<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2019-19344.html
===========================================================
== Subject: Use after free during DNS zone scavenging
== CVE ID#: CVE-2019-19344
== Versions: Samba 4.9 and later versions
== Summary: During DNS zone scavenging (of expired dynamic
== entries) there is a read of memory after it has
===========================================================
Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry time.

This feature is controlled by the smb.conf option:
    dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the

The use is a read, but in quite unlikely conditions (due to NDR
validation unpacking the buffer) that read memory might be saved back

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

The code in question is not run in the default configuration, so
the workaround is simply to not set
    dns zone scavenging = yes
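
One way to check a host against the workaround and the fixed releases above, as an added example that is not part of the advisory or of Samba's own tooling. The function names and the sample smb.conf are constructed for illustration; the parser reads a single file and does not follow include directives or registry-based configuration.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_PATCH = {(4, 9): 18, (4, 10): 12, (4, 11): 5}
TRUE_VALUES = {"yes", "true", "on", "1"}  # smb.conf boolean spellings

def scavenging_enabled(conf_text):
    """True if 'dns zone scavenging' ends up enabled in the [global] section."""
    section, enabled, pending = "global", False, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names are matched ignoring case and embedded spaces.
        if re.sub(r"\s+", "", name).lower() == "dnszonescavenging":
            enabled = value.strip().lower() in TRUE_VALUES  # last one wins
    return enabled

def version_status(version):
    """Classify a Samba version string against the releases in the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (4, 9):
        return "not-affected"            # feature was introduced in 4.9
    if (major, minor) not in FIXED_PATCH:
        return "unknown"                 # branch not named in the advisory
    return "fixed" if patch >= FIXED_PATCH[(major, minor)] else "vulnerable"

def exposed(version, conf_text):
    """Exposed only when a vulnerable build also has scavenging turned on."""
    return version_status(version) == "vulnerable" and scavenging_enabled(conf_text)

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = ("[global]\n  ; dns zone scavenging = no\n"
               "  DNS Zone Scavenging = Yes\n[netlogon]\n  path = /srv/netlogon\n")
```

A version string cannot show whether a distribution package carries the patch as a backport, so treat "vulnerable" as a prompt to check the package changelog.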

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================