1 ===============================
2 Release Notes for Samba 4.13.17
4 ===============================
7 This is a security release in order to address the following defects:
9 o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
10 https://www.samba.org/samba/security/CVE-2021-44142.html
12 o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
13 https://www.samba.org/samba/security/CVE-2022-0336.html
19 o Ralph Boehme <slow@samba.org>
20 * BUG 14914: CVE-2021-44142
22 o Joseph Sutton <josephsutton@catalyst.net.nz>
23 * BUG 14950: CVE-2022-0336
26 #######################################
27 Reporting bugs & Development Discussion
28 #######################################
30 Please discuss this release on the samba-technical mailing list or by
31 joining the #samba-technical IRC channel on irc.libera.chat or the
32 #samba-technical:matrix.org matrix channel.
34 If you do report problems then please try to send high quality
35 feedback. If you don't provide vital information to help us track down
36 the problem then you will probably be ignored. All bug reports should
37 be filed under the Samba 4.1 and newer product in the project's Bugzilla
38 database (https://bugzilla.samba.org/).
41 ======================================================================
42 == Our Code, Our Bugs, Our Responsibility.
44 ======================================================================
47 Release notes for older releases follow:
48 ----------------------------------------
50 ===============================
51 Release Notes for Samba 4.13.16
53 ===============================
56 This is a security release in order to address the following defects:
58 o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
59 https://www.samba.org/samba/security/CVE-2021-43566.html
67 All versions of Samba prior to 4.13.16 are vulnerable to a malicious
68 client using an SMB1 or NFS symlink race to allow a directory to be
69 created in an area of the server file system not exported under the
70 share definition. Note that SMB1 has to be enabled, or the share
71 also available via NFS in order for this attack to succeed.
73 Clients that have write access to the exported part of the file system
74 under a share via SMB1 unix extensions or NFS can create symlinks that
75 can race the server by renaming an existing path and then replacing it
76 with a symlink. If the client wins the race it can cause the server to
77 create a directory under the new symlink target after the exported
78 share path check has been done. This new symlink target can point to
79 anywhere on the server file system. The authenticated user must have
80 permissions to create a directory under the target directory of the
83 This is a difficult race to win, but theoretically possible. Note that
84 the proof of concept code supplied wins the race only when the server
85 is slowed down and put under heavy load. Exploitation of this bug has
86 not been seen in the wild.
92 o Jeremy Allison <jra@samba.org>
93 * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
96 #######################################
97 Reporting bugs & Development Discussion
98 #######################################
100 Please discuss this release on the samba-technical mailing list or by
101 joining the #samba-technical IRC channel on irc.libera.chat or the
102 #samba-technical:matrix.org matrix channel.
104 If you do report problems then please try to send high quality
105 feedback. If you don't provide vital information to help us track down
106 the problem then you will probably be ignored. All bug reports should
107 be filed under the Samba 4.1 and newer product in the project's Bugzilla
108 database (https://bugzilla.samba.org/).
111 ======================================================================
112 == Our Code, Our Bugs, Our Responsibility.
114 ======================================================================
117 ----------------------------------------------------------------------
118 ===============================
119 Release Notes for Samba 4.13.15
121 ===============================
124 This is the latest stable release of the Samba 4.13 release series.
129 There have been a few regressions in the security release 4.13.14:
131 o CVE-2020-25717: A user on the domain can become root on domain members.
132 https://www.samba.org/samba/security/CVE-2020-25717.html
134 The instructions have been updated and some workarounds
135 initially adviced for 4.13.14 are no longer required and
136 should be reverted in most cases.
138 o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
139 un-deletable. While this release should fix this bug, it is
140 adviced to have a look at the bug report for more detailed
141 information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
143 Changes since 4.13.14
144 ---------------------
146 o Andrew Bartlett <abartlet@samba.org>
147 * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
148 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
149 side effects for the local nt token.
150 * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-
153 o Ralph Boehme <slow@samba.org>
154 * BUG 14922: Kerberos authentication on standalone server in MIT realm
157 o Alexander Bokovoy <ab@samba.org>
158 * BUG 14903: Support for ROLE_IPA_DC is incomplete.
160 o Stefan Metzmacher <metze@samba.org>
161 * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
162 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
163 side effects for the local nt token.
165 o Joseph Sutton <josephsutton@catalyst.net.nz>
166 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
167 side effects for the local nt token.
170 #######################################
171 Reporting bugs & Development Discussion
172 #######################################
174 Please discuss this release on the samba-technical mailing list or by
175 joining the #samba-technical IRC channel on irc.freenode.net.
177 If you do report problems then please try to send high quality
178 feedback. If you don't provide vital information to help us track down
179 the problem then you will probably be ignored. All bug reports should
180 be filed under the Samba 4.1 and newer product in the project's Bugzilla
181 database (https://bugzilla.samba.org/).
184 ======================================================================
185 == Our Code, Our Bugs, Our Responsibility.
187 ======================================================================
190 ----------------------------------------------------------------------
191 ===============================
192 Release Notes for Samba 4.13.14
194 ===============================
197 This is a security release in order to address the following defects:
199 o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
201 https://www.samba.org/samba/security/CVE-2016-2124.html
203 o CVE-2020-25717: A user on the domain can become root on domain members.
204 https://www.samba.org/samba/security/CVE-2020-25717.html
205 (PLEASE READ! There are important behaviour changes described)
207 o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
209 https://www.samba.org/samba/security/CVE-2020-25718.html
211 o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
213 https://www.samba.org/samba/security/CVE-2020-25719.html
215 o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
217 https://www.samba.org/samba/security/CVE-2020-25721.html
219 o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
220 checking of data stored.
221 https://www.samba.org/samba/security/CVE-2020-25722.html
223 o CVE-2021-3738: Use after free in Samba AD DC RPC server.
224 https://www.samba.org/samba/security/CVE-2021-3738.html
226 o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
227 https://www.samba.org/samba/security/CVE-2021-23192.html
230 Changes since 4.13.13
231 ---------------------
233 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
236 o Andrew Bartlett <abartlet@samba.org>
242 o Ralph Boehme <slow@samba.org>
245 o Alexander Bokovoy <ab@samba.org>
248 o Samuel Cabrero <scabrero@samba.org>
251 o Nadezhda Ivanova <nivanova@symas.com>
254 o Stefan Metzmacher <metze@samba.org>
263 o Andreas Schneider <asn@samba.org>
266 o Joseph Sutton <josephsutton@catalyst.net.nz>
275 #######################################
276 Reporting bugs & Development Discussion
277 #######################################
279 Please discuss this release on the samba-technical mailing list or by
280 joining the #samba-technical IRC channel on irc.libera.chat or the
281 #samba-technical:matrix.org matrix channel.
283 If you do report problems then please try to send high quality
284 feedback. If you don't provide vital information to help us track down
285 the problem then you will probably be ignored. All bug reports should
286 be filed under the Samba 4.1 and newer product in the project's Bugzilla
287 database (https://bugzilla.samba.org/).
290 ======================================================================
291 == Our Code, Our Bugs, Our Responsibility.
293 ======================================================================
296 ----------------------------------------------------------------------
299 ===============================
300 Release Notes for Samba 4.13.13
302 ===============================
305 This is the latest stable release of the Samba 4.13 release series.
308 Changes since 4.13.12
309 ---------------------
311 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
312 * BUG 14868: rodc_rwdc test flaps.
313 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
315 o Andrew Bartlett <abartlet@samba.org>
316 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
317 bit' S4U2Proxy Constrained Delegation bypass in Samba with
319 * BUG 14836: Python ldb.msg_diff() memory handling failure.
320 * BUG 14845: "in" operator on ldb.Message is case sensitive.
321 * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
322 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
323 * BUG 14874: Allow special chars like "@" in samAccountName when generating
325 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
327 o Isaac Boukris <iboukris@gmail.com>
328 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
329 bit' S4U2Proxy Constrained Delegation bypass in Samba with
331 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
333 o Viktor Dukhovni <viktor@twosigma.com>
334 * BUG 12998: Fix transit path validation.
335 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
337 o Luke Howard <lukeh@padl.com>
338 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
339 bit' S4U2Proxy Constrained Delegation bypass in Samba with
341 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
343 o Stefan Metzmacher <metze@samba.org>
344 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
346 o David Mulder <dmulder@suse.com>
347 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
349 o Andreas Schneider <asn@samba.org>
350 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
351 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
353 o Joseph Sutton <josephsutton@catalyst.net.nz>
354 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
355 bit' S4U2Proxy Constrained Delegation bypass in Samba with
357 * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
358 violation: brlock.tdb, share_entries.tdb.
359 * BUG 14836: Python ldb.msg_diff() memory handling failure.
360 * BUG 14845: "in" operator on ldb.Message is case sensitive.
361 * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
362 * BUG 14868: rodc_rwdc test flaps.
363 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
364 * BUG 14874: Allow special chars like "@" in samAccountName when generating
366 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
368 o Nicolas Williams <nico@twosigma.com>
369 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
370 bit' S4U2Proxy Constrained Delegation bypass in Samba with
372 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
375 #######################################
376 Reporting bugs & Development Discussion
377 #######################################
379 Please discuss this release on the samba-technical mailing list or by
380 joining the #samba-technical IRC channel on irc.freenode.net.
382 If you do report problems then please try to send high quality
383 feedback. If you don't provide vital information to help us track down
384 the problem then you will probably be ignored. All bug reports should
385 be filed under the Samba 4.1 and newer product in the project's Bugzilla
386 database (https://bugzilla.samba.org/).
389 ======================================================================
390 == Our Code, Our Bugs, Our Responsibility.
392 ======================================================================
395 ----------------------------------------------------------------------
397 ===============================
398 Release Notes for Samba 4.13.12
400 ===============================
403 This is the latest stable release of the Samba 4.13 release series.
406 Changes since 4.13.11
407 ---------------------
409 o Andrew Bartlett <abartlet@samba.org>
410 * BUG 14806: Address a signifcant performance regression in database access
411 in the AD DC since Samba 4.12.
412 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
413 Samba 4.9 by using an explicit database handle cache.
414 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
415 server name in a TGS-REQ.
416 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
417 * BUG 14819: Address flapping dsdb_schema_attributes test.
419 o Björn Baumbach <bb@sernet.de>
420 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
421 server name in a TGS-REQ
423 o Luke Howard <lukeh@padl.com>
424 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
425 server name in a TGS-REQ.
427 o Volker Lendecke <vl@samba.org>
428 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
429 server name in a TGS-REQ.
431 o Gary Lockyer <gary@catalyst.net.nz>
432 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
433 server name in a TGS-REQ.
435 o Stefan Metzmacher <metze@samba.org>
436 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
437 server name in a TGS-REQ.
439 o Andreas Schneider <asn@samba.org>
440 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
441 server name in a TGS-REQ.
443 o Martin Schwenke <martin@meltin.net>
444 * BUG 14784: Fix CTDB flag/status update race conditions.
446 o Joseph Sutton <josephsutton@catalyst.net.nz>
447 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
448 server name in a TGS-REQ.
451 #######################################
452 Reporting bugs & Development Discussion
453 #######################################
455 Please discuss this release on the samba-technical mailing list or by
456 joining the #samba-technical IRC channel on irc.freenode.net.
458 If you do report problems then please try to send high quality
459 feedback. If you don't provide vital information to help us track down
460 the problem then you will probably be ignored. All bug reports should
461 be filed under the Samba 4.1 and newer product in the project's Bugzilla
462 database (https://bugzilla.samba.org/).
465 ======================================================================
466 == Our Code, Our Bugs, Our Responsibility.
468 ======================================================================
471 ----------------------------------------------------------------------
474 ===============================
475 Release Notes for Samba 4.13.11
477 ===============================
480 This is the latest stable release of the Samba 4.13 release series.
483 Changes since 4.13.10
484 ---------------------
486 o Jeremy Allison <jra@samba.org>
487 * BUG 14769: smbd panic on force-close share during offload write.
489 o Ralph Boehme <slow@samba.org>
490 * BUG 14731: Fix returned attributes on fake quota file handle and avoid
492 * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
493 * BUG 14787: net conf list crashes when run as normal user.
495 o Stefan Metzmacher <metze@samba.org>
496 * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
498 * BUG 14793: Start the SMB encryption as soon as possible.
500 o Andreas Schneider <asn@samba.org>
501 * BUG 14792: Winbind should not start if the socket path for the privileged
505 #######################################
506 Reporting bugs & Development Discussion
507 #######################################
509 Please discuss this release on the samba-technical mailing list or by
510 joining the #samba-technical IRC channel on irc.freenode.net.
512 If you do report problems then please try to send high quality
513 feedback. If you don't provide vital information to help us track down
514 the problem then you will probably be ignored. All bug reports should
515 be filed under the Samba 4.1 and newer product in the project's Bugzilla
516 database (https://bugzilla.samba.org/).
519 ======================================================================
520 == Our Code, Our Bugs, Our Responsibility.
522 ======================================================================
525 ----------------------------------------------------------------------
528 ===============================
529 Release Notes for Samba 4.13.10
531 ===============================
534 This is the latest stable release of the Samba 4.13 release series.
540 o Jeremy Allison <jra@samba.org>
541 * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
542 Windows ACL for directory handles.
543 * BUG 14721: Take a copy to make sure we don't reference free'd memory.
544 * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
545 * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
546 change_file_owner_to_parent() error path.
548 o Andrew Bartlett <abartlet@samba.org>
549 * BUG 14575: samba-tool: Give better error information when the
550 'domain backup restore' fails with a duplicate SID.
552 o Ralph Boehme <slow@samba.org>
553 * BUG 14714: smbd: Correctly initialize close timestamp fields.
554 * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
556 o Volker Lendecke <vl@samba.org>
557 * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
559 o Stefan Metzmacher <metze@samba.org>
560 * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
561 * BUG 14752: smbXsrv_{open,session,tcon}: Protect
562 smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
564 o Joseph Sutton <josephsutton@catalyst.net.nz>
565 * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
567 * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
571 #######################################
572 Reporting bugs & Development Discussion
573 #######################################
575 Please discuss this release on the samba-technical mailing list or by
576 joining the #samba-technical IRC channel on irc.freenode.net.
578 If you do report problems then please try to send high quality
579 feedback. If you don't provide vital information to help us track down
580 the problem then you will probably be ignored. All bug reports should
581 be filed under the Samba 4.1 and newer product in the project's Bugzilla
582 database (https://bugzilla.samba.org/).
585 ======================================================================
586 == Our Code, Our Bugs, Our Responsibility.
588 ======================================================================
591 ----------------------------------------------------------------------
594 ==============================
595 Release Notes for Samba 4.13.9
597 ==============================
600 This is the latest stable release of the Samba 4.13 release series.
606 o Jeremy Allison <jra@samba.org>
607 * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
609 o Andrew Bartlett <abartlet@samba.org>
610 * BUG 14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit
611 to "log level", synchronise "log level" in smb.conf with the code.
613 o Ralph Boehme <slow@samba.org>
614 * BUG 14672: Fix smbd panic when two clients open same file.
615 * BUG 14675: Fix memory leak in the RPC server.
616 * BUG 14679: s3: smbd: Fix deferred renames.
618 o Samuel Cabrero <scabrero@samba.org>
619 * BUG 14675: s3-iremotewinspool: Set the per-request memory context.
621 o Volker Lendecke <vl@samba.org>
622 * BUG 14675: rpc_server3: Fix a memleak for internal pipes.
624 o Stefan Metzmacher <metze@samba.org>
625 * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
626 * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
629 o Christof Schmitt <cs@samba.org>
630 * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
633 o Martin Schwenke <martin@meltin.net
634 * BUG 14288: Fix the build on OmniOS.
637 #######################################
638 Reporting bugs & Development Discussion
639 #######################################
641 Please discuss this release on the samba-technical mailing list or by
642 joining the #samba-technical IRC channel on irc.freenode.net.
644 If you do report problems then please try to send high quality
645 feedback. If you don't provide vital information to help us track down
646 the problem then you will probably be ignored. All bug reports should
647 be filed under the Samba 4.1 and newer product in the project's Bugzilla
648 database (https://bugzilla.samba.org/).
651 ======================================================================
652 == Our Code, Our Bugs, Our Responsibility.
654 ======================================================================
657 ----------------------------------------------------------------------
660 ==============================
661 Release Notes for Samba 4.13.8
663 ==============================
666 This is a security release in order to address the following defect:
668 o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
669 in the Samba file server process token.
677 The Samba smbd file server must map Windows group identities (SIDs) into unix
678 group ids (gids). The code that performs this had a flaw that could allow it
679 to read data beyond the end of the array in the case where a negative cache
680 entry had been added to the mapping cache. This could cause the calling code
681 to return those values into the process token that stores the group
682 membership for a user.
684 Most commonly this flaw caused the calling code to crash, but an alert user
685 (Peter Eriksson, IT Department, Linköping University) found this flaw by
686 noticing an unprivileged user was able to delete a file within a network
687 share that they should have been disallowed access to.
689 Analysis of the code paths has not allowed us to discover a way for a
690 remote user to be able to trigger this flaw reproducibly or on demand,
691 but this CVE has been issued out of an abundance of caution.
697 o Volker Lendecke <vl@samba.org>
698 * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
701 #######################################
702 Reporting bugs & Development Discussion
703 #######################################
705 Please discuss this release on the samba-technical mailing list or by
706 joining the #samba-technical IRC channel on irc.freenode.net.
708 If you do report problems then please try to send high quality
709 feedback. If you don't provide vital information to help us track down
710 the problem then you will probably be ignored. All bug reports should
711 be filed under the Samba 4.1 and newer product in the project's Bugzilla
712 database (https://bugzilla.samba.org/).
715 ======================================================================
716 == Our Code, Our Bugs, Our Responsibility.
718 ======================================================================
721 ----------------------------------------------------------------------
724 ==============================
725 Release Notes for Samba 4.13.7
727 ==============================
730 This is a follow-up release to depend on the correct ldb version. This is only
731 needed when building against a system ldb library.
733 This is a security release in order to address the following defects:
735 o CVE-2020-27840: Heap corruption via crafted DN strings.
736 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
744 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
745 crafted DNs as part of a bind request. More serious heap corruption is likely
749 User-controlled LDAP filter strings against the AD DC LDAP server may crash
752 For more details, please refer to the security advisories.
758 o Release with dependency on ldb version 2.2.1.
761 #######################################
762 Reporting bugs & Development Discussion
763 #######################################
765 Please discuss this release on the samba-technical mailing list or by
766 joining the #samba-technical IRC channel on irc.freenode.net.
768 If you do report problems then please try to send high quality
769 feedback. If you don't provide vital information to help us track down
770 the problem then you will probably be ignored. All bug reports should
771 be filed under the Samba 4.1 and newer product in the project's Bugzilla
772 database (https://bugzilla.samba.org/).
775 ======================================================================
776 == Our Code, Our Bugs, Our Responsibility.
778 ======================================================================
781 ----------------------------------------------------------------------
784 ==============================
785 Release Notes for Samba 4.13.6
787 ==============================
790 This is a security release in order to address the following defects:
792 o CVE-2020-27840: Heap corruption via crafted DN strings.
793 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
801 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
802 crafted DNs as part of a bind request. More serious heap corruption is likely
806 User-controlled LDAP filter strings against the AD DC LDAP server may crash
809 For more details, please refer to the security advisories.
815 o Andrew Bartlett <abartlet@samba.org>
816 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
818 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
819 * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
821 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
824 #######################################
825 Reporting bugs & Development Discussion
826 #######################################
828 Please discuss this release on the samba-technical mailing list or by
829 joining the #samba-technical IRC channel on irc.freenode.net.
831 If you do report problems then please try to send high quality
832 feedback. If you don't provide vital information to help us track down
833 the problem then you will probably be ignored. All bug reports should
834 be filed under the Samba 4.1 and newer product in the project's Bugzilla
835 database (https://bugzilla.samba.org/).
838 ======================================================================
839 == Our Code, Our Bugs, Our Responsibility.
841 ======================================================================
844 ----------------------------------------------------------------------
847 ==============================
848 Release Notes for Samba 4.13.5
850 ==============================
853 This is the latest stable release of the Samba 4.13 release series.
859 o Trever L. Adams <trever.adams@gmail.com>
860 * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
863 o Jeremy Allison <jra@samba.org>
864 * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
865 setup failed on temp proxy connection.
866 * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
867 force a full reload of services.
869 o Andrew Bartlett <abartlet@samba.org>
870 * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
873 o Ralph Boehme <slow@samba.org
874 * BUG 14503: s3: Fix fcntl waf configure check.
875 * BUG 14602: s3/auth: Implement "winbind:ignore domains".
876 * BUG 14617: smbd: Use fsp->conn->session_info for the initial
877 delete-on-close token.
879 o Peter Eriksson <pen@lysator.liu.se>
880 * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
883 o Björn Jacke <bj@sernet.de>
884 * BUG 14624: classicupgrade: Treat old never expires value right.
886 o Volker Lendecke <vl@samba.org>
887 * BUG 14636: g_lock: Fix uninitalized variable reads.
889 o Stefan Metzmacher <metze@samba.org>
890 * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
892 o Andreas Schneider <asn@samba.org>
893 * BUG 14625: lib:util: Avoid free'ing our own pointer.
895 o Paul Wise <pabs3@bonedaddy.net>
896 * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
899 #######################################
900 Reporting bugs & Development Discussion
901 #######################################
903 Please discuss this release on the samba-technical mailing list or by
904 joining the #samba-technical IRC channel on irc.freenode.net.
906 If you do report problems then please try to send high quality
907 feedback. If you don't provide vital information to help us track down
908 the problem then you will probably be ignored. All bug reports should
909 be filed under the Samba 4.1 and newer product in the project's Bugzilla
910 database (https://bugzilla.samba.org/).
913 ======================================================================
914 == Our Code, Our Bugs, Our Responsibility.
916 ======================================================================
919 ----------------------------------------------------------------------
922 ==============================
923 Release Notes for Samba 4.13.4
925 ==============================
928 This is the latest stable release of the Samba 4.13 release series.
934 o Jeremy Allison <jra@samba.org>
935 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
937 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
938 same way as a regular share definition does.
940 o Dimitry Andric <dimitry@andric.com>
941 * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
944 o Andrew Bartlett <abartlet@samba.org>
945 * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
947 o Ralph Boehme <slow@samba.org>
948 * BUG 14596: vfs_fruit may close wrong backend fd.
949 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
950 same way as a regular share definition does.
952 o Arne Kreddig <arne@kreddig.net>
953 * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
955 o Stefan Metzmacher <metze@samba.org>
956 * BUG 14596: vfs_fruit may close wrong backend fd.
957 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
960 o Andreas Schneider <asn@samba.org>
961 * BUG 14601: The cache directory for the user gencache should be created
964 o Martin Schwenke <martin@meltin.net>
965 * BUG 14594: Be more flexible with repository names in CentOS 8 test
969 #######################################
970 Reporting bugs & Development Discussion
971 #######################################
973 Please discuss this release on the samba-technical mailing list or by
974 joining the #samba-technical IRC channel on irc.freenode.net.
976 If you do report problems then please try to send high quality
977 feedback. If you don't provide vital information to help us track down
978 the problem then you will probably be ignored. All bug reports should
979 be filed under the Samba 4.1 and newer product in the project's Bugzilla
980 database (https://bugzilla.samba.org/).
983 ======================================================================
984 == Our Code, Our Bugs, Our Responsibility.
986 ======================================================================
989 ----------------------------------------------------------------------
992 ==============================
993 Release Notes for Samba 4.13.3
995 ==============================
998 This is the latest stable release of the Samba 4.13 release series.
1001 Changes since 4.13.2
1002 --------------------
1004 o Jeremy Allison <jra@samba.org>
1005 * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
1006 fails for crypto blob.
1007 * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
1008 leaks from a function.
1009 * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
1010 NULL via TALLOC_FREE().
1011 * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
1013 * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
1016 o Ralph Boehme <slow@samba.org>
1017 * BUG 14248: samba process does not honor max log size.
1018 * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
1021 o Isaac Boukris <iboukris@gmail.com>
1022 * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
1024 o Günther Deschner <gd@samba.org>
1025 * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
1027 o Volker Lendecke <vl@samba.org>
1028 * BUG 14517: smbclient: Fix recursive mget.
1029 * BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
1031 o Anoop C S <anoopcs@samba.org>
1032 * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
1034 * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
1036 o Jones Syue <jonessyue@qnap.com>
1037 * BUG 14514: interface: Fix if_index is not parsed correctly.
1040 #######################################
1041 Reporting bugs & Development Discussion
1042 #######################################
1044 Please discuss this release on the samba-technical mailing list or by
1045 joining the #samba-technical IRC channel on irc.freenode.net.
1047 If you do report problems then please try to send high quality
1048 feedback. If you don't provide vital information to help us track down
1049 the problem then you will probably be ignored. All bug reports should
1050 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1051 database (https://bugzilla.samba.org/).
1054 ======================================================================
1055 == Our Code, Our Bugs, Our Responsibility.
1057 ======================================================================
1060 ---------------------------------------------------------------------- ==============================
1061 Release Notes for Samba 4.13.2
1063 ==============================
1066 This is the latest stable release of the Samba 4.13 release series.
1068 Major enhancements include:
1069 o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
1070 o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
1078 The GlusterFS write-behind performance translator, when used with Samba, could
1079 be a source of data corruption. The translator, while processing a write call,
1080 immediately returns success but continues writing the data to the server in the
1081 background. This can cause data corruption when two clients relying on Samba to
1082 provide data consistency are operating on the same file.
1084 The write-behind translator is enabled by default on GlusterFS.
1085 The vfs_glusterfs plugin will check for the presence of the translator and
1086 refuse to connect if detected. Please disable the write-behind translator for
1087 the GlusterFS volume to allow the plugin to connect to the volume.
1090 Changes since 4.13.1
1091 --------------------
1093 o Jeremy Allison <jra@samba.org>
1094 * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
1095 **lines onto mem_ctx on return.
1097 o Ralph Boehme <slow@samba.org>
1098 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
1100 o Alexander Bokovoy <ab@samba.org>
1101 * BUG 14538: smb.conf.5: Add clarification how configuration changes
1103 * BUG 14552: daemons: Report status to systemd even when running in
1105 * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
1107 o Günther Deschner <gd@samba.org>
1108 * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
1111 o Amitay Isaacs <amitay@gmail.com>
1112 * BUG 14487: provision: Add support for BIND 9.16.x.
1113 * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
1114 * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
1116 o Björn Jacke <bjacke@samba.org>
1117 * BUG 14522: docs: Fix default value of spoolss:architecture.
1119 o Laurent Menase <laurent.menase@hpe.com>
1120 * BUG 14388: winbind: Fix a memleak.
1122 o Stefan Metzmacher <metze@samba.org>
1123 * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
1125 o Sachin Prabhu <sprabhu@redhat.com>
1126 * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
1129 o Khem Raj <raj.khem@gmail.com>
1130 * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
1132 o Anoop C S <anoopcs@samba.org>
1133 * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
1135 o Andreas Schneider <asn@samba.org>
1136 * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
1137 * BUG 14550: examples:auth: Do not install example plugin.
1139 o Martin Schwenke <martin@meltin.net>
1140 * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
1142 o Andrew Walker <awalker@ixsystems.com>
1143 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
1146 #######################################
1147 Reporting bugs & Development Discussion
1148 #######################################
1150 Please discuss this release on the samba-technical mailing list or by
1151 joining the #samba-technical IRC channel on irc.freenode.net.
1153 If you do report problems then please try to send high quality
1154 feedback. If you don't provide vital information to help us track down
1155 the problem then you will probably be ignored. All bug reports should
1156 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1157 database (https://bugzilla.samba.org/).
1160 ======================================================================
1161 == Our Code, Our Bugs, Our Responsibility.
1163 ======================================================================
1166 ----------------------------------------------------------------------
1169 ==============================
1170 Release Notes for Samba 4.13.1
1172 ==============================
1175 This is a security release in order to address the following defects:
1177 o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
1178 o CVE-2020-14323: Unprivileged user can crash winbind.
1179 o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
1188 The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
1189 request file name notification on a directory handle when a condition such as
1190 "new file creation" or "file size change" or "file timestamp update" occurs.
1192 A missing permissions check on a directory handle requesting ChangeNotify
1193 meant that a client with a directory handle open only for
1194 FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
1195 notify replies from the server. These replies contain information that should
1196 not be available to directory handles open for FILE_READ_ATTRIBUTE only.
1199 winbind in version 3.6 and later implements a request to translate multiple
1200 Windows SIDs into names in one request. This was done for performance
1201 reasons: The Microsoft RPC call domain controllers offer to do this
1202 translation, so it was an obvious extension to also offer this batch
1203 operation on the winbind unix domain stream socket that is available to local
1204 processes on the Samba server.
1206 Due to improper input validation a hand-crafted packet can make winbind
1207 perform a NULL pointer dereference and thus crash.
1210 Some DNS records (such as MX and NS records) usually contain data in the
1211 additional section. Samba's dnsserver RPC pipe (which is an administrative
1212 interface not used in the DNS server itself) made an error in handling the
1213 case where there are no records present: instead of noticing the lack of
1214 records, it dereferenced uninitialised memory, causing the RPC server to
1215 crash. This RPC server, which also serves protocols other than dnsserver,
1216 will be restarted after a short delay, but it is easy for an authenticated
1217 non-admin attacker to crash it again as soon as it returns. The Samba DNS
1218 server itself will continue to operate, but many RPC services will not.
1220 For more details, please refer to the security advisories.
1223 Changes since 4.13.0
1224 --------------------
1226 o Jeremy Allison <jra@samba.org>
1227 * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
1228 unless the directory handle is open for SEC_DIR_LIST.
1230 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
1231 * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
1233 * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
1235 o Volker Lendecke <vl@samba.org>
1236 * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
1239 #######################################
1240 Reporting bugs & Development Discussion
1241 #######################################
1243 Please discuss this release on the samba-technical mailing list or by
1244 joining the #samba-technical IRC channel on irc.freenode.net.
1246 If you do report problems then please try to send high quality
1247 feedback. If you don't provide vital information to help us track down
1248 the problem then you will probably be ignored. All bug reports should
1249 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1250 database (https://bugzilla.samba.org/).
1253 ======================================================================
1254 == Our Code, Our Bugs, Our Responsibility.
1256 ======================================================================
1259 ----------------------------------------------------------------------
1262 ==============================
1263 Release Notes for Samba 4.13.0
1265 ==============================
1268 This is the first stable release of the Samba 4.13 release series.
1269 Please read the release notes carefully before upgrading.
1275 Please avoid to set "server schannel = no" and "server schannel= auto" on all
1276 Samba domain controllers due to the wellknown ZeroLogon issue.
1278 For details please see
1279 https://www.samba.org/samba/security/CVE-2020-1472.html.
1282 NEW FEATURES/CHANGES
1283 ====================
1285 Python 3.6 or later required
1286 ----------------------------
1288 Samba's minimum runtime requirement for python was raised to Python
1289 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
1290 3.6 both to access new features and because this is the oldest version
1291 we test with in our CI infrastructure.
1293 This is also the last release where it will be possible to build Samba
1294 (just the file server) with Python versions 2.6 and 2.7.
1296 As Python 2.7 has been End Of Life upstream since April 2020, Samba
1297 is dropping ALL Python 2.x support in the NEXT release.
1299 Samba 4.14 to be released in March 2021 will require Python 3.6 or
1302 wide links functionality
1303 ------------------------
1305 For this release, the code implementing the insecure "wide links = yes"
1306 functionality has been moved out of the core smbd code and into a separate
1307 VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
1308 by smbd as the last but one module before vfs_default if "wide links = yes"
1309 is enabled on the share (note, the existing restrictions on enabling wide
1310 links around the SMB1 "unix extensions" and the "allow insecure wide links"
1311 parameters are still in force). The implicit loading was done to allow
1312 existing users of "wide links = yes" to keep this functionality without
1313 having to make a change to existing working smb.conf files.
1315 Please note that the Samba developers recommend changing any Samba
1316 installations that currently use "wide links = yes" to use bind mounts
1317 as soon as possible, as "wide links = yes" is an inherently insecure
1318 configuration which we would like to remove from Samba. Moving the
1319 feature into a VFS module allows this to be done in a cleaner way
1322 A future release to be determined will remove this implicit linkage,
1323 causing administrators who need this functionality to have to explicitly
1324 add the vfs_widelinks module into the "vfs objects =" parameter lists.
1325 The release notes will be updated to note this change when it occurs.
1327 NT4-like 'classic' Samba domain controllers
1328 -------------------------------------------
1330 Samba 4.13 deprecates Samba's original domain controller mode.
1332 Sites using Samba as a Domain Controller should upgrade from the
1333 NT4-like 'classic' Domain Controller to a Samba Active Directory DC
1334 to ensure full operation with modern windows clients.
1336 SMBv1 only protocol options deprecated
1337 --------------------------------------
1339 A number of smb.conf parameters for less-secure authentication methods
1340 which are only possible over SMBv1 are deprecated in this release.
1346 The deprecated "ldap ssl ads" smb.conf option has been removed.
1352 Parameter Name Description Default
1353 -------------- ----------- -------
1354 ldap ssl ads Removed
1355 smb2 disable lock sequence checking Added No
1356 smb2 disable oplock break retry Added No
1357 domain logons Deprecated no
1358 raw NTLMv2 auth Deprecated no
1359 client plaintext auth Deprecated no
1360 client NTLMv2 auth Deprecated yes
1361 client lanman auth Deprecated no
1362 client use spnego Deprecated yes
1363 server require schannel:COMPUTER Added
1366 CHANGES SINCE 4.13.0rc5
1367 =======================
1369 o Jeremy Allison <jra@samba.org>
1370 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
1371 netr_ServerPasswordSet2 against unencrypted passwords.
1373 o Günther Deschner <gd@samba.org>
1374 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
1375 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
1377 o Gary Lockyer <gary@catalyst.net.nz>
1378 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
1381 o Stefan Metzmacher <metze@samba.org>
1382 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
1383 challenges in netlogon_creds_server_init()
1384 "server require schannel:WORKSTATION$ = no".
1387 CHANGES SINCE 4.13.0rc4
1388 =======================
1390 o Andreas Schneider <asn@samba.org>
1391 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
1393 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
1394 * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
1397 o Stefan Metzmacher <metze@samba.org>
1398 * BUG 14482: Fix build problem if libbsd-dev is not installed.
1401 CHANGES SINCE 4.13.0rc3
1402 =======================
1404 o David Disseldorp <ddiss@samba.org>
1405 * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
1407 o Volker Lendecke <vl@samba.org>
1408 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
1411 o Stefan Metzmacher <metze@samba.org>
1412 * BUG 14428: PANIC: Assert failed in get_lease_type().
1413 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
1417 CHANGES SINCE 4.13.0rc2
1418 =======================
1420 o Andrew Bartlett <abartlet@samba.org>
1421 * BUG 14460: Deprecate domain logons, SMBv1 things.
1423 o Günther Deschner <gd@samba.org>
1424 * BUG 14318: docs: Add missing winexe manpage.
1426 o Christof Schmitt <cs@samba.org>
1427 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
1429 o Martin Schwenke <martin@meltin.net>
1430 * BUG 14466: ctdb disable/enable can fail due to race condition.
1433 CHANGES SINCE 4.13.0rc1
1434 =======================
1436 o Andrew Bartlett <abartlet@samba.org>
1437 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
1439 o Isaac Boukris <iboukris@gmail.com>
1440 * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
1442 o Volker Lendecke <vl@samba.org>
1443 * BUG 14435: winbind: Fix lookuprids cache problem.
1445 o Stefan Metzmacher <metze@samba.org>
1446 * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
1449 o Andreas Schneider <asn@samba.org>
1450 * BUG 14358: docs: Fix documentation for require_membership_of of
1453 o Martin Schwenke <martin@meltin.net>
1454 * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
1461 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
1464 #######################################
1465 Reporting bugs & Development Discussion
1466 #######################################
1468 Please discuss this release on the samba-technical mailing list or by
1469 joining the #samba-technical IRC channel on irc.freenode.net.
1471 If you do report problems then please try to send high quality
1472 feedback. If you don't provide vital information to help us track down
1473 the problem then you will probably be ignored. All bug reports should
1474 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1475 database (https://bugzilla.samba.org/).
1478 ======================================================================
1479 == Our Code, Our Bugs, Our Responsibility.
1481 ======================================================================