[SCM] Samba Shared Repository - branch v4-17-stable updated

Jule Anger janger at samba.org
Tue Oct 10 15:01:11 UTC 2023


The branch, v4-17-stable has been updated
       via  1006203e495 Merge tag 'samba-4.17.12' into v4-17-stable
       via  7ec207cd414 VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release.
       via  a59469b2a87 WHATSNEW: Add release notes for Samba 4.17.12.
       via  2acdaf9860f CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
       via  51bc79f85a8 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
       via  d4d49635247 CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
       via  a16b210ec65 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
       via  8f87277b4e9 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
       via  4c897f5b854 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
       via  b586f8cc9c7 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
       via  d30349ac4cf CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
       via  e0cec7f7908 CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
       via  c18f819f8ce CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
       via  23b867c70bd CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
       via  d7ab8d4c2ea CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
       via  3de5d8a0116 CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
       via  3c34a51da12 CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
       via  2c7710bd5bc CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
       via  92cf3328a00 CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
       via  ebd421306e7 CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
       via  d038ac36c13 CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
       via  60baeea804a CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
       via  c7fba7218cd CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
       via  76091f35016 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
       via  38d62aa3b2b CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
       via  bea7fd5eadc CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
       via  d7034c4194a CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
       via  8c0be1d17a5 CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
       via  8b26f634372 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
       via  b08a60160e6 CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
       via  4b3e5c2f036 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
       via  125ce23115b CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
       via  e5a1c1cfb0a CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
       via  1fdc51ffec9 VERSION: Bump version up to Samba 4.17.12...
      from  0e746c02f6c CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable


- Log -----------------------------------------------------------------
commit 1006203e495dfb7ca2969f113aeffda3ea660d92
Merge: 0e746c02f6c 7ec207cd414
Author: Jule Anger <janger at samba.org>
Date:   Tue Oct 10 16:54:15 2023 +0200

    Merge tag 'samba-4.17.12' into v4-17-stable
    
    samba: tag release samba-4.17.12

commit 7ec207cd4146919e4ee88e5522647c169baf6922
Author: Jule Anger <janger at samba.org>
Date:   Tue Oct 10 10:42:49 2023 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit a59469b2a87cf297b96dc110714feddaba2a1f86
Author: Jule Anger <janger at samba.org>
Date:   Tue Oct 10 10:41:53 2023 +0200

    WHATSNEW: Add release notes for Samba 4.17.12.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 2acdaf9860f127c179a3d2e2adb18f901854aebf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 12 16:23:49 2023 +1200

    CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
    
    We now have ensured that no conflicting services attempt to start
    so we do not need the runtime lookup and so avoid the risk that
    the lookup may fail.
    
    This means that any duplicates will be noticed early not just
    in a race condition.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 51bc79f85a8d63ed5428c2975f60094157dda2e5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 12 12:28:49 2023 +1200

    CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
    
    Just as we refuse to start NETLOGON except on the DC, we must refuse
    to start all of the RPC services that are provided by the AD DC.
    
    Most critically of course this applies to netlogon, lsa and samr.
    
    This avoids the suppression of these services being the result of a
    runtime epmapper lookup, as if that fails these services can disrupt
    service to end users by listening on the same socket as the AD DC
    servers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit d4d49635247ab4bc580899d7c5fb54484b806225
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 12 19:01:03 2023 +1200

    CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
    
    The rpcecho server in source3 does have the same sleep() feature that
    the s4 version has, but the task architecture is different, so there
    is not the same impact.  However equally this is not something that
    should be enabled on production builds of Samba, so restrict to
    selftest builds.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit a16b210ec651b535b43c21574ca439238e2f8772
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 12 18:59:44 2023 +1200

    CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
    
    The rpcecho server is useful in development and testing, but should never
    have been allowed into production, as it includes the facility to
    do a blocking sleep() in the single-threaded rpc worker.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 8f87277b4e926035d825e81c4f8381d917e9d229
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 8 17:58:27 2023 +1200

    CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
    
    This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
    Samba.
    
    Having a second access control system within the LDAP stack is unsafe
    and this layer is incomplete.
    
    The current system gives all accounts that have been given the
    GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
    this equates to full access to passwords as well as "RODC Filtered
    attributes" (often used with confidential attributes).
    
    Rather than attempting to correctly filter for secrets (passwords) and
    these filtered attributes, as well as preventing search expressions for
    both, we leave this complexity to the acl_read module which has this
    facility already well tested.
    
    The implication is that callers will only see and filter by attribute
    in DirSync that they could without DirSync.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4c897f5b8542ad29b51ffc9eb219fcb9eaf7754b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 22 15:08:17 2023 +1200

    CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
    
    The aim here is to document the expected (even if not implemented)
    SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
    that any change once CVE-2023-4154 is fixed can be noted.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit b586f8cc9c797b3dd89d32d12921e2820dbcf1ce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 8 14:30:19 2023 +1200

    CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
    
    SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
    but for DirSync and DRS replication.  Accounts with
    GUID_DRS_GET_CHANGES rights should not be able to read this
    attribute.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit d30349ac4cfa27c5950c54b7c083cb2c53300a0f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 8 11:18:46 2023 +1200

    CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
    
    When we (expect to) get back a result, do not waste time against a potentially
    slow server confirming we also get back results for all the other attribute
    combinations.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit e0cec7f7908ecbdd6a2d9785352279416cae1ece
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 7 11:56:56 2023 +1200

    CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit c18f819f8ce285e014cfb51279e144eb4d141d9e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 7 14:44:28 2023 +1200

    CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
    
    Rather than fail, if the last run failed to reset things, just force
    the DC into the required state.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 23b867c70bd995ca6eedcf0b72a24c043e8e7fb0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 7 13:15:40 2023 +1200

    CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
    
    This helps ensure this test is reliable even in spite of errors while
    running.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit d7ab8d4c2ea390d4d4f9be55f7072fa875457721
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 7 11:55:55 2023 +1200

    CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
    
    To re-use setup code, the super-class must have no test_*() methods
    otherwise these will be run as well as the class-local tests.
    
    We rename tests that would otherwise have duplicate names
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 3de5d8a01163bfa70464d7532069ed467e4ffd10
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 10:03:44 2023 +0100

    CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)

commit 3c34a51da12c4b1fb446f9a384ff57cdc6019632
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 10:00:11 2023 +0100

    CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
    
    Often it is important to insert an ace at a specific position in the
    ACL. As a default we still append by default by using -1, which is the
    generic version of passing the number of existing aces.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)

commit 2c7710bd5bc979d5fa601d2ee841592694bb14df
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 09:57:43 2023 +0100

    CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)

commit 92cf3328a00cacb07fe7c6b7abf5335dc8235e86
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 14:08:34 2023 +0100

    CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
    
    This uses ndr_pack/unpack in order to create a deep copy
    of the given object.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)

commit ebd421306e7b1ec37e7a477937d04a27de838cff
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 10:11:05 2023 +0100

    CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)

commit d038ac36c13b5eb8f17491c9c066d3111a8f7d79
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 18:03:10 2023 +0100

    CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
    
    They better represent what they are doing, we keep dacl_add_ace()
    as wrapper of dacl_prepend_aces() in order to let existing callers
    work as before.
    
    In future it would be good to have a dacl_insert_aces() that
    would canonicalize the ace order before storing, but that is a task
    for another day.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)

commit 60baeea804aeaf9a2ea618d14985a9b7560e03a7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 10 18:25:18 2023 +0100

    CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
    
    This is a more generic api that can be re-used in other places
    as well in future. It operates on a security descriptor object instead of
    SDDL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)

commit c7fba7218cd2c271e53268fc857e206aec4f98d7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 14 17:19:27 2023 +1300

    CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
    
    It's no longer used anywhere.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)

commit 76091f35016bd6e642237973981b1c88a9e44062
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 2 10:44:32 2023 +0200

    CVE-2023-4154 s4:dsdb:tests: Fix code spelling
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    (cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

commit 38d62aa3b2b202d2080b8814f6d9acd8bf99f226
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jan 27 07:43:40 2023 +1300

    CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
    
    Use more specific unittest methods, and remove unused code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)

commit bea7fd5eadccb670d3cfc233fd5cbc6c80d5cf95
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 1 14:49:06 2023 +1300

    CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
    
    The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
    remove the complexity.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    (cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)

commit d7034c4194a2cec0a88870ea3c7709d2a323653a
Author: Christian Merten <christian at merten.dev>
Date:   Mon Sep 19 23:01:34 2022 +0200

    CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
    
    Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
    security descriptor class to python.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Christian Merten <christian at merten.dev>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78)

commit 8c0be1d17a5f4e700fe38b5f58d1caa359e8c383
Author: Christian Merten <christian at merten.dev>
Date:   Mon Sep 19 22:47:10 2022 +0200

    CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
    
    Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
    
    Signed-off-by: Christian Merten <christian at merten.dev>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 7efe673fbdcd27ddd23f36281c5f5338681a68fe)

commit 8b26f634372f11edcbea33dfd68a3d57889dfcc5
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Aug 1 13:04:36 2023 +0200

    CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
    
    If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
    FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
    access check we're using access_mask which doesn't contain the additional
    right, which means we can end up truncating a file for which the user has
    only read-only access via an SD.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
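
The mismatch described in the commit message above (CVE-2023-4091), as an added example that is not Samba's code: a simplified model in which the security descriptor is reduced to a granted-rights bitmask. `struct open_request`, `effective_open_mask()`, `sd_allows()` and the two `open_allowed_*()` functions are hypothetical names chosen for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-right bits and create dispositions. */
#define FILE_READ_DATA    0x0001u
#define FILE_WRITE_DATA   0x0002u
#define FILE_OPEN         1u
#define FILE_OVERWRITE    4u
#define FILE_OVERWRITE_IF 5u

/* Hypothetical request model for this example (not a Samba struct). */
struct open_request {
    uint32_t access_mask;         /* rights the client asked for */
    uint32_t create_disposition;  /* what to do if the file exists */
};

/* The overwrite dispositions truncate an existing file. */
static bool truncates(const struct open_request *req)
{
    return req->create_disposition == FILE_OVERWRITE ||
           req->create_disposition == FILE_OVERWRITE_IF;
}

/* Rights the open really exercises: truncation implies FILE_WRITE_DATA,
 * even when the client did not ask for it. */
uint32_t effective_open_mask(const struct open_request *req)
{
    uint32_t mask = req->access_mask;
    if (truncates(req)) {
        mask |= FILE_WRITE_DATA;
    }
    return mask;
}

/* Simplified SD evaluation: every wanted bit must be granted. */
static bool sd_allows(uint32_t granted, uint32_t wanted)
{
    return (wanted & ~granted) == 0;
}

/* "Before": the check sees only the client's mask, so the implied
 * write right is never tested against the SD. */
bool open_allowed_before(const struct open_request *req, uint32_t granted)
{
    return sd_allows(granted, req->access_mask);
}

/* "After": the check uses the same mask the open will act on. */
bool open_allowed_after(const struct open_request *req, uint32_t granted)
{
    return sd_allows(granted, effective_open_mask(req));
}

int main(void)
{
    /* Constructed sample: the SD grants this user read access only. */
    const uint32_t granted = FILE_READ_DATA;
    const struct open_request cases[] = {
        { FILE_READ_DATA, FILE_OPEN },
        { FILE_READ_DATA, FILE_OVERWRITE },
        { FILE_READ_DATA, FILE_OVERWRITE_IF },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const struct open_request *r = &cases[i];
        printf("disposition=%u before=%s after=%s truncates=%s\n",
               (unsigned)r->create_disposition,
               open_allowed_before(r, granted) ? "allow" : "deny",
               open_allowed_after(r, granted) ? "allow" : "deny",
               truncates(r) ? "yes" : "no");
    }
    return 0;
}
```
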

commit b08a60160e6ab8d982d31844bcbf7ab67ff3a8de
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Aug 1 12:30:00 2023 +0200

    CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 4b3e5c2f036f868e38ad5da7faba05db32f624f4
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jul 25 17:54:41 2023 -0700

    CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
    
    We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
    
    Remove knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 125ce23115b92045a1584f5654669180bea83067
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jul 25 17:49:21 2023 -0700

    CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
    
    The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
    as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
    
    Add the knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    [abartlet at samba.org backported to Samba 4.17 due to conflicts from
     context of other new torture tests missing in this version and
     changes in smb2cli_create() arguments]

commit e5a1c1cfb0a73a37001afee530ae09bf5c58b515
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jul 25 17:41:04 2023 -0700

    CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
    
    For now, SMB_ASSERT() to exit the server. We will remove
    this once the test code is in place.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 1fdc51ffec991d18546904d89d31029b2bcff1f5
Author: Jule Anger <janger at samba.org>
Date:   Thu Sep 7 10:54:42 2023 +0200

    VERSION: Bump version up to Samba 4.17.12...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Jule Anger <janger at samba.org>
    (cherry picked from commit b0b25f067ba3a6ef0e1e76ea7d18a67c0d5b6edd)

-----------------------------------------------------------------------

Summary of changes:
 VERSION      |  2 +-
 WHATSNEW.txt | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 86 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 095b267f389..367b3aa9255 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
 
 ########################################################
 # If a official release has a serious bug              #
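
Review bot: the SAMBA_VERSION_RELEASE line is the only change in this hunk, so it gives no evidence that GIT_SNAPSHOT is off for the release, which is what commit 7ec207cd414 says it does; the re-enable in 1fdc51ffec9 and the later disable appear to cancel out in this net diff. Confirm the snapshot setting in VERSION at the samba-4.17.12 tag rather than relying on this hunk as the record of the release state. Separately, the context comment "If a official release" should read "an official".
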
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0b12f34e798..66ef45dd1b2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,87 @@
+                   ===============================
+                   Release Notes for Samba 4.17.12
+                          October 10, 2023
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+
+o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
+                  existing unix domain sockets on the file system.
+                  https://www.samba.org/samba/security/CVE-2023-3961.html
+
+o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
+                  OVERWRITE disposition when using the acl_xattr Samba VFS
+                  module with the smb.conf setting
+                  "acl_xattr:ignore system acls = yes"
+                  https://www.samba.org/samba/security/CVE-2023-4091.html
+
+o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
+                  attributes, including secrets and passwords.  Additionally,
+                  the access check fails open on error conditions.
+                  https://www.samba.org/samba/security/CVE-2023-4154.html
+
+o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
+                  server block for a user-defined amount of time, denying
+                  service.
+                  https://www.samba.org/samba/security/CVE-2023-42669.html
+
+o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
+                  listeners, disrupting service on the AD DC.
+                  https://www.samba.org/samba/security/CVE-2023-42670.html
+
+
+Changes since 4.17.11
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 15422: CVE-2023-3961.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 15424: CVE-2023-4154.
+   * BUG 15473: CVE-2023-42670.
+   * BUG 15474: CVE-2023-42669.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15439: CVE-2023-4091.
+
+o  Christian Merten <christian at merten.dev>
+   * BUG 15424: CVE-2023-4154.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 15424: CVE-2023-4154.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15424: CVE-2023-4154.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 15424: CVE-2023-4154.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ===============================
                    Release Notes for Samba 4.17.11
                          September 07, 2023
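
Review bot: the CVE-2023-42669 and CVE-2023-4154 entries added at the top of WHATSNEW.txt describe the defects but not the behaviour changes that fix them. The commit messages in this push say the rpcecho server is now disabled by default and restricted to selftest builds, and that LDAP_DIRSYNC_OBJECT_SECURITY becomes the only DirSync behaviour; both can affect existing deployments, so add a short line for each under its entry, or state that the linked advisory covers the change.
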
@@ -85,8 +169,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ===============================
                    Release Notes for Samba 4.17.10
                             July 19, 2023


-- 
Samba Shared Repository


