[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Mon Nov 11 02:54:17 MST 2013


The branch, master has been updated
       via  4d083d7 Announce Samba 4.1.1, 4.0.11 and 3.6.20.
      from  c400091 Remove Google Checkout as it is being discontinued.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4d083d77ec08f0b407e6e4c7968a77029e9b9d29
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 11 10:35:15 2013 +0100

    Announce Samba 4.1.1, 4.0.11 and 3.6.20.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 generated_news/latest_10_bodies.html    |   33 +++++---
 generated_news/latest_10_headlines.html |    7 +-
 generated_news/latest_2_bodies.html     |   36 ++++++---
 history/header_history.html             |    3 +
 history/samba-3.6.20.html               |   56 +++++++++++++
 history/samba-4.0.11.html               |   66 +++++++++++++++
 history/samba-4.1.1.html                |   66 +++++++++++++++
 history/security.html                   |   19 +++++
 latest_stable_release.html              |    6 +-
 security/CVE-2013-4475.html             |   96 ++++++++++++++++++++++
 security/CVE-2013-4476.html             |  135 +++++++++++++++++++++++++++++++
 11 files changed, 495 insertions(+), 28 deletions(-)
 create mode 100755 history/samba-3.6.20.html
 create mode 100755 history/samba-4.0.11.html
 create mode 100755 history/samba-4.1.1.html
 create mode 100644 security/CVE-2013-4475.html
 create mode 100644 security/CVE-2013-4476.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index e9145b7..64f11d8 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,26 @@
+	<h5><a name="4.1.1">11 November 2013</a></h5>
+	<p class="headline">Samba 4.1.1, 4.0.11 and 3.6.20 <b>Security
+	Releases</b> Available for Download</p>
+	<p>These are security releases in order to address
+	<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>
+	(<b>ACLs are not checked on opening an alternate data stream on a file
+		or directory)</b> and
+	<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+	(<b>Private key in key.pem world readable</b>).
+	</p>
+
+	<p>The uncompressed tarballs and patch files have been signed
+	using GnuPG (ID 6568B7EA).</p>
+	<p>
+	The source code can be downloaded here:
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.1.1.tar.gz">download
+	Samba 4.1.1</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.0.11.tar.gz">download
+	Samba 4.0.11</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.6.20.tar.gz">download
+	Samba 3.6.20</a>.</li>
+	</p>
+
 	<h5><a name="4.1.0">11 October 2013</a></h5>
 	<p class="headline">Samba 4.1.0 Available for Download</p>
 	<p>This is the first stable release of the Samba 4.1 series.</p>
@@ -139,13 +162,3 @@ Please see the release notes for more info:
 <li><a href="http://samba.org/samba/history/samba-3.5.22.html">release notes
 	Samba 3.5.22</a>.</li>
 </p>
-
-       <h5><a name="4.1.0rc1">11 July 2013</a></h5>
-       <p class="headline">Samba 4.1.0rc1 Available for Download</p>
-       <p>This is the first release candidate of the upcoming Samba 4.1 release series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="https://download.samba.org/pub/samba/rc/samba-4.1.0rc1.tar.gz">downloaded
-now</a>. See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc1.txt">the
-release notes for more info</a>.</p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index 8b64db9..95e864b 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,8 @@
 <ul>
+	<li> 11 November 2013 <a href="#4.1.1">Samba 4.1.1, 4.0.11
+	(CVE-2013-4475 and CVE-2013-4475) and 3.6.20 (CVE-2013-4475)
+	Security Releases Available for Download</a></li>
+
 	<li> 11 October 2013 <a href="#4.1.0">Samba 4.1.0 Available for Download</a></li>
 
 	<li> 08 October 2013 <a href="#4.0.10">Samba 4.0.10 Available for Download</a></li>
@@ -20,7 +24,4 @@
 
 	<li> 05 August 2013 <a href="#4.0.8">Samba 4.0.8, 3.6.17 and 3.5.22
 	Security Releases Available for Download (CVE-2013-4124)</a></li>
-
-	<li> 11 July 2013 <a href="4.1.0rc1">Samba 4.1.0rc1 Available for
-	Download</a></li>
 </ul>
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index 638df61..9812122 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,27 @@
+	<h5><a name="4.1.1">11 November 2013</a></h5>
+	<p class="headline">Samba 4.1.1, 4.0.11 and 3.6.20 <b>Security
+	Releases</b> Available for Download</p>
+	<p>These are security releases in order to address
+	<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>
+	(<b>ACLs are not checked on opening an alternate data stream on a file
+		or directory)</b> and
+	<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+	(<b>Private key in key.pem world readable</b>).
+	</p>
+
+	<p>The uncompressed tarballs and patch files have been signed
+	using GnuPG (ID 6568B7EA).</p>
+	<p>
+	The source code can be downloaded here:
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.1.1.tar.gz">download
+	Samba 4.1.1</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.0.11.tar.gz">download
+	Samba 4.0.11</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.6.20.tar.gz">download
+	Samba 3.6.20</a>.</li>
+	</p>
+
+
 	<h5><a name="4.1.0">11 October 2013</a></h5>
 	<p class="headline">Samba 4.1.0 Available for Download</p>
 	<p>This is the first stable release of the Samba 4.1 series.</p>
@@ -9,15 +33,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.10-4.1.0.diffs.
 patch against Samba 4.0.10</a> is also available. See
 <a href="http://samba.org/samba/history/samba-4.1.0.html"> the release notes
  for more info</a>.</p>
-
-	<h5><a name="4.0.10">08 October 2013</a></h5>
-	<p class="headline">Samba 4.0.10 Available for Download</p>
-	<p>This is the latest stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.10.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.9-4.0.10.diffs.gz">
-patch against Samba 4.0.9</a> is also available. See
-<a href="http://samba.org/samba/history/samba-4.0.10.html"> the release notes
- for more info</a>.</p>
diff --git a/history/header_history.html b/history/header_history.html
index 27e2673..fed3038 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -10,7 +10,9 @@
 		<li class="navSub">
 			<ul>
 			<li><a href="/samba/security/CVE-2013-0454.html">CVE-2013-0454</a></li>
+			<li><a href="samba-4.1.1.html">samba-4.1.1</a></li>
 			<li><a href="samba-4.1.0.html">samba-4.1.0</a></li>
+			<li><a href="samba-4.0.11.html">samba-4.0.11</a></li>
 			<li><a href="samba-4.0.10.html">samba-4.0.10</a></li>
 			<li><a href="samba-4.0.9.html">samba-4.0.9</a></li>
 			<li><a href="samba-4.0.8.html">samba-4.0.8</a></li>
@@ -22,6 +24,7 @@
 			<li><a href="samba-4.0.2.html">samba-4.0.2</a></li>
 			<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
 			<li><a href="samba-4.0.0.html">samba-4.0.0</a></li>
+			<li><a href="samba-3.6.20.html">samba-3.6.20</a></li>
 			<li><a href="samba-3.6.19.html">samba-3.6.19</a></li>
 			<li><a href="samba-3.6.18.html">samba-3.6.18</a></li>
 			<li><a href="samba-3.6.17.html">samba-3.6.17</a></li>
diff --git a/history/samba-3.6.20.html b/history/samba-3.6.20.html
new file mode 100755
index 0000000..5666288
--- /dev/null
+++ b/history/samba-3.6.20.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 3.6.20 Available for Download</H2>
+
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 3.6.20
+                         November 11, 2013
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory).
+
+o  CVE-2013-4475:
+   Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+   3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+   file or directory ACL when opening an alternate data stream.
+
+   According to the SMB1 and SMB2+ protocols the ACL on an underlying
+   file or directory should control what access is allowed to alternate
+   data streams that are associated with the file or directory.
+
+   By default no version of Samba supports alternate data streams
+   on files or directories.
+
+   Samba can be configured to support alternate data streams by loading
+   either one of two virtual file system modues (VFS) vfs_streams_depot or
+   vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+   servers configured this way.
+
+   To determine if your server is vulnerable, check for the strings
+   "streams_depot" or "streams_xattr" inside your smb.conf configuration
+   file.
+
+
+Changes since 3.6.19:
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+      files.
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.0.11.html b/history/samba-4.0.11.html
new file mode 100755
index 0000000..b721e9d
--- /dev/null
+++ b/history/samba-4.0.11.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 4.0.11 Available for Download</H2>
+
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.0.11
+                          November 11, 2013
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory) and
+CVE-2013-4476 (Private key in key.pem world readable).
+
+o  CVE-2013-4475:
+   Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+   3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+   file or directory ACL when opening an alternate data stream.
+
+   According to the SMB1 and SMB2+ protocols the ACL on an underlying
+   file or directory should control what access is allowed to alternate
+   data streams that are associated with the file or directory.
+
+   By default no version of Samba supports alternate data streams
+   on files or directories.
+
+   Samba can be configured to support alternate data streams by loading
+   either one of two virtual file system modues (VFS) vfs_streams_depot or
+   vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+   servers configured this way.
+
+   To determine if your server is vulnerable, check for the strings
+   "streams_depot" or "streams_xattr" inside your smb.conf configuration
+   file.
+
+o  CVE-2013-4476:
+   In setups which provide ldap(s) and/or https services, the private
+   key for SSL/TLS encryption might be world readable. This typically
+   happens in active directory domain controller setups.
+
+
+Changes since 4.0.10:
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+      files.
+
+
+o   Björn Baumbach <bb at sernet.de>
+    * BUG 10234: CVE-2013-4476: Private key in key.pem world readable.
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.1.1.html b/history/samba-4.1.1.html
new file mode 100755
index 0000000..c247cb9
--- /dev/null
+++ b/history/samba-4.1.1.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 4.1.1 Available for Download</H2>
+
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.1.1
+                         November 11, 2013
+                   =============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory) and
+CVE-2013-4476 (Private key in key.pem world readable).
+
+o  CVE-2013-4475:
+   Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+   3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+   file or directory ACL when opening an alternate data stream.
+
+   According to the SMB1 and SMB2+ protocols the ACL on an underlying
+   file or directory should control what access is allowed to alternate
+   data streams that are associated with the file or directory.
+
+   By default no version of Samba supports alternate data streams
+   on files or directories.
+
+   Samba can be configured to support alternate data streams by loading
+   either one of two virtual file system modues (VFS) vfs_streams_depot or
+   vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+   servers configured this way.
+
+   To determine if your server is vulnerable, check for the strings
+   "streams_depot" or "streams_xattr" inside your smb.conf configuration
+   file.
+
+o  CVE-2013-4476:
+   In setups which provide ldap(s) and/or https services, the private
+   key for SSL/TLS encryption might be world readable. This typically
+   happens in active directory domain controller setups.
+
+
+Changes since 4.1.0:
+--------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+      files.
+
+
+o   Björn Baumbach <bb at sernet.de>
+    * BUG 10234: CVE-2013-4476: Private key in key.pem world readable.
+</pre>
+
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index d25032d..af0dd43 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,25 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>11 Nov 2013</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.1.0-CVE-2013-4475-CVE-2013-4476.patch">
+	patch for Samba 4.1.0</a>
+	<a href="/samba/ftp/patches/security/samba-4.0.10-CVE-2013-4475-CVE-2013-4476.patch">
+	patch for Samba 4.0.10</a>
+	<a href="/samba/ftp/patches/security/samba-3.6.19-CVE-2013-4475.patch">
+	patch for Samba 3.6.19</a>
+	<td>ACLs are not checked on opening an alternate data stream on a file
+      	    or directory, Private key in key.pem world readable.</td>
+	<td>3.2.0 - 4.1.0, 4.0.0 - 4.0.10, 4.1.0</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>, 
+	    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+	</td>
+	<td><a href="/samba/security/CVE-2013-4475">Announcement</a>
+	    <a href="/samba/security/CVE-2013-4476">Announcement</a>
+	</td>
+    </tr>
+
+    <tr>
 	<td>05 Aug 2013</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.0.7-CVE-2013-4124.patch">
 	patch for Samba 4.0.7</a>
diff --git a/latest_stable_release.html b/latest_stable_release.html
index 0331baf..612bf7c 100644
--- a/latest_stable_release.html
+++ b/latest_stable_release.html
@@ -1,5 +1,5 @@
 <p>
-	<a href="/samba/ftp/stable/samba-4.1.0.tar.gz">Samba 4.1.0 (gzipped)</a><br>
-	<a href="/samba/history/samba-4.1.0.html">Release Notes</a> ·
-	<a href="/samba/ftp/stable/samba-4.1.0.tar.asc">Signature</a>
+	<a href="/samba/ftp/stable/samba-4.1.1.tar.gz">Samba 4.1.1 (gzipped)</a><br>
+	<a href="/samba/history/samba-4.1.1.html">Release Notes</a> ·
+	<a href="/samba/ftp/stable/samba-4.1.1.tar.asc">Signature</a>
 </p>
diff --git a/security/CVE-2013-4475.html b/security/CVE-2013-4475.html
new file mode 100644
index 0000000..4f62afe
--- /dev/null
+++ b/security/CVE-2013-4475.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2013-4475.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     ACLs are not checked on opening an alternate
+==		data stream on a file or directory.
+==
+== CVE ID#:     CVE-2013-4475
+==
+== Versions:    All versions of Samba later than 3.2.0
+==
+== Summary:     When opening an alternate data stream on a file
+==		or directory, any Windows ACL present on that
+==		underlying file or directory is not used to
+==		control access to the alternate data stream.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+file or directory ACL when opening an alternate data stream.
+
+According to the SMB1 and SMB2+ protocols the ACL on an underlying
+file or directory should control what access is allowed to alternate
+data streams that are associated with the file or directory.
+
+By default no version of Samba supports alternate data streams
+on files or directories.
+
+Samba can be configured to support alternate data streams by loading
+either one of two virtual file system modues (VFS) vfs_streams_depot or
+vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+servers configured this way.
+
+To determine if your server is vulnerable, check for the strings
+"streams_depot" or "streams_xattr" inside your smb.conf configuration
+file.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Samba versions 3.6.20, 4.0.11, and 4.1.1 have been released to
+address this issue.
+
+==========
+Workaround
+==========
+
+Remove all uses of:
+
+vfs objects = streams_depot
+
+and:
+
+vfs objects = streams_xattr
+
+from the [global] section of your smb.conf file, and from
+all share definitions in your smb.conf file.
+
+=======
+Credits
+=======
+
+This issue was discovered by Hemanth Thummala <hemanth.thummala at gmail.com>,
+and the Samba Team would like to thank Hemanth for bringing this to
+our attention.
+
+Patches provided by Jeremy Allison of the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
diff --git a/security/CVE-2013-4476.html b/security/CVE-2013-4476.html
new file mode 100644
index 0000000..1d1bc68
--- /dev/null
+++ b/security/CVE-2013-4476.html
@@ -0,0 +1,135 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>


-- 
Samba Website Repository


More information about the samba-cvs mailing list