[Samba] [Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download

Ralph Boehme slow at samba.org
Thu Dec 15 17:31:43 UTC 2022 

Woohoo, finally! :)

Thanks everyone who has been involved in this security release, either 
in research, coding, testing, documentation or getting it out the door!

Especially Andrew, Joseph and metze!

Thanks!!
-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba

On 12/15/22 17:49, Jule Anger via samba wrote:
> Release Announcements
> ---------------------
> 
> This are security releases in order to address the following defects:
> 
> 
> o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
>                    RC4-HMAC Elevation of Privilege Vulnerability
>                    disclosed by Microsoft on Nov 8 2022.
> 
>                    A Samba Active Directory DC will issue weak rc4-hmac
>                    session keys for use between modern clients and servers
>                    despite all modern Kerberos implementations supporting
>                    the aes256-cts-hmac-sha1-96 cipher.
> 
>                    On Samba Active Directory DCs and members
>                    'kerberos encryption types = legacy' would force
>                    rc4-hmac as a client even if the server supports
>                    aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
> 
> https://www.samba.org/samba/security/CVE-2022-37966.html
> 
> o CVE-2022-37967: This is the Samba CVE for the Windows
>                    Kerberos Elevation of Privilege Vulnerability
>                    disclosed by Microsoft on Nov 8 2022.
> 
>                    A service account with the special constrained
>                    delegation permission could forge a more powerful
>                    ticket than the one it was presented with.
> 
> https://www.samba.org/samba/security/CVE-2022-37967.html
> 
> o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel 
> uses the
>                    same algorithms as rc4-hmac cryptography in Kerberos,
>                    and so must also be assumed to be weak.
> 
> https://www.samba.org/samba/security/CVE-2022-38023.html
> 
> o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of 
> Privilege
>                    Vulnerability was disclosed by Microsoft on Nov 8 2022
>                    and per RFC8429 it is assumed that rc4-hmac is weak,
> 
>                    Vulnerable Samba Active Directory DCs will issue 
> rc4-hmac
>                    encrypted tickets despite the target server supporting
>                    better encryption (eg aes256-cts-hmac-sha1-96).
> 
> https://www.samba.org/samba/security/CVE-2022-45141.html
> 
> Changes
> -------
> 
> o  Jeremy Allison <jra at samba.org>
>     * BUG 15224: pam_winbind uses time_t and pointers assuming they are 
> of the
>       same size.
> 
> o  Andrew Bartlett <abartlet at samba.org>
>     * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
>       user-controlled pointer in FAST.
>     * BUG 15219: Heimdal session key selection in AS-REQ examines wrong 
> entry.
>     * BUG 15237: CVE-2022-37966.
>     * BUG 15258: filter-subunit is inefficient with large numbers of 
> knownfails.
> 
> o  Ralph Boehme <slow at samba.org>
>     * BUG 15240: CVE-2022-38023.
>     * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on 
> directories.
> 
> o  Stefan Metzmacher <metze at samba.org>
>     * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes 
> differs from
>       Windows.
>     * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not 
> incremented
>       atomically.
>     * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
>       vulnerability.
>     * BUG 15206: libnet: change_password() doesn't work with
>       dcerpc_samr_ChangePasswordUser4().
>     * BUG 15219: Heimdal session key selection in AS-REQ examines wrong 
> entry.
>     * BUG 15230: Memory leak in snprintf replacement functions.
>     * BUG 15237: CVE-2022-37966.
>     * BUG 15240: CVE-2022-38023.
>     * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
>       (CVE-2021-20251 regression).
> 
> o  Noel Power <noel.power at suse.com>
>     * BUG 15224: pam_winbind uses time_t and pointers assuming they are 
> of the
>       same size.
> 
> o  Anoop C S <anoopcs at samba.org>
>     * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
> 
> o  Andreas Schneider <asn at samba.org>
>     * BUG 15237: CVE-2022-37966.
>     * BUG 15243: %U for include directive doesn't work for share listing
>       (netshareenum).
>     * BUG 15257: Stack smashing in net offlinejoin requestodj.
> 
> o  Joseph Sutton <josephsutton at catalyst.net.nz>
>     * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
>     * BUG 15219: Heimdal session key selection in AS-REQ examines wrong 
> entry.
>     * BUG 15231: CVE-2022-37967.
>     * BUG 15237: CVE-2022-37966.
> 
> o  Nicolas Williams <nico at twosigma.com>
>     * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
>       user-controlled pointer in FAST.
> 
> 
> #######################################
> Reporting bugs & Development Discussion
> #######################################
> 
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.libera.chat or the
> #samba-technical:matrix.org matrix channel.
> 
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
> 
> 
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
> 
> 
> 
> ================
> Download Details
> ================
> 
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
> from:
> 
> https://download.samba.org/pub/samba/stable/
> 
> The release notes are available online at:
> 
> https://www.samba.org/samba/history/samba-4.17.4.html
> https://www.samba.org/samba/history/samba-4.16.8.html
> https://www.samba.org/samba/history/samba-4.15.13.html
> 
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
> 
>                          --Enjoy
>                          The Samba Team
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20221215/f39aff66/OpenPGP_signature.sig>

More information about the samba mailing list