Samba 4.16.11 - Release Notes

From: Jule Anger Date: Wed, 19 Jul 2023 14:38:23 +0000 (+0200) Subject: add missing release notes for security releases 4.18.5, 4.17.10 and 4.16.11 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=6c4000de33aa2be2795bd5192b80598453a2dd6a;p=samba-web.git add missing release notes for security releases 4.18.5, 4.17.10 and 4.16.11 Signed-off-by: Jule Anger --- diff --git a/history/samba-4.16.11.html b/history/samba-4.16.11.html new file mode 100644 index 0000000..8b7a49f --- /dev/null +++ b/history/samba-4.16.11.html @@ -0,0 +1,70 @@ + + + +Samba 4.16.11 - Release Notes + + +

Samba 4.16.11 Available for Download

+Samba 4.16.11 (gzipped)
+Signature +

+Patch (gzipped) against Samba 4.16.10
+Signature +

+                   ===============================
+                   Release Notes for Samba 4.16.11
+                            July 19, 2023
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
+                  crafted request can trigger an out-of-bounds read in winbind
+                  and possibly crash it.
+                  https://www.samba.org/samba/security/CVE-2022-2127.html
+
+o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
+                  Spotlight can be triggered by an unauthenticated attacker by
+                  issuing a malformed RPC request.
+                  https://www.samba.org/samba/security/CVE-2023-34966.html
+
+o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
+                  Spotlight can be used by an unauthenticated attacker to
+                  trigger a process crash in a shared RPC mdssvc worker process.
+                  https://www.samba.org/samba/security/CVE-2023-34967.html
+
+o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
+                  side absolute path of shares and files and directories in
+                  search results.
+                  https://www.samba.org/samba/security/CVE-2023-34968.html
+
+
+Changes since 4.16.10
+---------------------
+
+o  Ralph Boehme <slow@samba.org>
+   * BUG 15072: CVE-2022-2127.
+   * BUG 15340: CVE-2023-34966.
+   * BUG 15341: CVE-2023-34967.
+   * BUG 15388: CVE-2023-34968.
+
+o  Samuel Cabrero <scabrero@samba.org>
+   * BUG 15072: CVE-2022-2127.
+
+o  Volker Lendecke <vl@samba.org>
+   * BUG 15072: CVE-2022-2127.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
+
+
+

+ + diff --git a/history/samba-4.17.10.html b/history/samba-4.17.10.html new file mode 100644 index 0000000..f345ce6 --- /dev/null +++ b/history/samba-4.17.10.html @@ -0,0 +1,73 @@ + + + +Samba 4.17.10 - Release Notes + + +

Samba 4.17.10 Available for Download

+Samba 4.17.10 (gzipped)
+Signature +

+Patch (gzipped) against Samba 4.17.9
+Signature +

+                   ===============================
+                   Release Notes for Samba 4.17.10
+                            July 19, 2023
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
+                  crafted request can trigger an out-of-bounds read in winbind
+                  and possibly crash it.
+                  https://www.samba.org/samba/security/CVE-2022-2127.html
+
+o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
+                  "server signing = required" or for SMB2 connections to Domain
+                  Controllers where SMB2 packet signing is mandatory.
+                  https://www.samba.org/samba/security/CVE-2023-3347.html
+
+o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
+                  Spotlight can be triggered by an unauthenticated attacker by
+                  issuing a malformed RPC request.
+                  https://www.samba.org/samba/security/CVE-2023-34966.html
+
+o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
+                  Spotlight can be used by an unauthenticated attacker to
+                  trigger a process crash in a shared RPC mdssvc worker process.
+                  https://www.samba.org/samba/security/CVE-2023-34967.html
+
+o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
+                  side absolute path of shares and files and directories in
+                  search results.
+                  https://www.samba.org/samba/security/CVE-2023-34968.html
+
+
+Changes since 4.17.9
+--------------------
+
+o  Ralph Boehme <slow@samba.org>
+   * BUG 15072: CVE-2022-2127.
+   * BUG 15340: CVE-2023-34966.
+   * BUG 15341: CVE-2023-34967.
+   * BUG 15388: CVE-2023-34968.
+   * BUG 15397: CVE-2023-3347.
+
+o  Volker Lendecke <vl@samba.org>
+   * BUG 15072: CVE-2022-2127.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
+
+
+

+ + diff --git a/history/samba-4.18.5.html b/history/samba-4.18.5.html new file mode 100644 index 0000000..42756fc --- /dev/null +++ b/history/samba-4.18.5.html @@ -0,0 +1,73 @@ + + + +Samba 4.18.5 - Release Notes + + +

Samba 4.18.5 Available for Download

+Samba 4.18.5 (gzipped)
+Signature +

+Patch (gzipped) against Samba 4.18.4
+Signature +

+                   ==============================
+                   Release Notes for Samba 4.18.5
+                           July 19, 2023
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
+                  crafted request can trigger an out-of-bounds read in winbind
+                  and possibly crash it.
+                  https://www.samba.org/samba/security/CVE-2022-2127.html
+
+o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
+                  "server signing = required" or for SMB2 connections to Domain
+                  Controllers where SMB2 packet signing is mandatory.
+                  https://www.samba.org/samba/security/CVE-2023-3347.html
+
+o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
+                  Spotlight can be triggered by an unauthenticated attacker by
+                  issuing a malformed RPC request.
+                  https://www.samba.org/samba/security/CVE-2023-34966.html
+
+o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
+                  Spotlight can be used by an unauthenticated attacker to
+                  trigger a process crash in a shared RPC mdssvc worker process.
+                  https://www.samba.org/samba/security/CVE-2023-34967.html
+
+o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
+                  side absolute path of shares and files and directories in
+                  search results.
+                  https://www.samba.org/samba/security/CVE-2023-34968.html
+
+
+Changes since 4.18.4
+--------------------
+
+o  Ralph Boehme <slow@samba.org>
+   * BUG 15072: CVE-2022-2127.
+   * BUG 15340: CVE-2023-34966.
+   * BUG 15341: CVE-2023-34967.
+   * BUG 15388: CVE-2023-34968.
+   * BUG 15397: CVE-2023-3347.
+
+o  Volker Lendecke <vl@samba.org>
+   * BUG 15072: CVE-2022-2127.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
+
+
+

+ +