[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Tue Dec 10 08:38:00 UTC 2019
The branch, master has been updated
via 2edcdd8 NEWS[4.11.3]: Samba 4.11.3 Available for Download
from 7f9b2f0 Add Samba 4.9.16.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2edcdd8eccf15058e7261918c9a7efe0f8b4c7fe
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Dec 10 09:07:41 2019 +0100
NEWS[4.11.3]: Samba 4.11.3 Available for Download
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 3 +
history/samba-4.10.11.html | 61 ++++++++++++++++
history/samba-4.11.3.html | 61 ++++++++++++++++
history/samba-4.9.17.html | 61 ++++++++++++++++
history/security.html | 22 ++++++
posted_news/20191210-081835.4.11.3.body.html | 31 ++++++++
posted_news/20191210-081835.4.11.3.headline.html | 4 ++
security/CVE-2019-14861.html | 89 +++++++++++++++++++++++
security/CVE-2019-14870.html | 91 ++++++++++++++++++++++++
9 files changed, 423 insertions(+)
create mode 100644 history/samba-4.10.11.html
create mode 100644 history/samba-4.11.3.html
create mode 100644 history/samba-4.9.17.html
create mode 100644 posted_news/20191210-081835.4.11.3.body.html
create mode 100644 posted_news/20191210-081835.4.11.3.headline.html
create mode 100644 security/CVE-2019-14861.html
create mode 100644 security/CVE-2019-14870.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 21b3518..2fc4ab6 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,9 +9,11 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.11.3.html">samba-4.11.3</a></li>
<li><a href="samba-4.11.2.html">samba-4.11.2</a></li>
<li><a href="samba-4.11.1.html">samba-4.11.1</a></li>
<li><a href="samba-4.11.0.html">samba-4.11.0</a></li>
+ <li><a href="samba-4.10.11.html">samba-4.10.11</a></li>
<li><a href="samba-4.10.10.html">samba-4.10.10</a></li>
<li><a href="samba-4.10.9.html">samba-4.10.9</a></li>
<li><a href="samba-4.10.8.html">samba-4.10.8</a></li>
@@ -23,6 +25,7 @@
<li><a href="samba-4.10.2.html">samba-4.10.2</a></li>
<li><a href="samba-4.10.1.html">samba-4.10.1</a></li>
<li><a href="samba-4.10.0.html">samba-4.10.0</a></li>
+ <li><a href="samba-4.9.17.html">samba-4.9.17</a></li>
<li><a href="samba-4.9.16.html">samba-4.9.16</a></li>
<li><a href="samba-4.9.15.html">samba-4.9.15</a></li>
<li><a href="samba-4.9.14.html">samba-4.9.14</a></li>
diff --git a/history/samba-4.10.11.html b/history/samba-4.10.11.html
new file mode 100644
index 0000000..388c54d
--- /dev/null
+++ b/history/samba-4.10.11.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.10.11 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.10.11 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.11.tar.gz">Samba 4.10.11 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.11.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.10-4.10.11.diffs.gz">Patch (gzipped) against Samba 4.10.10</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.10-4.10.11.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ===============================
+ Release Notes for Samba 4.10.11
+ December 10, 2019
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
+ management server (dnsserver).
+o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
+ on Samba AD DC.
+
+
+=======
+Details
+=======
+
+o CVE-2019-14861:
+ An authenticated user can crash the DCE/RPC DNS management server by creating
+ records with matching the zone name.
+
+o CVE-2019-14870:
+ The DelegationNotAllowed Kerberos feature restriction was not being applied
+ when processing protocol transition requests (S4U2Self), in the AD DC KDC.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.10.10:
+----------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14187: CVE-2019-14870: DelegationNotAllowed not being enforced.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.11.3.html b/history/samba-4.11.3.html
new file mode 100644
index 0000000..01c81e4
--- /dev/null
+++ b/history/samba-4.11.3.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.11.3 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.11.3 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.3.tar.gz">Samba 4.11.3 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.3.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.2-4.11.3.diffs.gz">Patch (gzipped) against Samba 4.11.2</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.2-4.11.3.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.11.3
+ December 10, 2019
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
+ management server (dnsserver).
+o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
+ on Samba AD DC.
+
+
+=======
+Details
+=======
+
+o CVE-2019-14861:
+ An authenticated user can crash the DCE/RPC DNS management server by creating
+ records with matching the zone name.
+
+o CVE-2019-14870:
+ The DelegationNotAllowed Kerberos feature restriction was not being applied
+ when processing protocol transition requests (S4U2Self), in the AD DC KDC.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.11.2:
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14187: CVE-2019-14870: DelegationNotAllowed not being enforced.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.9.17.html b/history/samba-4.9.17.html
new file mode 100644
index 0000000..7e719af
--- /dev/null
+++ b/history/samba-4.9.17.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.9.17 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.9.17 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.17.tar.gz">Samba 4.9.17 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.17.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.16-4.9.17.diffs.gz">Patch (gzipped) against Samba 4.9.16</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.16-4.9.17.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.9.17
+ December 10, 2019
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
+ management server (dnsserver).
+o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
+ on Samba AD DC.
+
+
+=======
+Details
+=======
+
+o CVE-2019-14861:
+ An authenticated user can crash the DCE/RPC DNS management server by creating
+ records with matching the zone name.
+
+o CVE-2019-14870:
+ The DelegationNotAllowed Kerberos feature restriction was not being applied
+ when processing protocol transition requests (S4U2Self), in the AD DC KDC.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.9.16:
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14187: CVE-2019-14870: DelegationNotAllowed not being enforced.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index 7588064..f8ad8e5 100755
--- a/history/security.html
+++ b/history/security.html
@@ -26,6 +26,28 @@ link to full release notes for each release.</p>
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>10 Dec 2019</td>
+ <td><a
+href="/samba/ftp/patches/security/samba-4.11.2-security-2019-12-10.patch">
+ patch for Samba 4.11.2</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.10.10-security-2019-10-29.patch">
+ patch for Samba 4.10.10</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.9.16-security-2019-10-29.patch">
+ patch for Samba 4.9.16</a><br />
+ </td>
+ <td>CVE-2019-14861 and CVE-2019-14870. Please see announcements for
+ details.
+ </td>
+ <td>All versions since Samba 4.0</td>
+ <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14861">CVE-2019-14861</a>,
+ <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14870">CVE-2019-14870</a>.
+ </td>
+ <td><a href="/samba/security/CVE-2019-14861.html">Announcement</a>,
+ <a href="/samba/security/CVE-2019-14870.html">Announcement</a>
+ </td>
+ </tr>
+
<tr>
<td>29 Oct 2019</td>
<td><a href="/samba/ftp/patches/security/samba-4.11.1-security-2019-10-29.patch">
diff --git a/posted_news/20191210-081835.4.11.3.body.html b/posted_news/20191210-081835.4.11.3.body.html
new file mode 100644
index 0000000..648819b
--- /dev/null
+++ b/posted_news/20191210-081835.4.11.3.body.html
@@ -0,0 +1,31 @@
+<!-- BEGIN: posted_news/20191210-081835.4.11.3.body.html -->
+<h5><a name="4.11.3">10 December 2019</a></h5>
+<p class=headline>Samba 4.11.3, 4.10.11 and 4.9.17 Security Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2019-14861.html">CVE-2019-14861</a>
+(Samba AD DC zone-named record Denial of Service in DNS management server (dnsserver)).
+<a href="/samba/security/CVE-2019-14870.html">CVE-2019-14870</a>
+(DelegationNotAllowed not being enforced in protocol transition on Samba AD DC).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).</br>
+The 4.11.3 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.11.3.tar.gz">downloaded now</a>.</br>
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.11.2-4.11.3.diffs.gz">patch
+against Samba 4.11.2</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.11.3.html">4.11.3 release notes</a> for more info.</br>
+The 4.10.11 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.10.11.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.10.10-4.10.11.diffs.gz">patch
+against Samba 4.10.10</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.10.11.html">4.10.11 release notes</a> for more info.
+The 4.9.17 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.9.17.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.9.16-4.9.17.diffs.gz">patch
+against Samba 4.9.16</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.9.17.html">4.9.17 release notes</a> for more info.
+</p>
+<!-- END: posted_news/20191210-081835.4.11.3.body.html -->
diff --git a/posted_news/20191210-081835.4.11.3.headline.html b/posted_news/20191210-081835.4.11.3.headline.html
new file mode 100644
index 0000000..55cadc8
--- /dev/null
+++ b/posted_news/20191210-081835.4.11.3.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20191210-081835.4.11.3.headline.html -->
+<li> 10 December 2019 <a href="#4.11.3">Samba 4.11.3, 4.10.11 and 4.9.17
+Security Releases Available</a></li>
+<!-- END: posted_news/20191210-081835.4.11.3.headline.html -->
diff --git a/security/CVE-2019-14861.html b/security/CVE-2019-14861.html
new file mode 100644
index 0000000..54f2c7e
--- /dev/null
+++ b/security/CVE-2019-14861.html
@@ -0,0 +1,89 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2019-14861.html
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC zone-named record Denial of
+== Service in DNS management server (dnsserver)
+==
+== CVE ID#: CVE-2019-14861
+==
+== Versions: All Samba versions since Samba 4.0
+==
+== Summary: An authenticated user can crash the DCE/RPC DNS
+== management server by creating records with matching
+== the zone name
+===========================================================
+
+===========
+Description
+===========
+
+The (poorly named) dnsserver RPC pipe provides administrative
+facilities to modify DNS records and zones.
+
+Samba, when acting as an AD DC, stores DNS records in LDAP.
+
+In AD, the default permissions on the DNS partition allow creation of
+new records by authenticated users. This is used for example to allow
+machines to self-register in DNS.
+
+If a DNS record was created that case-insensitively matched the name
+of the zone, the ldb_qsort() and dns_name_compare() routines could be
+confused into reading memory prior to the list of DNS entries when
+responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so
+following invalid memory as a pointer.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)
+
+==========
+Workaround
+==========
+
+The dnsserver task can be stopped by setting
+ 'dcerpc endpoint servers = -dnsserver'
+in the smb.conf and restarting Samba.
+
+=======
+Credits
+=======
+
+Originally reported by Andreas Oster.
+
+Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
diff --git a/security/CVE-2019-14870.html b/security/CVE-2019-14870.html
new file mode 100644
index 0000000..b1e4b34
--- /dev/null
+++ b/security/CVE-2019-14870.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2019-14870.html
+
+<p>
+<pre>
+===========================================================
+== Subject: DelegationNotAllowed not being enforced
+== in protocol transition on Samba AD DC.
+==
+== CVE ID#: CVE-2019-14870
+==
+== Versions: All Samba versions since Samba 4.0
+==
+== Summary: The DelegationNotAllowed Kerberos feature restriction
+== was not being applied when processing protocol
+== transition requests (S4U2Self), in the AD DC KDC.
+===========================================================
+
+===========
+Description
+===========
+
+The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
+for a subset of clients to be opted out of constrained delegation in
+any way, either S4U2Self or regular Kerberos authentication, by
+forcing all tickets for these clients to be non-forwardable. In AD
+this is implemented by a user attribute delegation_not_allowed (aka
+not-delegated), which translates to disallow-forwardable.
+
+However the Samba AD DC does not do that for S4U2Self and does set the
+forwardable flag even if the impersonated client has the not-delegated
+flag set.
+
+Note: while the experimental MIT AD-DC build does not support S4U, it
+should still be patched due to a related bug in regular authentication.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
+
+=========================
+Workaround and mitigation
+=========================
+
+Only clients configured directly in LDAP or via a Windows tools
+could have been marked as sensitive and so have been expected to have
+this protection. Therefore most Samba sites will not have been using
+this feature and so are not impacted either way.
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris of Red Hat and the Samba Team.
+
+Patches provided by Isaac Boukris of Red Hat and the Samba Team.
+
+Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of
+Red Hat and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
--
Samba Website Repository
More information about the samba-cvs
mailing list