[Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download

Jule Anger janger at samba.org
Thu Dec 15 16:49:08 UTC 2022


Release Announcements
---------------------

These are security releases in order to address the following defects:


o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                   RC4-HMAC Elevation of Privilege Vulnerability
                   disclosed by Microsoft on Nov 8 2022.

                   A Samba Active Directory DC will issue weak rc4-hmac
                   session keys for use between modern clients and servers
                   despite all modern Kerberos implementations supporting
                   the aes256-cts-hmac-sha1-96 cipher.

                   On Samba Active Directory DCs and members
                   'kerberos encryption types = legacy' would force
                   rc4-hmac as a client even if the server supports
                   aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                   Kerberos Elevation of Privilege Vulnerability
                   disclosed by Microsoft on Nov 8 2022.

                   A service account with the special constrained
                   delegation permission could forge a more powerful
                   ticket than the one it was presented with.

https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                   same algorithms as rc4-hmac cryptography in Kerberos,
                   and so must also be assumed to be weak.

https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
                   Vulnerability was disclosed by Microsoft on Nov 8 2022
                   and per RFC8429 it is assumed that rc4-hmac is weak,

                   Vulnerable Samba Active Directory DCs will issue rc4-hmac
                   encrypted tickets despite the target server supporting
                   better encryption (eg aes256-cts-hmac-sha1-96).

https://www.samba.org/samba/security/CVE-2022-45141.html
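
For the CVE-2022-37966 item above, a small audit that flags 'kerberos encryption types = legacy' in smb.conf text. It is an added example, not code from the Samba project; the sample configuration is constructed, the function names are hypothetical, and the parser assumes a single file (include lines and registry-based configuration are not followed).

```python
import re

# Constructed sample smb.conf, not taken from any real host.
SAMPLE_SMB_CONF = """\
# domain member configuration (constructed sample)
[global]
    workgroup = EXAMPLE
    ; kerberos encryption types = strong
    Kerberos  Encryption Types = legacy
    server string = file \\
        server
"""

def _logical_lines(text):
    """Yield (first_line_number, text), joining trailing-backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_legacy_enctypes(text):
    """Return [(line_number, section, value)] where the setting is 'legacy'."""
    findings, section = [], None
    for num, line in _logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                # section header such as [global]
            section = m.group(1).strip().lower()
            continue
        name, _, value = line.partition("=")
        # smb.conf parameter names ignore case and embedded whitespace.
        name = re.sub(r"\s+", "", name).lower()
        if name == "kerberosencryptiontypes" and value.strip().lower() == "legacy":
            findings.append((num, section, value.strip()))
    return findings
```
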

Changes
-------

o  Jeremy Allison <jra at samba.org>
    * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
      same size.

o  Andrew Bartlett <abartlet at samba.org>
    * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
      user-controlled pointer in FAST.
    * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
    * BUG 15237: CVE-2022-37966.
    * BUG 15258: filter-subunit is inefficient with large numbers of
      knownfails.

o  Ralph Boehme <slow at samba.org>
    * BUG 15240: CVE-2022-38023.
    * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher <metze at samba.org>
    * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs
      from Windows.
    * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
      atomically.
    * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
      vulnerability.
    * BUG 15206: libnet: change_password() doesn't work with
      dcerpc_samr_ChangePasswordUser4().
    * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
    * BUG 15230: Memory leak in snprintf replacement functions.
    * BUG 15237: CVE-2022-37966.
    * BUG 15240: CVE-2022-38023.
    * BUG 15253: RODC doesn't reset badPwdCount reliably via an RWDC
      (CVE-2021-20251 regression).

o  Noel Power <noel.power at suse.com>
    * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
      same size.

o  Anoop C S <anoopcs at samba.org>
    * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o  Andreas Schneider <asn at samba.org>
    * BUG 15237: CVE-2022-37966.
    * BUG 15243: %U for include directive doesn't work for share listing
      (netshareenum).
    * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton <josephsutton at catalyst.net.nz>
    * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
    * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
    * BUG 15231: CVE-2022-37967.
    * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico at twosigma.com>
    * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
      user-controlled pointer in FAST.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.17.4.html
https://www.samba.org/samba/history/samba-4.16.8.html
https://www.samba.org/samba/history/samba-4.15.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                         --Enjoy
                         The Samba Team


