[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Mon Dec 19 09:04:17 UTC 2016


The branch, master has been updated
       via  2619c79 NEWS[4.5.3]: Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
      from  f6f51dc header_history.html: Add Samba 4.5.2.

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2619c7913be269cdef2e7f5c28467fe77f58244a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Dec 9 10:41:36 2016 +0100

    NEWS[4.5.3]: Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                     |   4 +
 history/samba-4.3.13.html                       |  81 +++++++++++++++
 history/samba-4.4.8.html                        |  81 +++++++++++++++
 history/samba-4.5.3.html                        |  81 +++++++++++++++
 history/security.html                           |  21 ++++
 posted_news/20161219-081451.4.5.3.body.html     |  29 ++++++
 posted_news/20161219-081451.4.5.3.headline.html |   4 +
 security/CVE-2016-2123.html                     |  71 +++++++++++++
 security/CVE-2016-2125.html                     | 131 ++++++++++++++++++++++++
 security/CVE-2016-2126.html                     | 101 ++++++++++++++++++
 10 files changed, 604 insertions(+)
 create mode 100644 history/samba-4.3.13.html
 create mode 100644 history/samba-4.4.8.html
 create mode 100644 history/samba-4.5.3.html
 create mode 100644 posted_news/20161219-081451.4.5.3.body.html
 create mode 100644 posted_news/20161219-081451.4.5.3.headline.html
 create mode 100644 security/CVE-2016-2123.html
 create mode 100644 security/CVE-2016-2125.html
 create mode 100644 security/CVE-2016-2126.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 9f7a699..cbbb7a8 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,9 +9,12 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.5.3.html">samba-4.5.3</a></li>
 			<li><a href="samba-4.5.2.html">samba-4.5.2</a></li>
 			<li><a href="samba-4.5.1.html">samba-4.5.1</a></li>
 			<li><a href="samba-4.5.0.html">samba-4.5.0</a></li>
+			<li><a href="samba-4.4.8.html">samba-4.4.8</a></li>
+			<li><a href="samba-4.4.7.html">samba-4.4.7</a></li>
 			<li><a href="samba-4.4.6.html">samba-4.4.6</a></li>
 			<li><a href="samba-4.4.5.html">samba-4.4.5</a></li>
 			<li><a href="samba-4.4.4.html">samba-4.4.4</a></li>
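Review bot: the new `samba-4.4.7` entry has no matching `history/samba-4.4.7.html` in this commit's file list (only the 4.5.3, 4.4.8 and 4.3.13 pages are created), so confirm that page already exists in the repository before merging or the link will be dead. It is also an unrelated catch-up to the security-release announcement this commit is titled for and would be easier to audit as its own commit.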
@@ -19,6 +22,7 @@
 			<li><a href="samba-4.4.2.html">samba-4.4.2</a></li>
 			<li><a href="samba-4.4.1.html">samba-4.4.1 (do not use)</a></li>
 			<li><a href="samba-4.4.0.html">samba-4.4.0</a></li>
+			<li><a href="samba-4.3.13.html">samba-4.3.13</a></li>
 			<li><a href="samba-4.3.12.html">samba-4.3.12</a></li>
 			<li><a href="samba-4.3.11.html">samba-4.3.11</a></li>
 			<li><a href="samba-4.3.10.html">samba-4.3.10</a></li>
diff --git a/history/samba-4.3.13.html b/history/samba-4.3.13.html
new file mode 100644
index 0000000..e0acc4c
--- /dev/null
+++ b/history/samba-4.3.13.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.3.13 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.3.13 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.3.13.tar.gz">Samba 4.3.13 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.3.13.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.3.12-4.3.13.diffs.gz">Patch (gzipped) against Samba 4.3.12</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.3.12-4.3.13.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.3.13
+                          December 19, 2016
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+   Overflow Remote Code Execution Vulnerability).
+o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+   trusted realms).
+o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+   elevation).
+
+=======
+Details
+=======
+
+o  CVE-2016-2123:
+   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+   parses data from the Samba Active Directory ldb database.  Any user
+   who can write to the dnsRecord attribute over LDAP can trigger this
+   memory corruption.
+
+   By default, all authenticated LDAP users can write to the dnsRecord
+   attribute on new DNS objects. This makes the defect a remote privilege
+   escalation.
+
+o  CVE-2016-2125
+   Samba client code always requests a forwardable ticket
+   when using Kerberos authentication. This means the
+   target server, which must be in the current or trusted
+   domain/realm, is given a valid general purpose Kerberos
+   "Ticket Granting Ticket" (TGT), which can be used to
+   fully impersonate the authenticated user or service.
+
+o  CVE-2016-2126
+   A remote, authenticated, attacker can cause the winbindd process
+   to crash using a legitimate Kerberos ticket due to incorrect
+   handling of the arcfour-hmac-md5 PAC checksum.
+
+   A local service with access to the winbindd privileged pipe can
+   cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.3.12:
+---------------------
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+     check_pac_checksum().
+
+
+</pre>
+</p>
+</body>
+</html>
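Review bot: the `<p>` opened just before `<pre>` is only closed after `</pre>`, and XHTML 1.0 Transitional (the doctype declared at the top) does not permit a block element such as `<pre>` inside `<p>`; drop the `<p>`/`</p>` pair around the release notes. The two `<br>` tags should be `<br />` under that doctype. In the Details section `o  CVE-2016-2123:` carries a trailing colon while `o  CVE-2016-2125` and `o  CVE-2016-2126` do not; make the three headings consistent.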
diff --git a/history/samba-4.4.8.html b/history/samba-4.4.8.html
new file mode 100644
index 0000000..9cf85bd
--- /dev/null
+++ b/history/samba-4.4.8.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.4.8 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.4.8 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.8.tar.gz">Samba 4.4.8 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.8.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.7-4.4.8.diffs.gz">Patch (gzipped) against Samba 4.4.7</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.7-4.4.8.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.4.8
+                         December 19, 2016
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+   Overflow Remote Code Execution Vulnerability).
+o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+   trusted realms).
+o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+   elevation).
+
+=======
+Details
+=======
+
+o  CVE-2016-2123:
+   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+   parses data from the Samba Active Directory ldb database.  Any user
+   who can write to the dnsRecord attribute over LDAP can trigger this
+   memory corruption.
+
+   By default, all authenticated LDAP users can write to the dnsRecord
+   attribute on new DNS objects. This makes the defect a remote privilege
+   escalation.
+
+o  CVE-2016-2125
+   Samba client code always requests a forwardable ticket
+   when using Kerberos authentication. This means the
+   target server, which must be in the current or trusted
+   domain/realm, is given a valid general purpose Kerberos
+   "Ticket Granting Ticket" (TGT), which can be used to
+   fully impersonate the authenticated user or service.
+
+o  CVE-2016-2126
+   A remote, authenticated, attacker can cause the winbindd process
+   to crash using a legitimate Kerberos ticket due to incorrect
+   handling of the arcfour-hmac-md5 PAC checksum.
+
+   A local service with access to the winbindd privileged pipe can
+   cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.4.7:
+--------------------
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+     check_pac_checksum().
+
+
+</pre>
+</p>
+</body>
+</html>
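Review bot: `A remote, authenticated, attacker can cause the winbindd process` has a stray comma (`A remote, authenticated attacker`), and `This is a security release in order to address` reads better as `to address`. The Details paragraphs repeat the advisory text but do not link to the three `security/CVE-2016-*.html` pages created in this same commit, so a reader of the release notes has no path to the Patch Availability and Workaround sections; adding those links would help administrators who cannot upgrade immediately. Same `<pre>`-inside-`<p>` and `<br>` markup issues as the 4.3.13 page.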
diff --git a/history/samba-4.5.3.html b/history/samba-4.5.3.html
new file mode 100644
index 0000000..71be68d
--- /dev/null
+++ b/history/samba-4.5.3.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.5.3 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.5.3 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.5.3.tar.gz">Samba 4.5.3 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.5.3.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.5.2-4.5.3.diffs.gz">Patch (gzipped) against Samba 4.5.2</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.5.2-4.5.3.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.5.3
+                          December 19, 2016
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+   Overflow Remote Code Execution Vulnerability).
+o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+   trusted realms).
+o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+   elevation).
+
+=======
+Details
+=======
+
+o  CVE-2016-2123:
+   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+   parses data from the Samba Active Directory ldb database.  Any user
+   who can write to the dnsRecord attribute over LDAP can trigger this
+   memory corruption.
+
+   By default, all authenticated LDAP users can write to the dnsRecord
+   attribute on new DNS objects. This makes the defect a remote privilege
+   escalation.
+
+o  CVE-2016-2125
+   Samba client code always requests a forwardable ticket
+   when using Kerberos authentication. This means the
+   target server, which must be in the current or trusted
+   domain/realm, is given a valid general purpose Kerberos
+   "Ticket Granting Ticket" (TGT), which can be used to
+   fully impersonate the authenticated user or service.
+
+o  CVE-2016-2126
+   A remote, authenticated, attacker can cause the winbindd process
+   to crash using a legitimate Kerberos ticket due to incorrect
+   handling of the arcfour-hmac-md5 PAC checksum.
+
+   A local service with access to the winbindd privileged pipe can
+   cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.5.2:
+--------------------
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+     check_pac_checksum().
+
+
+</pre>
+</p>
+</body>
+</html>
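Review bot: the date line `December 19, 2016` under the 4.5.3 banner is indented one space further than on the 4.4.8 page although the `=` rule above it is the same width, so it renders off-centre; only the 4.3.13 page, whose rule is one character wider, needs the extra space. Since the three release-notes pages differ only in version strings, generating them from one template or diffing them against each other before committing would catch this kind of drift, along with the markup issues shared with the other two pages.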
diff --git a/history/security.html b/history/security.html
index 72df46b..c484c78 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,27 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>19 Dec 2016</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.5.2-security-20016-12-19.patch">
+	patch for Samba 4.5.2</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.4.7-security-20016-12-19.patch">
+	patch for Samba 4.4.7</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.3.12-security-20016-12-19.patch">
+	patch for Samba 4.3.12</a><br />
+	<td>Numerous CVEs. Please see the announcements for details.
+	</td>
+	<td>please refer to the advisories</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2123">CVE-2016-2123</a>, 
+	    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125">CVE-2016-2125</a>, 
+	    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126">CVE-2016-2126</a>
+	</td>
+	<td><a href="/samba/security/CVE-2016-2123.html">Announcement</a>, 
+	    <a href="/samba/security/CVE-2016-2125.html">Announcement</a>, 
+	    <a href="/samba/security/CVE-2016-2126.html">Announcement</a>
+	</td>
+    </tr>
+
+    <tr>
 	<td>07 Jul 2016</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.4.4-CVE-2016-2119.patch">
 	patch for Samba 4.4.4</a><br />
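Review bot: the three patch URLs end in `-security-20016-12-19.patch`, a five-digit year; unless the files were really published under that name they will return 404 and should be `-security-2016-12-19.patch`. The patch cell is also never closed: `patch for Samba 4.3.12</a><br />` is followed directly by `<td>Numerous CVEs.`, so a `</td>` is missing before that line. Minor: `Numerous CVEs` is three CVEs, which are already listed two cells later, so the cell could simply name them.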
diff --git a/posted_news/20161219-081451.4.5.3.body.html b/posted_news/20161219-081451.4.5.3.body.html
new file mode 100644
index 0000000..8e5065b
--- /dev/null
+++ b/posted_news/20161219-081451.4.5.3.body.html
@@ -0,0 +1,29 @@
+<!-- BEGIN: posted_news/20161219-081451.4.5.3.body.html -->
+<h5><a name="4.5.3">19 December 2016</a></h5>
+<p class=headline>Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2016-2123.html">CVE-2016-2123</a>
+(Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability), 
+<a href="/samba/security/CVE-2016-2125.html">CVE-2016-2125</a>
+(Unconditional privilege delegation to Kerberos servers in trusted realms), 
+<a href="/samba/security/CVE-2016-2126.html">CVE-2016-2126</a>
+(Flaws in Kerberos PAC validation can trigger privilege elevation).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
+<br>
+The 4.5.3 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.5.3.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.5.2-4.5.3.diffs.gz">patch against Samba 4.5.2</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.5.3.html">the 4.5.3 release notes for more info</a>.
+<br>
+The 4.4.8 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.4.8.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.4.7-4.4.8.diffs.gz">patch against Samba 4.4.7</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.4.8.html">the 4.4.8 release notes for more info</a>.
+<br>
+The 4.3.13 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.3.13.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/patch-4.3.12-4.3.13.diffs.gz">patch against Samba 4.3.12</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.3.13.html">the 4.3.13 release notes for more info</a>.
+</p>
+<!-- END: posted_news/20161219-081451.4.5.3.body.html -->
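Review bot: the 4.3.13 patch link `https://download.samba.org/pub/samba/patches/patch-4.3.12-4.3.13.diffs.gz` does not follow the naming used by the other two links in this hunk (`samba-4.5.2-4.5.3.diffs.gz`, `samba-4.4.7-4.4.8.diffs.gz`) or by the 4.3.13 release-notes page added in this commit (`samba-4.3.12-4.3.13.diffs.gz`); it should almost certainly be `samba-4.3.12-4.3.13.diffs.gz`. Also `<p class=headline>` has an unquoted attribute value and the `<br>` tags are not self-closed, which matters if this fragment is included into the XHTML pages.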
diff --git a/posted_news/20161219-081451.4.5.3.headline.html b/posted_news/20161219-081451.4.5.3.headline.html
new file mode 100644
index 0000000..2d5acf0
--- /dev/null
+++ b/posted_news/20161219-081451.4.5.3.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20161219-081451.4.5.3.headline.html -->
+<li> 19 December 2016 <a href="#4.5.3">Samba 4.5.3, 4.4.8 and 4.3.13 Security
+Releases Available for Download</a></li>
+<!-- END: posted_news/20161219-081451.4.5.3.headline.html -->
diff --git a/security/CVE-2016-2123.html b/security/CVE-2016-2123.html
new file mode 100644
index 0000000..142d3ee
--- /dev/null
+++ b/security/CVE-2016-2123.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2016-2123.html:</H2>
+
+<p>
+<pre>
+======================================================================
+== Subject:     Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+==              Overflow Remote Code Execution Vulnerability
+==
+== CVE ID#:     CVE-2016-2123
+== ZDE ID#:     ZDI-CAN-3995
+==
+== Versions:    Samba 4.0.0 to 4.5.2
+==
+== Summary:     Authenicated users can supply malicious dnsRecord attributes
+==              on DNS objects and trigger a controlled memory corruption.
+==
+======================================================================
+
+===========
+Description
+===========
+
+The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+parses data from the Samba Active Directory ldb database.  Any user
+who can write to the dnsRecord attribute over LDAP can trigger this
+memory corruption.
+
+By default, all authenticated LDAP users can write to the dnsRecord
+attribute on new DNS objects. This makes the defect a remote privilege
+escalation.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+  https://www.samba.org/samba/security/
+
+Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
+security releases to correct the defect. Samba vendors and administrators
+running affected versions are advised to upgrade or apply the patch as
+soon as possible.
+
+==========
+Workaround
+==========
+
+It is possible to change the ntSecurityDescriptor on DNS zones, but
+this will impact on the expected behaviour of the AD Domain.
+
+=======
+Credits
+=======
+
+This vulnerability was detected and reported to the Samba developers
+by Trend Micro's Zero Day Initiative and Frederic Besler.
+</pre>
+</body>
+</html>
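Review bot: two typos in the advisory header: `== ZDE ID#:     ZDI-CAN-3995` should read `ZDI ID#` (Zero Day Initiative, matching the Credits section), and `Authenicated users` should be `Authenticated users`. The `<p>` opened before `<pre>` is never closed, and XHTML 1.0 does not allow `<pre>` inside `<p>` at all; remove the `<p>` or close it after `</pre>`. The Workaround section says changing the ntSecurityDescriptor on DNS zones `will impact on the expected behaviour of the AD Domain` without saying what stops working; one sentence on the concrete effect would let administrators weigh the workaround against patching.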
diff --git a/security/CVE-2016-2125.html b/security/CVE-2016-2125.html
new file mode 100644
index 0000000..c46e3aa
--- /dev/null
+++ b/security/CVE-2016-2125.html
@@ -0,0 +1,131 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2016-2125.html:</H2>
+
+<p>
+<pre>
+===============================================================================
+== Subject:     Unconditional privilege delegation to Kerberos servers in trusted realms
+==
+== CVE ID#:     CVE-2016-2125
+==
+== Versions:    Samba 3.0.25 to 4.5.2
+==
+== Summary:     Samba client code always requests a forwardable ticket
+==              when using Kerberos authentication. This means the
+==              target server, which must be in the current or trusted
+==              domain/realm, is given a valid general purpose Kerberos
+==              "Ticket Granting Ticket" (TGT), which can be used to
+==              fully impersonate the authenticated user or service.
+==
+================================================================================
+
+===========
+Description
+===========
+
+The Samba client code always requests a forwardable Kerberos ticket when
+performing Kerberos authentication by passing the GSS_C_DELEG_FLAG to the
+gss_init_sec_context() GSSAPI function.
+
+The use of GSS_C_DELEG_FLAG, if accepted by the Kerberos KDC, results in
+passing the forwardable TGT to the remote target service via Kerberos AP-REQ.
+The target service by design must be part of the same or a trusted Kerberos
+realm (a domain in the same or trusted Active Directory forest).
+
+The service that accepts the AP-REQ from the client can thus do whatever the
+client is also able to achieve with the Kerberos TGT.
+
+The risks of impersonation of the client are similar to the well known risks
+from forwarding of NTLM credentials, with two important differences:
+ - NTLM forwarding can and should be mitigated with packet signing
+ - Kerberos forwarding can only be attempted after the trusted
+   destination server decrypts the ticket.
+
+Finally, it should be noted that typically the connections involved
+are either explicitly requested, or are between or to Domain


-- 
Samba Website Repository


