<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Release Notes Archive</title>
<H2>Samba 4.2.14 Available for Download</H2>
==============================
Release Notes for Samba 4.2.14
==============================

This is a security release in order to address the following defect:

o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)

It's possible for an attacker to downgrade the required signing for
an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
or SMB2_SESSION_FLAG_IS_NULL flags.

This means that the attacker can impersonate a server being connected to by
Samba, and return malicious results.

The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
to domain controllers as a member server, and trusted domains as a domain
controller. These DCE/RPC connections were intended to be protected by the
combination of "client ipc signing" and
"client ipc max protocol" in their effective default settings
("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use DCERPC
over SMB2/3 connections.

By default, other tools in Samba are unprotected, but in rare cases they are
configured to use SMB signing via the "client signing" parameter (the default
is "if_required"). Even more rarely, "client max protocol" is set to SMB2,
rather than the NT1 default.

If both these conditions are met, then this issue would also apply to these
other tools, including command line tools like smbcacls, smbcquotas, smbclient,
smbget and applications using libsmbclient.
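
As an added example (not part of the Samba release notes and not Samba's own code), the following Python reads the [global] section of an smb.conf and reports which of the two classes of client connection described above require signing over SMB2/3, which is the protection this defect allowed to be downgraded. The function names, the sample configuration and the value spellings treated as "required" are assumptions; unset parameters take the defaults quoted above.

```python
import re

# Defaults as stated in the release notes ("client ipc *" are effective defaults).
DEFAULTS = {
    "client ipc signing": "mandatory",
    "client ipc max protocol": "SMB3_11",
    "client signing": "if_required",
    "client max protocol": "NT1",
}
# Assumption: value spellings that mean "signing is required".
REQUIRED = {"mandatory", "required"}
# Constructed sample: a host where the non-IPC client tools were hardened.
SAMPLE = """\
[global]
    ; hardened client settings
    Client Signing = mandatory
    client max protocol = SMB3
"""


def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def requires_smb2_signing(params, kind):
    """kind is 'client ipc' or 'client': is signing required over SMB2/3?"""
    def effective(key):
        value = params.get(key, "default")
        return DEFAULTS[key] if value.lower() == "default" else value
    signing = effective(kind + " signing").lower()
    proto = effective(kind + " max protocol").upper()
    return signing in REQUIRED and proto.startswith(("SMB2", "SMB3"))


def audit(conf_text):
    p = global_params(conf_text)
    return {kind: requires_smb2_signing(p, kind) for kind in ("client ipc", "client")}
```

A True entry marks a connection class that depends on required SMB2/3 signing, so hosts reporting it are the ones where applying this security release matters most.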

o Amitay Isaacs <amitay@gmail.com>
  * BUG 11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel).
  * BUG 11770: ctdb-common: For AF_PACKET socket types, protocol is in network

o Stefan Metzmacher <metze@samba.org>
  * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
  * BUG 11948: Total dcerpc response payload more than 0x400000.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================