[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Nov 27 12:08:39 UTC 2023


The branch, v4-19-test has been updated
       via  f45acdafa90 VERSION: Bump version up to Samba 4.19.4...
       via  fcd094b208f VERSION: Disable GIT_SNAPSHOT for the 4.19.3 release.
       via  e4a8049f7d9 WHATSNEW: Add release notes for Samba 4.19.3.
      from  5897f213e11 vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit f45acdafa90d1f873e07180f34b5906c7860c202
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 27 13:05:29 2023 +0100

    VERSION: Bump version up to Samba 4.19.4...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit fcd094b208f9db4ad77ad75061446099b5ea26cf
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 27 13:04:53 2023 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.19.3 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit e4a8049f7d9baa64e4e6009ef45ff2abf1d8abb7
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 27 13:04:13 2023 +0100

    WHATSNEW: Add release notes for Samba 4.19.3.
    
    Signed-off-by: Jule Anger <janger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION      |   2 +-
 WHATSNEW.txt | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 125 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 0a59ad9f423..398208fb3fa 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b9b3205212c..2d098c61f18 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,126 @@
+                   ==============================
+                   Release Notes for Samba 4.19.3
+                         November 27, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+    allow read of object tombstones over LDAP
+    (Administrator action required!)
+    https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+        Owner mismatch: SY (in ref) DA(in current)
+        Group mismatch: SY (in ref) DA(in current)
+        Part dacl is different between reference and current here is the detail:
+                (A;;LCRPLORC;;;AU) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+                (A;;LCRP;;;BA) ACE is not present in the current
+   [y/N/all/none] y
+  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.19.2
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15487: smbd crashes if asked to return full information on close of a
+     stream handle with delete on close disposition set.
+   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+     smb_fname_fsp_destructor().
+
+o  Pavel Filipenský <pfilipensky at samba.org>
+   * BUG 15499: Improve logging for failover scenarios.
+
+o  Björn Jacke <bj at sernet.de>
+   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+     listed in directories.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+     AD LDAP to normal users.
+   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
+     accounts.
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15513: Samba doesn't build with Python 3.12.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.2
                           October 16, 2023
@@ -58,8 +181,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.1
                           October 10, 2023


-- 
Samba Shared Repository



More information about the samba-cvs mailing list