[SCM] Samba Website Repository - branch master updated
Jule Anger
janger at samba.org
Mon Jan 10 11:58:40 UTC 2022
The branch, master has been updated
via 7cf0fef NEWS[4.13.16]: Samba 4.13.16 Security Release is available for Download
from 31b3f67 Add Samba 4.14.11
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7cf0fef56a31362acf54d5961033997bef87806c
Author: Jule Anger <janger at samba.org>
Date: Mon Jan 10 11:00:59 2022 +0100
NEWS[4.13.16]: Samba 4.13.16 Security Release is available for Download
Signed-off-by: Jule Anger <janger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 1 +
history/samba-4.13.16.html | 68 +++++++++++++++++
history/security.html | 16 ++++
posted_news/20220110-100103.4.13.16.body.html | 14 ++++
posted_news/20220110-100103.4.13.16.headline.html | 4 +
security/CVE-2021-43566.txt | 93 +++++++++++++++++++++++
6 files changed, 196 insertions(+)
create mode 100644 history/samba-4.13.16.html
create mode 100644 posted_news/20220110-100103.4.13.16.body.html
create mode 100644 posted_news/20220110-100103.4.13.16.headline.html
create mode 100644 security/CVE-2021-43566.txt
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 54db929..a5dc2d4 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -25,6 +25,7 @@
<li><a href="samba-4.14.2.html">samba-4.14.2</a></li>
<li><a href="samba-4.14.1.html">samba-4.14.1</a></li>
<li><a href="samba-4.14.0.html">samba-4.14.0</a></li>
+ <li><a href="samba-4.13.16.html">samba-4.13.16</a></li>
<li><a href="samba-4.13.15.html">samba-4.13.15</a></li>
<li><a href="samba-4.13.14.html">samba-4.13.14</a></li>
<li><a href="samba-4.13.13.html">samba-4.13.13</a></li>
diff --git a/history/samba-4.13.16.html b/history/samba-4.13.16.html
new file mode 100644
index 0000000..8e85d8b
--- /dev/null
+++ b/history/samba-4.13.16.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.13.16 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.13.16 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.gz">Samba 4.13.16 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.gz">Patch (gzipped) against Samba 4.13.15</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ===============================
+ Release Notes for Samba 4.13.16
+ January 10, 2022
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
+ https://www.samba.org/samba/security/CVE-2021-43566.html
+
+
+=======
+Details
+=======
+
+o CVE-2021-43566:
+ All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+ client using an SMB1 or NFS symlink race to allow a directory to be
+ created in an area of the server file system not exported under the
+ share definition. Note that SMB1 has to be enabled, or the share
+ also available via NFS in order for this attack to succeed.
+
+ Clients that have write access to the exported part of the file system
+ under a share via SMB1 unix extensions or NFS can create symlinks that
+ can race the server by renaming an existing path and then replacing it
+ with a symlink. If the client wins the race it can cause the server to
+ create a directory under the new symlink target after the exported
+ share path check has been done. This new symlink target can point to
+ anywhere on the server file system. The authenticated user must have
+ permissions to create a directory under the target directory of the
+ symlink.
+
+ This is a difficult race to win, but theoretically possible. Note that
+ the proof of concept code supplied wins the race only when the server
+ is slowed down and put under heavy load. Exploitation of this bug has
+ not been seen in the wild.
+
+
+Changes since 4.13.15
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
+
+
+</pre>
+</p>
+</body>
+</html>
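Review bot: In history/samba-4.13.16.html the <pre> block sits inside <p> ... </p>, which is not valid under the XHTML 1.0 Transitional doctype declared at the top of the file, and the two <br> tags after the download links are not self-closed. Suggest dropping the <p> wrapper around <pre> and writing <br />, the form the new history/security.html row in this same commit already uses. The release notes also link to https://www.samba.org/samba/security/CVE-2021-43566.html while the changeset only adds security/CVE-2021-43566.txt, so please confirm the .html page is generated from the .txt before publication.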
diff --git a/history/security.html b/history/security.html
index ecc3213..0606900 100755
--- a/history/security.html
+++ b/history/security.html
@@ -26,6 +26,22 @@ link to full release notes for each release.</p>
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>10 January 2022</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.13.16-security-2022-01-10.patch">
+ patch for Samba 4.13.16</a><br />
+ </td>
+ <td>Symlink race error can allow directory creation outside of the exported share.
+ </td>
+ <td>All versions of the Samba file server prior to 4.13.16</td>
+ <td>
+ <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43566">CVE-2021-43566</a>.
+ </td>
+ <td>
+ <a href="/samba/security/CVE-2021-43566.html">Announcement</a>.
+ </td>
+ </tr>
+
<tr>
<td>9 November 2021</td>
<td><a href="/samba/ftp/patches/security/samba-4.15.1-security-2021-11-09.patch">
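Review bot: Both links in the new table row point at files this changeset does not create: the patch at /samba/ftp/patches/security/samba-4.13.16-security-2022-01-10.patch and the Announcement at /samba/security/CVE-2021-43566.html (only security/CVE-2021-43566.txt is added). Please confirm the patch is uploaded and the .html is generated before this row goes live. The affected-versions cell says "All versions of the Samba file server prior to 4.13.16" without the precondition the advisory states (SMB1 enabled, or the share also exported via NFS); consider adding it so that admins triaging from this table can see whether they are exposed.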
diff --git a/posted_news/20220110-100103.4.13.16.body.html b/posted_news/20220110-100103.4.13.16.body.html
new file mode 100644
index 0000000..cedcc5a
--- /dev/null
+++ b/posted_news/20220110-100103.4.13.16.body.html
@@ -0,0 +1,14 @@
+<!-- BEGIN: posted_news/20220110-100103.4.13.16.body.html -->
+<h5><a name="4.13.16">10 January 2022</a></h5>
+<p class=headline>Samba 4.13.16 Security Release is available for Download
+<p>
+These is a Security Release in order to address
+<a href="/samba/security/CVE-2021-43566.html">CVE-2021-43566</a>.
+</p>
+<p>
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.13.16.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.13.15-4.13.16.diffs.gz">patch against Samba 4.13.15</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.13.16.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20220110-100103.4.13.16.body.html -->
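Review bot: Typo in the first paragraph of the news body: "These is a Security Release" should read "This is a Security Release". In the same file, <p class=headline> has an unquoted attribute value and is never closed before the next <p>; unless the news template depends on that form, quote the value and close the element. The signing key is given only as the 64-bit ID AA99442FB680B620; publishing the full fingerprint next to the download link would let users verify the tarball signature against an unambiguous key.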
diff --git a/posted_news/20220110-100103.4.13.16.headline.html b/posted_news/20220110-100103.4.13.16.headline.html
new file mode 100644
index 0000000..33836fa
--- /dev/null
+++ b/posted_news/20220110-100103.4.13.16.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20220110-100103.4.13.16.headline.html -->
+<li> 10 January 2022 <a href="#4.13.16">Samba 4.13.16 Security Release is
+available for Download</a></li>
+<!-- END: posted_news/20220110-100103.4.13.16.headline.html -->
diff --git a/security/CVE-2021-43566.txt b/security/CVE-2021-43566.txt
new file mode 100644
index 0000000..6dfa957
--- /dev/null
+++ b/security/CVE-2021-43566.txt
@@ -0,0 +1,93 @@
+===========================================================
+== Subject: Symlink race error can allow directory creation
+== outside of the exported share.
+==
+== CVE ID#: CVE-2021-43566
+==
+==
+== Versions: All versions of the Samba file server prior to
+== 4.13.16
+==
+== Summary: A malicious client can use a symlink race to
+== create a directory in a part of the server file
+== system not exported under the share definition.
+== The user must have permissions to create the
+== directory in the target directory.
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+client using an SMB1 or NFS symlink race to allow a directory to be
+created in an area of the server file system not exported under the
+share definition. Note that SMB1 has to be enabled, or the share
+also available via NFS in order for this attack to succeed.
+
+Clients that have write access to the exported part of the file system
+under a share via SMB1 unix extensions or NFS can create symlinks that
+can race the server by renaming an existing path and then replacing it
+with a symlink. If the client wins the race it can cause the server to
+create a directory under the new symlink target after the exported
+share path check has been done. This new symlink target can point to
+anywhere on the server file system. The authenticated user must have
+permissions to create a directory under the target directory of the
+symlink.
+
+This is a difficult race to win, but theoretically possible. Note that
+the proof of concept code supplied wins the race only when the server
+is slowed down and put under heavy load. Exploitation of this bug has
+not been seen in the wild.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue has been posted to:
+
+ https://www.samba.org/samba/security/
+
+Samba 4.13.16 has been issued as a security releases to correct the
+defect. Samba administrators are advised to upgrade to this release as
+soon as possible.
+
+==================
+CVSSv3.1 calculation
+==================
+
+CVSS:2.2/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N
+
+base score of 2.6.
+
+=================================
+Workaround and mitigating factors
+=================================
+
+Do not enable SMB1 (please note SMB1 is disabled by default in Samba
+from version 4.11.0 and onwards). This prevents the creation of
+symbolic links via SMB1. If SMB1 must be enabled for backwards
+compatibility then add the parameter:
+
+unix extensions = no
+
+to the [global] section of your smb.conf and restart smbd. This
+prevents SMB1 clients from creating symlinks on the exported file
+system.
+
+However, if the same region of the file system is also exported using
+NFS, NFS clients can create symlinks that potentially can also hit the
+race condition. For non-patched versions of Samba we recommend only
+exporting areas of the file system by either SMB2 or NFS, not both.
+
+=======
+Credits
+=======
+
+Reported by Michael Hanselmann of Google.
+Jeremy Allison of Google and the Samba Team provided the fix.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
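Review bot: The CVSS section of security/CVE-2021-43566.txt is internally inconsistent: the heading says "CVSSv3.1 calculation", the vector string begins with "CVSS:2.2/" where the version prefix "CVSS:3.1/" is expected, and the following line reports a "base score of 2.6". Please correct the prefix and state which score each number refers to, since the vector carries temporal and environmental metrics (E:P/RL:O/RC:C and MAV:N alongside AV:A) in addition to the base metrics. Minor wording under Patch Availability: "Patches addressing this issue has been posted" should be "have been posted", and "issued as a security releases" should be "issued as a security release". The "=" underline for the CVSS heading is also shorter than the heading text.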
--
Samba Website Repository