[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Tue Mar 19 03:45:52 MDT 2013


The branch, master has been updated
       via  c0a3c0f Announce Samba 4.0.4.
      from  85fb760 Announce Samba 3.6.13.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c0a3c0f759eddbffcb1a8b775625ca62a8325065
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Mar 19 10:43:28 2013 +0100

    Announce Samba 4.0.4.
    
    Karolin

-----------------------------------------------------------------------

Summary of changes:
 generated_news/latest_10_bodies.html    |   28 ++++---
 generated_news/latest_10_headlines.html |    4 +-
 generated_news/latest_2_bodies.html     |   28 ++++----
 history/header_history.html             |    1 +
 history/samba-4.0.4.html                |   41 +++++++++++
 history/security.html                   |   13 ++++
 security/CVE-2013-1863.html             |  120 +++++++++++++++++++++++++++++++
 7 files changed, 208 insertions(+), 27 deletions(-)
 create mode 100755 history/samba-4.0.4.html
 create mode 100644 security/CVE-2013-1863.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index e12b879..a7755ea 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,19 @@
+	<h5><a name="4.0.4">19 March 2013</a></h5>
+	<p class="headline">Samba 4.0.4 Available for Download</p>
+
+<p>This is a <b>security release</b> in order to address <a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1863">
+CVE-2013-1863</a> (World-writeable files may be created in additional
+shares on a Samba 4.0 AD DC).</p>
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://download.samba.org/samba/ftp/stable/samba-4.0.4.tar.gz">downloaded
+now</a>.  A <a href="http://download.samba.org/samba/ftp/patches/patch-4.0.3-4.0.4.diffs.gz">
+patch against Samba 4.0.3</a> is also available. See
+<a href="http://samba.org/samba/history/samba-4.0.4.html">
+the release notes for more info</a>.</p>
+
+
 	<h5><a name="3.6.13">18 March 2013</a></h5>
 	<p class="headline">Samba 3.6.13 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.6 series.</p>
@@ -124,15 +140,3 @@ now</a>. See <a href="http://samba.org/samba/history/samba-4.0.0.html">
 the release notes for more info</a> and the
 <a href= "https://www.samba.org/samba/news/releases/4.0.0.html">
 press release</a>.</p>
-
-	<h5><a name="3.6.10">10 December 2012</a></h5>
-	<p class="headline">Samba 3.6.10 Available for Download</p>
-	<p>This is the latest stable release of the Samba 3.6 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-3.6.10.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.9-3.6.10.diffs.gz">
-patch against Samba 3.6.9</a> is also available.
-See <a href="http://samba.org/samba/history/samba-3.6.10.html">
-the release notes for more info</a>.</p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index 7b3f7c8..be4dd41 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,6 @@
 <ul>
+	<li> 19 March 2013 <a href="#4.0.4">Samba 4.0.4 Available for Download</a></li>
+
 	<li> 18 March 2013 <a href="#3.6.13">Samba 3.6.13 Available for Download</a></li>
 
 	<li> 05 February 2013 <a href="#4.0.3">Samba 4.0.3 Available for Download</a></li>
@@ -16,6 +18,4 @@
 	<li> 11 December 2012 <a href="#4.0.0">Samba 4.0.0 Available for Download</a></li>
 
 	<li> 10 December 2012 <a href="#3.6.10">Samba 3.6.10 Available for Download</a></li>
-
-	<li> 04 December 2012 <a href="#4.0.0rc6">Samba 4.0.0rc6 Available for Download</a></li>
 </ul>
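Review bot: the `10 December 2012 <a href="#3.6.10">` headline kept as context here still points at the 3.6.10 anchor, but the matching `<a name="3.6.10">` body is dropped from `latest_10_bodies.html` in this same commit. If the headlines and bodies fragments are rendered on the same page, that headline becomes a dangling fragment link (the removed `#4.0.0rc6` headline had the same problem before this change); either keep the 3.6.10 body or drop the headline with it so the two fragments stay at the same ten entries.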
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index 840b30d..4cf9b5e 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,18 @@
+	<h5><a name="4.0.4">19 March 2013</a></h5>
+	<p class="headline">Samba 4.0.4 Available for Download</p>
+
+<p>This is a <b>security release</b> in order to address <a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1863">
+CVE-2013-1863</a> (World-writeable files may be created in additional
+shares on a Samba 4.0 AD DC).</p>
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://download.samba.org/samba/ftp/stable/samba-4.0.4.tar.gz">downloaded
+now</a>.  A <a href="http://download.samba.org/samba/ftp/patches/patch-4.0.3-4.0.4.diffs.gz">
+patch against Samba 4.0.3</a> is also available. See
+<a href="http://samba.org/samba/history/samba-4.0.4.html">
+the release notes for more info</a>.</p>
+
 	<h5><a name="3.6.13">18 March 2013</a></h5>
 	<p class="headline">Samba 3.6.13 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.6 series.</p>
@@ -9,16 +24,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.12-3.6.13.diffs
 patch against Samba 3.6.12</a> is also available.
 See <a href="http://samba.org/samba/history/samba-3.6.13.html">
 the release notes for more info</a>.</p>
-
-	<h5><a name="4.0.3">05 February 2013</a></h5>
-	<p class="headline">Samba 4.0.3 Available for Download</p>
-	<p>This is the latest stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.3.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.2-4.0.3.diffs.gz">
-patch against Samba 4.0.2</a> is also available. See
-<a href="http://samba.org/samba/history/samba-4.0.3.html"> the release notes
- for more info</a>.</p>
-</p>
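Review bot: the removed 4.0.3 block ended with a stray `</p>` after an already-closed paragraph, so this hunk also fixes a markup imbalance in `latest_2_bodies.html`; the new 4.0.4 block added above does not reintroduce it. Worth checking that the generator that produces these fragments is the source of the extra close tag, otherwise it will come back on the next release.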
diff --git a/history/header_history.html b/history/header_history.html
index 302255e..f1f8b02 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.0.4.html">samba-4.0.4</a></li>
 			<li><a href="samba-4.0.3.html">samba-4.0.3</a></li>
 			<li><a href="samba-4.0.2.html">samba-4.0.2</a></li>
 			<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
diff --git a/history/samba-4.0.4.html b/history/samba-4.0.4.html
new file mode 100755
index 0000000..765b353
--- /dev/null
+++ b/history/samba-4.0.4.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 4.0.4 Available for Download</H2>
+
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.0.4
+                          March 19, 2013
+                   =============================
+
+
+This is a security release in order to address CVE-2013-1863
+(World-writeable files may be created in additional shares on a
+Samba 4.0 AD DC).
+
+o  CVE-2013-1863:
+   Administrators of the Samba 4.0 Active Directory Domain
+   Controller might unexpectedly find files created world-writeable
+   if additional CIFS file shares are created on the AD DC.
+   Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
+   defect.
+
+
+Changes since 4.0.3:
+--------------------
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.
+</pre>
+
+</body>
+</html>
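Review bot: the `<p>` opened before `<pre>` is never closed, and `<H2>` is uppercase, both of which are invalid under the XHTML 1.0 Transitional doctype declared at the top of the file (block-level `<pre>` cannot sit inside `<p>`, and XHTML element names are lowercase); drop the `<p>` or close it after `</pre>`, and use `<h2>`. Also, the file is created with mode 100755 although it is a static HTML page, while `security/CVE-2013-1863.html` in the same commit is 100644; the executable bit is unnecessary here and the two new files should match.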
diff --git a/history/security.html b/history/security.html
index 06a3257..dbbfe99 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,19 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>19 Mar 2013</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.0.3-CVE-2013-1863.patch">
+	patch for Samba 4.0.3</a>
+	<td>World-writeable files may be created in additional shares on a Samba
+	4.0 AD DC.</td>
+	<td>4.0.0rc6-4.0.3</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1863">CVE-2013-1863</a>
+	</td>
+	<td><a href="/samba/security/CVE-2013-1863">Announcement</a>
+	</td>
+    </tr>
+
+    <tr>
 	<td>30 Jan 2013</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.0.1-CVE-2013-0213-CVE-2013-0214.patch">
 	patch for Samba 4.0.1</a>
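Review bot: the second cell of the new row (`patch for Samba 4.0.3</a>`) has no closing `</td>` before the next `<td>`; browsers recover, but the existing 4.0.1 row in context shows the same omission, so this is a good moment to close both. The Announcement link targets `/samba/security/CVE-2013-1863` without the `.html` suffix while the file added in this commit is `security/CVE-2013-1863.html`; confirm the web server resolves the extensionless path, or link the file name directly as the release-notes column does.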
diff --git a/security/CVE-2013-1863.html b/security/CVE-2013-1863.html
new file mode 100644
index 0000000..144aac3
--- /dev/null
+++ b/security/CVE-2013-1863.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2013-1863.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     World-writeable files may be created in additional shares on a
+==		Samba 4.0 AD DC
+==
+== CVE ID#:     CVE-2013-1863
+==
+== Versions:    Samba 4.0.0rc6 - 4.0.3 (inclusive)
+==
+== Summary:	Administrators of the Samba 4.0 Active Directory Domain
+==		Controller might unexpectedly find files created world-writeable
+==		if additional CIFS file shares are created on the AD DC.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Administrators of the Samba 4.0 Active Directory Domain Controller might
+unexpectedly find files created world-writeable if additional CIFS file shares
+are created on the AD DC.
+
+By default the AD DC is not vulnerable to this issue, as a specific inheritable
+ACL is set on the files in the [sysvol] and [netlogon] shares.
+
+However, on other shares, when only configured with simple unix
+user/group/other permissions, the forced setting of 'create mask' and
+'directory mask' on AD DC installations would apply, resulting in
+world-writable file permissions being set.
+
+These permissions are visible with the standard tools, and only the initial
+file creation is affected.  As Samba honours the unix permissions, the security
+of files where explicit permissions have been set are not affected.
+
+Administrators will need to manually correct the permissions of any
+world-writable files and directories.  After upgrading, either recursively set
+correct permissions using the Windows ACL editor, or run something like e.g.:
+
+sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share
+(Please note that this command might need to be adapted to your needs).
+
+This will remove all the ACLs (a reasonable step as this only impacts on shares
+without an ACL set), including a problematic default posix ACL on
+subdirectories.
+
+==================
+Mitigating factors
+==================
+
+By default the AD DC is not vulnerable to this issue, as a specific inheritable
+ACL is set on the files in the default [sysvol] and [netlogon] shares.
+
+Users of our file server when configured in any other mode, such as a
+standalone server, domain member (including of a Samba 4.0 AD Domain), file
+server or classic (NT4-like) domain controller are not impacted.  Many Samba
+4.0 AD DC installations have followed the Team's advise to split their
+installation in this way, and so are not affected.
+
+Similarly, samba 4.0 AD DC installations based on the 'ntvfs' file server are
+not impacted.  This is not the default in upstream Samba, but importantly it is
+the only available configuration in samba4 packages of Samba 4.0 in Debian
+(including experimental) and Ubuntu supplied packages.
+
+Likewise, packages and installations built --without-ad-dc are not impacted, as
+only AD DC installations will set this configuration.  We understand Red Hat
+and Fedora installations are built in this mode.
+
+Unless guest access has been explicitly allowed (guest ok = yes), only
+authenticated users would be able to read/write any of accidentally
+world-writable files.  Similarly, the 'read only = no' default in the smb.conf
+still applies.
+
+==========
+Workaround
+==========
+
+Set a recursive and inherited ACL on the root of the share (for example, using
+the ACL editor on a Windows client)
+
+==================
+Patch Availability
+==================
+
+Patches addressing this defect have been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 4.0.4, has been issued as security
+releases to correct the defect.  Samba administrators running affected versions
+are advised to upgrade to 4.0.4 or apply the patch as soon as
+possible.
+
+=======
+Credits
+=======
+
+The vulnerability was noticed by a number of observant administrators,
+including Ricky Nance <ricky.nance at weaubleau.k12.mo.us>.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
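Review bot: the page heading renders the file name (`CVE-2013-1863.html:`) rather than the advisory title; the sibling release-notes page uses a human-readable `<h2>`, and the same unclosed `<p>` before `<pre>` applies here. Wording fixes in the advisory text: "the Team's advise" should read "advice", "samba 4.0 AD DC installations" should be capitalised as elsewhere, "the security of files where explicit permissions have been set are not affected" should be "is not affected", and "Samba 4.0.4, has been issued as security releases" should be "Samba 4.0.4 has been issued as a security release". On the cleanup command, `chmod o-w,g-w -R` strips group write as well as world write, which goes further than the world-writable defect described; the "adapt to your needs" caveat covers it, but stating explicitly that `g-w` is optional would save administrators from unintentionally tightening group access on shares that relied on it.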


-- 
Samba Website Repository

