The branch, master has been updated
       via  53f2f82 NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
       via  782d9c0 history/security: add missing </tr>
      from  81dfaa6 news: html syntax error due to duplicate <p> tag, This breaks Feed Readers

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 53f2f82216254c6be5e813c514a5c8464841d2ba
Author: Jule Anger <jan...@samba.org>
Date:   Thu Dec 15 17:11:24 2022 +0100

    NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download

    Signed-off-by: Jule Anger <jan...@samba.org>

commit 782d9c0743c4ed1d495454f7b4b8e4bb3c6c598f
Author: Jule Anger <jan...@samba.org>
Date:   Thu Dec 15 14:57:01 2022 +0100

    history/security: add missing </tr>

    Signed-off-by: Jule Anger <jan...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html | 3 +
 history/samba-4.15.13.html | 147 ++++++++++++++
 history/samba-4.16.8.html | 147 ++++++++++++++
 history/samba-4.17.4.html | 154 +++++++++++++++
 history/security.html | 28 ++-
 posted_news/20221215-161202.4.15.13.body.html | 34 ++++
 posted_news/20221215-161202.4.15.13.headline.html | 3 +
 security/CVE-2022-37966.html | 180 ++++++++++++++++++
 security/CVE-2022-37967.html | 127 +++++++++++++
 security/CVE-2022-38023.html | 221 ++++++++++++++++++++++
 security/CVE-2022-45141.html | 95 ++++++++++
 11 files changed, 1138 insertions(+), 1 deletion(-)
 create mode 100644 history/samba-4.15.13.html
 create mode 100644 history/samba-4.16.8.html
 create mode 100644 history/samba-4.17.4.html
 create mode 100644 posted_news/20221215-161202.4.15.13.body.html
 create mode 100644 posted_news/20221215-161202.4.15.13.headline.html
 create mode 100644 security/CVE-2022-37966.html
 create mode 100644 security/CVE-2022-37967.html
 create mode 100644 security/CVE-2022-38023.html
 create mode 100644 security/CVE-2022-45141.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html index 945c471..0c748da 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,10 +9,12 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.17.4.html">samba-4.17.4</a></li> <li><a href="samba-4.17.3.html">samba-4.17.3</a></li> <li><a href="samba-4.17.2.html">samba-4.17.2</a></li> <li><a href="samba-4.17.1.html">samba-4.17.1</a></li> <li><a href="samba-4.17.0.html">samba-4.17.0</a></li> + <li><a href="samba-4.16.8.html">samba-4.16.8</a></li> <li><a href="samba-4.16.7.html">samba-4.16.7</a></li> <li><a href="samba-4.16.6.html">samba-4.16.6</a></li> <li><a href="samba-4.16.5.html">samba-4.16.5</a></li> @@ -21,6 +23,7 @@ <li><a href="samba-4.16.2.html">samba-4.16.2</a></li> <li><a href="samba-4.16.1.html">samba-4.16.1</a></li> <li><a href="samba-4.16.0.html">samba-4.16.0</a></li> + <li><a href="samba-4.15.13.html">samba-4.15.13</a></li> <li><a href="samba-4.15.12.html">samba-4.15.12</a></li> <li><a href="samba-4.15.11.html">samba-4.15.11</a></li> <li><a href="samba-4.15.10.html">samba-4.15.10</a></li> diff --git a/history/samba-4.15.13.html b/history/samba-4.15.13.html new file mode 100644 index 0000000..fa2c68f --- /dev/null +++ b/history/samba-4.15.13.html 
@@ -0,0 +1,147 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.15.13 - Release Notes</title> +</head> +<body> +<H2>Samba 4.15.13 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.gz">Samba 4.15.13 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.gz">Patch (gzipped) against Samba 4.15.12</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.15.13 + December 15, 2022 + =============================== + + +This is the latest stable release of the Samba 4.15 release series. +It also contains security changes in order to address the following defects: + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. 
+ + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege + Vulnerability was disclosed by Microsoft on Nov 8 2022 + and per RFC8429 it is assumed that rc4-hmac is weak, + + Vulnerable Samba Active Directory DCs will issue rc4-hmac + encrypted tickets despite the target server supporting + better encryption (eg aes256-cts-hmac-sha1-96). + + https://www.samba.org/samba/security/CVE-2022-45141.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. 
+ +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.15.12 +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. + * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + +o Luke Howard <lu...@padl.com> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@cryptonector.com> + * BUG 15214: CVE-2022-45141. + * BUG 15237: CVE-2022-37966. 
+ +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.16.8.html b/history/samba-4.16.8.html new file mode 100644 index 0000000..157cc3a --- /dev/null +++ b/history/samba-4.16.8.html 
@@ -0,0 +1,147 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.8 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.8 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.8.tar.gz">Samba 4.16.8 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.8.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.7-4.16.8.diffs.gz">Patch (gzipped) against Samba 4.16.7</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.7-4.16.8.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.16.8 + December 15, 2022 + ============================== + + +This is the latest stable release of the Samba 4.16 release series. +It also contains security changes in order to address the following defects + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. 
+ + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.16.7 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. 
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented + atomically. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15230: Memory leak in snprintf replacement functions. + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. + * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC + (CVE-2021-20251 regression). + +o Noel Power <noel.po...@suse.com> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + * BUG 15243: %U for include directive doesn't work for share listing + (netshareenum). + * BUG 15257: Stack smashing in net offlinejoin requestodj. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.17.4.html b/history/samba-4.17.4.html new file mode 100644 index 0000000..325440a --- /dev/null +++ b/history/samba-4.17.4.html 
@@ -0,0 +1,154 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.4 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.4 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.gz">Samba 4.17.4 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.gz">Patch (gzipped) against Samba 4.17.3</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.17.4 + December 15, 2022 + ============================== + + +This is the latest stable release of the Samba 4.17 release series. +It also contains security changes in order to address the following defects: + + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. 
+ + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.17.3 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. 
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented + atomically. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. + * BUG 15206: libnet: change_password() doesn't work with + dcerpc_samr_ChangePasswordUser4(). + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15230: Memory leak in snprintf replacement functions. + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. + * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC + (CVE-2021-20251 regression). + +o Noel Power <noel.po...@suse.com> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Anoop C S <anoo...@samba.org> + * BUG 15198: Prevent EBADF errors with vfs_glusterfs. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + * BUG 15243: %U for include directive doesn't work for share listing + (netshareenum). + * BUG 15257: Stack smashing in net offlinejoin requestodj. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 64c9dec..5545d6b 100755 --- a/history/security.html +++ b/history/security.html 
@@ -32,6 +32,29 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> -- Samba Website Repository
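
Review bot: in history/samba-4.15.13.html the closing reminder "Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully!" leaves out CVE-2022-45141, which this file lists as addressed a few paragraphs earlier; add it to the reminder or say why it is not included. The CVE-2022-45141 entry also opens with a clause that ends in a comma ("... it is assumed that rc4-hmac is weak,") followed by a blank line, so the sentence never completes; join it to the following paragraph or end it with a full stop.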
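
Review bot: in history/samba-4.16.8.html the intro line "It also contains security changes in order to address the following defects" has no trailing colon, unlike the same line in samba-4.15.13.html and samba-4.17.4.html. The smb.conf table in all three new files also mixes "no" (allow nt4 crypto) with "No" (kdc force enable rc4 weak session keys) and "Yes" in the Default column; use one casing, since administrators will compare these values against their own smb.conf when checking which weak-crypto options are still enabled.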
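
Review bot: in history/samba-4.17.4.html (and the two sibling release pages) the download link is samba-4.17.4.tar.gz while the Signature link is samba-4.17.4.tar.asc, and nothing tells the reader that the signature is verified against the uncompressed tarball; a one-line hint beside the links would prevent failed verifications of a security release. Separately, the file declares XHTML 1.0 Transitional yet wraps the <pre> block in <p> and uses an unclosed <br>, which will not validate; since commit 81dfaa6 fixed a markup error that broke feed readers, dropping the <p> around <pre> and writing <br /> is worth doing in these new files.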