[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Tue Apr 28 07:47:02 UTC 2020


The branch, master has been updated
       via  ca69b30 NEWS[4.12.2]: Samba 4.12.2, 4.11.8 and 4.10.15 Security Releases Available
      from  116369d clean up urls and tools that went away

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ca69b306115e4abf2ebf3852a947301511b6d2d6
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Apr 22 12:57:18 2020 +0200

    NEWS[4.12.2]: Samba 4.12.2, 4.11.8 and 4.10.15 Security Releases Available
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |   3 +
 history/samba-4.10.15.html                       |  60 +++++++++++
 history/samba-4.11.8.html                        |  60 +++++++++++
 history/samba-4.12.2.html                        |  60 +++++++++++
 history/security.html                            |  21 ++++
 posted_news/20200428-071935.4.12.2.body.html     |  32 ++++++
 posted_news/20200428-071935.4.12.2.headline.html |   4 +
 security/CVE-2020-10700.html                     |  88 ++++++++++++++++
 security/CVE-2020-10704.html                     | 129 +++++++++++++++++++++++
 9 files changed, 457 insertions(+)
 create mode 100644 history/samba-4.10.15.html
 create mode 100644 history/samba-4.11.8.html
 create mode 100644 history/samba-4.12.2.html
 create mode 100644 posted_news/20200428-071935.4.12.2.body.html
 create mode 100644 posted_news/20200428-071935.4.12.2.headline.html
 create mode 100644 security/CVE-2020-10700.html
 create mode 100644 security/CVE-2020-10704.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 6691a15..41dbb23 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,8 +9,10 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.12.2.html">samba-4.12.2</a></li>
 			<li><a href="samba-4.12.1.html">samba-4.12.1</a></li>
 			<li><a href="samba-4.12.0.html">samba-4.12.0</a></li>
+			<li><a href="samba-4.11.8.html">samba-4.11.8</a></li>
 			<li><a href="samba-4.11.7.html">samba-4.11.7</a></li>
 			<li><a href="samba-4.11.6.html">samba-4.11.6</a></li>
 			<li><a href="samba-4.11.5.html">samba-4.11.5</a></li>
@@ -19,6 +21,7 @@
 			<li><a href="samba-4.11.2.html">samba-4.11.2</a></li>
 			<li><a href="samba-4.11.1.html">samba-4.11.1</a></li>
 			<li><a href="samba-4.11.0.html">samba-4.11.0</a></li>
+			<li><a href="samba-4.10.15.html">samba-4.10.15</a></li>
 			<li><a href="samba-4.10.14.html">samba-4.10.14</a></li>
 			<li><a href="samba-4.10.13.html">samba-4.10.13</a></li>
 			<li><a href="samba-4.10.12.html">samba-4.10.12</a></li>
diff --git a/history/samba-4.10.15.html b/history/samba-4.10.15.html
new file mode 100644
index 0000000..946da1a
--- /dev/null
+++ b/history/samba-4.10.15.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.10.15 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.10.15 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.15.tar.gz">Samba 4.10.15 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.15.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.14-4.10.15.diffs.gz">Patch (gzipped) against Samba 4.10.14</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.14-4.10.15.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ===============================
+                   Release Notes for Samba 4.10.15
+                           April 28, 2020
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ 
+o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
+
+
+=======
+Details
+=======
+
+o  CVE-2020-10700:
+   A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
+   use-after-free in Samba's AD DC LDAP server.
+o  CVE-2020-10704:
+   A deeply nested filter in an un-authenticated LDAP search can exhaust the
+   LDAP server's stack memory causing a SIGSEGV.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.10.14
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
+     ASQ and paged_results combined.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
+     Samba AD DC.
+
+
+</pre>
+</p>
+</body>
+</html>
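Review bot: the bug reference "BUG 20454" on the CVE-2020-10704 entry under "Changes since 4.10.14" is far outside the range of the neighbouring "BUG 14331", so please confirm it against Bugzilla before this goes live; the same line is repeated in the 4.11.8 and 4.12.2 notes. Smaller points: the first summary bullet ends with trailing whitespace after "with ASQ", and the page declares an XHTML 1.0 Transitional DOCTYPE but uses unclosed <br> and nests <pre> inside <p>, neither of which validates; <br /> and dropping the wrapping <p> would fix that.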
diff --git a/history/samba-4.11.8.html b/history/samba-4.11.8.html
new file mode 100644
index 0000000..4255c25
--- /dev/null
+++ b/history/samba-4.11.8.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.11.8 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.11.8 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.8.tar.gz">Samba 4.11.8 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.8.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.7-4.11.8.diffs.gz">Patch (gzipped) against Samba 4.11.7</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.7-4.11.8.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.11.8
+                           April 28, 2020
+		   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ 
+o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
+
+
+=======
+Details
+=======
+
+o  CVE-2020-10700:
+   A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
+   use-after-free in Samba's AD DC LDAP server.
+o  CVE-2020-10704:
+   A deeply nested filter in an un-authenticated LDAP search can exhaust the
+   LDAP server's stack memory causing a SIGSEGV.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.11.7
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
+     ASQ and paged_results combined.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
+     Samba AD DC.
+
+
+</pre>
+</p>
+</body>
+</html>
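Review bot: the closing rule of the release-notes banner (the "==============================" line after "April 28, 2020") is indented with two tabs plus spaces, while the other three banner lines use spaces only, so inside <pre> the box renders misaligned depending on tab width. Suggest replacing the tabs with the same 19 spaces used on the opening rule, as the 4.10.15 page already does. The first summary bullet also carries trailing whitespace after "with ASQ".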
diff --git a/history/samba-4.12.2.html b/history/samba-4.12.2.html
new file mode 100644
index 0000000..63578b5
--- /dev/null
+++ b/history/samba-4.12.2.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.12.2 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.12.2 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.12.2.tar.gz">Samba 4.12.2 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.12.2.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.12.1-4.12.2.diffs.gz">Patch (gzipped) against Samba 4.12.1</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.12.1-4.12.2.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.12.2
+                           April 28, 2020
+		   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
+o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
+
+
+=======
+Details
+=======
+
+o  CVE-2020-10700:
+   A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
+   use-after-free in Samba's AD DC LDAP server.
+o  CVE-2020-10704:
+   A deeply nested filter in an un-authenticated LDAP search can exhaust the
+   LDAP server's stack memory causing a SIGSEGV.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.12.1
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
+     ASQ and paged_results combined.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
+     Samba AD DC.
+
+
+</pre>
+</p>
+</body>
+</html>
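Review bot: this page has the same tab-indented closing banner rule as the 4.11.8 notes (the line after "April 28, 2020"), so it should get the same spaces-only fix. Since the three release-notes pages differ only in version strings and are added by hand, consider generating them from one template so that fixes such as this one, or a corrected bug number, land in all three at once.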
diff --git a/history/security.html b/history/security.html
index cd5311b..c4be490 100755
--- a/history/security.html
+++ b/history/security.html
@@ -26,6 +26,27 @@ link to full release notes for each release.</p>
 	<td><em>Details</em></td>
       </tr>
 
+    <tr>
+	<td>28 Apr 2020</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.12.1-security-2020-04-28.patch">
+	patch for Samba 4.12.1</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.11.7-security-2020-04-28.patch">
+	patch for Samba 4.11.7</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.10.14-security-2020-04-28.patch">
+	patch for Samba 4.10.14</a><br />
+	</td>
+	<td>CVE-2020-10700 and CVE-2020-10704. Please see announcements for
+        details.
+	</td>
+	<td>Please refer to the advisories.</td>
+	<td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10700">CVE-2020-10700</a>,
+	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10704">CVE-2020-10704</a>.
+	</td>
+	<td><a href="/samba/security/CVE-2020-10700.html">Announcement</a>,
+	<a href="/samba/security/CVE-2020-10704.html">Announcement</a>
+	</td>
+    </tr>
+
     <tr>
 	<td>21 Jan 2020</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.11.4-security-2020-01-21.patch">
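Review bot: in the last cell of the new row both links carry the identical text "Announcement", so a reader (or a screen reader's link list) cannot tell which advisory is which without hovering. Suggest labelling them by CVE, for example "CVE-2020-10700 announcement" and "CVE-2020-10704 announcement". Also, the continuation line "details." in the third cell is indented with spaces where the rest of the row uses tabs.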
diff --git a/posted_news/20200428-071935.4.12.2.body.html b/posted_news/20200428-071935.4.12.2.body.html
new file mode 100644
index 0000000..c4849a4
--- /dev/null
+++ b/posted_news/20200428-071935.4.12.2.body.html
@@ -0,0 +1,32 @@
+<!-- BEGIN: posted_news/20200428-071935.4.12.2.body.html -->
+<h5><a name="4.12.2">28 April 2020</a></h5>
+<p class=headline>Samba 4.12.2, 4.11.8 and 4.10.15 Security  
+Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2020-10700.html">CVE-2020-10700</a>
+(Use-after-free in Samba AD DC LDAP Server with ASQ).
+<a href="/samba/security/CVE-2020-10704.html">CVE-2020-10704</a>
+(LDAP Denial of Service (stack overflow) in Samba AD DC).
+</p>
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
+The 4.12.2 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.12.2.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.12.1-4.12.2.diffs.gz">patch against Samba 4.12.1</a> is also available.
+See the <a href="https://www.samba.org/samba/history/samba-4.12.2.html">4.12.2 release notes</a> for more info.</br>
+The 4.11.8 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.11.8.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.11.7-4.11.8.diffs.gz">patch
+against Samba 4.11.7</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.10.12.html">4.11.8 release notes</a> for more info.
+The 4.10.15 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.10.15.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.10.14-4.10.15.diffs.gz">patch
+against Samba 4.10.14</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.10.15.html">4.10.15 release notes</a> for more info.
+</p>
+<!-- END: posted_news/20200428-071935.4.12.2.body.html -->
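Review bot: the link labelled "4.11.8 release notes" points at history/samba-4.10.12.html, which sends readers of a security announcement to the notes of an unrelated older release; it should be samba-4.11.8.html. Further markup problems in the same block: there are two consecutive </p> closers after the CVE paragraph with only one <p> open, "</br>" is not a valid tag (use <br />), the 4.11.8 release-notes sentence is the only one in its group without a line break after it, and class=headline is unquoted. In the first paragraph the CVE-2020-10700 sentence ends with a full stop and the CVE-2020-10704 link then stands alone as a fragment; joining them with "and" would read correctly. Finally, "GnuPG (ID 6F33915B6568B7EA)" gives only a 64-bit key ID; since this line is what users rely on to verify the tarball signature, publishing the full fingerprint would be the safer reference.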
diff --git a/posted_news/20200428-071935.4.12.2.headline.html b/posted_news/20200428-071935.4.12.2.headline.html
new file mode 100644
index 0000000..bfde832
--- /dev/null
+++ b/posted_news/20200428-071935.4.12.2.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20200428-071935.4.12.2.headline.html -->
+<li> 28 April 2020 <a href="#4.12.2">Samba 4.12.2, 4.11.8 and 4.10.15 Security
+Releases Available</a></li>
+<!-- END: posted_news/20200428-071935.4.12.2.headline.html -->
diff --git a/security/CVE-2020-10700.html b/security/CVE-2020-10700.html
new file mode 100644
index 0000000..70573af
--- /dev/null
+++ b/security/CVE-2020-10700.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-10700.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Use-after-free in Samba AD DC LDAP Server with ASQ
+==
+== CVE ID#:     CVE-2020-10700
+==
+== Versions:    Samba 4.10.0 and later
+==
+== Summary:     A client combining the 'ASQ' and 'Paged Results' LDAP
+                controls can cause a use-after-free in Samba's AD DC
+		LDAP server
+===========================================================
+
+===========
+Description
+===========
+
+Samba has, since Samba 4.0, supported the Paged Results LDAP feature,
+to allow clients to obtain pages of search results against a Samba AD
+DC using an LDAP control.
+
+Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been
+in place in this module, to age out old client requests if more than
+10 such requests are outstanding.
+
+A rewrite of the module for more efficient memory handling in Samba
+4.11 changed the module behaviour, and combined with the above to
+introduce the use-after-free.  The use-after-free occurs when the
+'Paged Results' control is combined with the 'ASQ' control, another
+Active Directory LDAP feature.
+
+
+==================
+Patch Availability
+==================
+
+Patches addressing both of these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.10.15, 4.11.8 and 4.12.2 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1:AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)
+
+================================
+Workaround or mitigating factors
+================================
+
+The crash is hard to trigger, and relies in particular on the chain of
+child and grandchild links being queried with ASQ.  Malicious users
+without write access will need to find a suitable chain within the
+existing directory layout.
+
+=======
+Credits
+=======
+
+Originally reported by Andrei Popa <andrei.popa at next-gen.ro>.
+
+Patches provided by Andrew Bartlett of Catalyst and the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
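Review bot: the header says "Versions: Samba 4.10.0 and later" and a 4.10.15 fix is announced, but the Description attributes the regression to "A rewrite of the module ... in Samba 4.11"; one of the two is wrong, and administrators on 4.10 need to know unambiguously whether they are affected, so please reconcile them. The CVSS line "CVSS:3.1:AV:N/..." does not follow the standard vector prefix ("CVSS:3.1/AV:N/...") and differs from the form used in the CVE-2020-10704 advisory. Markup: <H2>CVE-2020-10700.html is never closed, the <p> before <pre> is never closed, and the two continuation lines of the Summary field lack the leading "==" (the second is tab-indented), which breaks the header box.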
diff --git a/security/CVE-2020-10704.html b/security/CVE-2020-10704.html
new file mode 100644
index 0000000..1328097
--- /dev/null
+++ b/security/CVE-2020-10704.html
@@ -0,0 +1,129 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-10704.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     LDAP Denial of Service (stack overflow) in
+==              Samba AD DC
+==
+== CVE ID#:     CVE-2020-10704
+==
+== Versions:    All versions of Samba since Samba 4.0.0
+==
+== Summary:     A deeply nested filter in an un-authenticated
+==              LDAP search can exhaust the LDAP server's stack
+==              memory causing a SIGSEGV.
+===========================================================
+
+===========
+Description
+===========
+
+LDAP is encoded as ASN.1, and LDAP filters are defined recursively as
+   Filter ::= CHOICE {
+                and             [0] SET OF Filter,
+                or              [1] SET OF Filter,
+                not             [2] Filter,
+		
+This recursion is mirrored in Samba's recursive decent parser, which
+consumes around 600 bytes of stack per filter sent by the client.
+
+In Samba, LDAP packets are parsed pre-authentication.
+
+As an example on Linux x86_64, a LDAP search expression of (|(|(x=y)))
+will consume over 1k of stack (600 bytes or so per OR).  Therefore,
+even a fairly small, un-authenticated LDAP packet can cause the server
+to fault with SIGSEGV as the stack reaches the OS-imposed limit (8MB
+in this case).
+
+If the network architecture allows a CLDAP packet (to UDP port 389) of
+over 13,000 bytes (the maximum UDP packet size is 65,535) this
+would also fit enough ASN.1 to crash the CLDAP server.
+
+Samba 4.11 and later use the 'prefork' process model by default for
+LDAP, and all versions use single process for CLDAP.
+
+This shares one process between multiple network clients.  By crashing
+one worker, legitimate service is disrupted to other clients.  The
+process is restarted in all supported versions, but with a back-off.
+
+NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single
+process for the (C)LDAP servers.  All versions of Samba before Samba
+4.10 do not restart that process.
+
+To address further concerns about resource use from LDAP packets, new
+pre-parse limits are placed on LDAP searches (250k packet size limit),
+all un-authenticated packets (250k packet size limit) other
+authenticated packets (16MB) and CLDAP packets (4k).
+
+* For authenticated connections the maximum packet size is controlled by
+  the smb.conf parameter "ldap max authenticated request size"
+
+* For anonymous connections the maximum packet size is controlled by
+  the smb.conf parameter "ldap max anonymous request size"
+
+* For searches, the maximum packet size is controlled by
+  the smb.conf parameter "ldap max search request size"
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.10.15, 4.11.8 and 4.12.2 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
+
+================================
+Workaround and mitigating factors
+================================
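Review bot: the ASN.1 excerpt in the Description opens "Filter ::= CHOICE {" and stops after the "not" alternative with a tab-only line, with no ellipsis or closing brace, so it reads as if the definition were complete; add "..." and "}" to show it is an extract. In the following sentence "recursive decent parser" should be "recursive descent parser". In the limits paragraph, "all un-authenticated packets (250k packet size limit) other authenticated packets (16MB)" is missing a separator, and the 4k CLDAP limit is the only one with no smb.conf parameter named in the bullet list below it; say explicitly whether it is tunable. As in the other advisory, <H2>CVE-2020-10704.html is left unclosed, and the "=" rules around "Workaround and mitigating factors" are one character shorter than the heading. The changeset is truncated here, so the body of that section could not be reviewed.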


-- 
Samba Website Repository


