>CVE-2022-3437 and CVE-2022-3592. + Please see announcements for details. + </td> + <td>Please refer to the advisories.</td> + <td> +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3437">CVE-2022-3437</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3592">CVE-2022-3592</a>. + </td> + <td> +<a href="/samba/security/CVE-2022-3437.html">Announcement</a>, +<a href="/samba/security/CVE-2022-3592.html">Announcement</a>. + </td> + <tr> + <td>27 July 2022</td> <td><a href="/samba/ftp/patches/security/samba-4.16.4-security-2022-07-27.patch"> patch for Samba 4.16.4</a><br /> diff --git a/posted_news/20221024-105707.4.17.2.body.html b/posted_news/20221024-105707.4.17.2.body.html new file mode 100644 index 0000000..2dac3b0 --- /dev/null +++ b/posted_news/20221024-105707.4.17.2.body.html 
@@ -0,0 +1,31 @@ +<!-- BEGIN: posted_news/20221024-105707.4.17.2.body.html --> +<h5><a name="4.17.2">25 October 2022</a></h5> +<p class=headline>Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases are available for Download</p> +<p> +These are Security Releases in order to address +<a href="/samba/security/CVE-2022-3437.html">CVE-2022-3437</a> and +<a href="/samba/security/CVE-2022-3592.html">CVE-2022-3592</a>. +</p> + +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +</p> + +<p> +The 4.17.2 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.17.2.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.1-4.17.2.diffs.gz">patch against Samba 4.17.1</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.17.2.html">the release notes for more info</a>. +</p> + +<p> +The 4.16.6 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.16.6.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.5-4.16.6.diffs.gz">patch against Samba 4.16.5</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.16.6.html">the release notes for more info</a>. +</p> + +<p> +The 4.15.11 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.15.11.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.15.10-4.15.11.diffs.gz">patch against Samba 4.15.10</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.15.11.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20221024-105707.4.17.2.body.html --> diff --git a/posted_news/20221024-105707.4.17.2.headline.html b/posted_news/20221024-105707.4.17.2.headline.html new file mode 100644 index 0000000..b98f46b --- /dev/null +++ b/posted_news/20221024-105707.4.17.2.headline.html 
@@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20221024-105707.4.17.2.headline.html --> +<li> 25 October 2022 <a href="#4.17.2">Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases are available for Download</a></li> +<!-- END: posted_news/20221024-105707.4.17.2.headline.html --> diff --git a/security/CVE-2022-3437.html b/security/CVE-2022-3437.html new file mode 100644 index 0000000..19ec46f --- /dev/null +++ b/security/CVE-2022-3437.html 
@@ -0,0 +1,98 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2022-3437.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Buffer overflow in Heimdal unwrap_des3() +== +== CVE ID#: CVE-2022-3437 +== +== Versions: All versions of Samba since Samba 4.0 compiled +== with Heimdal Kerberos +== +== Summary: There is a limited write heap buffer overflow +== in the GSSAPI unwrap_des() and unwrap_des3() +== routines of Heimdal (included in Samba). +=========================================================== + +=========== +Description +=========== + +The DES (for Samba 4.11 and earlier) and Triple-DES decryption +routines in the Heimdal GSSAPI library allow a length-limited write +buffer overflow on malloc() allocated memory when presented with a +maliciously small packet. + +Examples of where Samba can use GSSAPI include the client and +fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and +LDAP in the Active Directory Domain Controller. + +However not all Samba installations are impacted! Samba is often +compiled to use the system MIT Kerberos using the +--with-system-mitkrb5 argument and these installations are not +impacted, as the vulnerable code is not compiled into Samba. + +However when, as is the default, Samba is compiled to use the internal +Heimdal Kerberos library the vulnerable unwrap_des3() is used. + +(The single-DES use case, along with the equally vulnerable +unwrap_des() is only compiled into Samba 4.11 and earlier). + +The primary use of Samba's internal Heimdal is for the Samba AD DC, +but this vulnerability does impact fileserver deployments built with +the default build options. 
+ +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9) + +========== +Workaround +========== + +Compiling Samba with --with-system-mitkrb5 will avoid this issue. + +======= +Credits +======= + +Originally reported by Evgeny Legerov of Intevydis. + +Patches provided by Joseph Sutton of Catalyst and the Samba Team, +advisory written by Andrew Bartlett of Catalyst and the Samba Team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + + +</pre> +</body> +</html> diff --git a/security/CVE-2022-3592.html b/security/CVE-2022-3592.html new file mode 100644 index 0000000..d9b7ad2 --- /dev/null +++ b/security/CVE-2022-3592.html 
@@ -0,0 +1,87 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2022-3592.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Wide links protection broken +== +== CVE ID#: CVE-2022-3592 +== +== Versions: All versions of Samba since 4.17.0 +== +== Summary: A malicious client can use a symlink to escape +== the exported directory +=========================================================== + +=========== +Description +=========== + +Samba 4.17 introduced following symlinks in user space with the intent +to properly check symlink targets to stay within the share that was +configured by the administrator. The check does not properly cover a +corner case, so that a user can create a symbolic link that will make +smbd escape the configured share path. + +Clients that have write access to the exported part of the file system +under a share via SMB1 unix extensions or NFS can create symlinks can +use the vulnerability to get access to all of the server's file +system. + +================== +Patch Availability +================== + +Patches addressing this issue has been posted to: + + https://www.samba.org/samba/security/ + +Samba 4.17.2 has been issued as a security releases to correct the +defect. Samba administrators are advised to upgrade to this release as +soon as possible. + +================== +CVSSv3.1 calculation +================== + +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4) + +================================= +Workaround and mitigating factors +================================= + +Do not enable SMB1 (please note SMB1 is disabled by default in Samba +from version 4.11.0 and onwards). This prevents the creation of +symbolic links via SMB1. 
If SMB1 must be enabled for backwards +compatibility then add the parameter: + +unix extensions = no + +to the [global] section of your smb.conf and restart smbd. This +prevents SMB1 clients from creating symlinks on the exported file +system. + +However, if the same region of the file system is also exported using +NFS, NFS clients can create symlinks that potentially can also hit the +race condition. For non-patched versions of Samba we recommend only +exporting areas of the file system by either SMB2 or NFS, not both. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + + +</pre> +</body> +</html> \ No newline at end of file -- Samba Website Repository
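
Review bot: the new 25 October 2022 row in the history/security.html hunk is never closed. Its last added cell ends with "</td>" and is followed directly by an added "<tr>", whereas the preceding row in the context lines ends with "</tr>" before the next "<tr>". Add "</tr>" ahead of the added "<tr>" so that the 27 July 2022 row does not open inside the unclosed new row.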
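
Review bot: the signature files are not linked in posted_news/20221024-105707.4.17.2.body.html, although the text says the uncompressed tarball has been signed using GnuPG. Each of the three download paragraphs links only the .tar.gz and the .diffs.gz, while the history pages added in this same commit link samba-4.17.2.tar.asc, samba-4.16.6.tar.asc and samba-4.15.11.tar.asc. Add those links next to each download link, since a reader has to decompress the tarball and check it against the .asc file. Giving the full key fingerprint instead of the 16-digit key ID would make that check less ambiguous, and the attribute in <p class=headline> should be quoted.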
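
Review bot: the Patch Availability section of security/CVE-2022-3437.html says "Patches addressing both these issues have been posted", but this advisory covers a single CVE, so the wording looks carried over from a multi-issue template; change it to "this issue". In the same file the Subject line names only unwrap_des3() while the Summary and Description also cover unwrap_des(), which is worth aligning, and the <p> opened before <pre> has no closing </p> (the history pages in this commit do close it).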
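
Review bot: the workaround text in security/CVE-2022-3592.html says NFS-created symlinks "can also hit the race condition", but the Description only speaks of a corner case that the symlink target check does not cover and never mentions a race. Use the same term in both places, or explain in the Description what the race is, so administrators can judge whether the "SMB2 or NFS, not both" advice applies to them. While there, the sentence "Clients that have write access ... can create symlinks can use the vulnerability" needs rewording, as do "Patches addressing this issue has been posted" and "a security releases", and the file ends without a trailing newline.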