[Samba] Notice on VanBelle repo and the Samba 4.15.2, 4.14.10, 4.13.14 Security Releases

L. van Belle belle at samba.org
Tue Nov 9 21:16:35 UTC 2021 

Hai, 

Due the impact of (the possible impact of) these changes,
im not putting these on the currenlty running production repo's 
to make sure everything keeps running so we dont kill 
setups in the nights where autoupgrades are enabled. 
(as in the office where im at)

As soon these are up, i'll post the added repo's so people
can test these before the put them on production and check
if these changes effect your environment.

Later on i'll move these to the normal repo's off course.
I'll keep an eye on the list also. 

Builds will be done in this order. 
            run1 run2 run3
Focal       413  414  415 (amd64 only)
Buster      413  414  415 (amd64 i386 armhf)
Bullseye    413  414  415 (amd64 i386 armhf arm64)

Keep in mind building them all takes time, its 24 version in total.

As strongly adviced by the Samba team, Please read the changes (links)
below.


So far, 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan Metzmacher via samba
> Verzonden: dinsdag 9 november 2021 19:26
> Aan: samba-announce at lists.samba.org; samba at lists.samba.org; 
> samba-technical at lists.samba.org
> Onderwerp: [Samba] [Announce] Samba 4.15.2, 4.14.10, 4.13.14 
> Security Releases are available for Download
> 
> 
> 
> Release Announcements
> ---------------------
> 
> These are security releases in order to address the following defects:
> 
> o CVE-2016-2124:  SMB1 client connections can be downgraded 
> to plaintext
>                   authentication.
>                   
> https://www.samba.org/samba/security/CVE-2016-2124.html
> 
> o CVE-2020-25717: A user on the domain can become root on 
> domain members.
>                   
> https://www.samba.org/samba/security/CVE-2020-25717.html
>                   (PLEASE READ! There are important behaviour 
> changes described)
> 
> o CVE-2020-25718: Samba AD DC did not correctly sandbox 
> Kerberos tickets issued
>                   by an RODC.
>                   
> https://www.samba.org/samba/security/CVE-2020-25718.html
> 
> o CVE-2020-25719: Samba AD DC did not always rely on the SID 
> and PAC in Kerberos
>                   tickets.
>                   
> https://www.samba.org/samba/security/CVE-2020-25719.html
> 
> o CVE-2020-25721: Kerberos acceptors need easy access to 
> stable AD identifiers
>                   (eg objectSid).
>                   
> https://www.samba.org/samba/security/CVE-2020-25721.html
> 
> o CVE-2020-25722: Samba AD DC did not do suffienct access and 
> conformance
>                   checking of data stored.
>                   
> https://www.samba.org/samba/security/CVE-2020-25722.html
> 
> o CVE-2021-3738:  Use after free in Samba AD DC RPC server.
>                   
> https://www.samba.org/samba/security/CVE-2021-3738.html
> 
> o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
>                   
> https://www.samba.org/samba/security/CVE-2021-23192.html
> 
> There's sadly a regression that "allow trusted domains = no" 
> prevents winbindd
> from starting, we'll try to provide a follow up fix as soon 
> as possible.
> 
> Changes:
> --------------------
> 
> o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>    * CVE-2020-25722
> 
> o  Andrew Bartlett <abartlet at samba.org>
>    * CVE-2020-25718
>    * CVE-2020-25719
>    * CVE-2020-25721
>    * CVE-2020-25722
> 
> o  Ralph Boehme <slow at samba.org>
>    * CVE-2020-25717
> 
> o  Alexander Bokovoy <ab at samba.org>
>    * CVE-2020-25717
> 
> o  Samuel Cabrero <scabrero at samba.org>
>    * CVE-2020-25717
> 
> o  Nadezhda Ivanova <nivanova at symas.com>
>    * CVE-2020-25722
> 
> o  Stefan Metzmacher <metze at samba.org>
>    * CVE-2016-2124
>    * CVE-2020-25717
>    * CVE-2020-25719
>    * CVE-2020-25722
>    * CVE-2021-23192
>    * CVE-2021-3738
>    * ldb release 2.3.2 (for Samba 4.14.10)
>    * ldb release 2.2.3 (for Samba 4.13.14)
> 
> o  Andreas Schneider <asn at samba.org>
>    * CVE-2020-25719
> 
> o  Joseph Sutton <josephsutton at catalyst.net.nz>
>    * CVE-2020-17049
>    * CVE-2020-25718
>    * CVE-2020-25719
>    * CVE-2020-25721
>    * CVE-2020-25722
>    * MS CVE-2020-17049
> 
> 
> #######################################
> Reporting bugs & Development Discussion
> #######################################
> 
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.libera.chat or the
> #samba-technical:matrix.org matrix channel.
> 
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the Samba 4.1 and newer product in the 
> project's Bugzilla
> database (https://bugzilla.samba.org/).
> 
> 
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
> 
> 
> 
> ================
> Download Details
> ================
> 
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
> from:
> 
>         https://download.samba.org/pub/samba/stable/
> 
> The release notes are available online at:
> 
>         https://www.samba.org/samba/history/samba-4.15.2.html
>         https://www.samba.org/samba/history/samba-4.14.10.html
>         https://www.samba.org/samba/history/samba-4.13.14.html
> 
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
> 
>                         --Enjoy
>                         The Samba Team
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list