[SCM] Samba Shared Repository - branch v4-6-stable updated

Stefan Metzmacher metze at samba.org
Wed Jul 12 11:32:00 UTC 2017


The branch, v4-6-stable has been updated
       via  55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103
       via  64a40b5 WHATSNEW: Add release notes for Samba 4.6.6.
       via  9b0972c CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
       via  553433a VERSION: Bump version up to 4.6.6...
      from  1d13a64 VERSION: Disable GIT_SNAPSHOTS for the 4.6.5 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable


- Log -----------------------------------------------------------------
commit 55d71509595075a17eb2baf0d89c4801ba2f03f3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 12 15:07:52 2017 +1200

    VERSION: Release Samba 4.6.6 for CVE-2017-11103
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 64a40b5f64a849c754cfd3ef9d3d59b9ccf67013
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 12 15:06:31 2017 +1200

    WHATSNEW: Add release notes for Samba 4.6.6.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9b0972c8e429fee8e15f23ab508a9f0729a4e0b6
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date:   Wed Apr 12 15:40:42 2017 -0400

    CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
    
    In _krb5_extract_ticket() the KDC-REP service name must be obtained from
    encrypted version stored in 'enc_part' instead of the unencrypted version
    stored in 'ticket'.  Use of the unecrypted version provides an
    opportunity for successful server impersonation and other attacks.
    
    Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
    
    Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
    (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                           |  2 +-
 WHATSNEW.txt                      | 57 +++++++++++++++++++++++++++++++++++++--
 source4/heimdal/lib/krb5/ticket.c |  4 +--
 3 files changed, 58 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 8ed646d..8fc1d16 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ab2182c..75d90b7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,57 @@
                    =============================
+                   Release Notes for Samba 4.6.6
+                            July 12, 2017
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass)
+
+=======
+Details
+=======
+
+o  CVE-2017-11103 (Heimdal):
+   All versions of Samba from 4.0.0 onwards using embedded Heimdal
+   Kerberos are vulnerable to a man-in-the-middle attack impersonating
+   a trusted server, who may gain elevated access to the domain by
+   returning malicious replication or authorization data.
+
+   Samba binaries built against MIT Kerberos are not vulnerable.
+
+
+Changes since 4.6.5:
+---------------------
+
+o  Jeffrey Altman <jaltman at secure-endpoints.com>
+   * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.6.5
                             June 6, 2017
                    =============================
@@ -78,8 +131,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.6.4
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 064bbfb..5a317c7 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){


-- 
Samba Shared Repository



More information about the samba-cvs mailing list