[Samba] [Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
Ralph Boehme
slow at samba.org
Thu Dec 15 17:31:43 UTC 2022
Woohoo, finally! :)
Thanks everyone who has been involved in this security release, either
in research, coding, testing, documentation or getting it out the door!
Especially Andrew, Joseph and metze!
Thanks!!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
On 12/15/22 17:49, Jule Anger via samba wrote:
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defects:
>
>
> o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
> RC4-HMAC Elevation of Privilege Vulnerability
> disclosed by Microsoft on Nov 8 2022.
>
> A Samba Active Directory DC will issue weak rc4-hmac
> session keys for use between modern clients and servers
> despite all modern Kerberos implementations supporting
> the aes256-cts-hmac-sha1-96 cipher.
>
> On Samba Active Directory DCs and members
> 'kerberos encryption types = legacy' would force
> rc4-hmac as a client even if the server supports
> aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
>
> https://www.samba.org/samba/security/CVE-2022-37966.html
>
> o CVE-2022-37967: This is the Samba CVE for the Windows
> Kerberos Elevation of Privilege Vulnerability
> disclosed by Microsoft on Nov 8 2022.
>
> A service account with the special constrained
> delegation permission could forge a more powerful
> ticket than the one it was presented with.
>
> https://www.samba.org/samba/security/CVE-2022-37967.html
>
> o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel
> uses the same algorithms as rc4-hmac cryptography in Kerberos,
> and so must also be assumed to be weak.
>
> https://www.samba.org/samba/security/CVE-2022-38023.html
>
> o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of
> Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022
> and per RFC8429 it is assumed that rc4-hmac is weak,
>
> Vulnerable Samba Active Directory DCs will issue rc4-hmac
> encrypted tickets despite the target server supporting
> better encryption (eg aes256-cts-hmac-sha1-96).
>
> https://www.samba.org/samba/security/CVE-2022-45141.html
>
> Changes
> -------
>
> o Jeremy Allison <jra at samba.org>
> * BUG 15224: pam_winbind uses time_t and pointers assuming they are
> of the same size.
>
> o Andrew Bartlett <abartlet at samba.org>
> * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
> user-controlled pointer in FAST.
> * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
> entry.
> * BUG 15237: CVE-2022-37966.
> * BUG 15258: filter-subunit is inefficient with large numbers of
> knownfails.
>
> o Ralph Boehme <slow at samba.org>
> * BUG 15240: CVE-2022-38023.
> * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on
> directories.
>
> o Stefan Metzmacher <metze at samba.org>
> * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes
> differs from Windows.
> * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not
> incremented
> atomically.
> * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
> vulnerability.
> * BUG 15206: libnet: change_password() doesn't work with
> dcerpc_samr_ChangePasswordUser4().
> * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
> entry.
> * BUG 15230: Memory leak in snprintf replacement functions.
> * BUG 15237: CVE-2022-37966.
> * BUG 15240: CVE-2022-38023.
> * BUG 15253: RODC doesn't reset badPwdCount reliably via an RWDC
> (CVE-2021-20251 regression).
>
> o Noel Power <noel.power at suse.com>
> * BUG 15224: pam_winbind uses time_t and pointers assuming they are
> of the same size.
>
> o Anoop C S <anoopcs at samba.org>
> * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
>
> o Andreas Schneider <asn at samba.org>
> * BUG 15237: CVE-2022-37966.
> * BUG 15243: %U for include directive doesn't work for share listing
> (netshareenum).
> * BUG 15257: Stack smashing in net offlinejoin requestodj.
>
> o Joseph Sutton <josephsutton at catalyst.net.nz>
> * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
> * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
> entry.
> * BUG 15231: CVE-2022-37967.
> * BUG 15237: CVE-2022-37966.
>
> o Nicolas Williams <nico at twosigma.com>
> * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
> user-controlled pointer in FAST.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.libera.chat or the
> #samba-technical:matrix.org matrix channel.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.17.4.html
> https://www.samba.org/samba/history/samba-4.16.8.html
> https://www.samba.org/samba/history/samba-4.15.13.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
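The two things an administrator wants to know after reading this announcement are whether the installed Samba is at or above the fixed release for its branch (4.17.4, 4.16.8 or 4.15.13) and whether smb.conf still forces rc4-hmac through 'kerberos encryption types = legacy', the setting the CVE-2022-37966 text warns about. The script below is an added example written for this page, not Samba project code. The version strings and the smb.conf text are constructed; the fixed-version table is taken from the announcement; the parameter default ('all') and the alternative value ('strong') are from Samba's smb.conf documentation, and the whitespace/case-insensitive matching of parameter names mirrors how Samba itself looks up parameters. Versions outside the three announced branches (for example a distribution's backported 4.13.x) are reported as 'unknown-branch' rather than guessed at, since the announcement says nothing about them.

```python
"""Audit a Samba host against the 4.17.4 / 4.16.8 / 4.15.13 security releases.

Added example, not Samba project code. Two checks:
  1. is the installed version at or above the fixed release for its branch
     (4.15, 4.16, 4.17) as listed in the announcement;
  2. does smb.conf set 'kerberos encryption types = legacy', which forces
     rc4-hmac as a client even when the server offers AES (CVE-2022-37966).
All sample version strings and smb.conf text below are constructed.
"""
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED = {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.16.7-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(text):
    """Return 'fixed', 'vulnerable', or 'unknown-branch'.

    'unknown-branch' covers releases the announcement does not list, such as
    vendor-patched older branches; check the vendor's advisory for those.
    """
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}.

    Parameter names are lower-cased with all whitespace removed, because
    Samba matches parameter names case- and whitespace-insensitively.
    Comments are whole lines starting with '#' or ';'.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue
        key, value = line.split("=", 1)
        conf[section]["".join(key.lower().split())] = value.strip()
    return conf


def weak_kerberos_enctypes(text):
    """Return 'legacy' if smb.conf forces rc4-hmac, otherwise None.

    Samba's default for 'kerberos encryption types' is 'all'; 'strong'
    restricts to AES. Only 'legacy' is the setting the announcement warns about.
    """
    glob = parse_smb_conf(text).get("global", {})
    value = glob.get("kerberosencryptiontypes", "all").lower()
    return value if value == "legacy" else None


def audit(versions, conf_text):
    """Combine both checks into one report dict for a set of hosts."""
    report = {host: version_status(v) for host, v in versions.items()}
    report["kerberos encryption types"] = weak_kerberos_enctypes(conf_text)
    return report


# Constructed sample input in the style of 'smbd --version' output.
SAMPLE_VERSIONS = {
    "dc1": "Version 4.16.7",
    "dc2": "Version 4.17.4",
    "fs1": "Version 4.13.17-Ubuntu",
}

# Constructed smb.conf fragment carrying the weak setting, and the same
# fragment with the AES-only alternative.
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    ; constructed: the setting the announcement warns about
    kerberos encryption types = legacy
"""
FIXED_CONF = WEAK_CONF.replace("legacy", "strong")

if __name__ == "__main__":
    for item, result in audit(SAMPLE_VERSIONS, WEAK_CONF).items():
        print(f"{item}: {result}")
```

Feed it the output of `smbd --version` from each host and the contents of `/etc/samba/smb.conf` (or `testparm -s` to see the effective configuration, including any included files) instead of the constructed samples. A 'legacy' hit on a member or DC should be removed or changed to 'strong' together with the upgrade, since the announcement notes the setting forces rc4-hmac as a client regardless of what the server supports.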