1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.17.4 - Release Notes</title>
8 <H2>Samba 4.17.4 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.gz">Samba 4.17.4 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.asc">Signature</a>
14 <a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.gz">Patch (gzipped) against Samba 4.17.3</a><br>
15 <a href="https://download.samba.org/pub/samba/patches/samba-4.17.3-4.17.4.diffs.asc">Signature</a>
19 ==============================
20 Release Notes for Samba 4.17.4
22 ==============================
25 This is the latest stable release of the Samba 4.17 release series.
26 It also contains security changes in order to address the following defects:
29 o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
30 RC4-HMAC Elevation of Privilege Vulnerability
31 disclosed by Microsoft on Nov 8 2022.
33 A Samba Active Directory DC will issue weak rc4-hmac
34 session keys for use between modern clients and servers
35 despite all modern Kerberos implementations supporting
36 the aes256-cts-hmac-sha1-96 cipher.
38 On Samba Active Directory DCs and members
39 'kerberos encryption types = legacy' would force
40 rc4-hmac as a client even if the server supports
41 aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
43 https://www.samba.org/samba/security/CVE-2022-37966.html
45 o CVE-2022-37967: This is the Samba CVE for the Windows
46 Kerberos Elevation of Privilege Vulnerability
47 disclosed by Microsoft on Nov 8 2022.
49 A service account with the special constrained
50 delegation permission could forge a more powerful
51 ticket than the one it was presented with.
53 https://www.samba.org/samba/security/CVE-2022-37967.html
55 o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
56 same algorithms as rc4-hmac cryptography in Kerberos,
57 and so must also be assumed to be weak.
59 https://www.samba.org/samba/security/CVE-2022-38023.html
61 Note that there are several important behavior changes
62 included in this release, which may cause compatibility problems
63 interacting with system still expecting the former behavior.
64 Please read the advisories of CVE-2022-37966,
65 CVE-2022-37967 and CVE-2022-38023 carefully!
67 samba-tool got a new 'domain trust modify' subcommand
68 -----------------------------------------------------
70 This allows "msDS-SupportedEncryptionTypes" to be changed
71 on trustedDomain objects. Even against remote DCs (including Windows)
72 using the --local-dc-ipaddress= (and other --local-dc-* options).
73 See 'samba-tool domain trust modify --help' for further details.
78 Parameter Name Description Default
79 -------------- ----------- -------
80 allow nt4 crypto Deprecated no
81 allow nt4 crypto:COMPUTERACCOUNT New
82 kdc default domain supported enctypes New (see manpage)
83 kdc supported enctypes New (see manpage)
84 kdc force enable rc4 weak session keys New No
85 reject md5 clients New Default, Deprecated Yes
86 reject md5 servers New Default, Deprecated Yes
87 server schannel Deprecated Yes
88 server schannel require seal New, Deprecated Yes
89 server schannel require seal:COMPUTERACCOUNT New
90 winbind sealed pipes Deprecated Yes
95 o Jeremy Allison <jra@samba.org>
96 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
99 o Andrew Bartlett <abartlet@samba.org>
100 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
101 user-controlled pointer in FAST.
102 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
103 * BUG 15237: CVE-2022-37966.
104 * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
106 o Ralph Boehme <slow@samba.org>
107 * BUG 15240: CVE-2022-38023.
108 * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
110 o Stefan Metzmacher <metze@samba.org>
111 * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
113 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
115 * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
117 * BUG 15206: libnet: change_password() doesn't work with
118 dcerpc_samr_ChangePasswordUser4().
119 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
120 * BUG 15230: Memory leak in snprintf replacement functions.
121 * BUG 15237: CVE-2022-37966.
122 * BUG 15240: CVE-2022-38023.
123 * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
124 (CVE-2021-20251 regression).
126 o Noel Power <noel.power@suse.com>
127 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
130 o Anoop C S <anoopcs@samba.org>
131 * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
133 o Andreas Schneider <asn@samba.org>
134 * BUG 15237: CVE-2022-37966.
135 * BUG 15243: %U for include directive doesn't work for share listing
137 * BUG 15257: Stack smashing in net offlinejoin requestodj.
139 o Joseph Sutton <josephsutton@catalyst.net.nz>
140 * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
141 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
142 * BUG 15231: CVE-2022-37967.
143 * BUG 15237: CVE-2022-37966.
145 o Nicolas Williams <nico@twosigma.com>
146 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
147 user-controlled pointer in FAST.