[SCM] Samba Website Repository - branch master updated

Jule Anger janger at samba.org
Mon Jan 10 11:58:40 UTC 2022


The branch, master has been updated
       via  7cf0fef NEWS[4.13.16]: Samba 4.13.16 Security Release is available for Download
      from  31b3f67 Add Samba 4.14.11

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7cf0fef56a31362acf54d5961033997bef87806c
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 10 11:00:59 2022 +0100

    NEWS[4.13.16]: Samba 4.13.16 Security Release is available for Download
    
    Signed-off-by: Jule Anger <janger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                       |  1 +
 history/samba-4.13.16.html                        | 68 +++++++++++++++++
 history/security.html                             | 16 ++++
 posted_news/20220110-100103.4.13.16.body.html     | 14 ++++
 posted_news/20220110-100103.4.13.16.headline.html |  4 +
 security/CVE-2021-43566.txt                       | 93 +++++++++++++++++++++++
 6 files changed, 196 insertions(+)
 create mode 100644 history/samba-4.13.16.html
 create mode 100644 posted_news/20220110-100103.4.13.16.body.html
 create mode 100644 posted_news/20220110-100103.4.13.16.headline.html
 create mode 100644 security/CVE-2021-43566.txt


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 54db929..a5dc2d4 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -25,6 +25,7 @@
 			<li><a href="samba-4.14.2.html">samba-4.14.2</a></li>
 			<li><a href="samba-4.14.1.html">samba-4.14.1</a></li>
 			<li><a href="samba-4.14.0.html">samba-4.14.0</a></li>
+			<li><a href="samba-4.13.16.html">samba-4.13.16</a></li>
 			<li><a href="samba-4.13.15.html">samba-4.13.15</a></li>
 			<li><a href="samba-4.13.14.html">samba-4.13.14</a></li>
 			<li><a href="samba-4.13.13.html">samba-4.13.13</a></li>
diff --git a/history/samba-4.13.16.html b/history/samba-4.13.16.html
new file mode 100644
index 0000000..8e85d8b
--- /dev/null
+++ b/history/samba-4.13.16.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.13.16 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.13.16 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.gz">Samba 4.13.16 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.gz">Patch (gzipped) against Samba 4.13.15</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ===============================
+                   Release Notes for Samba 4.13.16
+                          January 10, 2022
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-43566:  mkdir race condition allows share escape in Samba 4.x.
+                   https://www.samba.org/samba/security/CVE-2021-43566.html
+
+
+=======
+Details
+=======
+
+o  CVE-2021-43566:
+   All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+   client using an SMB1 or NFS symlink race to allow a directory to be
+   created in an area of the server file system not exported under the
+   share definition. Note that SMB1 has to be enabled, or the share
+   also available via NFS in order for this attack to succeed.
+
+   Clients that have write access to the exported part of the file system
+   under a share via SMB1 unix extensions or NFS can create symlinks that
+   can race the server by renaming an existing path and then replacing it
+   with a symlink. If the client wins the race it can cause the server to
+   create a directory under the new symlink target after the exported
+   share path check has been done. This new symlink target can point to
+   anywhere on the server file system. The authenticated user must have
+   permissions to create a directory under the target directory of the
+   symlink.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race only when the server
+   is slowed down and put under heavy load. Exploitation of this bug has
+   not been seen in the wild.
+
+
+Changes since 4.13.15
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
+
+
+</pre>
+</p>
+</body>
+</html>
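Review bot: The new history/samba-4.13.16.html declares XHTML 1.0 Transitional but its body does not conform to it: the release-notes <pre> block is wrapped in <p>...</p>, the heading is written as <H2> in upper case, and the two <br> tags after the download links are not self-closed. Suggest dropping the <p> around <pre>, lower-casing the heading tag and writing <br />, as the history/security.html hunk in this same commit already does.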
diff --git a/history/security.html b/history/security.html
index ecc3213..0606900 100755
--- a/history/security.html
+++ b/history/security.html
@@ -26,6 +26,22 @@ link to full release notes for each release.</p>
 	<td><em>Details</em></td>
       </tr>
 
+	<tr>
+	<td>10 January 2022</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.13.16-security-2022-01-10.patch">
+	patch for Samba 4.13.16</a><br />
+	</td>
+	<td>Symlink race error can allow directory creation outside of the exported share.
+	</td>
+	<td>All versions of the Samba file server prior to 4.13.16</td>
+	<td>
+	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43566">CVE-2021-43566</a>.
+	</td>
+	<td>
+	<a href="/samba/security/CVE-2021-43566.html">Announcement</a>.
+	</td>
+	</tr>
+
     <tr>
 	<td>9 November 2021</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.15.1-security-2021-11-09.patch">
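Review bot: The affected-versions cell reads "All versions of the Samba file server prior to 4.13.16", which does not tell readers on the 4.14 series (listed in history/header_history.html in this same commit) whether they are affected or already fixed. Suggest stating the status of the newer release series explicitly in that cell. The added row is also indented with tabs, while the following existing row opens with spaces.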
diff --git a/posted_news/20220110-100103.4.13.16.body.html b/posted_news/20220110-100103.4.13.16.body.html
new file mode 100644
index 0000000..cedcc5a
--- /dev/null
+++ b/posted_news/20220110-100103.4.13.16.body.html
@@ -0,0 +1,14 @@
+<!-- BEGIN: posted_news/20220110-100103.4.13.16.body.html -->
+<h5><a name="4.13.16">10 January 2022</a></h5>
+<p class=headline>Samba 4.13.16 Security Release is available for Download
+<p>
+These is a Security Release in order to address
+<a href="/samba/security/CVE-2021-43566.html">CVE-2021-43566</a>.
+</p>
+<p>
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.gz">patch against Samba 4.13.15</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.13.16.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20220110-100103.4.13.16.body.html -->
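Review bot: The first sentence of the news body has a typo: "These is a Security Release" should read "This is a Security Release". The headline paragraph, <p class=headline>, is also never closed before the next <p> and its attribute value is unquoted; suggest <p class="headline">...</p>.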
diff --git a/posted_news/20220110-100103.4.13.16.headline.html b/posted_news/20220110-100103.4.13.16.headline.html
new file mode 100644
index 0000000..33836fa
--- /dev/null
+++ b/posted_news/20220110-100103.4.13.16.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20220110-100103.4.13.16.headline.html -->
+<li> 10 January 2022 <a href="#4.13.16">Samba 4.13.16 Security Release is
+available for Download</a></li>
+<!-- END: posted_news/20220110-100103.4.13.16.headline.html -->
diff --git a/security/CVE-2021-43566.txt b/security/CVE-2021-43566.txt
new file mode 100644
index 0000000..6dfa957
--- /dev/null
+++ b/security/CVE-2021-43566.txt
@@ -0,0 +1,93 @@
+===========================================================
+== Subject:     Symlink race error can allow directory creation
+==              outside of the exported share.
+==
+== CVE ID#:     CVE-2021-43566
+==
+==
+== Versions:    All versions of the Samba file server prior to
+==              4.13.16
+==
+== Summary:     A malicious client can use a symlink race to
+==              create a directory in a part of the server file
+==              system not exported under the share definition.
+==              The user must have permissions to create the
+==              directory in the target directory.
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+client using an SMB1 or NFS symlink race to allow a directory to be
+created in an area of the server file system not exported under the
+share definition. Note that SMB1 has to be enabled, or the share
+also available via NFS in order for this attack to succeed.
+
+Clients that have write access to the exported part of the file system
+under a share via SMB1 unix extensions or NFS can create symlinks that
+can race the server by renaming an existing path and then replacing it
+with a symlink. If the client wins the race it can cause the server to
+create a directory under the new symlink target after the exported
+share path check has been done. This new symlink target can point to
+anywhere on the server file system. The authenticated user must have
+permissions to create a directory under the target directory of the
+symlink.
+
+This is a difficult race to win, but theoretically possible. Note that
+the proof of concept code supplied wins the race only when the server
+is slowed down and put under heavy load. Exploitation of this bug has
+not been seen in the wild.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue has been posted to:
+
+    https://www.samba.org/samba/security/
+
+Samba 4.13.16 has been issued as a security releases to correct the
+defect. Samba administrators are advised to upgrade to this release as
+soon as possible.
+
+==================
+CVSSv3.1 calculation
+==================
+
+CVSS:2.2/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N
+
+base score of 2.6.
+
+=================================
+Workaround and mitigating factors
+=================================
+
+Do not enable SMB1 (please note SMB1 is disabled by default in Samba
+from version 4.11.0 and onwards). This prevents the creation of
+symbolic links via SMB1. If SMB1 must be enabled for backwards
+compatibility then add the parameter:
+
+unix extensions = no
+
+to the [global] section of your smb.conf and restart smbd. This
+prevents SMB1 clients from creating symlinks on the exported file
+system.
+
+However, if the same region of the file system is also exported using
+NFS, NFS clients can create symlinks that potentially can also hit the
+race condition. For non-patched versions of Samba we recommend only
+exporting areas of the file system by either SMB2 or NFS, not both.
+
+=======
+Credits
+=======
+
+Reported by Michael Hanselmann of Google.
+Jeremy Allison of Google and the Samba Team provided the fix.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
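Review bot: In the "CVSSv3.1 calculation" section the vector string begins with "CVSS:2.2/" where the version prefix "CVSS:3.1/" is expected, and the string carries base, temporal and environmental metrics while the text reports only a "base score of 2.6"; suggest correcting the prefix and stating which score the 2.6 refers to. The base metrics read C:L/I:N although the described impact is creation of a directory outside the share, so the impact metrics are worth confirming. In "Patch Availability", "Patches addressing this issue has been posted" and "a security releases" need number agreement.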


-- 
Samba Website Repository


