[Announce] Samba 4.1.6, 4.0.16 and 3.6.23 Security Releases Available

Tue Mar 11 12:11:10 MDT 2014

Release Announcements
---------------------

Samba 4.1.6, 4.0.16 and 3.6.23 have been issued as security releases in order
to address CVE-2013-4496 (Password lockout not enforced for SAMR password
changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by
mistake). Please note that Samba 3.6.23 is not affected by CVE-2013-6442.

o  CVE-2013-4496:
   Samba versions 3.4.0 and above allow the administrator to implement
   locking out Samba accounts after a number of bad password attempts.

   However, all released versions of Samba did not implement this check for
   password changes, such as are available over multiple SAMR and RAP
   interfaces, allowing password guessing attacks.

   For more details, please refer to
   http://www.samba.org/samba/security/CVE-2013-4496.

o  CVE-2013-6442:
   Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
   smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
   command options it will remove the existing ACL on the object being
   modified, leaving the file or directory unprotected.

   For more details, please refer to
   http://www.samba.org/samba/security/CVE-2013-6442.

Changes:
========

o   Jeremy Allison <jra at samba.org>
    * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
      setting owner or group owner.

o   Andrew Bartlett <abartlet at samba.org>
    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
      changes.

o   Stefan Metzmacher <metze at samba.org>
    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
      changes.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the proper product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

	http://www.samba.org/samba/history/samba-4.1.6.html
	http://www.samba.org/samba/history/samba-4.0.16.html
	http://www.samba.org/samba/history/samba-3.6.23.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team