[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Thu Mar 23 08:50:37 UTC 2017


The branch, master has been updated
       via  358e1a3 NEWS[4.6.1]: Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
      from  68ec05c update archives site

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 358e1a36512d38b5acc4fb4dbc390a621d3f6b83
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Mar 23 09:20:22 2017 +0100

    NEWS[4.6.1]: Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                     |  3 +
 history/samba-4.4.12.html                       | 70 +++++++++++++++++++
 history/samba-4.5.7.html                        | 70 +++++++++++++++++++
 history/samba-4.6.1.html                        | 70 +++++++++++++++++++
 history/security.html                           | 17 +++++
 posted_news/20170323-082106.4.6.1.body.html     | 22 ++++++
 posted_news/20170323-082106.4.6.1.headline.html |  4 ++
 security/CVE-2017-2619.html                     | 93 +++++++++++++++++++++++++
 8 files changed, 349 insertions(+)
 create mode 100644 history/samba-4.4.12.html
 create mode 100644 history/samba-4.5.7.html
 create mode 100644 history/samba-4.6.1.html
 create mode 100644 posted_news/20170323-082106.4.6.1.body.html
 create mode 100644 posted_news/20170323-082106.4.6.1.headline.html
 create mode 100644 security/CVE-2017-2619.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 46b504a..ffb1956 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,7 +9,9 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.6.1.html">samba-4.6.1</a></li>
 			<li><a href="samba-4.6.0.html">samba-4.6.0</a></li>
+			<li><a href="samba-4.5.7.html">samba-4.5.7</a></li>
 			<li><a href="samba-4.5.6.html">samba-4.5.6</a></li>
 			<li><a href="samba-4.5.5.html">samba-4.5.5</a></li>
 			<li><a href="samba-4.5.4.html">samba-4.5.4</a></li>
@@ -17,6 +19,7 @@
 			<li><a href="samba-4.5.2.html">samba-4.5.2</a></li>
 			<li><a href="samba-4.5.1.html">samba-4.5.1</a></li>
 			<li><a href="samba-4.5.0.html">samba-4.5.0</a></li>
+			<li><a href="samba-4.4.12.html">samba-4.4.12</a></li>
 			<li><a href="samba-4.4.11.html">samba-4.4.11</a></li>
 			<li><a href="samba-4.4.10.html">samba-4.4.10</a></li>
 			<li><a href="samba-4.4.9.html">samba-4.4.9</a></li>
diff --git a/history/samba-4.4.12.html b/history/samba-4.4.12.html
new file mode 100644
index 0000000..935090e
--- /dev/null
+++ b/history/samba-4.4.12.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.4.12 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.4.12 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.12.tar.gz">Samba 4.4.12 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.4.12.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.11-4.4.12.diffs.gz">Patch (gzipped) against Samba 4.4.11</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.4.11-4.4.12.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.4.12
+                           March 23, 2017
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2017-2619 (Symlink race allows access outside share definition)
+
+=======
+Details
+=======
+
+o  CVE-2017-2619:
+   All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
+   a malicious client using a symlink race to allow access to areas of
+   the server file system not exported under the share definition.
+
+   Samba uses the realpath() system call to ensure when a client requests
+   access to a pathname that it is under the exported share path on the
+   server file system.
+
+   Clients that have write access to the exported part of the file system
+   via SMB1 unix extensions or NFS to create symlinks can race the server
+   by renaming a realpath() checked path and then creating a symlink. If
+   the client wins the race it can cause the server to access the new
+   symlink target after the exported share path check has been done. This
+   new symlink target can point to anywhere on the server file system.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race reliably only when
+   the server is slowed down using the strace utility running on the
+   server. Exploitation of this bug has not been seen in the wild.
+
+
+Changes since 4.4.11:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+
+</pre>
+</p>
+</body>
+</html>
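Review bot: The Details paragraph gives the fixed versions as "4.6.1, 4.5.7, 4.4.11", but this page is the 4.4.12 release note and lists the fix under "Changes since 4.4.11", so 4.4.11 is an affected release, not a fixed one. Change the last value to 4.4.12, matching the history/security.html row and security/CVE-2017-2619.html added in this same commit; as written, an administrator running 4.4.11 could read the host as already patched.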
diff --git a/history/samba-4.5.7.html b/history/samba-4.5.7.html
new file mode 100644
index 0000000..48a72d3
--- /dev/null
+++ b/history/samba-4.5.7.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.5.7 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.5.7 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.5.7.tar.gz">Samba 4.5.7 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.5.7.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.5.6-4.5.7.diffs.gz">Patch (gzipped) against Samba 4.5.6</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.5.6-4.5.7.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.5.7
+                           March 23, 2017
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2017-2619 (Symlink race allows access outside share definition)
+
+=======
+Details
+=======
+
+o  CVE-2017-2619:
+   All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
+   a malicious client using a symlink race to allow access to areas of
+   the server file system not exported under the share definition.
+
+   Samba uses the realpath() system call to ensure when a client requests
+   access to a pathname that it is under the exported share path on the
+   server file system.
+
+   Clients that have write access to the exported part of the file system
+   via SMB1 unix extensions or NFS to create symlinks can race the server
+   by renaming a realpath() checked path and then creating a symlink. If
+   the client wins the race it can cause the server to access the new
+   symlink target after the exported share path check has been done. This
+   new symlink target can point to anywhere on the server file system.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race reliably only when
+   the server is slowed down using the strace utility running on the
+   server. Exploitation of this bug has not been seen in the wild.
+
+
+Changes since 4.5.6:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+
+</pre>
+</p>
+</body>
+</html>
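Review bot: The Details paragraph repeats "prior to 4.6.1, 4.5.7, 4.4.11"; the last value should be 4.4.12, as stated in history/security.html and security/CVE-2017-2619.html in this commit. Separately, the "<pre>" block is nested inside "<p>", which the declared XHTML 1.0 Transitional doctype does not permit; dropping the surrounding "<p>" and "</p>" keeps the page valid.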
diff --git a/history/samba-4.6.1.html b/history/samba-4.6.1.html
new file mode 100644
index 0000000..82f903d
--- /dev/null
+++ b/history/samba-4.6.1.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.6.1 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.6.1 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.6.1.tar.gz">Samba 4.6.1 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.6.1.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.6.0-4.6.1.diffs.gz">Patch (gzipped) against Samba 4.6.0</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.6.0-4.6.1.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.6.1
+                           March 23, 2017
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2017-2619 (Symlink race allows access outside share definition)
+
+=======
+Details
+=======
+
+o  CVE-2017-2619:
+   All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
+   a malicious client using a symlink race to allow access to areas of
+   the server file system not exported under the share definition.
+
+   Samba uses the realpath() system call to ensure when a client requests
+   access to a pathname that it is under the exported share path on the
+   server file system.
+
+   Clients that have write access to the exported part of the file system
+   via SMB1 unix extensions or NFS to create symlinks can race the server
+   by renaming a realpath() checked path and then creating a symlink. If
+   the client wins the race it can cause the server to access the new
+   symlink target after the exported share path check has been done. This
+   new symlink target can point to anywhere on the server file system.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race reliably only when
+   the server is slowed down using the strace utility running on the
+   server. Exploitation of this bug has not been seen in the wild.
+
+
+Changes since 4.6.0:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+
+</pre>
+</p>
+</body>
+</html>
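Review bot: The affected-version sentence in Details reads "prior to 4.6.1, 4.5.7, 4.4.11", which disagrees with the "4.4.12" given in the advisory and the security.html table row added by this commit. Correct it to 4.4.12 here as well so all three release notes and the advisory state the same fixed versions.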
diff --git a/history/security.html b/history/security.html
index c484c78..13e743d 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,23 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>23 Mar 2017</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.6.0-CVE-2017-2619.patch">
+	patch for Samba 4.6.0</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.5.6-CVE-2017-2619.patch">
+	patch for Samba 4.5.6</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.4.11-CVE-2017-2619.patch">
+	patch for Samba 4.4.11</a><br />
+	<td>Symlink race allows access outside share definition.
+	</td>
+	<td>All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619">CVE-2017-2619</a>
+	</td>
+	<td><a href="/samba/security/CVE-2017-2619.html">Announcement</a>
+	</td>
+    </tr>
+
+    <tr>
 	<td>19 Dec 2016</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.5.2-security-20016-12-19.patch">
 	patch for Samba 4.5.2</a><br />
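Review bot: The first cell of the new row is never closed: after "patch for Samba 4.4.11</a><br />" the next line opens "<td>Symlink race allows access outside share definition." with no "</td>" in between. Add "</td>" after the last patch link so the description, affected-versions, CVE and announcement cells do not depend on the browser's error recovery to land in the right columns.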
diff --git a/posted_news/20170323-082106.4.6.1.body.html b/posted_news/20170323-082106.4.6.1.body.html
new file mode 100644
index 0000000..dec66e5
--- /dev/null
+++ b/posted_news/20170323-082106.4.6.1.body.html
@@ -0,0 +1,22 @@
+<!-- BEGIN: posted_news/20170323-082106.4.6.1.body.html -->
+<h5><a name="4.6.1">23 March 2017</a></h5>
+<p class=headline>Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download</p>
+<p>
+These are Security Releases in order to address 
+<a href="/samba/security/CVE-2017-2619.html">CVE-2017-2619</a> (Symlink race allows access outside share definition).
+</p>
+<p>
+The uncompressed Samba tarballs have been signed using GnuPG (ID 6568B7EA).<br>
+The 4.6.1 source code can be <a	href="https://download.samba.org/pub/samba/stable/samba-4.6.1.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.6.0-4.6.1.diffs.gz">patch against Samba 4.6.0</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.6.1.html">the 4.6.1 release notes for more info</a>.
+<br>
+The 4.5.7 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.5.7.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/patch-4.5.6-4.5.7.diffs.gz">patch against Samba 4.5.6</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.5.7.html">the 4.5.7 release notes for more info</a>.
+<br>
+The 4.4.12 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.4.12.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/patch-4.4.11-4.4.12.diffs.gz">patch against Samba 4.4.11</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.4.11.html">the 4.4.11 release notes for more info</a>.
+</p>
+<!-- END: posted_news/20170323-082106.4.6.1.body.html -->
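Review bot: The 4.4.12 paragraph links to history/samba-4.4.11.html with the text "the 4.4.11 release notes"; it should point to samba-4.4.12.html, the file this commit creates. The 4.5.7 and 4.4.12 patch links use patches/patch-4.5.6-4.5.7.diffs.gz and patches/patch-4.4.11-4.4.12.diffs.gz, while the 4.6.1 link here and the release-note pages in this commit use the samba-<old>-<new>.diffs.gz form, so one of the two forms is probably a dead link to a security patch. The signing key is given only as the short ID 6568B7EA; listing the full fingerprint would let readers verify the tarball signature without relying on a 32-bit ID.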
diff --git a/posted_news/20170323-082106.4.6.1.headline.html b/posted_news/20170323-082106.4.6.1.headline.html
new file mode 100644
index 0000000..203e774
--- /dev/null
+++ b/posted_news/20170323-082106.4.6.1.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20170323-082106.4.6.1.headline.html -->
+<li> 23 March 2017 <a href="#4.6.1">Samba 4.6.1, 4.5.7 and 4.4.12 Security
+	Releases Available for Download</a></li>
+<!-- END: posted_news/20170323-082106.4.6.1.headline.html -->
diff --git a/security/CVE-2017-2619.html b/security/CVE-2017-2619.html
new file mode 100644
index 0000000..db8fc8f
--- /dev/null
+++ b/security/CVE-2017-2619.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2017-2619.html:</H2>
+
+<p>
+<pre>
+====================================================================
+== Subject:     Symlink race allows access outside share definition.
+==
+== CVE ID#:     CVE-2017-2619
+==
+== Versions:    All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12
+==
+== Summary:     A time-of-check, time-of-use race condition
+==		can allow clients to access non-exported parts
+==		of the file system via symlinks.
+==
+====================================================================
+
+===========
+Description
+===========
+
+All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
+a malicious client using a symlink race to allow access to areas of
+the server file system not exported under the share definition.
+
+Samba uses the realpath() system call to ensure when a client requests
+access to a pathname that it is under the exported share path on the
+server file system.
+
+Clients that have write access to the exported part of the file system
+via SMB1 unix extensions or NFS to create symlinks can race the server
+by renaming a realpath() checked path and then creating a symlink. If
+the client wins the race it can cause the server to access the new
+symlink target after the exported share path check has been done. This
+new symlink target can point to anywhere on the server file system.
+
+This is a difficult race to win, but theoretically possible. Note that
+the proof of concept code supplied wins the race reliably only when
+the server is slowed down using the strace utility running on the
+server. Exploitation of this bug has not been seen in the wild.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 4.6.1, 4.5.7 and 4.4.12 have been issued as
+security releases to correct the defect. Patches against older Samba
+versions are available at http://samba.org/samba/patches/. Samba
+vendors and administrators running affected versions are advised to
+upgrade or apply the patch as soon as possible.
+
+==========
+Workaround
+==========
+
+Add the parameter:
+
+unix extensions = no
+
+to the [global] section of your smb.conf and restart smbd. This
+prevents SMB1 clients from creating symlinks on the exported file
+system using SMB1.
+
+However, if the same region of the file system is also exported using
+NFS, NFS clients can create symlinks that potentially can also hit the
+race condition. For non-patched versions of Samba we recommend only
+exporting areas of the file system by either SMB or NFS, not both.
+
+=======
+Credits
+=======
+
+This problem was found by Jann Horn of Google. Jeremy Allison, of
+Google and the Samba Team, and Ralph Boehme of SerNet and the Samba
+Team provided the fix. Code review was performed by Uri Simchoni of
+CTERA Networks and the Samba Team.
+</pre>
+</body>
+</html>
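Review bot: The Patch Availability section points readers to http://www.samba.org/samba/security/ and http://samba.org/samba/patches/ over plain http, while the release-note pages in this commit link downloads through https://download.samba.org; use https here too, since this is the page administrators follow to fetch the security patch. Also, the "<p>" opened before "<pre>" is never closed ("</pre>" is followed directly by "</body>"), and the heading "CVE-2017-2619.html:" shows the file name rather than the advisory subject.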


-- 
Samba Website Repository


