<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.19.1.html">samba-4.19.1</a></li>
<li><a href="samba-4.19.0.html">samba-4.19.0</a></li>
+ <li><a href="samba-4.18.8.html">samba-4.18.8</a></li>
<li><a href="samba-4.18.7.html">samba-4.18.7</a></li>
<li><a href="samba-4.18.6.html">samba-4.18.6</a></li>
<li><a href="samba-4.18.5.html">samba-4.18.5</a></li>
<li><a href="samba-4.18.2.html">samba-4.18.2</a></li>
<li><a href="samba-4.18.1.html">samba-4.18.1</a></li>
<li><a href="samba-4.18.0.html">samba-4.18.0</a></li>
+ <li><a href="samba-4.17.12.html">samba-4.17.12</a></li>
<li><a href="samba-4.17.11.html">samba-4.17.11</a></li>
<li><a href="samba-4.17.10.html">samba-4.17.10</a></li>
<li><a href="samba-4.17.9.html">samba-4.17.9</a></li>
<td><em>CVE ID #</em></td>
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>10 October 2023</td>
+ <td>
+ <a href="/samba/ftp/patches/security/samba-4.19.1-security-2023-10-10.patch">
+ patch for Samba 4.19.1</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.18.8-security-2023-10-10.patch">
+ patch for Samba 4.18.8</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch">
+ patch for Samba 4.17.12</a><br/>
+ </td>
+ <td>
+ CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, and CVE-2023-42670.
+ Please see announcements for details.
+ </td>
+ <td>Please refer to the advisories.</td>
+ <td>
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3961">CVE-2023-3961</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4154">CVE-2023-4154</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4091">CVE-2023-4091</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42669">CVE-2023-42669</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42670">CVE-2023-42670</a>.
+ </td>
+ <td>
+<a href="/samba/security/CVE-2023-3961.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-4154.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-4091.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-42669.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-42670.html">Announcement</a>.
+ </td>
+ </tr>
<tr>
<td>19 July 2023</td>
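Review bot: the CVE order differs between the cells of the new row: the text cell lists "CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, and CVE-2023-42670", while both link cells list 3961, 4154, 4091, 42669, 42670 (4154 before 4091). Use one ascending order in all three cells so a reader can pair each ID with its MITRE link and its announcement link by position. The two free-text cells also say the same thing twice ("Please see announcements for details." and "Please refer to the advisories."); the Details cell would be more useful with a one-line subject per CVE, e.g. "CVE-2023-3961: smbd allows client access to unix domain sockets", taken from the advisory headers added in this same change.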
--- /dev/null
+<!-- BEGIN: posted_news/20231009-222505.4.19.1.body.html -->
+<h5><a name="4.19.1">10 October 2023</a></h5>
+<p class=headline>Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download</p>
+<p>
+<a href="/samba/security/CVE-2023-3961.html">CVE-2023-3961</a>,
+<a href="/samba/security/CVE-2023-4091.html">CVE-2023-4091</a>,
+<a href="/samba/security/CVE-2023-4154.html">CVE-2023-4154</a>,
+<a href="/samba/security/CVE-2023-42669.html">CVE-2023-42669</a> and
+<a href="/samba/security/CVE-2023-42670.html">CVE-2023-42670</a>.
+</p>
+
+<p>
+The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620).
+</p>
+
+<p>
+The Samba 4.19.1 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.19.1.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.19.0-4.19.1.diffs.gz">patch against Samba 4.19.0</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.19.1.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.18.8 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.18.8.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.18.7-4.18.8.diffs.gz">patch against Samba 4.18.7</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.18.8.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.17.12 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.12.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.11-4.17.12.diffs.gz">patch against Samba 4.17.11</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.17.12.html">the release notes for more info</a>.
+</p>
+
+<!-- END: posted_news/20231009-222505.4.19.1.body.html -->
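Review bot: link style is mixed in this news body: the five CVE links are site-relative ("/samba/security/CVE-2023-3961.html") while the release-notes links are absolute ("https://www.samba.org/samba/history/samba-4.19.1.html"); pick one form, preferably the relative one already used on the page, so the item also works on mirrors and in the test site. Consider adding each advisory's subject after its CVE link (the subjects are in the advisory files added in this change) so the news item says what was fixed without requiring a click.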
--- /dev/null
+<!-- BEGIN: posted_news/20231009-222505.4.19.1.headline.html -->
+<li> 10 October 2023 <a href="#4.19.1">Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download</a></li>
+<!-- END: posted_news/20231009-222505.4.19.1.headline.html -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-3961.html:</H2>
+
+<p>
+<pre>
+============================================================
+== Subject: smbd allows client access to unix domain sockets
+== on the file system.
+==
+== CVE ID#: CVE-2023-3961
+==
+== Versions: All versions starting with 4.16.0
+==
+== Summary: Unsanitized pipe names allow SMB clients to connect
+== as root to existing unix domain sockets on the
+== file system.
+============================================================
+
+===========
+Description
+===========
+
+The SMB 1/2/3 protocols allow clients to connect to named
+pipes via the IPC$ (Inter-Process Communication) share
+for the process of inter-process communication between
+SMB clients and servers.
+
+Since Samba 4.16.0, Samba internally connects client pipe names
+to unix domain sockets within a private directory, allowing clients
+to connect to services listening on those sockets. This is
+usually used to connect SMB clients to remote proceedure
+call (RPC) services, such as SAMR LSA, or SPOOLSS, which Samba
+starts on demand.
+
+However, insufficient sanitization was done on the incoming
+client pipe name, meaning that a client sending a pipe name
+containing unix directory traversal characters (../)
+could cause Samba to connect to unix domain sockets
+outside of the private directory meant to restrict the
+services a client could connect to. Samba connects
+to the unix domain sockets as root, meaning if a client
+could send a pipe name that resolved to an external
+service using an existing unix domain socket, the client would
+be able to connect to it without filesystem permissions
+restricting access.
+
+Depending on the service the client can connect to,
+the client may be able to trigger adverse events such
+as denial of service, crashing the service, or potentially
+compromising it.
+
+There are no current known exploits for this bug.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+Originally discovered by Jeremy Allison of the Samba team
+and CIQ. Inc.
+
+Patches provided by Jeremy Allison of the Samba team and
+CIQ. Inc.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
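Review bot: the CVSS line "CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)" uses a different notation from the other four advisories in this change, which write the vector as "CVSS:3.1/AV:N/..."; use the standard "CVSS:3.1/" prefix here too so the vector can be pasted into a calculator unchanged (the 6.8 score is consistent with the vector). Typos in the body: "remote proceedure call" should be "remote procedure call", "SAMR LSA, or SPOOLSS" needs a comma after SAMR, and "CIQ. Inc." in Credits should read "CIQ, Inc.". Markup: the "<p>" before "<pre>" is never closed, and "<pre>" is not permitted inside "<p>" under the XHTML 1.0 Transitional DTD this file declares, so drop the "<p>" (the same applies to all five new advisory files); the uppercase "<H2>" should be "<h2>", since XHTML element names are lowercase.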
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-4091.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: SMB clients can truncate files with
+== read-only permissions
+==
+== CVE ID#: CVE-2023-4091
+==
+== Versions: All Samba versions
+==
+== Summary: SMB client can truncate files to 0 bytes
+== by opening files with OVERWRITE disposition
+== when using the acl_xattr Samba VFS module
+== with the smb.conf setting
+== "acl_xattr:ignore system acls = yes"
+===========================================================
+
+===========
+Description
+===========
+
+The SMB protocol allows opening files where the client
+requests read-only access, but then implicitly truncating
+the opened file if the client specifies a separate OVERWRITE
+create disposition.
+
+This operation requires write access to the file, and in the
+default Samba configuration the operating system kernel will
+deny access to open a read-only file for read/write (which
+the truncate operation requires).
+
+However, when Samba has been configured to ignore kernel
+file system permissions, Samba will truncate a file when the
+underlying operating system kernel would deny the operation.
+
+Affected Samba configurations are the ones where kernel
+file-system permission checks are bypassed, relying on
+Samba's own permission enforcement. The error is that this
+check is done against the client request for read-only
+access, and not the implicitly requested read-write (for
+truncate) one.
+
+The widely used Samba VFS module "acl_xattr" when configured
+with the module configuration parameter "acl_xattr:ignore
+system acls = yes" is the only upstream Samba module that
+allows this behavior and is the only known method of
+reproducing this security flaw.
+
+If (as is the default) the module configuration parameter
+"acl_xattr:ignore system acls=no", then the Samba server is
+not vulnerable to this attack.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have
+been issued as security releases to correct the defect.
+Samba administrators are advised to upgrade to these
+releases or apply the patch as soon as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com>
+from Nasuni.
+
+Patches provided by Ralph Böhme of SerNet and the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
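Review bot: "Patches addressing both these issues have been posted to:" does not match this advisory, which describes a single issue (the access check performed against the requested read-only mode instead of the read-write mode implied by the OVERWRITE disposition); the wording appears copied from the CVE-2023-4154 text, where two issues are described. Change to "Patches addressing this issue". Consistency point: the parameter is written "acl_xattr:ignore system acls = yes" in the Summary and Description but "acl_xattr:ignore system acls=no" in the last Description paragraph; use the same spacing in both so the string matches what administrators will search for in smb.conf. The "<p>" wrapping the "<pre>" is unclosed here as well.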
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-4154.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC password exposure to privileged
+== users and RODCs
+==
+== CVE ID#: CVE-2023-4154
+==
+== Versions: All versions since Samba 4.0.0
+==
+== Summary: An RODC and a user with the GET_CHANGES
+== right can view all attributes, including
+== secrets and passwords.
+==
+== Additionally, the access check fails open
+== on error conditions.
+===========================================================
+
+===========
+Description
+===========
+
+In normal operation, passwords and (most) secrets are never disclosed
+over LDAP in Active Directory.
+
+However, due to a design flaw in Samba's implementation of the DirSync
+control, Active Directory accounts authorized to do some replication,
+but not to replicate sensitive attributes, can instead replicate
+critical domain passwords and secrets.
+
+In a default installation, this means that RODC DC accounts (which
+should only be permitted to replicate some passwords) can instead
+obtain all domain secrets, including the core AD secret: the krbtgt
+password.
+
+RODCs are given this permission as part of their installation for DRS
+replication. This vulnerability removes the RODC / DC distinction.
+
+Secondly, and just as problematically, the access check for this
+functionality did not account for error conditions - errors like
+out of memory were regarded as success. This is sometimes described
+as "fail open". In these error conditions, some of which (eg out of
+memory) may be influenced by a low-privileged attacker, access to the
+secret attributes could be obtained!
+
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+For password disclosure to RODCs and other privileged accounts:
+CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
+
+For the fail open on the DirSync access check:
+CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=================================
+Workaround and mitigating factors
+=================================
+
+If no RODC accounts are in use in the domain, and DirSync users set
+LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right
+to any users. If only privileged accounts have this right, only the
+error path vulnerability exists.
+
+Since Windows 2003 and in all versions of Samba, it has not been
+required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES
+right to use LDAP DirSync, provided that the
+LDAP_DIRSYNC_OBJECT_SECURITY it set in the control.
+
+If any unprivileged accounts do have this right, and either no longer
+use DirSync or use LDAP_DIRSYNC_OBJECT_SECURITY, this should be
+removed.
+
+GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an
+extended right set in the ntSecurityDescriptor on the NC root (the DN
+at the top of each partition). These are for example the domain DN,
+configuration DN etc. The domain DN is the most important.
+
+=======
+Credits
+=======
+
+Originally reported by Andrew Bartlett of Catalyst and the Samba Team
+during routine code review.
+
+Patches provided by Andrew Bartlett of Catalyst and the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
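Review bot: in the Workaround section, "provided that the LDAP_DIRSYNC_OBJECT_SECURITY it set in the control" should read "is set in the control", and "eg out of memory" in the Description should be "e.g. out of memory" to match the rest of the text. The workaround also asks administrators to remove the right from unprivileged accounts before telling them where it lives: the explanation that GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 "is an extended right set in the ntSecurityDescriptor on the NC root" comes last, so move that paragraph ahead of "If any unprivileged accounts do have this right ..." so the instruction can be acted on as read. The "<p>" before "<pre>" is unclosed here too.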
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-42669.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: "rpcecho" development server allows Denial
+ of Service via sleep() call on AD DC
+==
+== CVE ID#: CVE-2023-42669
+==
+== Versions: All versions of Samba since Samba 4.0.0
+==
+== Summary: Calls to the rpcecho server on the AD DC can request
+ that the server block for a user-defined amount of
+ time, denying service.
+===========================================================
+
+===========
+Description
+===========
+
+Samba developers have built a non-Windows RPC server known as
+"rpcecho" to test elements of the Samba DCE/RPC stack under their full
+control.
+
+One RPC function provided by "rpcecho" can block, essentially
+indefinitely, and because the "rpcecho" service is provided from the
+main RPC task, which has only one worker, this denies essentially all
+service on the AD DC.
+
+To address this problem, the rpcecho server is removed from our
+production binaries and is restricted to selftest builds only.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
+
+==========
+Workaround
+==========
+
+Setting "dcerpc endpoint servers = -rpcecho" will disable the rpcecho
+service on the AD DC.
+
+=======
+Credits
+=======
+
+Originally reported by Andrew Bartlett of Catalyst and the Samba Team.
+
+Patches provided by Andrew Bartlett of Catalyst and the Samba Team.
+
+Catalyst thanks Planet Innovation for supporting the production of
+this security fix.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
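Review bot: "Patches addressing both these issues have been posted to:" refers to two issues, but this advisory describes only the rpcecho blocking call; change to "this issue". In the header box, the continuation lines "of Service via sleep() call on AD DC", "that the server block for a user-defined amount of" and "time, denying service." lack the "==" prefix that every other header line in these advisories carries, so the box renders with a ragged left edge; add the prefix. The Workaround should name the file the setting belongs in ("dcerpc endpoint servers = -rpcecho" in smb.conf), as the CVE-2023-42670 advisory does for its setting. Unclosed "<p>" before "<pre>" as in the other files.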
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-42670.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC Busy RPC multiple listener DoS
+==
+== CVE ID#: CVE-2023-42670
+==
+== Versions: All versions of Samba since Samba 4.16
+==
+== Summary: Samba can be made to start multiple incompatible RPC
+ listeners, disrupting service on the AD DC.
+===========================================================
+
+===========
+Description
+===========
+
+Samba as an Active Directory DC operates RPC services from two
+distinct parts of the codebase. Those services focused on the AD DC
+are started in the main "samba" process, while services focused on the
+fileserver and NT4-like DC are started from the new samba-dcerpcd,
+which is launched on-demand from the fileserver (smbd) tasks.
+
+When starting, samba-dcerpcd must first confirm which services not to
+provide, so as to avoid duplicate listeners.
+
+The issue in this advisory is that, when Samba's RPC server is under
+load, or otherwise not responding, the servers NOT built for the
+AD DC (eg build instead for the NT4-emulation "classic DCs") can be
+incorrectly started, and compete to listen on the same unix domain
+sockets.
+
+This then results in some queries being answered by the AD DC, and
+some not. This has been seen in production at multiple sites, as "The
+procedure number is out of range" when starting Active Directory Users
+and Computers tool, however it can also be triggered maliciously, to
+prevent service on the AD DC.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
+
+==========
+Workaround
+==========
+
+Setting "rpc start on demand helpers = no" in the smb.conf will
+disable the file-server based RPC servers entirely. While used less
+often, these services are required so this is not a long-term solution.
+
+=======
+Credits
+=======
+
+Originally reported by Kirin van der Veer of Planet Innovation and
+diagnosed by Andrew Bartlett of Catalyst and the Samba Team.
+
+Patches provided by Andrew Bartlett of Catalyst and the Samba Team.
+
+Catalyst thanks Planet Innovation for supporting the production of
+this security fix.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
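Review bot: "Patches addressing both these issues" should be "this issue" here as well; a single issue is described. In the Description, "eg build instead for the NT4-emulation "classic DCs"" should read "e.g. built instead for ..." and "the servers NOT built for the AD DC" is clearer as "the RPC servers not built for the AD DC". "Versions: All versions of Samba since Samba 4.16" should be written "4.16.0" to match the CVE-2023-3961 advisory in this same change, which names the same release. The Summary continuation line "listeners, disrupting service on the AD DC." lacks the "==" prefix used on the other header lines. The "<p>" before "<pre>" is unclosed here too.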