[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Thu Jul 7 08:52:07 UTC 2016
The branch, master has been updated
via 04fdfc9 NEWS[4.4.5]: Samba 4.4.5, 4.3.11 and 4.2.14 Security Releases Available for Download
from 2b8aaa8 um support site: add some space for beauty
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 04fdfc98b8e1dca82fe63c0f8e528612ad618f9d
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Jul 5 09:39:28 2016 +0200
NEWS[4.4.5]: Samba 4.4.5, 4.3.11 and 4.2.14 Security Releases Available for Download
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 3 +
history/samba-4.2.14.html | 91 +++++++++++++++++++++++
history/samba-4.3.11.html | 72 +++++++++++++++++++
history/samba-4.4.5.html | 72 +++++++++++++++++++
history/security.html | 17 +++++
posted_news/20160706-094231.4.4.5.body.html | 25 +++++++
posted_news/20160706-094231.4.4.5.headline.html | 3 +
posted_news/20160706-094241.4.3.11.body.html | 13 ++++
posted_news/20160706-094241.4.3.11.headline.html | 3 +
security/CVE-2016-2119.html | 92 ++++++++++++++++++++++++
10 files changed, 391 insertions(+)
create mode 100755 history/samba-4.2.14.html
create mode 100644 history/samba-4.3.11.html
create mode 100644 history/samba-4.4.5.html
create mode 100644 posted_news/20160706-094231.4.4.5.body.html
create mode 100644 posted_news/20160706-094231.4.4.5.headline.html
create mode 100644 posted_news/20160706-094241.4.3.11.body.html
create mode 100644 posted_news/20160706-094241.4.3.11.headline.html
create mode 100644 security/CVE-2016-2119.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index a95423d..ffc0cc2 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,11 +9,13 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.4.5.html">samba-4.4.5</a></li>
<li><a href="samba-4.4.4.html">samba-4.4.4</a></li>
<li><a href="samba-4.4.3.html">samba-4.4.3</a></li>
<li><a href="samba-4.4.2.html">samba-4.4.2</a></li>
<li><a href="samba-4.4.1.html">samba-4.4.1 (do not use)</a></li>
<li><a href="samba-4.4.0.html">samba-4.4.0</a></li>
+ <li><a href="samba-4.3.11.html">samba-4.3.11</a></li>
<li><a href="samba-4.3.10.html">samba-4.3.10</a></li>
<li><a href="samba-4.3.9.html">samba-4.3.9</a></li>
<li><a href="samba-4.3.8.html">samba-4.3.8</a></li>
@@ -25,6 +27,7 @@
<li><a href="samba-4.3.2.html">samba-4.3.2</a></li>
<li><a href="samba-4.3.1.html">samba-4.3.1</a></li>
<li><a href="samba-4.3.0.html">samba-4.3.0</a></li>
+ <li><a href="samba-4.2.14.html">samba-4.2.14</a></li>
<li><a href="samba-4.2.13.html">samba-4.2.13</a></li>
<li><a href="samba-4.2.12.html">samba-4.2.12</a></li>
<li><a href="samba-4.2.11.html">samba-4.2.11</a></li>
diff --git a/history/samba-4.2.14.html b/history/samba-4.2.14.html
new file mode 100755
index 0000000..950d4c1
--- /dev/null
+++ b/history/samba-4.2.14.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 4.2.14 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.2.14
+ July 07, 2016
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o CVE-2016-2119:
+ It's possible for an attacker to downgrade the required signing for
+ an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+ or SMB2_SESSION_FLAG_IS_NULL flags.
+
+ This means that the attacker can impersonate a server being connected to by
+ Samba, and return malicious results.
+
+ The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+ to domain controllers as a member server, and trusted domains as a domain
+ controller. These DCE/RPC connections were intended to protected by the
+ combination of "client ipc signing" and
+ "client ipc max protocol" in their effective default settings
+ ("mandatory" and "SMB3_11").
+
+ Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+ over SMB2/3 connections.
+
+ By default, other tools in Samba are unprotected, but rarely they are
+ configured to use smb signing, via the "client signing" parameter (the default
+ is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
+ rather than the NT1 default.
+
+ If both these conditions are met, then this issue would also apply to these
+ other tools, including command line tools like smbcacls, smbcquota, smbclient,
+ smbget and applications using libsmbclient.
+
+
+Changes since 4.2.13:
+---------------------
+
+o Amitay Isaacs <amitay at gmail.com>
+ * BUG 11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel).
+ * BUG 11770: ctdb-common: For AF_PACKET socket types, protocol is in network
+ order.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+ * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.3.11.html b/history/samba-4.3.11.html
new file mode 100644
index 0000000..2c5bb93
--- /dev/null
+++ b/history/samba-4.3.11.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.3.11 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.3.11 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.3.11.tar.gz">Samba 4.3.11 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.3.11.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.3.10-4.3.11.diffs.gz">Patch (gzipped) against Samba 4.3.10</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.3.10-4.3.11.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.3.11
+ July 07, 2016
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o CVE-2016-2119:
+ It's possible for an attacker to downgrade the required signing for
+ an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+ or SMB2_SESSION_FLAG_IS_NULL flags.
+
+ This means that the attacker can impersonate a server being connected to by
+ Samba, and return malicious results.
+
+ The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+ to domain controllers as a member server, and trusted domains as a domain
+ controller. These DCE/RPC connections were intended to protected by the
+ combination of "client ipc signing" and
+ "client ipc max protocol" in their effective default settings
+ ("mandatory" and "SMB3_11").
+
+ Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+ over SMB2/3 connections.
+
+ By default, other tools in Samba are unprotected, but rarely they are
+ configured to use smb signing, via the "client signing" parameter (the default
+ is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
+ rather than the NT1 default.
+
+ If both these conditions are met, then this issue would also apply to these
+ other tools, including command line tools like smbcacls, smbcquota, smbclient,
+ smbget and applications using libsmbclient.
+
+
+Changes since 4.3.10:
+--------------------
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+ * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.4.5.html b/history/samba-4.4.5.html
new file mode 100644
index 0000000..cbc2929
--- /dev/null
+++ b/history/samba-4.4.5.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.4.5 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.4.5 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.5.tar.gz">Samba 4.4.5 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.5.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.4-4.4.5.diffs.gz">Patch (gzipped) against Samba 4.4.4</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.4-4.4.5.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.4.5
+ July 7, 2016
+ =============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o CVE-2016-2119:
+ It's possible for an attacker to downgrade the required signing for
+ an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+ or SMB2_SESSION_FLAG_IS_NULL flags.
+
+ This means that the attacker can impersonate a server being connected to by
+ Samba, and return malicious results.
+
+ The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+ to domain controllers as a member server, and trusted domains as a domain
+ controller. These DCE/RPC connections were intended to protected by the
+ combination of "client ipc signing" and
+ "client ipc max protocol" in their effective default settings
+ ("mandatory" and "SMB3_11").
+
+ Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+ over SMB2/3 connections.
+
+ By default, other tools in Samba are unprotected, but rarely they are
+ configured to use smb signing, via the "client signing" parameter (the default
+ is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
+ rather than the NT1 default.
+
+ If both these conditions are met, then this issue would also apply to these
+ other tools, including command line tools like smbcacls, smbcquota, smbclient,
+ smbget and applications using libsmbclient.
+
+
+Changes since 4.4.4:
+--------------------
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+ * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index ce0e040..72df46b 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,23 @@ link to full release notes for each release.</p>
</tr>
<tr>
+ <td>07 Jul 2016</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.4.4-CVE-2016-2119.patch">
+ patch for Samba 4.4.4</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.3.10-CVE-2016-2119.patch">
+ patch for Samba 4.3.10</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.2.13-CVE-2016-2119.patch">
+ patch for Samba 4.2.13</a><br />
+ <td>Client side SMB2/3 required signing can be downgraded.
+ </td>
+ <td>4.0.0 - 4.4.4</td>
+ <td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2119">CVE-2016-2119</a>
+ </td>
+ <td><a href="/samba/security/CVE-2016-2119.html">Announcement</a>
+ </td>
+ </tr>
+
+ <tr>
<td>12 Apr 2016</td>
<td><a href="/samba/ftp/patches/security/samba-4.4.0-security-2016-04-12-final.patch">
patch for Samba 4.4.0</a><br />
diff --git a/posted_news/20160706-094231.4.4.5.body.html b/posted_news/20160706-094231.4.4.5.body.html
new file mode 100644
index 0000000..0afd5e3
--- /dev/null
+++ b/posted_news/20160706-094231.4.4.5.body.html
@@ -0,0 +1,25 @@
+<!-- BEGIN: posted_news/20160706-094231.4.4.5.body.html -->
+<h5><a name="4.4.5">07 July 2016</a></h5>
+<p class=headline>Samba 4.4.5, 4.3.11 and 4.2.14 Security Releases Available for Download</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2016-2119.html">CVE-2016-2119</a>
+(Client side SMB2/3 required signing can be downgraded).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6568B7EA).
+<br>
+The 4.4.5 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.4.5.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.4.4-4.4.5.diffs.gz">patch against Samba 4.4.4</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.4.5.html">the release notes for more info</a>.
+<br>
+The 4.3.11 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.3.11.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.3.10-4.3.11.diffs.gz">patch against Samba 4.3.10</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.3.11.html">the release notes for more info</a>.
+<br>
+The 4.2.14 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.2.14.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.2.13-4.2.14.diffs.gz">patch against Samba 4.2.13</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.2.14.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20160706-094231.4.4.5.body.html -->
diff --git a/posted_news/20160706-094231.4.4.5.headline.html b/posted_news/20160706-094231.4.4.5.headline.html
new file mode 100644
index 0000000..70970b3
--- /dev/null
+++ b/posted_news/20160706-094231.4.4.5.headline.html
@@ -0,0 +1,3 @@
+<!-- BEGIN: posted_news/20160706-094231.4.4.5.headline.html -->
+<li> 06 July 2016 <a href="#4.4.5">Samba 4.4.5 Available for Download</a></li>
+<!-- END: posted_news/20160706-094231.4.4.5.headline.html -->
diff --git a/posted_news/20160706-094241.4.3.11.body.html b/posted_news/20160706-094241.4.3.11.body.html
new file mode 100644
index 0000000..1c56347
--- /dev/null
+++ b/posted_news/20160706-094241.4.3.11.body.html
@@ -0,0 +1,13 @@
+<!-- BEGIN: posted_news/20160706-094241.4.3.11.body.html -->
+<h5><a name="4.3.11">06 July 2016</a></h5>
+<p class=headline>Samba 4.3.11 Available for Download</p>
+<p>
+This is the latest stable release of the Samba 4.3 release series.
+</p>
+<p>
+The uncompressed tarball has been signed using GnuPG (ID 6568B7EA).
+The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.3.11.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.3.10-4.3.11.diffs.gz">patch against Samba 4.3.10</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.3.11.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20160706-094241.4.3.11.body.html -->
diff --git a/posted_news/20160706-094241.4.3.11.headline.html b/posted_news/20160706-094241.4.3.11.headline.html
new file mode 100644
index 0000000..cae3d3c
--- /dev/null
+++ b/posted_news/20160706-094241.4.3.11.headline.html
@@ -0,0 +1,3 @@
+<!-- BEGIN: posted_news/20160706-094241.4.3.11.headline.html -->
+<li> 06 July 2016 <a href="#4.3.11">Samba 4.3.11 Available for Download</a></li>
+<!-- END: posted_news/20160706-094241.4.3.11.headline.html -->
diff --git a/security/CVE-2016-2119.html b/security/CVE-2016-2119.html
new file mode 100644
index 0000000..9c061b6
--- /dev/null
+++ b/security/CVE-2016-2119.html
@@ -0,0 +1,92 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2016-2119.html:</H2>
+
+<p>
+<pre>
+=====================================================================
+== Subject: Client side SMB2/3 required signing can be downgraded
+==
+== CVE ID#: CVE-2016-2119
+==
+== Versions: Samba 4.0.0 to 4.4.4
+==
+== Summary: A man in the middle attack can disable client signing
+== over SMB2/3, even if enforced by configuration
+== parameters.
+==
+=====================================================================
+
+===========
+Description
+===========
+
+It's possible for an attacker to downgrade the required signing for
+an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+or SMB2_SESSION_FLAG_IS_NULL flags.
+
+This means that the attacker can impersonate a server being connected to by
+Samba, and return malicious results.
+
+The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+to domain controllers as a member server, and trusted domains as a domain
+controller. These DCE/RPC connections were intended to protected by the
+combination of "client ipc signing" and
+"client ipc max protocol" in their effective default settings
+("mandatory" and "SMB3_11").
+
+Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+over SMB2/3 connections.
+
+By default, other tools in Samba are unprotected, but rarely they are
+configured to use smb signing, via the "client signing" parameter (the default
+is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
+rather than the NT1 default.
+
+If both these conditions are met, then this issue would also apply to these
+other tools, including command line tools like smbcacls, smbcquota, smbclient,
+smbget and applications using libsmbclient.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.4.5, 4.3.11 and 4.2.14 have been issued as
+security releases to correct the defect. Samba vendors and administrators
+running affected versions are advised to upgrade or apply the patch as
+soon as possible.
+
+==========
+Workaround
+==========
+
+Setting "client ipc max protocol = NT1".
+
+If "client signing" is set to "mandatory"/"required",
+remove an explicit setting of "client max protocol", which will default
+to "NT1".
+
+These changes should be reverted once the security fixes are applied.
+
+=======
+Credits
+=======
+
+This vulnerability was discovered and researched by Stefan Metzmacher of
+SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
+he also provides the fixes.
+</pre>
+</body>
+</html>
--
Samba Website Repository
More information about the samba-cvs
mailing list