=============================== Release Notes for Samba 4.13.17 January 31, 2022 =============================== This is a security release in order to address the following defects: o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module. https://www.samba.org/samba/security/CVE-2021-44142.html o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks. https://www.samba.org/samba/security/CVE-2022-0336.html Changes since 4.13.16 --------------------- o Ralph Boehme * BUG 14914: CVE-2021-44142 o Joseph Sutton * BUG 14950: CVE-2022-0336 ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.libera.chat or the #samba-technical:matrix.org matrix channel. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== Release notes for older releases follow: ---------------------------------------- =============================== Release Notes for Samba 4.13.16 January 10, 2022 =============================== This is a security release in order to address the following defects: o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x. https://www.samba.org/samba/security/CVE-2021-43566.html ======= Details ======= o CVE-2021-43566: All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed. Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink. This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild. Changes since 4.13.15 --------------------- o Jeremy Allison * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.libera.chat or the #samba-technical:matrix.org matrix channel. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.15 December 15, 2021 =============================== This is the latest stable release of the Samba 4.13 release series. Important Notes =============== There have been a few regressions in the security release 4.13.14: o CVE-2020-25717: A user on the domain can become root on domain members. https://www.samba.org/samba/security/CVE-2020-25717.html PLEASE [RE-]READ! The instructions have been updated and some workarounds initially adviced for 4.13.14 are no longer required and should be reverted in most cases. o BUG-14902: User with multiple spaces (eg FredNurk) become un-deletable. While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. Changes since 4.13.14 --------------------- o Andrew Bartlett * BUG 14656: Spaces incorrectly collapsed in ldb attributes. * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token. * BUG 14902: User with multiple spaces (eg FredNurk) become un- deletable. o Ralph Boehme * BUG 14922: Kerberos authentication on standalone server in MIT realm broken. o Alexander Bokovoy * BUG 14903: Support for ROLE_IPA_DC is incomplete. o Stefan Metzmacher * BUG 14899: winbindd doesn't start when "allow trusted domains" is off. * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token. o Joseph Sutton * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.14 November 9, 2021 =============================== This is a security release in order to address the following defects: o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication. https://www.samba.org/samba/security/CVE-2016-2124.html o CVE-2020-25717: A user on the domain can become root on domain members. https://www.samba.org/samba/security/CVE-2020-25717.html (PLEASE READ! There are important behaviour changes described) o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC. https://www.samba.org/samba/security/CVE-2020-25718.html o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets. https://www.samba.org/samba/security/CVE-2020-25719.html o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). https://www.samba.org/samba/security/CVE-2020-25721.html o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored. https://www.samba.org/samba/security/CVE-2020-25722.html o CVE-2021-3738: Use after free in Samba AD DC RPC server. https://www.samba.org/samba/security/CVE-2021-3738.html o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability. https://www.samba.org/samba/security/CVE-2021-23192.html Changes since 4.13.13 --------------------- o Douglas Bagnall * CVE-2020-25722 o Andrew Bartlett * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 o Ralph Boehme * CVE-2020-25717 o Alexander Bokovoy * CVE-2020-25717 o Samuel Cabrero * CVE-2020-25717 o Nadezhda Ivanova * CVE-2020-25722 o Stefan Metzmacher * CVE-2016-2124 * CVE-2020-25717 * CVE-2020-25719 * CVE-2020-25722 * CVE-2021-23192 * CVE-2021-3738 * ldb: version 2.2.3 o Andreas Schneider * CVE-2020-25719 o Joseph Sutton * CVE-2020-17049 * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 * MS CVE-2020-17049 ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.libera.chat or the #samba-technical:matrix.org matrix channel. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.13 October 29, 2021 =============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.12 --------------------- o Douglas Bagnall * BUG 14868: rodc_rwdc test flaps. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andrew Bartlett * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Isaac Boukris * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Viktor Dukhovni * BUG 12998: Fix transit path validation. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Luke Howard * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Stefan Metzmacher * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o David Mulder * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andreas Schneider * BUG 14870: Prepare to operate with MIT krb5 >= 1.20. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Joseph Sutton * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14868: rodc_rwdc test flaps. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Nicolas Williams * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.12 September 22, 2021 =============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.11 --------------------- o Andrew Bartlett * BUG 14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12. * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache. * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14818: Address flapping samba_tool_drs_showrepl test. * BUG 14819: Address flapping dsdb_schema_attributes test. o Björn Baumbach * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ o Luke Howard * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Volker Lendecke * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Gary Lockyer * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Stefan Metzmacher * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Andreas Schneider * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Martin Schwenke * BUG 14784: Fix CTDB flag/status update race conditions. o Joseph Sutton * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.11 September 07, 2021 =============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.10 --------------------- o Jeremy Allison * BUG 14769: smbd panic on force-close share during offload write. o Ralph Boehme * BUG 14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS. * BUG 14783: smbd "deadtime" parameter doesn't work anymore. * BUG 14787: net conf list crashes when run as normal user. o Stefan Metzmacher * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7. * BUG 14793: Start the SMB encryption as soon as possible. o Andreas Schneider * BUG 14792: Winbind should not start if the socket path for the privileged pipe is too long. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- =============================== Release Notes for Samba 4.13.10 July 14, 2021 =============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.9 -------------------- o Jeremy Allison * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles. * BUG 14721: Take a copy to make sure we don't reference free'd memory. * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname(). * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path. o Andrew Bartlett * BUG 14575: samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID. o Ralph Boehme * BUG 14714: smbd: Correctly initialize close timestamp fields. * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs. o Volker Lendecke * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler(). o Stefan Metzmacher * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd. * BUG 14752: smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records. o Joseph Sutton * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ backend. * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.9 May 11, 2021 ============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.8 -------------------- o Jeremy Allison * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. o Andrew Bartlett * BUG 14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code. o Ralph Boehme * BUG 14672: Fix smbd panic when two clients open same file. * BUG 14675: Fix memory leak in the RPC server. * BUG 14679: s3: smbd: Fix deferred renames. o Samuel Cabrero * BUG 14675: s3-iremotewinspool: Set the per-request memory context. o Volker Lendecke * BUG 14675: rpc_server3: Fix a memleak for internal pipes. o Stefan Metzmacher * BUG 11899: third_party: Update socket_wrapper to version 1.3.2. * BUG 14640: third_party: Update socket_wrapper to version 1.3.3. o Christof Schmitt * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict. o Martin Schwenke * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.7 March 24, 2021 ============================== This is a follow-up release to depend on the correct ldb version. This is only needed when building against a system ldb library. This is a security release in order to address the following defects: o CVE-2020-27840: Heap corruption via crafted DN strings. o CVE-2021-20277: Out of bounds read in AD DC LDAP server. ======= Details ======= o CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible. o CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server. For more details, please refer to the security advisories. Changes since 4.13.6 -------------------- o Release with dependency on ldb version 2.2.1. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.6 March 24, 2021 ============================== This is a security release in order to address the following defects: o CVE-2020-27840: Heap corruption via crafted DN strings. o CVE-2021-20277: Out of bounds read in AD DC LDAP server. ======= Details ======= o CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible. o CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server. For more details, please refer to the security advisories. Changes since 4.13.5 -------------------- o Andrew Bartlett * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. o Douglas Bagnall * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via bad DNs. * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.5 March 09, 2021 ============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.4 -------------------- o Trever L. Adams * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure. o Jeremy Allison * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection. * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services. o Andrew Bartlett * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones. o Ralph Boehme conn->session_info for the initial delete-on-close token. o Peter Eriksson * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path. o Björn Jacke * BUG 14624: classicupgrade: Treat old never expires value right. o Volker Lendecke * BUG 14636: g_lock: Fix uninitalized variable reads. o Stefan Metzmacher * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file(). o Andreas Schneider * BUG 14625: lib:util: Avoid free'ing our own pointer. o Paul Wise * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.4 January 26, 2021 ============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.3 -------------------- o Jeremy Allison * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7. * BUG 14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does. o Dimitry Andric * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging functions. o Andrew Bartlett * BUG 14579: Do not create an empty DB when accessing a sam.ldb. o Ralph Boehme * BUG 14596: vfs_fruit may close wrong backend fd. * BUG 14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does. o Arne Kreddig * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*. o Stefan Metzmacher * BUG 14596: vfs_fruit may close wrong backend fd. * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7. o Andreas Schneider * BUG 14601: The cache directory for the user gencache should be created recursively. o Martin Schwenke * BUG 14594: Be more flexible with repository names in CentOS 8 test environments. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.3 December 15, 2020 ============================== This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.2 -------------------- o Jeremy Allison * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob. * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function. * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(). * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match all other uses. * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown share. o Ralph Boehme * BUG 14248: samba process does not honor max log size. * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE. o Isaac Boukris * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms. o Günther Deschner * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator. o Volker Lendecke * BUG 14517: smbclient: Fix recursive mget. * BUG 14581: clitar: Use do_list()'s recursion in clitar.c. o Anoop C S * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind translator. * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS. o Jones Syue * BUG 14514: interface: Fix if_index is not parsed correctly. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.2 November 03, 2020 ============================== This is the latest stable release of the Samba 4.13 release series. Major enhancements include: o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization. o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind translator. ======= Details ======= The GlusterFS write-behind performance translator, when used with Samba, could be a source of data corruption. The translator, while processing a write call, immediately returns success but continues writing the data to the server in the background. This can cause data corruption when two clients relying on Samba to provide data consistency are operating on the same file. The write-behind translator is enabled by default on GlusterFS. The vfs_glusterfs plugin will check for the presence of the translator and refuse to connect if detected. Please disable the write-behind translator for the GlusterFS volume to allow the plugin to connect to the volume. Changes since 4.13.1 -------------------- o Jeremy Allison * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return. o Ralph Boehme * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special. o Alexander Bokovoy * BUG 14538: smb.conf.5: Add clarification how configuration changes reflected by Samba. * BUG 14552: daemons: Report status to systemd even when running in foreground. * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0. o Günther Deschner * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present. o Amitay Isaacs * BUG 14487: provision: Add support for BIND 9.16.x. * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization. * BUG 14541: libndr: Avoid assigning duplicate versions to symbols. o Björn Jacke * BUG 14522: docs: Fix default value of spoolss:architecture. o Laurent Menase * BUG 14388: winbind: Fix a memleak. o Stefan Metzmacher * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature. o Sachin Prabhu * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs. o Khem Raj * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. o Anoop C S * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice. o Andreas Schneider * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7. * BUG 14550: examples:auth: Do not install example plugin. o Martin Schwenke * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code. o Andrew Walker * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.1 October 29, 2020 ============================== This is a security release in order to address the following defects: o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. o CVE-2020-14323: Unprivileged user can crash winbind. o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records. ======= Details ======= o CVE-2020-14318: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only. o CVE-2020-14323: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: The Microsoft RPC call domain controllers offer to do this translation, so it was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server. Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash. o CVE-2020-14383: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. For more details, please refer to the security advisories. Changes since 4.13.0 -------------------- o Jeremy Allison * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. o Douglas Bagnall * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using 'samba-tool'. * BUG 14472: CVE-2020-14383: Remote crash after adding MX records. o Volker Lendecke * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.13.0 September 22, 2020 ============================== This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading. ZeroLogon ========= Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue. For details please see https://www.samba.org/samba/security/CVE-2020-1472.html. NEW FEATURES/CHANGES ==================== Python 3.6 or later required ---------------------------- Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure. This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7. As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release. Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build. wide links functionality ------------------------ For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files. Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future. A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs. NT4-like 'classic' Samba domain controllers ------------------------------------------- Samba 4.13 deprecates Samba's original domain controller mode. Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients. SMBv1 only protocol options deprecated -------------------------------------- A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release. REMOVED FEATURES ================ The deprecated "ldap ssl ads" smb.conf option has been removed. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- ldap ssl ads Removed smb2 disable lock sequence checking Added No smb2 disable oplock break retry Added No domain logons Deprecated no raw NTLMv2 auth Deprecated no client plaintext auth Deprecated no client NTLMv2 auth Deprecated yes client lanman auth Deprecated no client use spnego Deprecated yes server require schannel:COMPUTER Added CHANGES SINCE 4.13.0rc5 ======================= o Jeremy Allison * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords. o Günther Deschner * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations. o Gary Lockyer * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge. o Stefan Metzmacher * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no". CHANGES SINCE 4.13.0rc4 ======================= o Andreas Schneider * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14. * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name. * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain entry. o Stefan Metzmacher * BUG 14482: Fix build problem if libbsd-dev is not installed. CHANGES SINCE 4.13.0rc3 ======================= o David Disseldorp * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules". o Volker Lendecke * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. o Stefan Metzmacher * BUG 14428: PANIC: Assert failed in get_lease_type(). * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. CHANGES SINCE 4.13.0rc2 ======================= o Andrew Bartlett * BUG 14460: Deprecate domain logons, SMBv1 things. o Günther Deschner * BUG 14318: docs: Add missing winexe manpage. o Christof Schmitt * BUG 14166: util: Allow symlinks in directory_create_or_exist. o Martin Schwenke * BUG 14466: ctdb disable/enable can fail due to race condition. CHANGES SINCE 4.13.0rc1 ======================= o Andrew Bartlett * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs. o Isaac Boukris * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option. o Volker Lendecke * BUG 14435: winbind: Fix lookuprids cache problem. o Stefan Metzmacher * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos. o Andreas Schneider * BUG 14358: docs: Fix documentation for require_membership_of of pam_winbind.conf. o Martin Schwenke * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread count. KNOWN ISSUES ============ https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ======================================================================