[Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
Karolin Seeger
kseeger at samba.org
Mon Dec 19 09:18:12 UTC 2016
Release Announcements
---------------------
This is a security release in order to address the following CVEs:
o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
Overflow Remote Code Execution Vulnerability).
o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
trusted realms).
o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
elevation).
Please note that the patch for CVE-2016-2126 breaks the build with MIT
Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected.
A patch for this issue is available for Samba 4.4 and 4.3 here:
https://bugzilla.samba.org/show_bug.cgi?id=12471
Additionally, you might run into severe issues when running an AD DC with idmap
settings for member servers (by mistake) and you are upgrading from the last
security release. This invalid configuration (e.g. idmap config * : range =
100000 - 33554431 and similar lines) was ignored formerly and leads to errors
now. The typical error you see is NT_STATUS_INVALID_SID.
For more details, please see the following bug:
https://bugzilla.samba.org/show_bug.cgi?id=12410
If you're a vendor and would like to ignore this again
via a source code change, also have a look at:
https://bugzilla.samba.org/show_bug.cgi?id=12155#c20
=======
Details
=======
o CVE-2016-2123:
The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
parses data from the Samba Active Directory ldb database. Any user
who can write to the dnsRecord attribute over LDAP can trigger this
memory corruption.
By default, all authenticated LDAP users can write to the dnsRecord
attribute on new DNS objects. This makes the defect a remote privilege
escalation.
o CVE-2016-2125
Samba client code always requests a forwardable ticket
when using Kerberos authentication. This means the
target server, which must be in the current or trusted
domain/realm, is given a valid general purpose Kerberos
"Ticket Granting Ticket" (TGT), which can be used to
fully impersonate the authenticated user or service.
o CVE-2016-2126
A remote, authenticated, attacker can cause the winbindd process
to crash using a legitimate Kerberos ticket due to incorrect
handling of the arcfour-hmac-md5 PAC checksum.
A local service with access to the winbindd privileged pipe can
cause winbindd to cache elevated access permissions.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
================
Download Details
================
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
Patches addressing this defect have been posted to
https://www.samba.org/samba/history/security.html
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.5.3.html
https://www.samba.org/samba/history/samba-4.4.8.html
https://www.samba.org/samba/history/samba-4.3.13.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-announce/attachments/20161219/6b4e9e37/signature.sig>
More information about the samba-announce
mailing list