[SCM] Samba Website Repository - branch master updated

Jule Anger janger at samba.org
Mon Nov 27 12:18:48 UTC 2023 

The branch, master has been updated
       via  a6c387d NEWS[4.19.3]: Samba 4.19.3 Available for Download
      from  4ce4e3e NEWS[4.19.2]: Samba 4.19.2 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a6c387d97d24de18a023465777e35dadeb47013b
Author: Jule Anger <janger at samba.org>
Date:   Mon Nov 27 13:10:28 2023 +0100

    NEWS[4.19.3]: Samba 4.19.3 Available for Download
    
    Signed-off-by: Jule Anger <janger at samba.org>
    
    tmp

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |   1 +
 history/samba-4.19.3.html                        | 122 +++++++++++++++++++++++
 posted_news/20231127-121657.4.19.3.body.html     |  13 +++
 posted_news/20231127-121657.4.19.3.headline.html |   3 +
 security/CVE-2018-14628.html                     | 121 ++++++++++++++++++++++
 5 files changed, 260 insertions(+)
 create mode 100644 history/samba-4.19.3.html
 create mode 100644 posted_news/20231127-121657.4.19.3.body.html
 create mode 100644 posted_news/20231127-121657.4.19.3.headline.html
 create mode 100644 security/CVE-2018-14628.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index ef2d992..05d409d 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.19.3.html">samba-4.19.3.</a></li>
 			<li><a href="samba-4.19.2.html">samba-4.19.2</a></li>
 			<li><a href="samba-4.19.1.html">samba-4.19.1</a></li>
 			<li><a href="samba-4.19.0.html">samba-4.19.0</a></li>
diff --git a/history/samba-4.19.3.html b/history/samba-4.19.3.html
new file mode 100644
index 0000000..584e293
--- /dev/null
+++ b/history/samba-4.19.3.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.19.3 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.19.3 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.gz">Samba 4.19.3 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.gz">Patch (gzipped) against Samba 4.19.2</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.19.3
+                         November 27, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+    allow read of object tombstones over LDAP
+    (Administrator action required!)
+    https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+        Owner mismatch: SY (in ref) DA(in current)
+        Group mismatch: SY (in ref) DA(in current)
+        Part dacl is different between reference and current here is the detail:
+                (A;;LCRPLORC;;;AU) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+                (A;;LCRP;;;BA) ACE is not present in the current
+   [y/N/all/none] y
+  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.19.2
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15487: smbd crashes if asked to return full information on close of a
+     stream handle with delete on close disposition set.
+   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+     smb_fname_fsp_destructor().
+
+o  Pavel Filipenský <pfilipensky at samba.org>
+   * BUG 15499: Improve logging for failover scenarios.
+
+o  Björn Jacke <bj at sernet.de>
+   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+     listed in directories.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+     AD LDAP to normal users.
+   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
+     accounts.
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15513: Samba doesn't build with Python 3.12.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/posted_news/20231127-121657.4.19.3.body.html b/posted_news/20231127-121657.4.19.3.body.html
new file mode 100644
index 0000000..03afe16
--- /dev/null
+++ b/posted_news/20231127-121657.4.19.3.body.html
@@ -0,0 +1,13 @@
+<!-- BEGIN: posted_news/20231127-121657.4.19.3.body.html -->
+<h5><a name="4.19.3">27 November 2023</a></h5>
+<p class=headline>Samba 4.19.3 Available for Download</p>
+<p>
+This is the latest stable release of the Samba 4.19 release series.
+</p>
+<p>
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.gz">patch against Samba 4.19.2</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.19.3.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20231127-121657.4.19.3.body.html -->
diff --git a/posted_news/20231127-121657.4.19.3.headline.html b/posted_news/20231127-121657.4.19.3.headline.html
new file mode 100644
index 0000000..b1f889c
--- /dev/null
+++ b/posted_news/20231127-121657.4.19.3.headline.html
@@ -0,0 +1,3 @@
+<!-- BEGIN: posted_news/20231127-121657.4.19.3.headline.html -->
+<li> 27 November 2023 <a href="#4.19.3">Samba 4.19.3 Available for Download</a></li>
+<!-- END: posted_news/20231127-121657.4.19.3.headline.html -->
diff --git a/security/CVE-2018-14628.html b/security/CVE-2018-14628.html
new file mode 100644
index 0000000..0264d04
--- /dev/null
+++ b/security/CVE-2018-14628.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2018-14628.html:</H2>
+
+<p>
+<pre>
+====================================================================
+== Subject:     Unprivileged read of deleted object tombstones
+==              in AD LDAP server
+==
+== CVE ID#:     CVE-2018-14628
+==
+== Versions:    All versions of Samba from 4.0.0 onwards.
+==
+== Summary:     Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+==              allow read of object tombstones over LDAP
+==              (Administrator action required!)
+==
+====================================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft&#x27;s Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+===================================================
+Action required in order to resolve CVE-2018-14628!
+===================================================
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+        Owner mismatch: SY (in ref) DA(in current)
+        Group mismatch: SY (in ref) DA(in current)
+        Part dacl is different between reference and current here is the detail:
+                (A;;LCRPLORC;;;AU) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+                (A;;LCRP;;;BA) ACE is not present in the current
+   [y/N/all/none] y
+  Fixed attribute &#x27;nTSecurityDescriptor&#x27; of &#x27;CN=Deleted Objects,DC=samba,DC=org&#x27;
+
+The change should be confirmed with &#x27;y&#x27; for all objects starting with
+&#x27;CN=Deleted Objects&#x27;.
+
+==================
+Patch Availability
+==================
+
+The Samba Team decided not to issue a dedicated security release,
+see https://wiki.samba.org/index.php/Samba_Security_Process.
+
+See https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+==========
+Workaround
+==========
+
+The administrator can manually change the ntSecurityDescriptor
+attribute for the "CN=Deleted Objects" containers to the
+following SDDL:
+
+  O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)
+
+It basically means System has FullAccess, while Builtin\Administrators
+has ReadProperty and ListChildren rights.
+
+There&#x27;s a separate "CN=Deleted Objects" container in the root
+of each naming context/partition (expect the schema partition).
+The fix should be applied to all (typically 4) partitions,
+while the domain partition is the most important one.
+
+=======
+Credits
+=======
+
+The initial bugs were found by the Andrew Bartlett of Catalyst.
+Andrew Bartlett of Catalyst and the Samba Team did the investigation
+and Stefan Metzmacher of SerNet provided the final fix.
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file


-- 
Samba Website Repository

More information about the samba-cvs mailing list