Karolin Seeger
2013-Mar-19 10:04 UTC
[Samba] [Announce] Samba 4.0.4 Security Release Available for Download
Release Announcements
---------------------

This is a security release in order to address CVE-2013-1863 (World-writeable files may be created in additional shares on a Samba 4.0 AD DC).

o CVE-2013-1863:
  Administrators of the Samba 4.0 Active Directory Domain Controller might unexpectedly find files created world-writeable if additional CIFS file shares are created on the AD DC. Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this defect.

Changes since 4.0.3:
--------------------

o Andrew Bartlett <abartlet at samba.org>
  * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.0 product in the project's Bugzilla database (https://bugzilla.samba.org/).

=======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
=======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

http://www.samba.org/samba/history/samba-4.0.4.html

Binary packages will be made available on a volunteer basis from

http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
Andrew Bartlett
2013-Mar-20 23:17 UTC
[Samba] [Announce] Samba 4.0.4 Security Release Available for Download
As our announcement of 4.0.4 has confused some of our administrators as to who is affected, and because there are IMPORTANT STEPS included that affected administrators need to follow, I'm posting the whole advisory text below:

On Tue, 2013-03-19 at 11:04 +0100, Karolin Seeger wrote:
> Release Announcements
> ---------------------
>
> This is a security release in order to address CVE-2013-1863
> (World-writeable files may be created in additional shares on a
> Samba 4.0 AD DC).
>
> o CVE-2013-1863:
>   Administrators of the Samba 4.0 Active Directory Domain
>   Controller might unexpectedly find files created world-writeable
>   if additional CIFS file shares are created on the AD DC.
>   Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
>   defect.
>
>
> Changes since 4.0.3:
> --------------------
>
> o Andrew Bartlett <abartlet at samba.org>
>   * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

===========================================================
== Subject:     World-writeable files may be created in additional shares on a
==              Samba 4.0 AD DC
==
== CVE ID#:     CVE-2013-1863
==
== Versions:    Samba 4.0.0rc6 - 4.0.3 (inclusive)
==
== Summary:     Administrators of the Samba 4.0 Active Directory Domain
==              Controller might unexpectedly find files created world-writeable
==              if additional CIFS file shares are created on the AD DC.
===========================================================

===========
Description
===========

Administrators of the Samba 4.0 Active Directory Domain Controller might unexpectedly find files created world-writeable if additional CIFS file shares are created on the AD DC.

By default the AD DC is not vulnerable to this issue, as a specific inheritable ACL is set on the files in the [sysvol] and [netlogon] shares.

However, on other shares, when only configured with simple unix user/group/other permissions, the forced setting of 'create mask' and 'directory mask' on AD DC installations would apply, resulting in world-writable file permissions being set.

These permissions are visible with the standard tools, and only the initial file creation is affected. As Samba honours the unix permissions, the security of files where explicit permissions have been set is not affected.

Administrators will need to manually correct the permissions of any world-writable files and directories. After upgrading, either recursively set correct permissions using the Windows ACL editor, or run something like e.g.:

sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share

(Please note that this command might need to be adapted to your needs). This will remove all the ACLs (a reasonable step as this only impacts on shares without an ACL set), including a problematic default posix ACL on subdirectories.

==================
Mitigating factors
==================

By default the AD DC is not vulnerable to this issue, as a specific inheritable ACL is set on the files in the default [sysvol] and [netlogon] shares.

Users of our file server when configured in any other mode, such as a standalone server, domain member (including of a Samba 4.0 AD Domain), file server or classic (NT4-like) domain controller are not impacted. Many Samba 4.0 AD DC installations have followed the Team's advice to split their installation in this way, and so are not affected.

Similarly, Samba 4.0 AD DC installations based on the 'ntvfs' file server are not impacted. This is not the default in upstream Samba, but importantly it is the only available configuration in samba4 packages of Samba 4.0 in Debian (including experimental) and Ubuntu supplied packages.

Likewise, packages and installations built --without-ad-dc are not impacted, as only AD DC installations will set this configuration. We understand Red Hat and Fedora installations are built in this mode.

Unless guest access has been explicitly allowed (guest ok = yes), only authenticated users would be able to read/write any of the accidentally world-writable files. Similarly, the 'read only = no' default in the smb.conf still applies.

==========
Workaround
==========

Set a recursive and inherited ACL on the root of the share (for example, using the ACL editor on a Windows client).

==================
Patch Availability
==================

Patches addressing this defect have been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.0.4 has been issued as a security release to correct the defect. Samba administrators running affected versions are advised to upgrade to 4.0.4 or apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was noticed by a number of observant administrators, including Ricky Nance <ricky.nance at weaubleau.k12.mo.us>.

===========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
===========================================================

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
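As an added example (not part of the advisory and not Samba's own tooling), a small POSIX shell audit script that finds the world-writable files and directories the forced 0777 'create mask' would have produced on an affected share, and applies the advisory's chmod o-w,g-w step to just those paths. The sample share it builds is constructed; it deliberately leaves out the advisory's setfacl -b step, which drops ACLs on shares that never had any set, so it only covers plain unix-mode shares.

```shell
#!/bin/sh
# Added example for CVE-2013-1863 clean-up, not code from the advisory.
# Assumes a POSIX sh with find, chmod and mktemp; all paths are constructed.

# List files and directories under $1 whose mode has the other-write bit
# (the symptom left behind by the forced 'create mask'/'directory mask').
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# Count such paths so a caller can gate on the result (0 means clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: strip group and other write bits, as in the advisory's
# 'chmod o-w,g-w -R', but only on paths that actually carry the other-write
# bit, so modes an administrator set deliberately elsewhere are untouched.
fix_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -exec chmod o-w,g-w {} +
}

# Build a constructed sample share to run against (not real data):
# one file with sane permissions, one file and one directory at 0777.
make_sample_share() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ok" "$dir/sub"
    chmod 0755 "$dir/ok"
    : > "$dir/ok/report.txt";  chmod 0644 "$dir/ok/report.txt"
    : > "$dir/sub/leaked.doc"; chmod 0777 "$dir/sub/leaked.doc"  # create mask 0777
    chmod 0777 "$dir/sub"                                       # directory mask 0777
    printf '%s\n' "$dir"
}

# Demo run when executed directly as audit_share.sh.
if [ "${0##*/}" = "audit_share.sh" ]; then
    share=$(make_sample_share)
    echo "before: $(count_world_writable "$share") world-writable path(s)"
    find_world_writable "$share"
    fix_world_writable "$share"
    echo "after:  $(count_world_writable "$share") world-writable path(s)"
    rm -rf "$share"
fi
```

Run the find step alone first on a real share to review what would change; the advisory notes that only files created while the share lacked an ACL are affected, so a short list is expected.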
a5mmdc96rb at snkmail.com
2013-Mar-20 23:25 UTC
[Samba] [Announce] Samba 4.0.4 Security Release Available for Download
The user promo at pjnetworks.com does not accept mail from your address. The headers of the message sent from your address are shown below: