The branch, v4-16-test has been updated via cb4cbfc83fc VERSION: Bump version up to Samba 4.16.9... via 6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release. via 64d7270f282 WHATSNEW: Add release notes for Samba 4.16.8. from d5a8e41313d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log ----------------------------------------------------------------- commit cb4cbfc83fc6b69a4e47f382aac3e66d1bb851d1 Author: Jule Anger <jan...@samba.org> Date: Thu Dec 15 17:04:23 2022 +0100 VERSION: Bump version up to Samba 4.16.9... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <jan...@samba.org> commit 6cc6e233b5ceb2a579400f020b61c67ca7bbeb78 Author: Jule Anger <jan...@samba.org> Date: Thu Dec 15 17:03:50 2022 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release. Signed-off-by: Jule Anger <jan...@samba.org> commit 64d7270f282ffaa64d8f016b00f46cd4ac827020 Author: Jule Anger <jan...@samba.org> Date: Thu Dec 15 17:03:15 2022 +0100 WHATSNEW: Add release notes for Samba 4.16.8. Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 152 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 151 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f277d2b2850..1109ccfc4e4 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=16 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4f085269066..c2aeab4afbe 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,152 @@ + ============================== + Release Notes for Samba 4.16.8 + December 15, 2022 + ============================== + + +This is the latest stable release of the Samba 4.16 release series. +It also contains security changes in order to address the following defects + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. + + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.16.7 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. + * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented + atomically. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15230: Memory leak in snprintf replacement functions. + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. + * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC + (CVE-2021-20251 regression). + +o Noel Power <noel.po...@suse.com> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + * BUG 15243: %U for include directive doesn't work for share listing + (netshareenum). + * BUG 15257: Stack smashing in net offlinejoin requestodj. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.16.7 November 15, 2022 @@ -43,8 +192,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.16.6 October 25, 2022 -- Samba Shared Repository