NEWS[4.16.4]: Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases Available for Download
author Jule Anger <janger@samba.org>
Wed, 27 Jul 2022 08:38:46 +0000 (10:38 +0200)
committer Jule Anger <janger@samba.org>
Wed, 27 Jul 2022 09:47:18 +0000 (11:47 +0200)
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
12 files changed:
history/header_history.html
history/samba-4.14.14.html [new file with mode: 0644]
history/samba-4.15.9.html [new file with mode: 0644]
history/samba-4.16.4.html [new file with mode: 0644]
history/security.html
posted_news/20220727-081708.4.16.4.body.html [new file with mode: 0644]
posted_news/20220727-081708.4.16.4.headline.html [new file with mode: 0644]
security/CVE-2022-2031.html [new file with mode: 0644]
security/CVE-2022-32742.html [new file with mode: 0644]
security/CVE-2022-32744.html [new file with mode: 0644]
security/CVE-2022-32745.html [new file with mode: 0644]
security/CVE-2022-32746.html [new file with mode: 0644]

index 00c41059bccb15ad2e8ff7cf32b6c1f7c770d736..523e9f3a137b8d82722ebb5a224be6605cf6b26f 100755 (executable)
@@ -9,10 +9,12 @@
                <li><a href="/samba/history/">Release Notes</a>
                <li class="navSub">
                        <ul>
+                       <li><a href="samba-4.16.4.html">samba-4.16.4</a></li>
                        <li><a href="samba-4.16.3.html">samba-4.16.3</a></li>
                        <li><a href="samba-4.16.2.html">samba-4.16.2</a></li>
                        <li><a href="samba-4.16.1.html">samba-4.16.1</a></li>
                        <li><a href="samba-4.16.0.html">samba-4.16.0</a></li>
+                       <li><a href="samba-4.15.9.html">samba-4.15.9</a></li>
                        <li><a href="samba-4.15.8.html">samba-4.15.8</a></li>
                        <li><a href="samba-4.15.7.html">samba-4.15.7</a></li>
                        <li><a href="samba-4.15.6.html">samba-4.15.6</a></li>
@@ -22,6 +24,7 @@
                        <li><a href="samba-4.15.2.html">samba-4.15.2</a></li>
                        <li><a href="samba-4.15.1.html">samba-4.15.1</a></li>
                        <li><a href="samba-4.15.0.html">samba-4.15.0</a></li>
+                       <li><a href="samba-4.14.14.html">samba-4.14.14</a></li>
                        <li><a href="samba-4.14.13.html">samba-4.14.13</a></li>
                        <li><a href="samba-4.14.12.html">samba-4.14.12</a></li>
                        <li><a href="samba-4.14.11.html">samba-4.14.11</a></li>
diff --git a/history/samba-4.14.14.html b/history/samba-4.14.14.html
new file mode 100644 (file)
index 0000000..b5f4793
--- /dev/null
@@ -0,0 +1,70 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.14.14 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.14.14 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.gz">Samba 4.14.14 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.gz">Patch (gzipped) against Samba 4.14.13</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ===============================
+                   Release Notes for Samba 4.14.14
+                            July 27, 2022
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
+                  changing passwords.
+                  https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+                  https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+                  or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+                  process with an LDAP add or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+                  https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.14.13
+---------------------
+
+o  Jeremy Allison &lt;jra@samba.org&gt;
+   * BUG 15085: CVE-2022-32742.
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 15009: CVE-2022-32746.
+
+o  Andreas Schneider &lt;asn@samba.org&gt;
+   * BUG 15047: CVE-2022-2031.
+
+o  Isaac Boukris &lt;iboukris@gmail.com&gt;
+   * BUG 15047: CVE-2022-2031.
+
+o  Joseph Sutton &lt;josephsutton@catalyst.net.nz&gt;
+   * BUG 15008: CVE-2022-32745.
+   * BUG 15009: CVE-2022-32746.
+   * BUG 15047: CVE-2022-2031.
+   * BUG 15074: CVE-2022-32744.
+
+
+</pre>
+</p>
+</body>
+</html>
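Review bot: The release-notes body wraps the `<pre>` block in `<p>` ... `</p>`, which is not valid under the XHTML 1.0 Transitional doctype declared at the top of the file (`p` only permits inline content), and the `<br>` after the tarball link is unclosed. Suggest dropping the `<p>`/`</p>` around the `<pre>` and writing `<br />`; the same pattern is repeated in the new samba-4.15.9.html and samba-4.16.4.html files in this commit.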
diff --git a/history/samba-4.15.9.html b/history/samba-4.15.9.html
new file mode 100644 (file)
index 0000000..173d648
--- /dev/null
@@ -0,0 +1,70 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.15.9 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.15.9 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.gz">Samba 4.15.9 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.gz">Patch (gzipped) against Samba 4.15.8</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.15.9
+                           July 27, 2022
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
+                  changing passwords.
+                  https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+                  https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+                  or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+                  process with an LDAP add or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+                  https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.15.8
+--------------------
+
+o  Jeremy Allison &lt;jra@samba.org&gt;
+   * BUG 15085: CVE-2022-32742.
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 15009: CVE-2022-32746.
+
+o  Isaac Boukris &lt;iboukris@gmail.com&gt;
+   * BUG 15047: CVE-2022-2031.
+
+o  Andreas Schneider &lt;asn@samba.org&gt;
+   * BUG 15047: CVE-2022-2031.
+
+o  Joseph Sutton &lt;josephsutton@catalyst.net.nz&gt;
+   * BUG 15008: CVE-2022-32745.
+   * BUG 15009: CVE-2022-32746.
+   * BUG 15047: CVE-2022-2031.
+   * BUG 15074: CVE-2022-32744.
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/history/samba-4.16.4.html b/history/samba-4.16.4.html
new file mode 100644 (file)
index 0000000..acda866
--- /dev/null
@@ -0,0 +1,67 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.16.4 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.16.4 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.gz">Samba 4.16.4 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.gz">Patch (gzipped) against Samba 4.16.3</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.16.4
+                           July 27, 2022
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
+                  changing passwords.
+                  https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+                  https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+                  or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+                  process with an LDAP add or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+                  https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.16.3
+--------------------
+
+o  Jeremy Allison &lt;jra@samba.org&gt;
+   * BUG 15085: CVE-2022-32742.
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 15009: CVE-2022-32746.
+
+o  Andreas Schneider &lt;asn@samba.org&gt;
+   * BUG 15047: CVE-2022-2031.
+
+o  Joseph Sutton &lt;josephsutton@catalyst.net.nz&gt;
+   * BUG 15008: CVE-2022-32745.
+   * BUG 15009: CVE-2022-32746.
+   * BUG 15047: CVE-2022-2031.
+   * BUG 15074: CVE-2022-32744.
+
+
+</pre>
+</p>
+</body>
+</html>
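Review bot: The "Changes since 4.16.3" list credits Andreas Schneider and Joseph Sutton for BUG 15047 (CVE-2022-2031) but not Isaac Boukris, whereas the samba-4.15.9.html and samba-4.14.14.html notes in this same commit list him for the same bug. Confirm whether his commits were simply not needed on the 4.16 branch or whether the entry was dropped by accident.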
index 54118f840a3e3bee292bd9c465eba1aeea4289d7..2b9ed159fb5d01baed35e6729d7a136af35c3e50 100755 (executable)
@@ -32,6 +32,34 @@ link to full release notes for each release.</p>
        <td><em>Details</em></td>
       </tr>
 
+    <tr>
+       <td>27 July 2022</td>
+       <td><a href="/samba/ftp/patches/security/samba-4.16.4-security-2022-07-27.patch">
+       patch for Samba 4.16.4</a><br />
+       <a href="/samba/ftp/patches/security/samba-4.15.9-security-2022-07-27.patch">
+       patch for Samba 4.15.9</a><br />
+       <a href="/samba/ftp/patches/security/samba-4.14.14-security-2022-07-27.patch">
+       patch for Samba 4.14.14</a><br />
+       </td>
+       <td>CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745 and CVE-2022-32746.
+        Please see announcements for details.
+       </td>
+       <td>Please refer to the advisories.</td>
+       <td>
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031">CVE-2022-2031</a>, 
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742">CVE-2022-32742</a>, 
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744">CVE-2022-32744</a>, 
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745">CVE-2022-32745</a>, 
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746">CVE-2022-32746</a>.
+       </td>
+       <td>
+<a href="/samba/security/CVE-2022-2031.html">Announcement</a>, 
+<a href="/samba/security/CVE-2022-32742.html">Announcement</a>, 
+<a href="/samba/security/CVE-2022-32744.html">Announcement</a>, 
+<a href="/samba/security/CVE-2022-32745.html">Announcement</a>, 
+<a href="/samba/security/CVE-2022-32746.html">Announcement</a>.
+       </td>
+
     <tr>
        <td>31 January 2022</td>
        <td><a href="/samba/ftp/patches/security/samba-4.15.5-security-2022-01-31.patch">
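Review bot: The new table row opened with `<tr>` for "27 July 2022" is never closed; the last cell ends with `</td>` and then a blank line runs straight into the existing `<tr>` for 31 January 2022, while the header row above closes with `</tr>`. Add a `</tr>` after the final Announcement cell so the row matches the surrounding markup and parses as intended under XHTML.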
diff --git a/posted_news/20220727-081708.4.16.4.body.html b/posted_news/20220727-081708.4.16.4.body.html
new file mode 100644 (file)
index 0000000..eae2068
--- /dev/null
@@ -0,0 +1,52 @@
+<!-- BEGIN: posted_news/20220727-081708.4.16.4.body.html -->
+<h5><a name="4.16.4">27 July 2022</a></h5>
+<p class=headline>Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases are available for Download</p>
+<p>
+These are Security Releases in order to address
+<a href="/samba/security/CVE-2022-2031.html">CVE-2022-2031</a>,
+<a href="/samba/security/CVE-2022-32742.html">CVE-2022-32742</a>,
+<a href="/samba/security/CVE-2022-32744.html">CVE-2022-32744</a>,
+<a href="/samba/security/CVE-2022-32745.html">CVE-2022-32745</a> and
+<a href="/samba/security/CVE-2022-32746.html">CVE-2022-32746</a>.
+</p>
+
+<p>
+If you are building/using ldb from a system library, you'll
+also need the related updated ldb tarball, otherwise you can ignore it.
+</p>
+
+<p>
+The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620).
+</p>
+
+<p>
+The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025).
+</p>
+
+<p>
+The Samba 4.16.4 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.gz">patch against Samba 4.16.3</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.16.4.html">the release notes for more info</a>.
+The ldb 2.5.2 release for use with Samba 4.16.4 can be
+<a href="https://download.samba.org/pub/ldb/ldb-2.5.2.tar.gz">downloaded here</a>.
+</p>
+
+<p>
+The Samba 4.15.9 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.gz">patch against Samba 4.15.8</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.15.9.html">the release notes for more info</a>.
+The ldb 2.4.4 release for use with Samba 4.15.9 can be
+<a href="https://download.samba.org/pub/ldb/ldb-2.4.4.tar.gz">downloaded here</a>.
+</p>
+
+<p>
+The Samba 4.14.14 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.gz">patch against Samba 4.14.13</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.14.14.html">the release notes for more info</a>.
+The ldb 2.3.4 release for use with Samba 4.14.14 can be
+<a href="https://download.samba.org/pub/ldb/ldb-2.3.4.tar.gz">downloaded here</a>.
+</p>
+<!-- END: posted_news/20220727-081708.4.16.4.body.html -->
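Review bot: The signing paragraph says "The uncompressed Samba tarball has been signed" in the singular, but this announcement covers three Samba tarballs (4.16.4, 4.15.9 and 4.14.14), and the following paragraph already uses the plural for the ldb tarballs. Suggest "The uncompressed Samba tarballs have been signed using GnuPG (ID AA99442FB680B620)." for consistency.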
diff --git a/posted_news/20220727-081708.4.16.4.headline.html b/posted_news/20220727-081708.4.16.4.headline.html
new file mode 100644 (file)
index 0000000..a2e8d28
--- /dev/null
@@ -0,0 +1,3 @@
+<!-- BEGIN: posted_news/20220727-081708.4.16.4.headline.html -->
+<li> 27 July 2022 <a href="#4.16.4">Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases are available for Download</a></li>
+<!-- END: posted_news/20220727-081708.4.16.4.headline.html -->
diff --git a/security/CVE-2022-2031.html b/security/CVE-2022-2031.html
new file mode 100644 (file)
index 0000000..36e9247
--- /dev/null
@@ -0,0 +1,111 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2022-2031.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Samba AD users can bypass certain restrictions
+==              associated with changing passwords.
+==
+== CVE ID#:     CVE-2022-2031
+==
+== Versions:    All versions of Samba prior to 4.16.4
+==
+== Summary:     The KDC and the kpasswd service share a single account
+==              and set of keys, allowing them to decrypt each other&#x27;s
+==              tickets. A user who has been requested to change their
+==              password can exploit this to obtain and use tickets to
+==              other services.
+===========================================================
+
+===========
+Description
+===========
+
+The KDC and the kpasswd service share a single account and set of
+keys. In certain cases, this makes the two services susceptible to
+confusion.
+
+When a user&#x27;s password has expired, that user is requested to change
+their password. Until doing so, the user is restricted to only
+acquiring tickets to kpasswd.
+
+However, a vulnerability meant that the kpasswd&#x27;s principal, when
+canonicalized, was set to that of the TGS (Ticket-Granting Service),
+thus yielding TGTs from ordinary kpasswd requests. These TGTs could be
+used to perform an Elevation of Privilege attack by obtaining service
+tickets and using services in the forest. This vulnerability existed
+in versions of Samba built with Heimdal Kerberos.
+
+A separate vulnerability in Samba versions below 4.16, and in Samba
+built with MIT Kerberos, led the KDC to accept kpasswd tickets as if
+they were TGTs, with the same overall outcome.
+
+On the reverse side of the issue, password changes could be effected
+by presenting TGTs as if they were kpasswd tickets. TGTs having
+potentially longer lifetimes than kpasswd tickets, the value of a
+stolen cache containing a TGT was hence increased to an attacker, with
+the possibility of indefinite control over an account by means of a
+password change.
+
+Finally, kpasswd service tickets would be accepted for changes to
+one&#x27;s own password, contrary to the requirement that tickets be
+acquired with an initial KDC request in such cases.
+
+As part of the mitigations, the lifetime of kpasswd tickets has been
+restricted to a maximum of two minutes. The KDC will not longer accept
+TGTs with two minutes or less left to live, to make sure it does not
+accept kpasswd tickets.
+
+==================
+Patch Availability
+==================
+
+Patches addressing these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)
+
+==========
+Workaround
+==========
+
+kpasswd is not a critical protocol for the AD DC in most installations, it can
+be disabled by setting "kpasswd port = 0" in the smb.conf.
+
+=======
+Credits
+=======
+
+Originally reported by Luke Howard.
+
+Patches provided by Joseph Sutton and Andreas Schneider of the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+</pre>
+</body>
+</html>
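Review bot: Typo in the mitigation paragraph of the Description: "The KDC will not longer accept TGTs with two minutes or less left to live" should read "will no longer accept". Also, as in the release-notes files, the `<p>` opened before `<pre>` is never closed, which the XHTML doctype does not allow; drop it or close it after `</pre>`.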
diff --git a/security/CVE-2022-32742.html b/security/CVE-2022-32742.html
new file mode 100644 (file)
index 0000000..4dcaf8f
--- /dev/null
@@ -0,0 +1,88 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2022-32742.html:</H2>
+
+<p>
+<pre>
+====================================================================
+== Subject:     Server memory information leak via SMB1.
+==
+== CVE ID#:     CVE-2022-32742
+==
+== Versions:    All versions of Samba.
+==
+== Summary:     SMB1 Client with write access to a share can cause
+==              server memory contents to be written into a file
+==              or printer.
+==
+====================================================================
+
+===========
+Description
+===========
+
+Please note that only versions of Samba prior to 4.11.0 are vulnerable
+to this bug by default. Samba versions 4.11.0 and above disable SMB1
+by default, and will only be vulnerable if the administrator has
+deliberately enabled SMB1 in the smb.conf file.
+
+All versions of Samba with SMB1 enabled are vulnerable to a server
+memory information leak bug over SMB1 if a client can write data to a
+share. Some SMB1 write requests were not correctly range checked to
+ensure the client had sent enough data to fulfill the write, allowing
+server memory contents to be written into the file (or printer)
+instead of client supplied data. The client cannot control the area of
+the server memory that is written to the file (or printer).
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 4.16.4, 4.15.9 and 4.14.14 have been issued as
+security releases to correct the defect. Patches against older Samba
+versions are available at http://samba.org/samba/patches/. Samba
+vendors and administrators running affected versions are advised to
+upgrade or apply the patch as soon as possible.
+
+==================
+CVSSv3.1 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)
+
+==========
+Workaround
+==========
+
+This is an SMB1-only vulnerability. Since Samba release 4.11.0 SMB1
+has been disabled by default. We do not recommend enabling SMB1 server
+support. For Samba versions prior to 4.11.0 please disable SMB1 by
+adding
+
+server min protocol = SMB2_02
+
+to the [global] section of your smb.conf and restarting smbd.
+
+=======
+Credits
+=======
+
+This problem was reported by Luca Moro working with Trend Micro Zero
+Day Initiative. Jeremy Allison of Google and the Samba Team provided
+the fix.
+
+</pre>
+</body>
+</html>
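Review bot: Two consistency points against the other four advisories in this commit: the Patch Availability section links to `http://www.samba.org/samba/security/` and `http://samba.org/samba/patches/` rather than the `https://www.samba.org/...` form used elsewhere, and the "CVSSv3.1 calculation" heading is underlined with an `==================` rule two characters shorter than the heading, where the other files use "CVSSv3 calculation" with a matching rule. Suggest switching to https and either shortening the heading or extending the rule.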
diff --git a/security/CVE-2022-32744.html b/security/CVE-2022-32744.html
new file mode 100644 (file)
index 0000000..f1aab6b
--- /dev/null
@@ -0,0 +1,89 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2022-32744.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Samba AD users can forge password change requests for
+==              any user.
+==
+== CVE ID#:     CVE-2022-32744
+==
+== Versions:    Samba 4.3 and later
+==
+== Summary:     The KDC accepts kpasswd requests encrypted with any
+==              key known to it. By encrypting forged kpasswd requests
+==              with its own key, a user can change the passwords of
+==              other users, enabling full domain takeover.
+===========================================================
+
+===========
+Description
+===========
+
+Tickets received by the kpasswd service were decrypted without
+specifying that only that service&#x27;s own keys should be tried. By
+setting the ticket&#x27;s server name to a principal associated with their
+own account, or by exploiting a fallback where known keys would be
+tried until a suitable one was found, an attacker could have the
+server accept tickets encrypted with any key, including their own.
+
+A user could thus change the password of the Administrator account and
+gain total control over the domain. Full loss of confidentiality and
+integrity would be possible, as well as of availability by denying
+users access to their accounts.
+
+In addition, the kpasswd service would accept tickets encrypted by the
+krbtgt key of an RODC, in spite of the fact that RODCs should not have
+been able to authorise password changes.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)
+
+==========
+Workaround
+==========
+
+kpasswd is not a critical protocol for the AD DC in most installations, it can
+be disabled by setting "kpasswd port = 0" in the smb.conf.
+
+=======
+Credits
+=======
+
+Initial report, patches, and this advisory by Joseph Sutton of
+Catalyst and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+</pre>
+</body>
+</html>
diff --git a/security/CVE-2022-32745.html b/security/CVE-2022-32745.html
new file mode 100644 (file)
index 0000000..78124a6
--- /dev/null
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2022-32745.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Samba AD users can crash the server process with an
+==              LDAP add or modify request.
+==
+== CVE ID#:     CVE-2022-32745
+==
+== Versions:    Samba 4.16, 4.15.2, 4.14.10, 4.13.14, and later
+==
+== Summary:     Samba AD users can cause the server to access
+==              uninitialised data with an LDAP add or modify request,
+==              usually resulting in a segmentation fault.
+===========================================================
+
+===========
+Description
+===========
+
+Due to incorrect values used as the limit for a loop and as the
+&#x27;count&#x27; parameter to memcpy(), the server, receiving a specially
+crafted message, leaves an array of structures partially
+uninitialised, or accesses an arbitrary element beyond the end of an
+array.
+
+Outcomes achievable by an attacker include segmentation faults and
+corresponding loss of availability. Depending on the contents of the
+uninitialised memory, confidentiality may also be affected.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L (5.4)
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+Initial report, patches, and this advisory by Joseph Sutton of
+Catalyst and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+</pre>
+</body>
+</html>
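Review bot: The Patch Availability section says "Patches addressing both these issues", but the advisory carries a single CVE and the surrounding text refers to "the defect" in the singular. If "both" is meant to cover the two root causes named in the Description (the incorrect loop limit and the incorrect 'count' passed to memcpy()), say so explicitly; otherwise use "Patches addressing this issue" as the CVE-2022-32744 advisory does.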
diff --git a/security/CVE-2022-32746.html b/security/CVE-2022-32746.html
new file mode 100644 (file)
index 0000000..e91bdf0
--- /dev/null
@@ -0,0 +1,94 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2022-32746.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Samba AD users can induce a use-after-free in the
+==              server process with an LDAP add or modify request.
+==
+== CVE ID#:     CVE-2022-32746
+==
+== Versions:    All versions of Samba prior to 4.16.4
+==
+== Summary:     The AD DC database audit logging module can be made to
+==              access LDAP message values that have been freed by a
+==              preceding database module, resulting in a use-after-
+==              free. This is only possible when modifying certain
+==              privileged attributes, such as userAccountControl.
+===========================================================
+
+===========
+Description
+===========
+
+Some database modules make a shallow copy of an LDAP add/delete
+message so they can make modifications to its elements without
+affecting the original message. Each element in a message points to an
+array of values, and these arrays are shared between the original
+message and the copy.
+
+The issue arises when a database module adds new values to an existing
+array. A call to realloc() increases the array&#x27;s size to accommodate
+new elements, but at the same time, frees the old array. This leaves
+the original message element with a dangling pointer to a now-freed
+array. When the database audit logging module subsequently logs the
+details of the original message, it will access this freed data,
+generally resulting in corrupted log output or a crash.
+
+The code paths susceptible to this issue are reachable when certain
+specific attributes, such as userAccountControl, are added or
+modified. These attributes are not editable by default without having
+a privilege assigned, such as Write Property.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)
+
+==========
+Workaround
+==========
+
+Disabling AD DC database audit logging prevents the use-after-free
+from occurring, as that is the only component that will access the
+original message.
+
+=======
+Credits
+=======
+
+Initial report, patches, and this advisory by Joseph Sutton and Andrew
+Bartlett of Catalyst and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+</pre>
+</body>
+</html>
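Review bot: The Description opens with "a shallow copy of an LDAP add/delete message", but the Subject, Summary and the later paragraph on userAccountControl all describe the issue in terms of LDAP add or modify requests; "add/delete" looks like a slip for "add/modify". The Patch Availability section also reuses "both these issues" from another advisory although only one CVE is covered here; suggest "this issue".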