[SCM] Samba Website Repository - branch master updated
Jule Anger
janger at samba.org
Thu Dec 15 16:32:46 UTC 2022
The branch, master has been updated
via 53f2f82 NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
via 782d9c0 history/security: add missing </tr>
from 81dfaa6 news: html syntax error due to duplicate <p> tag, This breaks Feed Readers
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 53f2f82216254c6be5e813c514a5c8464841d2ba
Author: Jule Anger <janger at samba.org>
Date: Thu Dec 15 17:11:24 2022 +0100
NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
Signed-off-by: Jule Anger <janger at samba.org>
commit 782d9c0743c4ed1d495454f7b4b8e4bb3c6c598f
Author: Jule Anger <janger at samba.org>
Date: Thu Dec 15 14:57:01 2022 +0100
history/security: add missing </tr>
Signed-off-by: Jule Anger <janger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 3 +
history/samba-4.15.13.html | 147 ++++++++++++++
history/samba-4.16.8.html | 147 ++++++++++++++
history/samba-4.17.4.html | 154 +++++++++++++++
history/security.html | 28 ++-
posted_news/20221215-161202.4.15.13.body.html | 34 ++++
posted_news/20221215-161202.4.15.13.headline.html | 3 +
security/CVE-2022-37966.html | 180 ++++++++++++++++++
security/CVE-2022-37967.html | 127 +++++++++++++
security/CVE-2022-38023.html | 221 ++++++++++++++++++++++
security/CVE-2022-45141.html | 95 ++++++++++
11 files changed, 1138 insertions(+), 1 deletion(-)
create mode 100644 history/samba-4.15.13.html
create mode 100644 history/samba-4.16.8.html
create mode 100644 history/samba-4.17.4.html
create mode 100644 posted_news/20221215-161202.4.15.13.body.html
create mode 100644 posted_news/20221215-161202.4.15.13.headline.html
create mode 100644 security/CVE-2022-37966.html
create mode 100644 security/CVE-2022-37967.html
create mode 100644 security/CVE-2022-38023.html
create mode 100644 security/CVE-2022-45141.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 945c471..0c748da 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,10 +9,12 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.17.4.html">samba-4.17.4</a></li>
<li><a href="samba-4.17.3.html">samba-4.17.3</a></li>
<li><a href="samba-4.17.2.html">samba-4.17.2</a></li>
<li><a href="samba-4.17.1.html">samba-4.17.1</a></li>
<li><a href="samba-4.17.0.html">samba-4.17.0</a></li>
+ <li><a href="samba-4.16.8.html">samba-4.16.8</a></li>
<li><a href="samba-4.16.7.html">samba-4.16.7</a></li>
<li><a href="samba-4.16.6.html">samba-4.16.6</a></li>
<li><a href="samba-4.16.5.html">samba-4.16.5</a></li>
@@ -21,6 +23,7 @@
<li><a href="samba-4.16.2.html">samba-4.16.2</a></li>
<li><a href="samba-4.16.1.html">samba-4.16.1</a></li>
<li><a href="samba-4.16.0.html">samba-4.16.0</a></li>
+ <li><a href="samba-4.15.13.html">samba-4.15.13</a></li>
<li><a href="samba-4.15.12.html">samba-4.15.12</a></li>
<li><a href="samba-4.15.11.html">samba-4.15.11</a></li>
<li><a href="samba-4.15.10.html">samba-4.15.10</a></li>
diff --git a/history/samba-4.15.13.html b/history/samba-4.15.13.html
new file mode 100644
index 0000000..fa2c68f
--- /dev/null
+++ b/history/samba-4.15.13.html
@@ -0,0 +1,147 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.15.13 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.15.13 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.gz">Samba 4.15.13 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.gz">Patch (gzipped) against Samba 4.15.12</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ===============================
+ Release Notes for Samba 4.15.13
+ December 15, 2022
+ ===============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
+ Vulnerability was disclosed by Microsoft on Nov 8 2022
+ and per RFC8429 it is assumed that rc4-hmac is weak,
+
+ Vulnerable Samba Active Directory DCs will issue rc4-hmac
+ encrypted tickets despite the target server supporting
+ better encryption (eg aes256-cts-hmac-sha1-96).
+
+ https://www.samba.org/samba/security/CVE-2022-45141.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.15.12
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at cryptonector.com>
+ * BUG 15214: CVE-2022-45141.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.16.8.html b/history/samba-4.16.8.html
new file mode 100644
index 0000000..157cc3a
--- /dev/null
+++ b/history/samba-4.16.8.html
@@ -0,0 +1,147 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.16.8 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.16.8 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.8.tar.gz">Samba 4.16.8 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.8.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.7-4.16.8.diffs.gz">Patch (gzipped) against Samba 4.16.7</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.7-4.16.8.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.16.8
+ December 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.16 release series.
+It also contains security changes in order to address the following defects
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.16.7
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15230: Memory leak in snprintf replacement functions.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
+ (CVE-2021-20251 regression).
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15257: Stack smashing in net offlinejoin requestodj.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.17.4.html b/history/samba-4.17.4.html
new file mode 100644
index 0000000..325440a
--- /dev/null
+++ b/history/samba-4.17.4.html
@@ -0,0 +1,154 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.17.4 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.17.4 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.gz">Samba 4.17.4 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.gz">Patch (gzipped) against Samba 4.17.3</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.17.4
+ December 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+It also contains security changes in order to address the following defects:
+
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.17.3
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15206: libnet: change_password() doesn't work with
+ dcerpc_samr_ChangePasswordUser4().
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15230: Memory leak in snprintf replacement functions.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
+ (CVE-2021-20251 regression).
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Anoop C S <anoopcs at samba.org>
+ * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15257: Stack smashing in net offlinejoin requestodj.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index 64c9dec..5545d6b 100755
--- a/history/security.html
+++ b/history/security.html
@@ -32,6 +32,29 @@ link to full release notes for each release.</p>
<td><em>Details</em></td>
</tr>
+ <tr>
--
Samba Website Repository
More information about the samba-cvs
mailing list