1 ===============================
2 Release Notes for Samba 4.13.14
4 ===============================
7 This is a security release in order to address the following defects:
9 o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
11 https://www.samba.org/samba/security/CVE-2016-2124.html
13 o CVE-2020-25717: A user on the domain can become root on domain members.
14 https://www.samba.org/samba/security/CVE-2020-25717.html
15 (PLEASE READ! There are important behaviour changes described)
17 o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
19 https://www.samba.org/samba/security/CVE-2020-25718.html
21 o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
23 https://www.samba.org/samba/security/CVE-2020-25719.html
25 o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
27 https://www.samba.org/samba/security/CVE-2020-25721.html
29 o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
30 checking of data stored.
31 https://www.samba.org/samba/security/CVE-2020-25722.html
33 o CVE-2021-3738: Use after free in Samba AD DC RPC server.
34 https://www.samba.org/samba/security/CVE-2021-3738.html
36 o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
37 https://www.samba.org/samba/security/CVE-2021-23192.html
43 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
46 o Andrew Bartlett <abartlet@samba.org>
52 o Ralph Boehme <slow@samba.org>
55 o Alexander Bokovoy <ab@samba.org>
58 o Samuel Cabrero <scabrero@samba.org>
61 o Nadezhda Ivanova <nivanova@symas.com>
64 o Stefan Metzmacher <metze@samba.org>
73 o Andreas Schneider <asn@samba.org>
76 o Joseph Sutton <josephsutton@catalyst.net.nz>
85 #######################################
86 Reporting bugs & Development Discussion
87 #######################################
89 Please discuss this release on the samba-technical mailing list or by
90 joining the #samba-technical IRC channel on irc.libera.chat or the
91 #samba-technical:matrix.org matrix channel.
93 If you do report problems then please try to send high quality
94 feedback. If you don't provide vital information to help us track down
95 the problem then you will probably be ignored. All bug reports should
96 be filed under the Samba 4.1 and newer product in the project's Bugzilla
97 database (https://bugzilla.samba.org/).
100 ======================================================================
101 == Our Code, Our Bugs, Our Responsibility.
103 ======================================================================
106 Release notes for older releases follow:
107 ----------------------------------------
110 ===============================
111 Release Notes for Samba 4.13.13
113 ===============================
116 This is the latest stable release of the Samba 4.13 release series.
119 Changes since 4.13.12
120 ---------------------
122 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
123 * BUG 14868: rodc_rwdc test flaps.
124 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
126 o Andrew Bartlett <abartlet@samba.org>
127 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
128 bit' S4U2Proxy Constrained Delegation bypass in Samba with
130 * BUG 14836: Python ldb.msg_diff() memory handling failure.
131 * BUG 14845: "in" operator on ldb.Message is case sensitive.
132 * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
133 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
134 * BUG 14874: Allow special chars like "@" in samAccountName when generating
136 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
138 o Isaac Boukris <iboukris@gmail.com>
139 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
140 bit' S4U2Proxy Constrained Delegation bypass in Samba with
142 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
144 o Viktor Dukhovni <viktor@twosigma.com>
145 * BUG 12998: Fix transit path validation.
146 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
148 o Luke Howard <lukeh@padl.com>
149 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
150 bit' S4U2Proxy Constrained Delegation bypass in Samba with
152 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
154 o Stefan Metzmacher <metze@samba.org>
155 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
157 o David Mulder <dmulder@suse.com>
158 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
160 o Andreas Schneider <asn@samba.org>
161 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
162 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
164 o Joseph Sutton <josephsutton@catalyst.net.nz>
165 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
166 bit' S4U2Proxy Constrained Delegation bypass in Samba with
168 * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
169 violation: brlock.tdb, share_entries.tdb.
170 * BUG 14836: Python ldb.msg_diff() memory handling failure.
171 * BUG 14845: "in" operator on ldb.Message is case sensitive.
172 * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
173 * BUG 14868: rodc_rwdc test flaps.
174 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
175 * BUG 14874: Allow special chars like "@" in samAccountName when generating
177 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
179 o Nicolas Williams <nico@twosigma.com>
180 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
181 bit' S4U2Proxy Constrained Delegation bypass in Samba with
183 * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
186 #######################################
187 Reporting bugs & Development Discussion
188 #######################################
190 Please discuss this release on the samba-technical mailing list or by
191 joining the #samba-technical IRC channel on irc.freenode.net.
193 If you do report problems then please try to send high quality
194 feedback. If you don't provide vital information to help us track down
195 the problem then you will probably be ignored. All bug reports should
196 be filed under the Samba 4.1 and newer product in the project's Bugzilla
197 database (https://bugzilla.samba.org/).
200 ======================================================================
201 == Our Code, Our Bugs, Our Responsibility.
203 ======================================================================
206 ----------------------------------------------------------------------
208 ===============================
209 Release Notes for Samba 4.13.12
211 ===============================
214 This is the latest stable release of the Samba 4.13 release series.
217 Changes since 4.13.11
218 ---------------------
220 o Andrew Bartlett <abartlet@samba.org>
221 * BUG 14806: Address a signifcant performance regression in database access
222 in the AD DC since Samba 4.12.
223 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
224 Samba 4.9 by using an explicit database handle cache.
225 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
226 server name in a TGS-REQ.
227 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
228 * BUG 14819: Address flapping dsdb_schema_attributes test.
230 o Björn Baumbach <bb@sernet.de>
231 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
232 server name in a TGS-REQ
234 o Luke Howard <lukeh@padl.com>
235 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
236 server name in a TGS-REQ.
238 o Volker Lendecke <vl@samba.org>
239 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
240 server name in a TGS-REQ.
242 o Gary Lockyer <gary@catalyst.net.nz>
243 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
244 server name in a TGS-REQ.
246 o Stefan Metzmacher <metze@samba.org>
247 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
248 server name in a TGS-REQ.
250 o Andreas Schneider <asn@samba.org>
251 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
252 server name in a TGS-REQ.
254 o Martin Schwenke <martin@meltin.net>
255 * BUG 14784: Fix CTDB flag/status update race conditions.
257 o Joseph Sutton <josephsutton@catalyst.net.nz>
258 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
259 server name in a TGS-REQ.
262 #######################################
263 Reporting bugs & Development Discussion
264 #######################################
266 Please discuss this release on the samba-technical mailing list or by
267 joining the #samba-technical IRC channel on irc.freenode.net.
269 If you do report problems then please try to send high quality
270 feedback. If you don't provide vital information to help us track down
271 the problem then you will probably be ignored. All bug reports should
272 be filed under the Samba 4.1 and newer product in the project's Bugzilla
273 database (https://bugzilla.samba.org/).
276 ======================================================================
277 == Our Code, Our Bugs, Our Responsibility.
279 ======================================================================
282 ----------------------------------------------------------------------
285 ===============================
286 Release Notes for Samba 4.13.11
288 ===============================
291 This is the latest stable release of the Samba 4.13 release series.
294 Changes since 4.13.10
295 ---------------------
297 o Jeremy Allison <jra@samba.org>
298 * BUG 14769: smbd panic on force-close share during offload write.
300 o Ralph Boehme <slow@samba.org>
301 * BUG 14731: Fix returned attributes on fake quota file handle and avoid
303 * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
304 * BUG 14787: net conf list crashes when run as normal user.
306 o Stefan Metzmacher <metze@samba.org>
307 * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
309 * BUG 14793: Start the SMB encryption as soon as possible.
311 o Andreas Schneider <asn@samba.org>
312 * BUG 14792: Winbind should not start if the socket path for the privileged
316 #######################################
317 Reporting bugs & Development Discussion
318 #######################################
320 Please discuss this release on the samba-technical mailing list or by
321 joining the #samba-technical IRC channel on irc.freenode.net.
323 If you do report problems then please try to send high quality
324 feedback. If you don't provide vital information to help us track down
325 the problem then you will probably be ignored. All bug reports should
326 be filed under the Samba 4.1 and newer product in the project's Bugzilla
327 database (https://bugzilla.samba.org/).
330 ======================================================================
331 == Our Code, Our Bugs, Our Responsibility.
333 ======================================================================
336 ----------------------------------------------------------------------
339 ===============================
340 Release Notes for Samba 4.13.10
342 ===============================
345 This is the latest stable release of the Samba 4.13 release series.
351 o Jeremy Allison <jra@samba.org>
352 * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
353 Windows ACL for directory handles.
354 * BUG 14721: Take a copy to make sure we don't reference free'd memory.
355 * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
356 * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
357 change_file_owner_to_parent() error path.
359 o Andrew Bartlett <abartlet@samba.org>
360 * BUG 14575: samba-tool: Give better error information when the
361 'domain backup restore' fails with a duplicate SID.
363 o Ralph Boehme <slow@samba.org>
364 * BUG 14714: smbd: Correctly initialize close timestamp fields.
365 * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
367 o Volker Lendecke <vl@samba.org>
368 * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
370 o Stefan Metzmacher <metze@samba.org>
371 * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
372 * BUG 14752: smbXsrv_{open,session,tcon}: Protect
373 smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
375 o Joseph Sutton <josephsutton@catalyst.net.nz>
376 * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
378 * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
382 #######################################
383 Reporting bugs & Development Discussion
384 #######################################
386 Please discuss this release on the samba-technical mailing list or by
387 joining the #samba-technical IRC channel on irc.freenode.net.
389 If you do report problems then please try to send high quality
390 feedback. If you don't provide vital information to help us track down
391 the problem then you will probably be ignored. All bug reports should
392 be filed under the Samba 4.1 and newer product in the project's Bugzilla
393 database (https://bugzilla.samba.org/).
396 ======================================================================
397 == Our Code, Our Bugs, Our Responsibility.
399 ======================================================================
402 ----------------------------------------------------------------------
405 ==============================
406 Release Notes for Samba 4.13.9
408 ==============================
411 This is the latest stable release of the Samba 4.13 release series.
417 o Jeremy Allison <jra@samba.org>
418 * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
420 o Andrew Bartlett <abartlet@samba.org>
421 * BUG 14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit
422 to "log level", synchronise "log level" in smb.conf with the code.
424 o Ralph Boehme <slow@samba.org>
425 * BUG 14672: Fix smbd panic when two clients open same file.
426 * BUG 14675: Fix memory leak in the RPC server.
427 * BUG 14679: s3: smbd: Fix deferred renames.
429 o Samuel Cabrero <scabrero@samba.org>
430 * BUG 14675: s3-iremotewinspool: Set the per-request memory context.
432 o Volker Lendecke <vl@samba.org>
433 * BUG 14675: rpc_server3: Fix a memleak for internal pipes.
435 o Stefan Metzmacher <metze@samba.org>
436 * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
437 * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
440 o Christof Schmitt <cs@samba.org>
441 * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
444 o Martin Schwenke <martin@meltin.net
445 * BUG 14288: Fix the build on OmniOS.
448 #######################################
449 Reporting bugs & Development Discussion
450 #######################################
452 Please discuss this release on the samba-technical mailing list or by
453 joining the #samba-technical IRC channel on irc.freenode.net.
455 If you do report problems then please try to send high quality
456 feedback. If you don't provide vital information to help us track down
457 the problem then you will probably be ignored. All bug reports should
458 be filed under the Samba 4.1 and newer product in the project's Bugzilla
459 database (https://bugzilla.samba.org/).
462 ======================================================================
463 == Our Code, Our Bugs, Our Responsibility.
465 ======================================================================
468 ----------------------------------------------------------------------
471 ==============================
472 Release Notes for Samba 4.13.8
474 ==============================
477 This is a security release in order to address the following defect:
479 o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
480 in the Samba file server process token.
488 The Samba smbd file server must map Windows group identities (SIDs) into unix
489 group ids (gids). The code that performs this had a flaw that could allow it
490 to read data beyond the end of the array in the case where a negative cache
491 entry had been added to the mapping cache. This could cause the calling code
492 to return those values into the process token that stores the group
493 membership for a user.
495 Most commonly this flaw caused the calling code to crash, but an alert user
496 (Peter Eriksson, IT Department, Linköping University) found this flaw by
497 noticing an unprivileged user was able to delete a file within a network
498 share that they should have been disallowed access to.
500 Analysis of the code paths has not allowed us to discover a way for a
501 remote user to be able to trigger this flaw reproducibly or on demand,
502 but this CVE has been issued out of an abundance of caution.
508 o Volker Lendecke <vl@samba.org>
509 * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
512 #######################################
513 Reporting bugs & Development Discussion
514 #######################################
516 Please discuss this release on the samba-technical mailing list or by
517 joining the #samba-technical IRC channel on irc.freenode.net.
519 If you do report problems then please try to send high quality
520 feedback. If you don't provide vital information to help us track down
521 the problem then you will probably be ignored. All bug reports should
522 be filed under the Samba 4.1 and newer product in the project's Bugzilla
523 database (https://bugzilla.samba.org/).
526 ======================================================================
527 == Our Code, Our Bugs, Our Responsibility.
529 ======================================================================
532 ----------------------------------------------------------------------
535 ==============================
536 Release Notes for Samba 4.13.7
538 ==============================
541 This is a follow-up release to depend on the correct ldb version. This is only
542 needed when building against a system ldb library.
544 This is a security release in order to address the following defects:
546 o CVE-2020-27840: Heap corruption via crafted DN strings.
547 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
555 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
556 crafted DNs as part of a bind request. More serious heap corruption is likely
560 User-controlled LDAP filter strings against the AD DC LDAP server may crash
563 For more details, please refer to the security advisories.
569 o Release with dependency on ldb version 2.2.1.
572 #######################################
573 Reporting bugs & Development Discussion
574 #######################################
576 Please discuss this release on the samba-technical mailing list or by
577 joining the #samba-technical IRC channel on irc.freenode.net.
579 If you do report problems then please try to send high quality
580 feedback. If you don't provide vital information to help us track down
581 the problem then you will probably be ignored. All bug reports should
582 be filed under the Samba 4.1 and newer product in the project's Bugzilla
583 database (https://bugzilla.samba.org/).
586 ======================================================================
587 == Our Code, Our Bugs, Our Responsibility.
589 ======================================================================
592 ----------------------------------------------------------------------
595 ==============================
596 Release Notes for Samba 4.13.6
598 ==============================
601 This is a security release in order to address the following defects:
603 o CVE-2020-27840: Heap corruption via crafted DN strings.
604 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
612 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
613 crafted DNs as part of a bind request. More serious heap corruption is likely
617 User-controlled LDAP filter strings against the AD DC LDAP server may crash
620 For more details, please refer to the security advisories.
626 o Andrew Bartlett <abartlet@samba.org>
627 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
629 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
630 * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
632 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
635 #######################################
636 Reporting bugs & Development Discussion
637 #######################################
639 Please discuss this release on the samba-technical mailing list or by
640 joining the #samba-technical IRC channel on irc.freenode.net.
642 If you do report problems then please try to send high quality
643 feedback. If you don't provide vital information to help us track down
644 the problem then you will probably be ignored. All bug reports should
645 be filed under the Samba 4.1 and newer product in the project's Bugzilla
646 database (https://bugzilla.samba.org/).
649 ======================================================================
650 == Our Code, Our Bugs, Our Responsibility.
652 ======================================================================
655 ----------------------------------------------------------------------
658 ==============================
659 Release Notes for Samba 4.13.5
661 ==============================
664 This is the latest stable release of the Samba 4.13 release series.
670 o Trever L. Adams <trever.adams@gmail.com>
671 * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
674 o Jeremy Allison <jra@samba.org>
675 * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
676 setup failed on temp proxy connection.
677 * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
678 force a full reload of services.
680 o Andrew Bartlett <abartlet@samba.org>
681 * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
684 o Ralph Boehme <slow@samba.org
685 * BUG 14503: s3: Fix fcntl waf configure check.
686 * BUG 14602: s3/auth: Implement "winbind:ignore domains".
687 * BUG 14617: smbd: Use fsp->conn->session_info for the initial
688 delete-on-close token.
690 o Peter Eriksson <pen@lysator.liu.se>
691 * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
694 o Björn Jacke <bj@sernet.de>
695 * BUG 14624: classicupgrade: Treat old never expires value right.
697 o Volker Lendecke <vl@samba.org>
698 * BUG 14636: g_lock: Fix uninitalized variable reads.
700 o Stefan Metzmacher <metze@samba.org>
701 * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
703 o Andreas Schneider <asn@samba.org>
704 * BUG 14625: lib:util: Avoid free'ing our own pointer.
706 o Paul Wise <pabs3@bonedaddy.net>
707 * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
710 #######################################
711 Reporting bugs & Development Discussion
712 #######################################
714 Please discuss this release on the samba-technical mailing list or by
715 joining the #samba-technical IRC channel on irc.freenode.net.
717 If you do report problems then please try to send high quality
718 feedback. If you don't provide vital information to help us track down
719 the problem then you will probably be ignored. All bug reports should
720 be filed under the Samba 4.1 and newer product in the project's Bugzilla
721 database (https://bugzilla.samba.org/).
724 ======================================================================
725 == Our Code, Our Bugs, Our Responsibility.
727 ======================================================================
730 ----------------------------------------------------------------------
733 ==============================
734 Release Notes for Samba 4.13.4
736 ==============================
739 This is the latest stable release of the Samba 4.13 release series.
745 o Jeremy Allison <jra@samba.org>
746 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
748 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
749 same way as a regular share definition does.
751 o Dimitry Andric <dimitry@andric.com>
752 * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
755 o Andrew Bartlett <abartlet@samba.org>
756 * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
758 o Ralph Boehme <slow@samba.org>
759 * BUG 14596: vfs_fruit may close wrong backend fd.
760 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
761 same way as a regular share definition does.
763 o Arne Kreddig <arne@kreddig.net>
764 * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
766 o Stefan Metzmacher <metze@samba.org>
767 * BUG 14596: vfs_fruit may close wrong backend fd.
768 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
771 o Andreas Schneider <asn@samba.org>
772 * BUG 14601: The cache directory for the user gencache should be created
775 o Martin Schwenke <martin@meltin.net>
776 * BUG 14594: Be more flexible with repository names in CentOS 8 test
780 #######################################
781 Reporting bugs & Development Discussion
782 #######################################
784 Please discuss this release on the samba-technical mailing list or by
785 joining the #samba-technical IRC channel on irc.freenode.net.
787 If you do report problems then please try to send high quality
788 feedback. If you don't provide vital information to help us track down
789 the problem then you will probably be ignored. All bug reports should
790 be filed under the Samba 4.1 and newer product in the project's Bugzilla
791 database (https://bugzilla.samba.org/).
794 ======================================================================
795 == Our Code, Our Bugs, Our Responsibility.
797 ======================================================================
800 ----------------------------------------------------------------------
803 ==============================
804 Release Notes for Samba 4.13.3
806 ==============================
809 This is the latest stable release of the Samba 4.13 release series.
815 o Jeremy Allison <jra@samba.org>
816 * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
817 fails for crypto blob.
818 * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
819 leaks from a function.
820 * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
821 NULL via TALLOC_FREE().
822 * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
824 * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
827 o Ralph Boehme <slow@samba.org>
828 * BUG 14248: samba process does not honor max log size.
829 * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
832 o Isaac Boukris <iboukris@gmail.com>
833 * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
835 o Günther Deschner <gd@samba.org>
836 * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
838 o Volker Lendecke <vl@samba.org>
839 * BUG 14517: smbclient: Fix recursive mget.
840 * BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
842 o Anoop C S <anoopcs@samba.org>
843 * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
845 * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
847 o Jones Syue <jonessyue@qnap.com>
848 * BUG 14514: interface: Fix if_index is not parsed correctly.
851 #######################################
852 Reporting bugs & Development Discussion
853 #######################################
855 Please discuss this release on the samba-technical mailing list or by
856 joining the #samba-technical IRC channel on irc.freenode.net.
858 If you do report problems then please try to send high quality
859 feedback. If you don't provide vital information to help us track down
860 the problem then you will probably be ignored. All bug reports should
861 be filed under the Samba 4.1 and newer product in the project's Bugzilla
862 database (https://bugzilla.samba.org/).
865 ======================================================================
866 == Our Code, Our Bugs, Our Responsibility.
868 ======================================================================
871 ---------------------------------------------------------------------- ==============================
872 Release Notes for Samba 4.13.2
874 ==============================
877 This is the latest stable release of the Samba 4.13 release series.
879 Major enhancements include:
880 o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
881 o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
889 The GlusterFS write-behind performance translator, when used with Samba, could
890 be a source of data corruption. The translator, while processing a write call,
891 immediately returns success but continues writing the data to the server in the
892 background. This can cause data corruption when two clients relying on Samba to
893 provide data consistency are operating on the same file.
895 The write-behind translator is enabled by default on GlusterFS.
896 The vfs_glusterfs plugin will check for the presence of the translator and
897 refuse to connect if detected. Please disable the write-behind translator for
898 the GlusterFS volume to allow the plugin to connect to the volume.
904 o Jeremy Allison <jra@samba.org>
905 * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
906 **lines onto mem_ctx on return.
908 o Ralph Boehme <slow@samba.org>
909 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
911 o Alexander Bokovoy <ab@samba.org>
912 * BUG 14538: smb.conf.5: Add clarification how configuration changes
914 * BUG 14552: daemons: Report status to systemd even when running in
916 * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
918 o Günther Deschner <gd@samba.org>
919 * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
922 o Amitay Isaacs <amitay@gmail.com>
923 * BUG 14487: provision: Add support for BIND 9.16.x.
924 * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
925 * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
927 o Björn Jacke <bjacke@samba.org>
928 * BUG 14522: docs: Fix default value of spoolss:architecture.
930 o Laurent Menase <laurent.menase@hpe.com>
931 * BUG 14388: winbind: Fix a memleak.
933 o Stefan Metzmacher <metze@samba.org>
934 * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
936 o Sachin Prabhu <sprabhu@redhat.com>
937 * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
940 o Khem Raj <raj.khem@gmail.com>
941 * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
943 o Anoop C S <anoopcs@samba.org>
944 * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
946 o Andreas Schneider <asn@samba.org>
947 * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
948 * BUG 14550: examples:auth: Do not install example plugin.
950 o Martin Schwenke <martin@meltin.net>
951 * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
953 o Andrew Walker <awalker@ixsystems.com>
954 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
957 #######################################
958 Reporting bugs & Development Discussion
959 #######################################
961 Please discuss this release on the samba-technical mailing list or by
962 joining the #samba-technical IRC channel on irc.freenode.net.
964 If you do report problems then please try to send high quality
965 feedback. If you don't provide vital information to help us track down
966 the problem then you will probably be ignored. All bug reports should
967 be filed under the Samba 4.1 and newer product in the project's Bugzilla
968 database (https://bugzilla.samba.org/).
971 ======================================================================
972 == Our Code, Our Bugs, Our Responsibility.
974 ======================================================================
977 ----------------------------------------------------------------------
980 ==============================
981 Release Notes for Samba 4.13.1
983 ==============================
986 This is a security release in order to address the following defects:
988 o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
989 o CVE-2020-14323: Unprivileged user can crash winbind.
990 o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
999 The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
1000 request file name notification on a directory handle when a condition such as
1001 "new file creation" or "file size change" or "file timestamp update" occurs.
1003 A missing permissions check on a directory handle requesting ChangeNotify
1004 meant that a client with a directory handle open only for
1005 FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
1006 notify replies from the server. These replies contain information that should
1007 not be available to directory handles open for FILE_READ_ATTRIBUTE only.
1010 winbind in version 3.6 and later implements a request to translate multiple
1011 Windows SIDs into names in one request. This was done for performance
1012 reasons: The Microsoft RPC call domain controllers offer to do this
1013 translation, so it was an obvious extension to also offer this batch
1014 operation on the winbind unix domain stream socket that is available to local
1015 processes on the Samba server.
1017 Due to improper input validation a hand-crafted packet can make winbind
1018 perform a NULL pointer dereference and thus crash.
1021 Some DNS records (such as MX and NS records) usually contain data in the
1022 additional section. Samba's dnsserver RPC pipe (which is an administrative
1023 interface not used in the DNS server itself) made an error in handling the
1024 case where there are no records present: instead of noticing the lack of
1025 records, it dereferenced uninitialised memory, causing the RPC server to
1026 crash. This RPC server, which also serves protocols other than dnsserver,
1027 will be restarted after a short delay, but it is easy for an authenticated
1028 non-admin attacker to crash it again as soon as it returns. The Samba DNS
1029 server itself will continue to operate, but many RPC services will not.
1031 For more details, please refer to the security advisories.
1034 Changes since 4.13.0
1035 --------------------
1037 o Jeremy Allison <jra@samba.org>
1038 * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
1039 unless the directory handle is open for SEC_DIR_LIST.
1041 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
1042 * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
1044 * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
1046 o Volker Lendecke <vl@samba.org>
1047 * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
1050 #######################################
1051 Reporting bugs & Development Discussion
1052 #######################################
1054 Please discuss this release on the samba-technical mailing list or by
1055 joining the #samba-technical IRC channel on irc.freenode.net.
1057 If you do report problems then please try to send high quality
1058 feedback. If you don't provide vital information to help us track down
1059 the problem then you will probably be ignored. All bug reports should
1060 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1061 database (https://bugzilla.samba.org/).
1064 ======================================================================
1065 == Our Code, Our Bugs, Our Responsibility.
1067 ======================================================================
1070 ----------------------------------------------------------------------
1073 ==============================
1074 Release Notes for Samba 4.13.0
1076 ==============================
1079 This is the first stable release of the Samba 4.13 release series.
1080 Please read the release notes carefully before upgrading.
1086 Please avoid to set "server schannel = no" and "server schannel= auto" on all
1087 Samba domain controllers due to the wellknown ZeroLogon issue.
1089 For details please see
1090 https://www.samba.org/samba/security/CVE-2020-1472.html.
1093 NEW FEATURES/CHANGES
1094 ====================
1096 Python 3.6 or later required
1097 ----------------------------
1099 Samba's minimum runtime requirement for python was raised to Python
1100 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
1101 3.6 both to access new features and because this is the oldest version
1102 we test with in our CI infrastructure.
1104 This is also the last release where it will be possible to build Samba
1105 (just the file server) with Python versions 2.6 and 2.7.
1107 As Python 2.7 has been End Of Life upstream since April 2020, Samba
1108 is dropping ALL Python 2.x support in the NEXT release.
1110 Samba 4.14 to be released in March 2021 will require Python 3.6 or
1113 wide links functionality
1114 ------------------------
1116 For this release, the code implementing the insecure "wide links = yes"
1117 functionality has been moved out of the core smbd code and into a separate
1118 VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
1119 by smbd as the last but one module before vfs_default if "wide links = yes"
1120 is enabled on the share (note, the existing restrictions on enabling wide
1121 links around the SMB1 "unix extensions" and the "allow insecure wide links"
1122 parameters are still in force). The implicit loading was done to allow
1123 existing users of "wide links = yes" to keep this functionality without
1124 having to make a change to existing working smb.conf files.
1126 Please note that the Samba developers recommend changing any Samba
1127 installations that currently use "wide links = yes" to use bind mounts
1128 as soon as possible, as "wide links = yes" is an inherently insecure
1129 configuration which we would like to remove from Samba. Moving the
1130 feature into a VFS module allows this to be done in a cleaner way
1133 A future release to be determined will remove this implicit linkage,
1134 causing administrators who need this functionality to have to explicitly
1135 add the vfs_widelinks module into the "vfs objects =" parameter lists.
1136 The release notes will be updated to note this change when it occurs.
1138 NT4-like 'classic' Samba domain controllers
1139 -------------------------------------------
1141 Samba 4.13 deprecates Samba's original domain controller mode.
1143 Sites using Samba as a Domain Controller should upgrade from the
1144 NT4-like 'classic' Domain Controller to a Samba Active Directory DC
1145 to ensure full operation with modern windows clients.
1147 SMBv1 only protocol options deprecated
1148 --------------------------------------
1150 A number of smb.conf parameters for less-secure authentication methods
1151 which are only possible over SMBv1 are deprecated in this release.
1157 The deprecated "ldap ssl ads" smb.conf option has been removed.
1163 Parameter Name Description Default
1164 -------------- ----------- -------
1165 ldap ssl ads Removed
1166 smb2 disable lock sequence checking Added No
1167 smb2 disable oplock break retry Added No
1168 domain logons Deprecated no
1169 raw NTLMv2 auth Deprecated no
1170 client plaintext auth Deprecated no
1171 client NTLMv2 auth Deprecated yes
1172 client lanman auth Deprecated no
1173 client use spnego Deprecated yes
1174 server require schannel:COMPUTER Added
1177 CHANGES SINCE 4.13.0rc5
1178 =======================
1180 o Jeremy Allison <jra@samba.org>
1181 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
1182 netr_ServerPasswordSet2 against unencrypted passwords.
1184 o Günther Deschner <gd@samba.org>
1185 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
1186 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
1188 o Gary Lockyer <gary@catalyst.net.nz>
1189 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
1192 o Stefan Metzmacher <metze@samba.org>
1193 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
1194 challenges in netlogon_creds_server_init()
1195 "server require schannel:WORKSTATION$ = no".
1198 CHANGES SINCE 4.13.0rc4
1199 =======================
1201 o Andreas Schneider <asn@samba.org>
1202 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
1204 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
1205 * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
1208 o Stefan Metzmacher <metze@samba.org>
1209 * BUG 14482: Fix build problem if libbsd-dev is not installed.
1212 CHANGES SINCE 4.13.0rc3
1213 =======================
1215 o David Disseldorp <ddiss@samba.org>
1216 * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
1218 o Volker Lendecke <vl@samba.org>
1219 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
1222 o Stefan Metzmacher <metze@samba.org>
1223 * BUG 14428: PANIC: Assert failed in get_lease_type().
1224 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
1228 CHANGES SINCE 4.13.0rc2
1229 =======================
1231 o Andrew Bartlett <abartlet@samba.org>
1232 * BUG 14460: Deprecate domain logons, SMBv1 things.
1234 o Günther Deschner <gd@samba.org>
1235 * BUG 14318: docs: Add missing winexe manpage.
1237 o Christof Schmitt <cs@samba.org>
1238 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
1240 o Martin Schwenke <martin@meltin.net>
1241 * BUG 14466: ctdb disable/enable can fail due to race condition.
1244 CHANGES SINCE 4.13.0rc1
1245 =======================
1247 o Andrew Bartlett <abartlet@samba.org>
1248 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
1250 o Isaac Boukris <iboukris@gmail.com>
1251 * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
1253 o Volker Lendecke <vl@samba.org>
1254 * BUG 14435: winbind: Fix lookuprids cache problem.
1256 o Stefan Metzmacher <metze@samba.org>
1257 * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
1260 o Andreas Schneider <asn@samba.org>
1261 * BUG 14358: docs: Fix documentation for require_membership_of of
1264 o Martin Schwenke <martin@meltin.net>
1265 * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
1272 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
1275 #######################################
1276 Reporting bugs & Development Discussion
1277 #######################################
1279 Please discuss this release on the samba-technical mailing list or by
1280 joining the #samba-technical IRC channel on irc.freenode.net.
1282 If you do report problems then please try to send high quality
1283 feedback. If you don't provide vital information to help us track down
1284 the problem then you will probably be ignored. All bug reports should
1285 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1286 database (https://bugzilla.samba.org/).
1289 ======================================================================
1290 == Our Code, Our Bugs, Our Responsibility.
1292 ======================================================================