1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.7.12 - Release Notes</title>
8 <H2>Samba 4.7.12 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.7.12.tar.gz">Samba 4.7.12 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.7.12.tar.asc">Signature</a>
14 <a href="https://download.samba.org/pub/samba/patches/samba-4.7.11-4.7.12.diffs.gz">Patch (gzipped) against Samba 4.7.11</a><br>
15 <a href="https://download.samba.org/pub/samba/patches/samba-4.7.11-4.7.12.diffs.asc">Signature</a>
19 ==============================
20 Release Notes for Samba 4.7.12
22 ==============================
25 This is a security release in order to address the following defects:
27 o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
29 o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
30 o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
31 o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
32 configuration (unsupported))
40 All versions of Samba from 4.0.0 onwards are vulnerable to infinite
41 query recursion caused by CNAME loops. Any dns record can be added via
42 ldap by an unprivileged user using the ldbadd tool, so this is a
46 When configured to accept smart-card authentication, Samba's KDC will call
47 talloc_free() twice on the same memory if the principal in a validly signed
48 certificate does not match the principal in the AS-REQ.
50 This is only possible after authentication with a trusted certificate.
52 talloc is robust against further corruption from a double-free with
53 talloc_free() and directly calls abort(), terminating the KDC process.
55 There is no further vulnerability associated with this issue, merely a
59 During the processing of an LDAP search before Samba's AD DC returns
60 the LDAP entries to the client, the entries are cached in a single
61 memory object with a maximum size of 256MB. When this size is
62 reached, the Samba process providing the LDAP service will follow the
63 NULL pointer, terminating the process.
65 There is no further vulnerability associated with this issue, merely a
69 A user in a Samba AD domain can crash the KDC when Samba is built in the
70 non-default MIT Kerberos configuration.
72 With this advisory we clarify that the MIT Kerberos build of the Samba
73 AD DC is considered experimental. Therefore the Samba Team will not
74 issue security patches for this configuration.
76 For more details and workarounds, please refer to the security advisories.
82 o Andrew Bartlett <abartlet@samba.org>
83 * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
84 mis-matching principal.
85 * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
86 Kerberos is experimental
88 o Aaron Haslett <aaronhaslett@catalyst.net.nz>
89 * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.
91 o Garming Sam <garming@catalyst.net.nz>
92 * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.