Release Announcements --------------------- This is a security release in order to address the following CVEs:
o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability). o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in trusted realms). o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege elevation). Please note that the patch for CVE-2016-2126 breaks the build with MIT Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected. A patch for this issue is available for Samba 4.4 and 4.3 here: https://bugzilla.samba.org/show_bug.cgi?id=12471 Additionally, you might run into severe issues when running an AD DC with idmap settings for member servers (by mistake) and you are upgrading from the last security release. This invalid configuration (e.g. idmap config * : range = 100000 - 33554431 and similar lines) was ignored formerly and leads to errors now. The typical error you see is NT_STATUS_INVALID_SID. For more details, please see the following bug: https://bugzilla.samba.org/show_bug.cgi?id=12410 If you're a vendor and would like to ignore this again via a source code change, also have a look at: https://bugzilla.samba.org/show_bug.cgi?id=12155#c20 ======= Details ======= o CVE-2016-2123: The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation. o CVE-2016-2125 Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service. o CVE-2016-2126 A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the arcfour-hmac-md5 PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ Patches addressing this defect have been posted to https://www.samba.org/samba/history/security.html The release notes are available online at: https://www.samba.org/samba/history/samba-4.5.3.html https://www.samba.org/samba/history/samba-4.4.8.html https://www.samba.org/samba/history/samba-4.3.13.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
signature.asc
Description: Digital signature
