NEWS[4.18.3]: Samba 4.18.3 Available for Download

[samba-web.git] / history / samba-4.12.13.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Samba 4.12.13 - Release Notes</title>
</head>
<body>
<H2>Samba 4.12.13 Available for Download</H2>
<p>
<a href="https://download.samba.org/pub/samba/stable/samba-4.12.13.tar.gz">Samba 4.12.13 (gzipped)</a><br>
<a href="https://download.samba.org/pub/samba/stable/samba-4.12.13.tar.asc">Signature</a>
</p>
<p>
<a href="https://download.samba.org/pub/samba/patches/samba-4.12.12-4.12.13.diffs.gz">Patch (gzipped) against Samba 4.12.12</a><br>
<a href="https://download.samba.org/pub/samba/patches/samba-4.12.12-4.12.13.diffs.asc">Signature</a>
</p>
<p>
<pre>
                   ===============================
                   Release Notes for Samba 4.12.13
                           March 24, 2021
                   ===============================


This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


=======
Details
=======

o  CVE-2020-27840:
   An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
   crafted DNs as part of a bind request. More serious heap corruption is likely
   also possible.

o  CVE-2021-20277:
   User-controlled LDAP filter strings against the AD DC LDAP server may crash
   the LDAP server.

For more details, please refer to the security advisories.


Changes since 4.12.12
---------------------

o  Andrew Bartlett &lt;abartlet@samba.org&gt;
   * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.

o  Douglas Bagnall &lt;douglas.bagnall@catalyst.net.nz&gt;
   * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
     bad DNs.
   * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.


</pre>
</p>
</body>
</html>