1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.3.13 - Release Notes</title>
8 <H2>Samba 4.3.13 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.3.13.tar.gz">Samba 4.3.13 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.3.13.tar.asc">Signature</a>
14 <a href="https://download.samba.org/pub/samba/patches/samba-4.3.12-4.3.13.diffs.gz">Patch (gzipped) against Samba 4.3.12</a><br>
15 <a href="https://download.samba.org/pub/samba/patches/samba-4.3.12-4.3.13.diffs.asc">Signature</a>
19 ==============================
20 Release Notes for Samba 4.3.13
22 ==============================
25 This is a security release in order to address the following defects:
27 o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
28 Overflow Remote Code Execution Vulnerability).
29 o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
31 o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
39 The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
40 leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
41 parses data from the Samba Active Directory ldb database. Any user
42 who can write to the dnsRecord attribute over LDAP can trigger this
45 By default, all authenticated LDAP users can write to the dnsRecord
46 attribute on new DNS objects. This makes the defect a remote privilege
50 Samba client code always requests a forwardable ticket
51 when using Kerberos authentication. This means the
52 target server, which must be in the current or trusted
53 domain/realm, is given a valid general purpose Kerberos
54 "Ticket Granting Ticket" (TGT), which can be used to
55 fully impersonate the authenticated user or service.
58 A remote, authenticated, attacker can cause the winbindd process
59 to crash using a legitimate Kerberos ticket due to incorrect
60 handling of the arcfour-hmac-md5 PAC checksum.
62 A local service with access to the winbindd privileged pipe can
63 cause winbindd to cache elevated access permissions.
69 o Volker Lendecke <vl@samba.org>
70 * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
72 o Stefan Metzmacher <metze@samba.org>
73 * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
74 * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in