<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.18.5.html">samba-4.18.5</a></li>
<li><a href="samba-4.18.4.html">samba-4.18.4</a></li>
<li><a href="samba-4.18.3.html">samba-4.18.3</a></li>
<li><a href="samba-4.18.2.html">samba-4.18.2</a></li>
<li><a href="samba-4.18.1.html">samba-4.18.1</a></li>
<li><a href="samba-4.18.0.html">samba-4.18.0</a></li>
+ <li><a href="samba-4.17.10.html">samba-4.17.10</a></li>
<li><a href="samba-4.17.9.html">samba-4.17.9</a></li>
<li><a href="samba-4.17.8.html">samba-4.17.8</a></li>
<li><a href="samba-4.17.7.html">samba-4.17.7</a></li>
<li><a href="samba-4.17.2.html">samba-4.17.2</a></li>
<li><a href="samba-4.17.1.html">samba-4.17.1</a></li>
<li><a href="samba-4.17.0.html">samba-4.17.0</a></li>
+ <li><a href="samba-4.16.11.html">samba-4.16.11</a></li>
<li><a href="samba-4.16.10.html">samba-4.16.10</a></li>
<li><a href="samba-4.16.9.html">samba-4.16.9</a></li>
<li><a href="samba-4.16.8.html">samba-4.16.8</a></li>
<a href="https://wiki.samba.org/index.php/Samba_Release_Planning">
supported Samba versions</a>.</p>
+ <tr>
+ <td>19 July 2023</td>
+ <td>
+ <a href="/samba/ftp/patches/security/samba-4.18.5-security-2023-07-19.patch">
+ patch for Samba 4.18.5</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.17.10-security-2023-07-19.patch">
+ patch for Samba 4.17.10</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.16.11-security-2023-07-19.patch">
+ patch for Samba 4.16.11</a><br/>
+ </td>
+ <td>
+ CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967 and CVE-2023-34968.
+ Please see announcements for details.
+ </td>
+ <td>All versions of Samba since 4.0 prior to 4.16.11, 4.17.10, 4.18.5.</td>
+ <td>
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2127">CVE-2022-2127</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3347">CVE-2023-3347</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34966">CVE-2023-34966</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34967">CVE-2023-34967</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34968">CVE-2023-34968</a>.
+ </td>
+ <td>
+<a href="/samba/security/CVE-2022-2031.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-3347.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-34966.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-34967.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-34968.html">Announcement</a>.
+ </td>
+ </tr>
+
<p>A list of public <a href="https://bugzilla.samba.org/buglist.cgi?f1=alias&o1=regexp&order=Last Changed&product=PIDL&product=Samba 2.2&product=Samba 3.0&product=Samba 3.2&product=Samba 3.3&product=Samba 3.4&product=Samba 3.5&product=Samba 3.6&product=Samba 4.0&product=Samba 4.1 and newer&query_format=advanced&v1=^CVE-.*">
Samba Security Bugs</a> is available. Some minor issues will
only be listed in <a href="https://bugzilla.samba.org">
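Review bot: the first Announcement link in the last cell of the new table row points to the wrong advisory: `<a href="/samba/security/CVE-2022-2031.html">Announcement</a>` sits in the row for CVE-2022-2127, and the announcement file this patch adds is CVE-2022-2127.html, so the href should be `/samba/security/CVE-2022-2127.html`. A second point on the same row: the patch links are labelled 'patch for Samba 4.18.5', 'patch for Samba 4.17.10' and 'patch for Samba 4.16.11', yet the Affected column says only versions 'prior to 4.16.11, 4.17.10, 4.18.5' are vulnerable; please confirm whether each security patch is meant to be applied to the previous release (4.18.4, 4.17.9, 4.16.10) to produce the fixed one, and word the link text and file names consistently with that.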
--- /dev/null
+<!-- BEGIN: posted_news/20230719-160002.4.18.5.body.html -->
+<h5><a name="4.18.5">19 July 2023</a></h5>
+<p class=headline>Samba 4.18.5, 4.17.10 and 4.16.11 Security Releases are available for Download</p>
+<p>
+<a href="/samba/security/CVE-2023-34967.html">CVE-2023-34967</a>,
+<a href="/samba/security/CVE-2022-2127.html">CVE-2022-2127</a>,
+<a href="/samba/security/CVE-2023-34968.html">CVE-2023-34968</a>,
+<a href="/samba/security/CVE-2023-34966.html">CVE-2023-34966</a> and
+<a href="/samba/security/CVE-2023-3347.html">CVE-2023-3347</a>.
+</p>
+
+<p>
+The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620).
+</p>
+
+<p>
+The Samba 4.18.5 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.18.5.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.18.4-4.18.5.diffs.gz">patch against Samba 4.18.4</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.18.5.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.17.10 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.10.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.9-4.17.10.diffs.gz">patch against Samba 4.17.9</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.17.10.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.16.11 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.11.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.10-4.16.11.diffs.gz">patch against Samba 4.16.10</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.16.11.html">the release notes for more info</a>.
+</p>
+
+<!-- END: posted_news/20230719-160002.4.18.5.body.html -->
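Review bot: `<p class=headline>` has an unquoted attribute value while every other attribute in this patch is quoted and the announcement pages declare an XHTML 1.0 doctype, where quoting is mandatory; write `<p class="headline">`. A smaller point: the CVE list in the opening paragraph runs CVE-2023-34967, CVE-2022-2127, CVE-2023-34968, CVE-2023-34966, CVE-2023-3347, whereas the security table row in this patch lists the same five in ascending order; using the same order in both places makes them easy to cross-check.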
--- /dev/null
+<!-- BEGIN: posted_news/20230719-160002.4.18.5.headline.html -->
+<li> 19 July 2023 <a href="#4.18.5">Samba 4.18.5, 4.17.10 and 4.16.11 Security Releases are available for Download</a></li>
+<!-- END: posted_news/20230719-160002.4.18.5.headline.html -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2022-2127.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Out-Of-Bounds read in winbind AUTH_CRAP
+==
+== CVE ID#: CVE-2022-2127
+==
+== Versions: All versions up to 4.18.4, 4.17.9 and 4.16.10.
+==
+== Summary: When winbind is used for NTLM
+ authentication, a maliciously crafted
+ request can trigger an out-of-bounds read
+ in winbind and possibly crash it.
+===========================================================
+
+===========
+Description
+===========
+
+When doing NTLM authentication, the client sends replies to
+cryptographic challenges back to the server. These replies
+have variable length. Winbind did not properly bounds-check
+the lan manager response length, which despite the lan
+manager version no longer being used is still part of the
+protocol.
+
+If the system is running Samba's ntlm_auth as authentication backend
+for services like Squid (or a very unusual configuration with
+FreeRADIUS), the vulnarebility is remotely exploitable
+
+If not so configured, or to exploit this vulnerability locally, the
+user must have access to the privileged winbindd UNIX domain
+socket (a subdirectory with name 'winbindd_privileged' under "state
+directory", as set in the smb.conf).
+
+This access is normally only given so special system services like
+Squid or FreeRADIUS, that use this feature.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+A local exploit, for systems without ntlm_auth configured:
+
+CVSS3.1:AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.4)
+
+The remote exploit With ntlm_auth configured:
+
+CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9)
+
+==========
+Workaround
+==========
+
+Delegated access to this facility is done via group ownership and
+group membership.
+
+The group owner of the 'winbindd_privileged' subfolder under the path
+given by
+ testparm -s /path/to/smb.conf --parameter-name='state directory'
+can be changed to root, or the group members reduced, if the NTLM
+authentication feature of tools like Squid and FreeRADIUS is not in
+use.
+
+The 0750 permissions must however be retained, as winbindd will
+otherwise fail to start.
+
+As reassurance, smbd will continue to use this feature and will
+always access this path as root.
+
+=======
+Credits
+=======
+
+Found through a coverity finding, fixed by the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
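Review bot: two wording errors in the Description of CVE-2022-2127: 'the vulnarebility is remotely exploitable' should read 'the vulnerability is remotely exploitable' (and the sentence lacks its closing period), and 'This access is normally only given so special system services like Squid or FreeRADIUS' should read 'given to special system services'. In Patch Availability, 'Patches addressing both these issues' should be 'this issue', since the advisory covers a single CVE. On the markup: the `<p>` opened before `<pre>` is never closed, `<pre>` may not nest inside `<p>` under the declared XHTML 1.0 Transitional doctype, and `<H2>` must be lowercase `<h2>` in XHTML; the same skeleton is repeated in the other announcement files in this patch.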
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-3347.html:</H2>
+
+<p>
+<pre>
+============================================================
+== Subject: SMB2 packet signing not enforced
+==
+== CVE ID#: CVE-2023-3347
+==
+== Versions: All versions starting with 4.17.0.
+==
+== Summary: SMB2 packet signing is not enforced if an
+== admin configured "server signing = required"
+== or for SMB2 connections to Domain Controllers
+== where SMB2 packet signing is mandatory.
+============================================================
+
+===========
+Description
+===========
+
+SMB2 packet signing is not enforced if an admin configured
+"server signing = required" or for SMB2 connections to Domain
+Controllers where SMB2 packet signing is mandatory.
+
+SMB2 packet signing is a mechanism that ensures the integrity
+and authenticity of data exchanged between a client and a
+server using the SMB2 protocol.
+
+It provides protection against certain types of attacks, such
+as man-in-the-middle attacks, where an attacker intercepts
+network traffic and modifies the SMB2 messages.
+
+Both client and server of an SMB2 connection can require that
+signing is being used. The server-side setting in Samba to
+configure signing to be required is "server signing =
+required". Note that on an Samba AD DCs this is also the
+default for all SMB2 connections.
+
+Unless the client requires signing which would result in
+signing being used on the SMB2 connection, sensitive data
+might have been modified by an attacker.
+
+Clients connecting to IPC$ on an AD DC will require signed
+connections being used, so the integrity of these connections
+was not affected.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)
+
+==========
+Workaround
+==========
+
+
+=======
+Credits
+=======
+
+Originally reported by Andreas Schneider of the Samba team.
+
+Patches provided by Ralph Boehme of the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
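Review bot: the Workaround section of CVE-2023-3347 is empty; either state that no workaround is available and that upgrading is the only remedy, or describe one, otherwise the bare heading reads as an omission. The Versions line says 'All versions starting with 4.17.0', but Patch Availability says 4.16.11 was issued 'to correct the defect'; make clear that 4.16.11 is part of this release batch for the other CVEs and that 4.16.x is not affected by this one. Grammar in the Description: 'Note that on an Samba AD DCs this is also the default' should be 'Note that on Samba AD DCs this is also the default'. 'Patches addressing both these issues' should be 'this issue'.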
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-34966.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba Spotlight mdssvc RPC Request Infinite
+== Loop Denial-of-Service Vulnerability
+==
+== CVE ID#: CVE-2023-34966
+==
+== Versions: All versions of Samba prior to 4.18.5,
+ 4.17.10 and 4.16.11.
+==
+== Summary: An infinite loop bug in Samba's mdssvc RPC
+== service for Spotlight can be triggered
+== by an unauthenticated attacker by issuing a
+== malformed RPC request.
+===========================================================
+
+===========
+Description
+===========
+
+When parsing Spotlight mdssvc RPC packets sent by the
+client, the core unmarshalling function sl_unpack_loop()
+did not validate a field in the network packet that
+contains the count of elements in an array-like
+structure. By passing 0 as the count value, the attacked
+function will run in an endless loop consuming 100% CPU.
+
+This bug only affects servers where Spotlight is
+explicitly enabled globally or on individual shares with
+"spotlight = yes".
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been
+issued as security releases to correct the defect. Samba
+administrators are advised to upgrade to these releases or
+apply the patch as soon as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
+
+==========
+Workaround
+==========
+
+As a possible workaround disable Spotlight by removing all
+configuration stanzas that enable Spotlight ("spotlight =
+yes|true").
+
+=======
+Credits
+=======
+
+Originally reported by Florent Saudel of the Thalium team
+working with Trend Micro Zero Day Initiative.
+
+Patches provided by Ralph Boehme of SerNet and the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
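Review bot: in the header box of CVE-2023-34966 the continuation of the Versions line, ' 4.17.10 and 4.16.11.', lacks the `==` prefix that the Summary continuation lines carry, which breaks the box layout; prefix it the same way. The CVSS line reads 'CVSS 3.0' under a 'CVSSv3 calculation' heading, while the CVE-2022-2127 and CVE-2023-3347 advisories in this patch write 'CVSS3.1' and 'CVSS 3.1'; settle on one version string for the whole batch. 'Patches addressing both these issues' should be 'this issue'. The Description is useful as written: it names the unmarshalling function (sl_unpack_loop()), the unvalidated element count, and the resulting 100% CPU loop, which gives administrators what they need to judge exposure alongside the 'spotlight = yes' condition.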
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-34967.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba Spotlight mdssvc RPC Request Type
+== Confusion Denial-of-Service Vulnerability
+==
+== CVE ID#: CVE-2023-34967
+==
+== Versions: All versions of Samba prior to 4.18.5,
+ 4.17.10 and 4.16.11.
+==
+== Summary: Missing type validation in Samba's mdssvc
+== RPC service for Spotlight can be used by
+== an unauthenticated attacker to trigger
+== a process crash in a shared RPC mdssvc
+== worker process.
+===========================================================
+
+===========
+Description
+===========
+
+When parsing Spotlight mdssvc RPC packets, one encoded data
+structure is a key-value style dictionary where the keys
+are character strings and the values can be any of the
+supported types in the mdssvc protocol. Due to a lack of
+type checking in callers of the function
+dalloc_value_for_key(), which returns the object associated
+with a key, a caller may trigger a crash in
+talloc_get_size() when talloc detects that the passed in
+pointer is not a valid talloc pointer.
+
+As RPC worker processes are shared among multiple client
+connections, a malicious client can crash the worker process
+affecting all other clients that are also served by this worker.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
+as security releases to correct the defect. Samba administrators
+are advised to upgrade to these releases or apply the patch as
+soon as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3)
+
+==========
+Workaround
+==========
+
+As a possible workaround disable Spotlight by removing all
+configuration stanzas that enable Spotlight ("spotlight =
+yes|true").
+
+=======
+Credits
+=======
+
+Originally reported by Florent Saudel and Arnaud Gatignolof
+the Thalium team working with Trend Micro Zero Day
+Initiative.
+
+Patches provided by Ralph Boehme of SerNet and the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
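Review bot: missing space in the Credits section of CVE-2023-34967: 'Arnaud Gatignolof the Thalium team' should read 'Arnaud Gatignol of the Thalium team'. The Versions continuation line ' 4.17.10 and 4.16.11.' lacks the `==` prefix, and 'Patches addressing both these issues' should be 'this issue'. The Description does not say whether the mdssvc RPC service is reachable when Spotlight is not enabled, whereas the CVE-2023-34966 advisory in this patch states that only servers with 'spotlight = yes' are affected; if the same condition applies here, say so in the Description, because the Workaround section (disable Spotlight) already assumes it.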
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-34968.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Spotlight server-side Share Path Disclosure
+==
+== CVE ID#: CVE-2023-34968
+==
+== Versions: All versions of Samba prior to 4.18.5,
+ 4.17.10 and 4.16.11.
+==
+== Summary: As part of the Spotlight protocol Samba
+== discloses the server-side absolute path of
+== shares and files and directories in search
+== results.
+===========================================================
+
+===========
+Description
+===========
+
+As part of the Spotlight protocol, the initial request
+returns a path associated with the sharename targeted by
+the RPC request. Samba returns the real server-side share
+path at this point, as well as returning the absolute
+server-side path of results in search queries by clients.
+
+Known server side paths could be used to mount subsequent
+more serious security attacks or could disclose confidential
+information that is part of the path.
+
+To mitigate the issue, Samba will replace the real server-side
+path with a fake path constructed from the sharename.
+
+Important change in mdscli RPC library and mdsearch command
+-----------------------------------------------------------
+
+As the absolute paths starting with the sharename prefix are
+not usable on the client side, the mdscli RPC library and
+hence the mdsearch command will from now on report paths of
+search results as relative paths relative to the root of the
+SMB share.
+
+Given a share
+
+ [spotlight]
+ path = /foo/bar
+ spotlight = yes
+
+and a file inside this share with a full server-side path of
+
+ /foo/bar/dir/file
+
+previously a search that matched this file would return the
+absolute server-side path of the file
+
+ /foo/bar/dir/file
+
+which is now changed to
+
+ dir/file
+
+by this patchset.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
+as security releases to correct the defect. Samba administrators
+are advised to upgrade to these releases or apply the patch as
+soon as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
+
+==========
+Workaround
+==========
+
+As a possible workaround disable Spotlight by removing all
+configuration stanzas that enable Spotlight ("spotlight =
+yes|true").
+
+=======
+Credits
+=======
+
+Originally reported by Ralph Boehme and Stefan Metzmacher
+of SerNet and the Samba team.
+
+Patches provided by Ralph Boehme of SerNet and the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
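Review bot: in CVE-2023-34968 the Versions continuation line lacks the `==` prefix, and 'Patches addressing both these issues' should be 'this issue'. The section 'Important change in mdscli RPC library and mdsearch command' describes a user-visible behaviour change (mdsearch now reports search results as paths relative to the share root, 'dir/file' instead of '/foo/bar/dir/file'); make sure the release notes for 4.18.5, 4.17.10 and 4.16.11 carry the same note, since readers of the release notes will not necessarily open the advisory. Wording in the Summary: 'discloses the server-side absolute path of shares and files and directories in search results' is ambiguous about what 'in search results' qualifies; 'discloses the server-side absolute path of shares, and of files and directories returned in search results' matches the Description.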