[SCM] Samba Shared Repository - branch v4-18-stable updated
Jule Anger
janger at samba.org
Tue Oct 10 15:07:13 UTC 2023
The branch, v4-18-stable has been updated
via 3dc0412a79f Merge tag 'samba-4.18.8' into v4-18-stable
via f1c0d4f1feb VERSION: Disable GIT_SNAPSHOT for the 4.18.8 release.
via 0bf0250e358 WHATSNEW: Add release notes for Samba 4.18.8.
via eb6f2d92e8a CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
via 4eba269b1ba CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
via 2ef556473bd CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
via e652fbe8525 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
via 4b3da3a97d1 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
via e691257c618 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
via 9d249db44c7 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
via ebc2796a029 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
via 3e7bdcd0e48 CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
via 23031057e86 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
via 87ff4f57bf7 CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
via 8ad21108f88 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
via 570e892a0e8 CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
via 7ebf51dd8b5 CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
via da9bdf36c35 CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
via 217b30b05e2 CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
via 8a2b11fda30 CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
via 8ebcfe5599c CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
via b65b141ed75 CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
via 704fadfb60e CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
via e8df1a60866 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
via 5ca0ee6f111 CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
via 582f4f2e844 CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
via 3c432b14469 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
via bfe8e10bf3b CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
via 3e64edae781 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
via d1a26b4f46b CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
via 84b5d3640f7 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
via 2576c0275dc VERSION: Bump version up to Samba 4.18.8...
from 85475a0cb20 CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable
- Log -----------------------------------------------------------------
commit 3dc0412a79fdbba02dc1c729c13c8ebff9aa6a85
Merge: 85475a0cb20 f1c0d4f1feb
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 10 17:04:24 2023 +0200
Merge tag 'samba-4.18.8' into v4-18-stable
samba: tag release samba-4.18.8
commit f1c0d4f1feb8105d22307e29150e0b7d59b5fed9
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 10 10:58:39 2023 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.18.8 release.
Signed-off-by: Jule Anger <janger at samba.org>
commit 0bf0250e358b3084d6c4c28df31b92fdaded9557
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 10 10:58:08 2023 +0200
WHATSNEW: Add release notes for Samba 4.18.8.
Signed-off-by: Jule Anger <janger at samba.org>
commit eb6f2d92e8af60d67334a94ab5df56785a1508f2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 16:23:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4eba269b1ba4ce6e9f71efed9f537249d1bd2c5d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 12:28:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 2ef556473bd858fc3dbcd6372835ded48f75135d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 19:01:03 2023 +1200
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e652fbe8525dfaa5b7d794cac90f9d216432e78c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 18:59:44 2023 +1200
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4b3da3a97d1cbfd17a4eef466eb3bc1fc4887a34
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 17:58:27 2023 +1200
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e691257c61813f2cf9513d149ba82b021ec824ee
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 22 15:08:17 2023 +1200
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 9d249db44c7c8feb1c4e8719739a5cee60b25842
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 14:30:19 2023 +1200
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit ebc2796a029b4dbe803457db0de9e999d1203460
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 11:18:46 2023 +1200
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 3e7bdcd0e488fe0788ca537ca9894f0c4fda6be6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 11:56:56 2023 +1200
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 23031057e8626e61994bf833226c196e0d966e63
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 14:44:28 2023 +1200
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 87ff4f57bf7a1980f2f6299115e35ab12483a150
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 13:15:40 2023 +1200
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 8ad21108f88be4fcabc1919757eed2ed06c06fba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 11:55:55 2023 +1200
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 570e892a0e811b1c90b7fe6b065b16591d38f7ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:03:44 2023 +0100
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)
commit 7ebf51dd8b57b5932bb6f923d513e3f84c653567
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:00:11 2023 +0100
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)
commit da9bdf36c357826f4dd25cf1121dfdbba3ed1dd2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 09:57:43 2023 +0100
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)
commit 217b30b05e24b66a427d9cc605141f917b88745c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 17 14:08:34 2023 +0100
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)
commit 8a2b11fda30eef3883bbe9ea538dae6f68216fd9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:11:05 2023 +0100
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)
commit 8ebcfe5599c5540da2fdd161d5108275d22c959e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 18:03:10 2023 +0100
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)
commit b65b141ed7572503fc896b5efd46b3a48ef847d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 10 18:25:18 2023 +0100
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)
commit 704fadfb60e74bbaee41f0e37415c1f31734fb34
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 14 17:19:27 2023 +1300
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)
commit e8df1a60866651678ce99d730f6a5e4bcc671b1d
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 2 10:44:32 2023 +0200
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
commit 5ca0ee6f111e63ef92bbb8fc94b81a08b490854f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jan 27 07:43:40 2023 +1300
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)
commit 582f4f2e844d95e48444d2b98c7397cac32ad6d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 14:49:06 2023 +1300
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)
commit 3c432b144690353b7c86daf38612a2e19eb82084
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 1 13:04:36 2023 +0200
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
commit bfe8e10bf3b5dafecd0b19ef8ea163327f73a531
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 1 12:30:00 2023 +0200
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
commit 3e64edae781fe8cdec33b68b00f5daa51bb74b5d
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:54:41 2023 -0700
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
commit d1a26b4f46b4f27d01c90a71b9bbd065c2d0efd1
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:49:21 2023 -0700
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 84b5d3640f7103dcc8984df7be679967bc06fd44
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:41:04 2023 -0700
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 2576c0275dc9dcb4ca1cfb6a6a323f4e30651bd0
Author: Jule Anger <janger at samba.org>
Date: Wed Sep 27 10:09:45 2023 +0200
VERSION: Bump version up to Samba 4.18.8...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
(cherry picked from commit ca1b7c185edf67b1ceb988a8015396351c5ac240)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 80 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 305add2b815..8fa17dff606 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=18
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fd11954058e..53fe4eafa72 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,81 @@
+ ==============================
+ Release Notes for Samba 4.18.8
+ October 10, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+
+o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
+ existing unix domain sockets on the file system.
+ https://www.samba.org/samba/security/CVE-2023-3961.html
+
+o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
+ OVERWRITE disposition when using the acl_xattr Samba VFS
+ module with the smb.conf setting
+ "acl_xattr:ignore system acls = yes"
+ https://www.samba.org/samba/security/CVE-2023-4091.html
+
+o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
+ attributes, including secrets and passwords. Additionally,
+ the access check fails open on error conditions.
+ https://www.samba.org/samba/security/CVE-2023-4154.html
+
+o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
+ server block for a user-defined amount of time, denying
+ service.
+ https://www.samba.org/samba/security/CVE-2023-42669.html
+
+o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
+ listeners, disrupting service on the AD DC.
+ https://www.samba.org/samba/security/CVE-2023-42670.html
+
+
+Changes since 4.18.7
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15422: CVE-2023-3961.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15424: CVE-2023-4154.
+ * BUG 15473: CVE-2023-42670.
+ * BUG 15474: CVE-2023-42669.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15439: CVE-2023-4091.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 15424: CVE-2023-4154.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15424: CVE-2023-4154.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.18.7
September 27, 2023
@@ -72,8 +150,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.18.6
August 16, 2023
--
Samba Shared Repository
More information about the samba-cvs
mailing list