[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Tue Mar 11 11:55:56 MDT 2014
The branch, master has been updated
via 1145d5b Announce Samba 4.1.6, 4.0.16 and 3.6.23.
from f75d82b Add cwrap.org.
http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1145d5b473781e575cb443a6d3422a901304801f
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Mar 11 18:46:38 2014 +0100
Announce Samba 4.1.6, 4.0.16 and 3.6.23.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
generated_news/latest_10_bodies.html | 48 +++++++-------
generated_news/latest_10_headlines.html | 8 +-
generated_news/latest_2_bodies.html | 36 +++++++----
history/header_history.html | 3 +
history/samba-3.6.23.html | 47 ++++++++++++++
history/samba-4.0.16.html | 59 +++++++++++++++++
history/samba-4.1.6.html | 59 +++++++++++++++++
history/security.html | 22 ++++++-
latest_stable_release.html | 6 +-
security/CVE-2013-4496.html | 107 +++++++++++++++++++++++++++++++
security/CVE-2013-6442.html | 71 ++++++++++++++++++++
11 files changed, 421 insertions(+), 45 deletions(-)
create mode 100755 history/samba-3.6.23.html
create mode 100755 history/samba-4.0.16.html
create mode 100755 history/samba-4.1.6.html
create mode 100644 security/CVE-2013-4496.html
create mode 100644 security/CVE-2013-6442.html
Changeset truncated at 500 lines:
diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index e3a280d..4aa0378 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,27 @@
+ <h5><a name="4.1.6">11 March 2014</a></h5>
+ <p class="headline">Samba 4.1.6, 4.0.16 and 3.6.23 <b>Security
+ Releases</b> Available for Download</p>
+ <p>These are security releases in order to address
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496">CVE-2013-4496</a>
+ (<b>Password lockout not enforced for SAMR password changes</b>) and
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442">CVE-2013-6442</a>
+ (<b>smbcacls will remove the ACL on a file or directory when changing owner or group
+ owner.</b>).
+ </p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA).</p>
+ <p>
+ The source code can be downloaded here:
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.1.6.tar.gz">download
+ Samba 4.1.6</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.0.16.tar.gz">download
+ Samba 4.0.16</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-3.6.23.tar.gz">download
+ Samba 3.6.23</a>.</li>
+ </p>
+
+
<h5><a name="4.1.5">21 February 2014</a></h5>
<p class="headline">Samba 4.1.5 Available for Download</p>
<p>This is the latest stable release of the Samba 4.1 series.</p>
@@ -122,27 +146,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.11-4.0.12.diffs
patch against Samba 4.0.11</a> is also available. See
<a href="http://samba.org/samba/history/samba-4.0.12.html"> the release notes
for more info</a>.</p>
-
-
- <h5><a name="4.1.1">11 November 2013</a></h5>
- <p class="headline">Samba 4.1.1, 4.0.11 and 3.6.20 <b>Security
- Releases</b> Available for Download</p>
- <p>These are security releases in order to address
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>
- (<b>ACLs are not checked on opening an alternate data stream on a file
- or directory)</b> and
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
- (<b>Private key in key.pem world readable</b>).
- </p>
-
- <p>The uncompressed tarballs and patch files have been signed
- using GnuPG (ID 6568B7EA).</p>
- <p>
- The source code can be downloaded here:
- <li><a href="http://samba.org/samba/ftp/stable/samba-4.1.1.tar.gz">download
- Samba 4.1.1</a>,</li>
- <li><a href="http://samba.org/samba/ftp/stable/samba-4.0.11.tar.gz">download
- Samba 4.0.11</a>,</li>
- <li><a href="http://samba.org/samba/ftp/stable/samba-3.6.20.tar.gz">download
- Samba 3.6.20</a>.</li>
- </p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index 846d13e..5cac83d 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,8 @@
<ul>
+ <li> 11 March 2014 <a href="#4.1.6">Samba 4.1.6, 4.0.16
+ and 3.6.23 Security Releases Available for Download (CVE-2013-4496 and
+ CVE-2013-6442)</a></li>
+
<li> 21 February 2014 <a href="#4.1.5">Samba 4.1.5 Available for Download</a></li>
<li> 18 February 2014 <a href="#4.0.15">Samba 4.0.15 Available for Download</a></li>
@@ -18,8 +22,4 @@
<li> 22 November 2013 <a href="#4.1.2">Samba 4.1.2 Available for Download</a></li>
<li> 19 November 2013 <a href="#4.0.12">Samba 4.0.12 Available for Download</a></li>
-
- <li> 11 November 2013 <a href="#4.1.1">Samba 4.1.1, 4.0.11
- (CVE-2013-4475 and CVE-2013-4476) and 3.6.20 (CVE-2013-4475)
- Security Releases Available for Download</a></li>
</ul>
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index 4b6fd30..16c1166 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,26 @@
+ <h5><a name="4.1.6">11 March 2014</a></h5>
+ <p class="headline">Samba 4.1.6, 4.0.16 and 3.6.23 <b>Security
+ Releases</b> Available for Download</p>
+ <p>These are security releases in order to address
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496">CVE-2013-4496</a>
+ (<b>Password lockout not enforced for SAMR password changes</b>) and
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442">CVE-2013-6442</a>
+ (<b>smbcacls will remove the ACL on a file or directory when changing owner or group
+ owner.</b>).
+ </p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA).</p>
+ <p>
+ The source code can be downloaded here:
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.1.6.tar.gz">download
+ Samba 4.1.6</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.0.16.tar.gz">download
+ Samba 4.0.16</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-3.6.23.tar.gz">download
+ Samba 3.6.23</a>.</li>
+ </p>
+
<h5><a name="4.1.5">21 February 2014</a></h5>
<p class="headline">Samba 4.1.5 Available for Download</p>
<p>This is the latest stable release of the Samba 4.1 series.</p>
@@ -9,16 +32,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.1.4-4.1.5.diffs.g
patch against Samba 4.1.4</a> is also available. See
<a href="http://samba.org/samba/history/samba-4.1.5.html"> the release notes
for more info</a>.</p>
-
-
- <h5><a name="4.0.15">18 February 2014</a></h5>
- <p class="headline">Samba 4.0.15 Available for Download</p>
- <p>This is the latest stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA). The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.15.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.14-4.0.15.diffs.gz">
-patch against Samba 4.0.14</a> is also available. See
-<a href="http://samba.org/samba/history/samba-4.0.15.html"> the release notes
- for more info</a>.</p>
diff --git a/history/header_history.html b/history/header_history.html
index d1fac61..8d9ee11 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -10,12 +10,14 @@
<li class="navSub">
<ul>
<li><a href="/samba/security/CVE-2013-0454.html">CVE-2013-0454</a></li>
+ <li><a href="samba-4.1.6.html">samba-4.1.6</a></li>
<li><a href="samba-4.1.5.html">samba-4.1.5</a></li>
<li><a href="samba-4.1.4.html">samba-4.1.4</a></li>
<li><a href="samba-4.1.3.html">samba-4.1.3</a></li>
<li><a href="samba-4.1.2.html">samba-4.1.2</a></li>
<li><a href="samba-4.1.1.html">samba-4.1.1</a></li>
<li><a href="samba-4.1.0.html">samba-4.1.0</a></li>
+ <li><a href="samba-4.0.16.html">samba-4.0.16</a></li>
<li><a href="samba-4.0.15.html">samba-4.0.15</a></li>
<li><a href="samba-4.0.14.html">samba-4.0.14</a></li>
<li><a href="samba-4.0.13.html">samba-4.0.13</a></li>
@@ -32,6 +34,7 @@
<li><a href="samba-4.0.2.html">samba-4.0.2</a></li>
<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
<li><a href="samba-4.0.0.html">samba-4.0.0</a></li>
+ <li><a href="samba-3.6.23.html">samba-3.6.23</a></li>
<li><a href="samba-3.6.22.html">samba-3.6.22</a></li>
<li><a href="samba-3.6.21.html">samba-3.6.21</a></li>
<li><a href="samba-3.6.20.html">samba-3.6.20</a></li>
diff --git a/history/samba-3.6.23.html b/history/samba-3.6.23.html
new file mode 100755
index 0000000..90389db
--- /dev/null
+++ b/history/samba-3.6.23.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.6.23 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 3.6.23
+ March 11, 2014
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
+
+o CVE-2013-4496:
+ Samba versions 3.4.0 and above allow the administrator to implement
+ locking out Samba accounts after a number of bad password attempts.
+
+ However, all released versions of Samba did not implement this check for
+ password changes, such as are available over multiple SAMR and RAP
+ interfaces, allowing password guessing attacks.
+
+
+Changes since 3.6.22:
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.0.16.html b/history/samba-4.0.16.html
new file mode 100755
index 0000000..0e50c00
--- /dev/null
+++ b/history/samba-4.0.16.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 4.0.16 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.0.16
+ March 11, 2014
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and
+CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake).
+
+o CVE-2013-4496:
+ Samba versions 3.4.0 and above allow the administrator to implement
+ locking out Samba accounts after a number of bad password attempts.
+
+ However, all released versions of Samba did not implement this check for
+ password changes, such as are available over multiple SAMR and RAP
+ interfaces, allowing password guessing attacks.
+
+o CVE-2013-6442:
+ Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
+ smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
+ command options it will remove the existing ACL on the object being
+ modified, leaving the file or directory unprotected.
+
+
+Changes since 4.0.15:
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
+ setting owner or group owner.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.1.6.html b/history/samba-4.1.6.html
new file mode 100755
index 0000000..46b9fdd
--- /dev/null
+++ b/history/samba-4.1.6.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 4.1.6 Available for Download</H2>
+
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.1.6
+ March 11, 2014
+ =============================
+
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and
+CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake).
+
+o CVE-2013-4496:
+ Samba versions 3.4.0 and above allow the administrator to implement
+ locking out Samba accounts after a number of bad password attempts.
+
+ However, all released versions of Samba did not implement this check for
+ password changes, such as are available over multiple SAMR and RAP
+ interfaces, allowing password guessing attacks.
+
+o CVE-2013-6442:
+ Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
+ smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
+ command options it will remove the existing ACL on the object being
+ modified, leaving the file or directory unprotected.
+
+
+Changes since 4.1.5:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
+ setting owner or group owner.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+</pre>
+
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index 9bb5f9a..b805614 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,10 +22,30 @@ link to full release notes for each release.</p>
</tr>
<tr>
+ <td>11 Mar 2014</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.1.5-CVE-2013-4496-CVE-2013-6442.patch">
+ patch for Samba 4.1.5</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.0.15-CVE-2013-4496-CVE-2013-6442.patch">
+ patch for Samba 4.0.15</a><br />
+ <a href="/samba/ftp/patches/security/samba-3.6.22-CVE-2013-4496.patch">
+ patch for Samba 3.6.22</a><br />
+ <td>Password lockout not enforced for SAMR password changes, smbcacls can remove a file
+ or directory ACL by mistake.
+ </td>
+ <td>please refer to the advisories</td>
+ <td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496">CVE-2013-4496</a>,
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442">CVE-2013-6442</a>
+ </td>
+ <td><a href="/samba/security/CVE-2013-4496">Announcement</a>
+ <a href="/samba/security/CVE-2013-6442">Announcement</a>
+ </td>
+ </tr>
+
+ <tr>
<td>09 Dec 2013</td>
<td><a href="/samba/ftp/patches/security/samba-4.1.2-CVE-2013-4408-CVE-2012-6150.patch">
patch for Samba 4.1.2</a><br />
- <a href="/samba/ftp/patches/security/amba-4.0.12-CVE-2013-4408-CVE-2012-6150.patch">
+ <a href="/samba/ftp/patches/security/samba-4.0.12-CVE-2013-4408-CVE-2012-6150.patch">
patch for Samba 4.0.12</a><br />
<a href="/samba/ftp/patches/security/samba-3.6.21-CVE-2013-4408-CVE-2012-6150.patch">
patch for Samba 3.6.21</a><br />
diff --git a/latest_stable_release.html b/latest_stable_release.html
index bcf07a5..2ad5e61 100644
--- a/latest_stable_release.html
+++ b/latest_stable_release.html
@@ -1,5 +1,5 @@
<p>
- <a href="/samba/ftp/stable/samba-4.1.5.tar.gz">Samba 4.1.5 (gzipped)</a><br>
- <a href="/samba/history/samba-4.1.5.html">Release Notes</a> ·
- <a href="/samba/ftp/stable/samba-4.1.5.tar.asc">Signature</a>
+ <a href="/samba/ftp/stable/samba-4.1.6.tar.gz">Samba 4.1.6 (gzipped)</a><br>
+ <a href="/samba/history/samba-4.1.6.html">Release Notes</a> ·
+ <a href="/samba/ftp/stable/samba-4.1.6.tar.asc">Signature</a>
</p>
diff --git a/security/CVE-2013-4496.html b/security/CVE-2013-4496.html
new file mode 100644
index 0000000..867ba7c
--- /dev/null
+++ b/security/CVE-2013-4496.html
@@ -0,0 +1,107 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2013-4496.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: CVE-2013-4496: Password lockout not enforced for SAMR password changes
+==
+== CVE ID#: CVE-2013-4496
+==
+== Versions: All versions of Samba later than 3.4.0
+==
+== Summary: In Samba's SAMR server we neglect to ensure that
+== attempted password changes will update the bad password
+== count, nor set the lockout flags.
+== This would allow a user unlimited attempts against the
+== password by simply calling ChangePasswordUser2
+== repeatedly.
+==
+== This is available without any other authentication.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba versions 3.4.0 and above allow the administrator to implement
+locking out Samba accounts after a number of bad password attempts.
+
+However, all released versions of Samba did not implement this check for
+password changes, such as are available over multiple SAMR and RAP
+interfaces, allowing password guessing attacks.
+
+As this was found during an internal audit of the Samba code there are
+no currently known exploits for this problem (as of March 11th 2014).
+
+=======
+Caveats
+=======
+
+Most sites do not configure the bad password lockout feature. Typically
+it is only enabled when Samba is configured as a Domain Controller, so
+most file server deployments are not impacted.
+
+Additionally, for this feature to be effective Samba must be the sole
+source of authentication on the network. (Otherwise synchronised
+services such as an LDAP backend or the UNIX /etc/shadow file could be
+the weak point instead).
+
+This patch does not implement bad password lockout for the Active
+Directory Domain Controller. The bad password lockout feature is not
+implemented at all in that configuration. The Samba Team plans to
+address this deficiency as feature in a future release of the AD DC.
+
+The patch to remove the samr_ChangePasswordUser call is not strictly
+required, as this call is only available to administrators already able
+to reset passwords. We include it to avoid a future well-meaning patch
+that might restore it as a valid password-change mechanism. If used, it
+would also bypass restrictions on password complexity, history and any
+restriction defined via the 'unix passwd sync', 'pam password change'
+and 'ldap password sync' smb.conf options.
+
+==================
+Patch Availability
+==================
+
+Patches addressing all these issues have been posted to:
+
+ http://www.samba.org/samba/security/
+
+Samba versions 3.6.23, 4.0.16, and 4.1.6 have been released to
+address this issue. Patches for 3.4.17 and 3.5.22 have not been
+provided as these are now beyond our security support window.
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+This problem was found by an internal audit of the Samba code by
+Andrew Bartlett of Catalyst IT. Special thanks also go to Univention GmbH.
+
+Patches provided by Andrew Bartlett, Stefan Metzmacher of SerNet and Jeremy Allison of the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
--
Samba Website Repository
More information about the samba-cvs
mailing list