[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Mon Apr 8 07:46:25 UTC 2019


The branch, master has been updated
       via  8c610e9 Announce Samba 4.10.2, 4.9.6 and 4.8.11 security releases.
      from  9d7be7c Add Samba 4.8.10.

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8c610e9b7043eac634a80582395c85b8393f2a67
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Apr 8 09:05:03 2019 +0200

    Announce Samba 4.10.2, 4.9.6 and 4.8.11 security releases.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |   3 +
 history/samba-4.10.2.html                        |  61 +++++++++++++
 history/samba-4.8.11.html                        |  53 +++++++++++
 history/samba-4.9.6.html                         |  61 +++++++++++++
 history/security.html                            |  20 +++++
 posted_news/20190408-073430.4.10.2.body.html     |  23 +++++
 posted_news/20190408-073430.4.10.2.headline.html |   4 +
 security/CVE-2019-3870.html                      | 100 +++++++++++++++++++++
 security/CVE-2019-3880.html                      | 110 +++++++++++++++++++++++
 9 files changed, 435 insertions(+)
 create mode 100644 history/samba-4.10.2.html
 create mode 100644 history/samba-4.8.11.html
 create mode 100644 history/samba-4.9.6.html
 create mode 100644 posted_news/20190408-073430.4.10.2.body.html
 create mode 100644 posted_news/20190408-073430.4.10.2.headline.html
 create mode 100644 security/CVE-2019-3870.html
 create mode 100644 security/CVE-2019-3880.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index e4d6dd5..0751325 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,14 +9,17 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.10.2.html">samba-4.10.2</a></li>
 			<li><a href="samba-4.10.1.html">samba-4.10.1</a></li>
 			<li><a href="samba-4.10.0.html">samba-4.10.0</a></li>
+			<li><a href="samba-4.9.6.html">samba-4.9.6</a></li>
 			<li><a href="samba-4.9.5.html">samba-4.9.5</a></li>
 			<li><a href="samba-4.9.4.html">samba-4.9.4</a></li>
 			<li><a href="samba-4.9.3.html">samba-4.9.3</a></li>
 			<li><a href="samba-4.9.2.html">samba-4.9.2</a></li>
 			<li><a href="samba-4.9.1.html">samba-4.9.1</a></li>
 			<li><a href="samba-4.9.0.html">samba-4.9.0</a></li>
+			<li><a href="samba-4.8.11.html">samba-4.8.11</a></li>
 			<li><a href="samba-4.8.10.html">samba-4.8.10</a></li>
 			<li><a href="samba-4.8.9.html">samba-4.8.9</a></li>
 			<li><a href="samba-4.8.8.html">samba-4.8.8</a></li>
diff --git a/history/samba-4.10.2.html b/history/samba-4.10.2.html
new file mode 100644
index 0000000..a5b5caa
--- /dev/null
+++ b/history/samba-4.10.2.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.10.2 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.10.2 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.2.tar.gz">Samba 4.10.2 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.2.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.1-4.10.2.diffs.gz">Patch (gzipped) against Samba 4.10.1</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.1-4.10.2.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.10.2
+                           April 8, 2019
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
+o  CVE-2019-3880 (Save registry file outside share as unprivileged user)
+
+
+=======
+Details
+=======
+
+o  CVE-2019-3870:
+   During the provision of a new Active Directory DC, some files in the private/
+   directory are created world-writable.
+
+o  CVE-2019-3880:
+   Authenticated users with write permission can trigger a symlink traversal to
+   write or detect files outside the Samba share.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.10.1:
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
+     smbd.mkdir().
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
+     SaveKey/RestoreKey.
+
+
+</pre>
+</p>
+</body>
+</html>
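Review bot: In the "Changes since 4.10.1" list, the BUG 13851 entry is tagged CVE-2018-14629, but the winreg SaveKey/RestoreKey removal is the fix for the defect these notes announce as CVE-2019-3880 (Save registry file outside share as unprivileged user). As written, CVE-2019-3880 is listed under Details but never appears in the changelog, so anyone searching the notes by CVE ID will not find the fix; the entry should read "BUG 13851: CVE-2019-3880: rpc: winreg: Remove implementations of SaveKey/RestoreKey." A smaller point: the <pre> block is nested inside <p>, which the XHTML 1.0 Transitional doctype declared at the top does not allow.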
diff --git a/history/samba-4.8.11.html b/history/samba-4.8.11.html
new file mode 100644
index 0000000..5be432b
--- /dev/null
+++ b/history/samba-4.8.11.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.8.11 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.8.11 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.8.11.tar.gz">Samba 4.8.11 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.8.11.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.8.10-4.8.11.diffs.gz">Patch (gzipped) against Samba 4.8.10</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.8.10-4.8.11.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.8.11
+                           April 8, 2019
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2019-3880 (Save registry file outside share as unprivileged user)
+
+
+=======
+Details
+=======
+
+o  CVE-2018-14629:
+   Authenticated users with write permission
+   can trigger a symlink traversal to write
+   or detect files outside the Samba share.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.8.10:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
+     SaveKey/RestoreKey.
+
+
+</pre>
+</p>
+</body>
+</html>
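Review bot: The Details section is headed "o  CVE-2018-14629:" although the summary directly above it lists only CVE-2019-3880 and the text under the heading is the CVE-2019-3880 description (symlink traversal to write or detect files outside the share). The same wrong ID is repeated in the BUG 13851 changelog entry, so after the summary line this page never names the CVE it fixes. Both occurrences should be CVE-2019-3880. The Details text is also wrapped at a narrower width than in the 4.10.2 and 4.9.6 notes; rewrapping it would keep the three pages consistent.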
diff --git a/history/samba-4.9.6.html b/history/samba-4.9.6.html
new file mode 100644
index 0000000..0d5d5f9
--- /dev/null
+++ b/history/samba-4.9.6.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.9.6 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.9.6 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.6.tar.gz">Samba 4.9.6 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.6.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.5-4.9.6.diffs.gz">Patch (gzipped) against Samba 4.9.5</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.5-4.9.6.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.9.6
+                           April 8, 2019
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
+o  CVE-2019-3880 (Save registry file outside share as unprivileged user)
+
+
+=======
+Details
+=======
+
+o  CVE-2019-3870:
+   During the provision of a new Active Directory DC, some files in the private/
+   directory are created world-writable.
+
+o  CVE-2019-3880:
+   Authenticated users with write permission can trigger a symlink traversal to
+   write or detect files outside the Samba share.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.9.5:
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
+     smbd.mkdir().
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
+     SaveKey/RestoreKey.
+
+
+</pre>
+</p>
+</body>
+</html>
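Review bot: The BUG 13851 line under "Changes since 4.9.5" carries CVE-2018-14629, while the winreg SaveKey/RestoreKey removal belongs to CVE-2019-3880 as listed in the summary and Details sections of the same file. Change the tag to CVE-2019-3880 so the changelog matches the advisory and the fix can be found by CVE ID.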
diff --git a/history/security.html b/history/security.html
index 014857e..8a422f5 100755
--- a/history/security.html
+++ b/history/security.html
@@ -21,6 +21,26 @@ link to full release notes for each release.</p>
 	<td><em>Details</em></td>
       </tr>
 
+    <tr>
+	<td>08 Apr 2019</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.10.1-security-2019-04-08.patch">
+	patch for Samba 4.10.1 (both CVEs)</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.9.5-security-2019-04-08.patch">
+	patch for Samba 4.9.5 (both CVEs)</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.8.10-security-2019-04-08.patch">
+	patch for Samba 4.8.10 (CVE-2019-3880 only)</a><br />
+	</td>
+	<td>CVE-2019-3870 and CVE-2019-3880. Please see the announcements for details.
+	</td>
+	<td>please refer to the advisories</td>
+	<td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3870">CVE-2019-3870</a>,
+	    <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3880">CVE-2019-3880</a>
+	</td>
+	<td><a href="/samba/security/CVE-2019-3870.html">Announcement</a>,
+	    <a href="/samba/security/CVE-2019-3880.html">Announcement</a>
+	</td>
+    </tr>
+
     <tr>
 	<td>27 Nov 2018</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.9.2-security-2018-11-27.patch">
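Review bot: The two links in the last cell of the new row are both labelled "Announcement", so a reader cannot tell which advisory each one opens without hovering over it. Label them by CVE, for example "Announcement (CVE-2019-3870)" and "Announcement (CVE-2019-3880)", matching the order of the CVE links in the preceding cell. The trailing <br /> after the "patch for Samba 4.8.10 (CVE-2019-3880 only)" link leaves an empty line at the bottom of that cell and can be dropped.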
diff --git a/posted_news/20190408-073430.4.10.2.body.html b/posted_news/20190408-073430.4.10.2.body.html
new file mode 100644
index 0000000..56bb9bf
--- /dev/null
+++ b/posted_news/20190408-073430.4.10.2.body.html
@@ -0,0 +1,23 @@
+<!-- BEGIN: posted_news/20190408-073430.4.10.2.body.html -->
+<h5><a name="4.10.2">08 April 2019</a></h5>
+<p class=headline>Samba 4.10.2, 4.9.6 and 4.8.11 Security Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2019-3870.html">CVE-2019-3870</a>
+ (World writable files in Samba AD DC private/ dir) and
+<a href="/samba/security/CVE-2019-3880.html">CVE-2019-3880</a>
+ (Save registry file outside share as unprivileged user).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
+The 4.10.2 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.10.2.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.10.1-4.10.2.diffs.gz">patch against Samba 4.10.1</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.10.2.html">the release notes for more info</a>.
+The 4.9.6 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.9.6.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.9.5-4.9.6.diffs.gz">patch against Samba 4.9.5</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.9.6.html">the release notes for more info</a>.
+The 4.8.11 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.8.11.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.8.10-4.8.11.diffs.gz">patch against Samba 4.8.10</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.8.11.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20190408-073430.4.10.2.body.html -->
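Review bot: The second paragraph states that the uncompressed tarballs are signed but links only the .tar.gz downloads, so a reader working from this news item gets no pointer to the .tar.asc files and no hint that the archive has to be decompressed before the signature will verify. Link each signature next to its download, as the release-note pages added in this commit already do, and consider giving the full key fingerprint rather than only the 64-bit ID 6F33915B6568B7EA. The three download/patch/release-notes groups would also be easier to scan as a list than as one run-on paragraph, and class=headline should be quoted.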
diff --git a/posted_news/20190408-073430.4.10.2.headline.html b/posted_news/20190408-073430.4.10.2.headline.html
new file mode 100644
index 0000000..5fb9d95
--- /dev/null
+++ b/posted_news/20190408-073430.4.10.2.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20190408-073430.4.10.2.headline.html -->
+<li> 08 April 2019 <a href="#4.10.2">Samba 4.10.2, 4.9.6 and 4.8.11 Security
+Releases Available</a></li>
+<!-- END: posted_news/20190408-073430.4.10.2.headline.html -->
diff --git a/security/CVE-2019-3870.html b/security/CVE-2019-3870.html
new file mode 100644
index 0000000..78fb2f6
--- /dev/null
+++ b/security/CVE-2019-3870.html
@@ -0,0 +1,100 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2019-3870.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     World writable files in Samba AD DC private/ dir
+==
+== CVE ID#:     CVE-2019-3870
+==
+== Versions:    Samba 4.9 and later
+==
+== Summary:     During the provision of a new Active Directory
+                DC, some files in the private/ directory are
+		created world-writable.
+===========================================================
+
+===========
+Description
+===========
+
+During the creation of a new Samba AD DC, files are created in a the
+private/ subdirectory of our install location.  This directory is
+typically mode 0700, that is owner (root) only access.  However in
+some upgraded installations it will have other permissions, such as
+0755, because this was the default before Samba 4.8.
+
+Within this directory files are created with mode 0666,
+that is world-writable, including a sample krb5.conf and the list of
+DNS names and servicePrincipalName values to update.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Additionally, Samba 4.9.6 and 4.10.2 have been issued as security
+releases to correct the defect.  Samba administrators are advised to
+upgrade to these releases or apply the patch as soon as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)
+
+This score is calculated based on modification to the dns_update_list
+or spn_update_list files in a default configuration.
+
+Administrators who rely on these files in other ways might have a
+higher score.  For example, the sample krb5.conf might be read as
+input to Kerberos tools or used as the system-wide krb5.conf
+(potentially via a symlink).
+
+===============================
+Required steps (and workaround)
+===============================
+
+Upgrading Samba will not change the file or directory permissions for
+an existing installation, it will just avoid the issue for new
+installations.
+
+Assuming Samba is installed in the default location as root run:
+
+ chmod 0700 /usr/local/samba/private
+
+The private directory can be found in the listing from
+ smbd -b| grep PRIVATE_DIR
+
+Alternatively remove world-write permission from any files with:
+ chmod o-w /usr/local/samba/private/*
+
+=======
+Credits
+=======
+
+Originally reported by Björn Baumbach of the Samba Team and SerNet.
+
+Patches provided by Andrew Bartlett of the Samba Team and Catalyst,
+advisory written by Andrew Bartlett of the Samba Team and Catalyst.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
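Review bot: The heading line "<H2>CVE-2019-3870.html" is never closed, and the <p> opened before <pre> has no closing tag either, so the page is not well-formed XHTML and the heading style can spill over the advisory body. Close it with </H2>, and drop the <p> or close it after </pre>. In the advisory text: "created in a the private/ subdirectory" has a stray "a"; "Patches addressing both these issues" reads oddly in an advisory that covers a single CVE; and the patch location is given as an http:// URL while the other links in this commit use https. In "Required steps", the chmod command hardcodes /usr/local/samba/private before the text explains that the real path comes from "smbd -b | grep PRIVATE_DIR"; putting the lookup first would keep administrators with a non-default prefix from running the command against the wrong directory.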
diff --git a/security/CVE-2019-3880.html b/security/CVE-2019-3880.html
new file mode 100644
index 0000000..872d887
--- /dev/null
+++ b/security/CVE-2019-3880.html
@@ -0,0 +1,110 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2019-3880.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Save registry file outside share as unprivileged user
+==
+== CVE ID#:     CVE-2019-3880
+==
+== Versions:    All versions of Samba since Samba 3.2.0
+==
+== Summary:     Authenticated users with write permission
+                can trigger a symlink traversal to write
+		or detect files outside the Samba share.
+===========================================================
+
+===========
+Description
+===========
+
+Samba contains an RPC endpoint emulating the Windows registry service
+API. One of the requests, "winreg_SaveKey", is susceptible to a
+path/symlink traversal vulnerability. Unprivileged users can use it to
+create a new registry hive file anywhere they have unix permissions to
+create a new file within a Samba share. If they are able to create
+symlinks on a Samba share, they can create a new registry hive file
+anywhere they have write access, even outside a Samba share
+definition.
+
+Note - existing share restrictions such as "read only" or share ACLs
+do *not* prevent new registry hive files being written to the
+filesystem. A file may be written under any share definition wherever
+the user has unix permissions to create a file.
+
+Existing files cannot be overwritten using this vulnerability, only
+new registry hive files can be created, however the presence of
+existing files with a specific name can be detected.
+
+Samba writes or detects the file as the authenticated user, not as root.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
+security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (6.3)
+
+==========
+Workaround
+==========
+
+If the areas of the filesystem being exported by all share definitions
+have no symlinks pointing outside the shared areas, the attacker can
+only create new files inside the shared areas.
+
+Is the server is exporting SMB1 shares, and the global parameter 'unix
+extensions = yes' is set (the default value), then an attacker can
+create symbolic links that point outside the share definitions to
+allow registry hive files to be created wherever the symlink points to
+(so long as no existing file is present).
+
+Either turn off SMB1 by setting the global parameter:
+
+'min protocol = SMB2'
+
+or if SMB1 is required turn off unix extensions by setting the global
+parameter:
+
+'unix extensions = no'
+
+in the smb.conf file.
+
+=======
+Credits
+=======
+
+Originally reported by Michael Hanselmann.
+
+Patches provided by Jeremy Allison of the Samba Team and Google.
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
+
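Review bot: In the Workaround section, "Is the server is exporting SMB1 shares" should read "If the server is exporting SMB1 shares"; as written, the condition under which the 'unix extensions' mitigation applies is hard to parse. As in the CVE-2019-3870 page, "<H2>CVE-2019-3880.html" is not closed and <p> is left open before <pre>. "Patches addressing both these issues" appears in a single-CVE advisory, and the patch location is an http:// URL. The changeset is truncated here, so the closing </pre>, </body> and </html> cannot be checked from this mail.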


-- 
Samba Website Repository


