1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.11.13 - Release Notes</title>
8 <H2>Samba 4.11.13 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.11.13.tar.gz">Samba 4.11.13 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.11.13.tar.asc">Signature</a>
14 <a href="https://download.samba.org/pub/samba/patches/samba-4.11.12-4.11.13.diffs.gz">Patch (gzipped) against Samba 4.11.12</a><br>
15 <a href="https://download.samba.org/pub/samba/patches/samba-4.11.12-4.11.13.diffs.asc">Signature</a>
19 ===============================
20 Release Notes for Samba 4.11.13
22 ===============================
25 This is a security release in order to address the following defect:
27 o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
29 The following applies to Samba used as domain controller only (most
30 seriously the Active Directory DC, but also the classic/NT4-style DC).
32 Installations running Samba as a file server only are not directly
33 affected by this flaw, though they may need configuration changes to
34 continue to talk to domain controllers (see "file servers and domain
37 The netlogon protocol contains a flaw that allows an authentication
38 bypass. This was reported and patched by Microsoft as CVE-2020-1472.
39 Since the bug is a protocol level flaw, and Samba implements the
40 protocol, Samba is also vulnerable.
42 However, since version 4.8 (released in March 2018), the default
43 behaviour of Samba has been to insist on a secure netlogon channel,
44 which is a sufficient fix against the known exploits. This default is
45 equivalent to having 'server schannel = yes' in the smb.conf.
47 Therefore versions 4.8 and above are not vulnerable unless they have
48 the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
50 Samba versions 4.7 and below are vulnerable unless they have 'server
51 schannel = yes' in the smb.conf.
53 Note each domain controller needs the correct settings in its smb.conf.
55 Vendors supporting Samba 4.7 and below are advised to patch their
56 installations and packages to add this line to the [global] section if
59 The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
60 'FullSecureChannelProtection=1' registry key, the introduction of
61 which we understand forms the core of Microsoft's fix.
63 Some domains employ third-party software that will not work with a
64 'server schannel = yes'. For these cases patches are available that
65 allow specific machines to use insecure netlogon. For example, the
69 server require schannel:triceratops$ = no
70 server require schannel:greywacke$ = no
72 will allow only "triceratops$" and "greywacke$" to avoid schannel.
74 More details can be found here:
75 https://www.samba.org/samba/security/CVE-2020-1472.html
81 o Jeremy Allison <jra@samba.org>
82 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
83 netr_ServerPasswordSet2 against unencrypted passwords.
85 o Günther Deschner <gd@samba.org>
86 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
87 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
89 o Gary Lockyer <gary@catalyst.net.nz>
90 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
93 o Stefan Metzmacher <metze@samba.org>
94 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
95 challenges in netlogon_creds_server_init()
96 "server require schannel:WORKSTATION$ = no".
git.samba.org / samba-web.git / blob