[Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download

Evgeny Sinelnikov sin at altlinux.ru
Mon Dec 19 14:20:08 UTC 2016


Hello,

we got a build problem for 4.3.13 and 4.4.8:
../auth/kerberos/kerberos_pac.c: In function 'check_pac_checksum':
../auth/kerberos/kerberos_pac.c:46:7: error:
'CKSUMTYPE_HMAC_SHA1_96_AES_256' undeclared (first use in this
function)
../auth/kerberos/kerberos_pac.c:46:7: note: each undeclared identifier
is reported only once for each function it appears in
../auth/kerberos/kerberos_pac.c:52:7: error:
'CKSUMTYPE_HMAC_SHA1_96_AES_128' undeclared (first use in this
function)

due to patch bb64c550 not being applied.

commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 19 16:31:01 2016 +0200

    krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*

    MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
    while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>


2016-12-19 13:18 GMT+04:00 Karolin Seeger <kseeger at samba.org>:
> Release Announcements
> ---------------------
>
> This is a security release in order to address the following CVEs:
>
> o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
>    Overflow Remote Code Execution Vulnerability).
> o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
>    trusted realms).
> o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
>    elevation).
>
> Please note that the patch for CVE-2016-2126 breaks the build with MIT
> Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected.
> A patch for this issue is available for Samba 4.4 and 4.3 here:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=12471
>
> Additionally, you might run into severe issues when running an AD DC with idmap
> settings for member servers (by mistake) and you are upgrading from the last
> security release. This invalid configuration (e.g. idmap config * : range =
> 100000 - 33554431 and similar lines) was ignored formerly and leads to errors
> now. The typical error you see is NT_STATUS_INVALID_SID.
> For more details, please see the following bug:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=12410
>
> If you're a vendor and would like to ignore this again
> via a source code change, also have a look at:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=12155#c20
>
> =======
> Details
> =======
>
> o  CVE-2016-2123:
>    The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
>    leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
>    parses data from the Samba Active Directory ldb database.  Any user
>    who can write to the dnsRecord attribute over LDAP can trigger this
>    memory corruption.
>
>    By default, all authenticated LDAP users can write to the dnsRecord
>    attribute on new DNS objects. This makes the defect a remote privilege
>    escalation.
>
> o  CVE-2016-2125
>    Samba client code always requests a forwardable ticket
>    when using Kerberos authentication. This means the
>    target server, which must be in the current or trusted
>    domain/realm, is given a valid general purpose Kerberos
>    "Ticket Granting Ticket" (TGT), which can be used to
>    fully impersonate the authenticated user or service.
>
> o  CVE-2016-2126
>    A remote, authenticated, attacker can cause the winbindd process
>    to crash using a legitimate Kerberos ticket due to incorrect
>    handling of the arcfour-hmac-md5 PAC checksum.
>
>    A local service with access to the winbindd privileged pipe can
>    cause winbindd to cache elevated access permissions.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> from:
>
>         https://download.samba.org/pub/samba/stable/
>
> Patches addressing this defect have been posted to
>
>         https://www.samba.org/samba/history/security.html
>
> The release notes are available online at:
>
>         https://www.samba.org/samba/history/samba-4.5.3.html
>         https://www.samba.org/samba/history/samba-4.4.8.html
>         https://www.samba.org/samba/history/samba-4.3.13.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team



-- 
Sin (Sinelnikov Evgeny)
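
Added example, not part of the original message and not the Samba patch itself: a sketch of the kind of compatibility shim the commit message for bb64c550 describes, giving MIT builds the Heimdal-style CKSUMTYPE_HMAC_SHA1_96_AES_* spellings that kerberos_pac.c uses. The inline stand-in for MIT's header, the `EX_`/`ex_` names and the signature-length helper are assumptions of this example; the helper goes beyond the message and uses the checksum type numbers from RFC 3962 and RFC 4757.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for MIT's <krb5.h>, which only offers the spelling
 * without an underscore before the key size. Skipped if already defined. */
#ifndef CKSUMTYPE_HMAC_SHA1_96_AES128
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
#endif
#ifndef CKSUMTYPE_HMAC_SHA1_96_AES256
#define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
#endif

/* Shim: provide the Heimdal-style names only when the library lacks them. */
#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128) && defined(CKSUMTYPE_HMAC_SHA1_96_AES128)
#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
#endif
#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256) && defined(CKSUMTYPE_HMAC_SHA1_96_AES256)
#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
#endif

/* Fail with a clear message instead of "undeclared" deep inside a .c file. */
#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128) || !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
#error "Kerberos library provides no AES HMAC-SHA1-96 checksum type constants"
#endif

/* arcfour-hmac-md5 checksum type; the name is local to this example. */
#define EX_CKSUMTYPE_HMAC_MD5 (-138)

/* Expected PAC signature length in bytes for a checksum type, or 0 when
 * the type is not one a PAC verifier should accept. */
size_t ex_pac_signature_len(int32_t cksumtype)
{
    switch (cksumtype) {
    case EX_CKSUMTYPE_HMAC_MD5:
        return 16;                      /* full HMAC-MD5 output */
    case CKSUMTYPE_HMAC_SHA1_96_AES_128:
    case CKSUMTYPE_HMAC_SHA1_96_AES_256:
        return 12;                      /* HMAC-SHA1 truncated to 96 bits */
    default:
        return 0;                       /* unknown type: reject */
    }
}

int main(void)
{
    printf("AES_128=%d AES_256=%d\n",
           CKSUMTYPE_HMAC_SHA1_96_AES_128, CKSUMTYPE_HMAC_SHA1_96_AES_256);
    return 0;
}
```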


