From 8b0506340901b22a0b2647b0ad7ed15bd4427cdc Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Wed, 24 Feb 2016 12:18:19 +0100 Subject: [PATCH] WHATSNEW: Add release notes for Samba 4.0.23. CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change permissions on link target. CVE-2016-0771: Read of uninitialized memory DNS TXT handling Signed-off-by: Karolin Seeger --- WHATSNEW.txt | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 85 insertions(+), 2 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2cd1a200f9a..dc94dd401e8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,86 @@ + ============================== + Release Notes for Samba 4.1.23 + March 8, 2015 + ============================== + + +This is a security release in order to address the following CVEs: + +o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path) +o CVE-2016-0771 (Out-of-bounds read in internal DNS server) + +======= +Details +======= + +o CVE-2015-7560: + All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to + a malicious client overwriting the ownership of ACLs using symlinks. + + An authenticated malicious client can use SMB1 UNIX extensions to + create a symlink to a file or directory, and then use non-UNIX SMB1 + calls to overwrite the contents of the ACL on the file or directory + linked to. + +o CVE-2016-0771: + All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as + an AD DC and choose to run the internal DNS server, are vulnerable to an + out-of-bounds read issue during DNS TXT record handling caused by users + with permission to modify DNS records. + + A malicious client can upload a specially constructed DNS TXT record, + resulting in a remote denial-of-service attack. As long as the affected + TXT record remains undisturbed in the Samba database, a targeted DNS + query may continue to trigger this exploit. + + While unlikely, the out-of-bounds read may bypass safety checks and + allow leakage of memory from the server in the form of a DNS TXT reply. + + By default only authenticated accounts can upload DNS records, + as "allow dns updates = secure only" is the default. + Any other value would allow anonymous clients to trigger this + bug, which is a much higher risk. + + +Changes since 4.1.22: +--------------------- + +o Jeremy Allison + * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can + change permissions on link target. + +o Garming Sam + * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT + handling. 
+ +o Stefan Metzmacher + * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT + handling. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================== Release Notes for Samba 4.1.22 December 16, 2015 @@ -153,8 +236,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.1.21 -- 2.34.1
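Review bot: The date in the added header block, "March 8, 2015", is earlier than the 4.1.22 notes kept directly below it ("December 16, 2015") and earlier than the CVE-2016-0771 identifier this release addresses, so the year looks wrong and should presumably be 2016. The same header reads "Release Notes for Samba 4.1.23" and the changelog reads "Changes since 4.1.22", while the commit subject says 4.0.23; the subject or the header needs correcting so the two agree. In the body, CVE-2016-0771 is summarised as "Out-of-bounds read in internal DNS server" but the changelog entries call it "Read of uninitialized memory DNS TXT handling"; use one description throughout. Two wording points in the Details section: "when deployed as an AD DC and choose to run the internal DNS server" does not parse (suggest "and configured to run"), and "overwriting the ownership of ACLs using symlinks" conflicts with the next paragraph, which says the client can "overwrite the contents of the ACL". Finally, the text names the preconditions (SMB1 UNIX extensions for CVE-2015-7560, and an "allow dns updates" value other than "secure only" raising the risk for CVE-2016-0771) but gives no workaround for sites that cannot upgrade at once; a short Workaround paragraph per CVE would make the notes actionable.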