[Samba] [Announce] Samba 4.18.5, 4.17.10, 4.16.11 Security Releases are available for Download
Michael Tokarev
mjt at tls.msk.ru
Wed Jul 19 15:51:47 UTC 2023
19.07.2023 17:55, Jule Anger via samba wrote:
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defects:
>
> o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
> crafted request can trigger an out-of-bounds read in winbind
> and possibly crash it.
> https://www.samba.org/samba/security/CVE-2022-2127.html
>
> o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
> "server signing = required" or for SMB2 connections to Domain
> Controllers where SMB2 packet signing is mandatory.
> https://www.samba.org/samba/security/CVE-2023-3347.html
>
> o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
> Spotlight can be triggered by an unauthenticated attacker by
> issuing a malformed RPC request.
> https://www.samba.org/samba/security/CVE-2023-34966.html
>
> o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
> Spotlight can be used by an unauthenticated attacker to
> trigger a process crash in a shared RPC mdssvc worker process.
> https://www.samba.org/samba/security/CVE-2023-34967.html
>
> o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
> server-side absolute path of shares and files and directories in
> search results.
> https://www.samba.org/samba/security/CVE-2023-34968.html
>
>
> Changes
> -------
>
> o Ralph Boehme <slow at samba.org>
> * BUG 15072: CVE-2022-2127.
> * BUG 15340: CVE-2023-34966.
> * BUG 15341: CVE-2023-34967.
> * BUG 15388: CVE-2023-34968.
> * BUG 15397: CVE-2023-3347.
>
> o Samuel Cabrero <scabrero at samba.org>
> * BUG 15072: CVE-2022-2127.
>
> o Volker Lendecke <vl at samba.org>
> * BUG 15072: CVE-2022-2127.
>
> o Stefan Metzmacher <metze at samba.org>
> * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
Thank you for the good work!
Updated binary packages for samba 4.18.5, 4.17.10 and 4.16.11 for
actual Debian and Ubuntu releases are available in my apt repository at
http://www.corpit.ru/mjt/packages/samba/
as usual.
Thanks,
/mjt
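
A version check against the fixed releases named in the announcement, as an added example that is not part of the original thread or of Samba itself. It assumes the version text has the form printed by `smbd --version`; the function names, status labels and sample strings are constructed for illustration.

```python
import re

# Fixed release per series, taken from the announcement quoted above.
FIXED = {(4, 16): (4, 16, 11), (4, 17): (4, 17, 10), (4, 18): (4, 18, 5)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from text such as `smbd --version` output."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return (status, fixed_release) for a version string.

    status is "has-fixes", "needs-update", or "not-covered" when the
    announcement lists no fixed release for that series.
    Caveat: a distribution package may carry backported fixes under an
    older upstream version number, so "needs-update" means "check the
    package changelog", not proof that the fixes are missing.
    """
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-covered", None
    status = "has-fixes" if version >= fixed else "needs-update"
    return status, fixed


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "Version 4.17.9-Debian",
        "Version 4.18.5",
        "Version 4.16.11-Ubuntu",
        "Version 4.15.13",
    ]
    for line in samples:
        status, fixed = classify(line)
        target = ".".join(map(str, fixed)) if fixed else "n/a"
        print(f"{line:28} {status:13} fixed release: {target}")
```
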