[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Tue Jan 15 01:22:38 MST 2013


The branch, master has been updated
       via  54d54b2 Announce Samba 4.0.1.
      from  0c1d1cd Add itsd.de

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 54d54b266be6477438a7f5e8bdb56112eba5f814
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Jan 15 09:19:33 2013 +0100

    Announce Samba 4.0.1.
    
    Karolin

-----------------------------------------------------------------------

Summary of changes:
 generated_news/latest_10_bodies.html    |   25 ++++++----
 generated_news/latest_10_headlines.html |    4 +-
 generated_news/latest_2_bodies.html     |   29 ++++++-----
 history/header_history.html             |    1 +
 history/samba-4.0.1.html                |   50 ++++++++++++++++++++
 history/security.html                   |   11 ++++
 latest_stable_release.html              |    6 +-
 security/CVE-2013-0172.html             |   77 +++++++++++++++++++++++++++++++
 8 files changed, 176 insertions(+), 27 deletions(-)
 create mode 100755 history/samba-4.0.1.html
 create mode 100644 security/CVE-2013-0172.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index a9721d7..7b52fb4 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,19 @@
+	<h5><a name="4.0.1">15 January 2013</a></h5>
+	<p class="headline">Samba 4.0.1 Available for Download</p>
+	<p>This is a <b>security release</b>.</p>
+
+<p>This is a <b>security release</b> in order to address <a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0172">
+CVE-2013-0172</a> (Samba 4.0 as an AD DC may provide authenticated users with write
+access to LDAP directory objects).</p>
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://samba.org/samba/ftp/stable/samba-4.0.1.tar.gz">downloaded
+now</a>.  A <a href="http://samba.org/samba/ftp/patches/patch-4.0.0-4.0.1.diffs.gz">
+patch against Samba 4.0.0</a> is also available. See
+<a href="http://samba.org/samba/history/samba-4.0.1.html">
+the release notes for more info</a>.</p>
+
 	<h5><a name="3.5.20">17 December 2012</a></h5>
 	<p class="headline">Samba 3.5.20 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.5 series.</p>
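Review bot: the third line of the new entry, `<p>This is a <b>security release</b>.</p>`, is immediately repeated by the paragraph that follows it, which opens with the same words before naming CVE-2013-0172; drop the one-line paragraph (the 3.5.20 entry below uses that slot for a series description, which the longer paragraph already covers here). The paragraph also states that the tarball and patch are GnuPG-signed (ID 6568B7EA) but links neither signature file; since this is a security release offered over plain http://, a link to the detached signature next to the tarball link would let readers verify what they download.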
@@ -90,12 +106,3 @@ the release notes for more info</a>.</p>
 using GnuPG (ID 6568B7EA).  The source code can be
 <a href="https://download.samba.org/pub/samba/rc/samba-4.0.0rc3.tar.gz">downloaded now</a>.
 See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4-0-0rc3.txt">the release notes for more info</a>.</p>
-
-	<h5><a name="4.0.0rc2">02 October 2012</a></h5>
-	<p class="headline">Samba 4.0.0rc2 Available for Download</p>
-	<p>This is the second release candidate of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="https://download.samba.org/pub/samba/rc/samba-4.0.0rc2.tar.gz">downloaded now</a>.
-See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4-0-0rc2.txt">the release notes for more info</a>.</p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index f28f7ee..760b026 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,6 @@
 <ul>
+	<li> 15 January 2013 <a href="#4.0.1">Samba 4.0.1 Available for Download</a></li>
+
 	<li> 17 December 2012 <a href="#3.5.20">Samba 3.5.20 Available for Download</a></li>
 
 	<li> 11 December 2012 <a href="#4.0.0">Samba 4.0.0 Available for Download</a></li>
@@ -16,6 +18,4 @@
 	<li> 29 October 2012 <a href="#3.6.9">Samba 3.6.9 Available for Download</a></li>
 
 	<li> 16 October 2012 <a href="#4.0.0rc3">Samba 4.0.0rc3 Available for Download</a></li>
-
-	<li> 02 October 2012 <a href="#4.0.0rc2">Samba 4.0.0rc2 Available for Download</a></li>
 </ul>
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index d38ae2f..8a646aa 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,19 @@
+	<h5><a name="4.0.1">15 January 2013</a></h5>
+	<p class="headline">Samba 4.0.1 Available for Download</p>
+	<p>This is a <b>security release</b>.</p>
+
+<p>This is a <b>security release</b> in order to address <a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0172">
+CVE-2013-0172</a> (Samba 4.0 as an AD DC may provide authenticated users with write
+access to LDAP directory objects).</p>
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://samba.org/samba/ftp/stable/samba-4.0.1.tar.gz">downloaded
+now</a>.  A <a href="http://samba.org/samba/ftp/patches/patch-4.0.0-4.0.1.diffs.gz">
+patch against Samba 4.0.0</a> is also available. See
+<a href="http://samba.org/samba/history/samba-4.0.1.html">
+the release notes for more info</a>.</p>
+
 	<h5><a name="3.5.20">17 December 2012</a></h5>
 	<p class="headline">Samba 3.5.20 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.5 series.</p>
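Review bot: the same duplicated "This is a security release" paragraph as in generated_news/latest_10_bodies.html appears here; if both files are produced from one source, fix it there once so the two copies cannot drift apart.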
@@ -9,16 +25,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.5.19-3.5.20.diffs
 patch against Samba 3.5.19</a> is also available. See
 <a href="http://samba.org/samba/history/samba-3.5.20.html">
 the release notes for more info</a>.</p>
-
-
-	<h5><a name="4.0.0">11 December 2012</a></h5>
-	<p class="headline">Samba 4.0.0 Available for Download</p>
-	<p>This is the first stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.0.tar.gz">downloaded
-now</a>. See <a href="http://samba.org/samba/history/samba-4.0.0.html">
-the release notes for more info</a> and the
-<a href= "https://www.samba.org/samba/news/releases/4.0.0.html">
-press release</a>.</p>
diff --git a/history/header_history.html b/history/header_history.html
index 5ab2bf7..8379be6 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
 			<li><a href="samba-4.0.0.html">samba-4.0.0</a></li>
 			<li><a href="samba-3.6.10.html">samba-3.6.10</a></li>
 			<li><a href="samba-3.6.9.html">samba-3.6.9</a></li>
diff --git a/history/samba-4.0.1.html b/history/samba-4.0.1.html
new file mode 100755
index 0000000..597bd0c
--- /dev/null
+++ b/history/samba-4.0.1.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 4.0.1 Available for Download</H2>
+
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.0.1
+                          January 15, 2013
+                   =============================
+
+
+This is a security release in order to address CVE-2013-0172.
+
+o  CVE-2013-0172:
+   Samba 4.0.0 as an AD DC may provide authenticated users with write access
+   to LDAP directory objects.
+
+   In AD, Access Control Entries can be assigned based on the objectClass
+   of the object.  If a user or a group the user is a member of has any
+   access based on the objectClass, then that user has write access to that
+   object.
+
+   Additionally, if a user has write access to any attribute on the object,
+   they may have access to write to all attributes.
+
+   An important mitigation is that anonymous access is totally disabled by
+   default.  The second important mitigation is that normal users are
+   typically only given the problematic per-objectClass right via the
+   "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+   does not make "authenticated users" part of this group.
+
+Changes since 4.0.0:
+====================
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * Bug 9554 - CVE-2013-0172 - Samba 4.0 as an AD DC may provide authenticated
+      users with write access to LDAP directory objects.
+</pre>
+
+</body>
+</html>
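Review bot: the `<p>` opened on the line before `<pre>` is never closed, and `<pre>` is a block-level element that XHTML 1.0 Transitional (the declared doctype) does not allow inside `<p>`; either drop the `<p>` or close it before the `<pre>`. The `<H2>` tag should also be lowercase (`<h2>`) under XHTML. The release-note text itself matches the advisory wording and names the fix as bug 9554, which is what readers of the history page need.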
diff --git a/history/security.html b/history/security.html
index 231a49a..5c290ce 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,17 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>15 Jan 2013</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.0.0-CVE-2013-0172.patch">
+	patch for Samba 4.0.0</a>
+	<td>Samba 4.0 as an AD DC may provide authenticated users with write
+	access to LDAP directory objects.</td>
+	<td>4.0.0</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0172">CVE-2013-0172</a></td>
+	<td><a href="/samba/security/CVE-2013-0172">Announcement</a></td>
+    </tr>
+
+    <tr>
 	<td>30 Apr 2012</td>
 	<td><a href="/samba/ftp/patches/security/samba-3.4.16-CVE-2012-2111.patch">
 	patch for Samba 3.4.16</a>
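Review bot: the second `<td>` of the new row (the patch link) is not closed before the next `<td>` begins; the existing 3.4.16 row below has the same omission, so this is copied convention rather than a new bug, but `patch for Samba 4.0.0</a></td>` costs nothing here. The Announcement link targets `/samba/security/CVE-2013-0172` while the file added in this commit is `security/CVE-2013-0172.html`; confirm the server resolves the extension-less path or link the `.html` file explicitly. The patch URL `/samba/ftp/patches/security/samba-4.0.0-CVE-2013-0172.patch` is not part of this changeset, so verify it is published before the row goes live.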
diff --git a/latest_stable_release.html b/latest_stable_release.html
index 64cdba6..3703d5d 100644
--- a/latest_stable_release.html
+++ b/latest_stable_release.html
@@ -1,5 +1,5 @@
 <p>
-	<a href="/samba/ftp/stable/samba-4.0.0.tar.gz">Samba 4.0.0 (gzipped)</a><br>
-	<a href="/samba/history/samba-4.0.0.html">Release Notes</a> ·
-	<a href="/samba/ftp/stable/samba-4.0.0.tar.asc">Signature</a>
+	<a href="/samba/ftp/stable/samba-4.0.1.tar.gz">Samba 4.0.1 (gzipped)</a><br>
+	<a href="/samba/history/samba-4.0.1.html">Release Notes</a> ·
+	<a href="/samba/ftp/stable/samba-4.0.1.tar.asc">Signature</a>
 </p>
diff --git a/security/CVE-2013-0172.html b/security/CVE-2013-0172.html
new file mode 100644
index 0000000..9b9ec92
--- /dev/null
+++ b/security/CVE-2013-0172.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2013-0172:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     A Samba AD DC may provide authenticated users with
+==		write access to LDAP directory objects.
+==
+== CVE ID#:     CVE-2013-0172
+==
+== Versions:    4.0.0
+==
+== Summary:     Samba 4.0.0 as an AD DC may provide authenticated users with
+==              write access to LDAP directory objects.
+===========================================================
+
+===========
+Description
+===========
+
+In AD, Access Control Entries can be assigned based on the objectClass
+of the object.  If a user or a group the user is a member of has any
+access based on the objectClass, then that user has write access to that
+object.
+
+Additionally, if a user has write access to any attribute on the object,
+they may have access to write to all attributes.
+
+An important mitigation is that anonymous access is totally disabled by
+default.  The second important mitigation is that normal users are
+typically only given the problematic per-objectClass right via the
+"pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+does not make "authenticated users" part of this group.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issues have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Additionally, Samba 4.0.1 has been issued as security releases to correct
+the defect.  Samba administrators are advised to upgrade to this releases
+or apply the patch as soon as possible.
+
+==========
+Workaround
+==========
+
+There is no workaround available at this time.
+
+=======
+Credits
+=======
+
+This issue was found by Andrew Bartlett <abartlet at samba.org> as part of
+normal code auditing activities in Samba.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
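Review bot: three wording slips in the Patch Availability section: "Patches addressing this issues" should read "this issue", "Samba 4.0.1 has been issued as security releases" should be "as a security release", and "upgrade to this releases" should be "this release". The same unclosed `<p>` before `<pre>` as in history/samba-4.0.1.html is present here. The Workaround section states that none is available, yet the Description lists two mitigations (anonymous access is disabled by default, and Samba 4.0.0 does not place "authenticated users" in the "pre-windows 2000 compatible access" group); pointing the Workaround section at that paragraph would help administrators gauge their exposure until they can upgrade.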


-- 
Samba Website Repository

