samba - Mar 2013 - [Announce] Samba 4.0.4 Security Release Available for Download

Release Announcements
---------------------

This is a security release in order to address CVE-2013-1863
(World-writeable files may be created in additional shares on a
Samba 4.0 AD DC).

o  CVE-2013-1863:
   Administrators of the Samba 4.0 Active Directory Domain
   Controller might unexpectedly find files created world-writeable
   if additional CIFS file shares are created on the AD DC.
   Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
   defect.


Changes since 4.0.3:
--------------------

o   Andrew Bartlett <abartlet at samba.org>
    * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to
0777.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.0 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

	http://www.samba.org/samba/history/samba-4.0.4.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team

As our announcement of 4.0.4 has confused some of our administrators as
to who is affected, and because there are IMPORTANT STEPS included that
affected administrators need to follow, I'm posting the whole advisory
text below:

On Tue, 2013-03-19 at 11:04 +0100, Karolin Seeger wrote:
> Release Announcements
> ---------------------
> 
> This is a security release in order to address CVE-2013-1863
> (World-writeable files may be created in additional shares on a
> Samba 4.0 AD DC).
> 
> o  CVE-2013-1863:
>    Administrators of the Samba 4.0 Active Directory Domain
>    Controller might unexpectedly find files created world-writeable
>    if additional CIFS file shares are created on the AD DC.
>    Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
>    defect.
> 
> 
> Changes since 4.0.3:
> --------------------
> 
> o   Andrew Bartlett <abartlet at samba.org>
>     * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask'
to 0777.

============================================================ Subject:    
World-writeable files may be created in additional shares on a
==		Samba 4.0 AD DC
=== CVE ID#:     CVE-2013-1863
=== Versions:    Samba 4.0.0rc6 - 4.0.3 (inclusive)
=== Summary:	Administrators of the Samba 4.0 Active Directory Domain
==		Controller might unexpectedly find files created world-writeable
==		if additional CIFS file shares are created on the AD DC.
===========================================================
==========Description
==========
Administrators of the Samba 4.0 Active Directory Domain Controller might
unexpectedly find files created world-writeable if additional CIFS file shares
are created on the AD DC.

By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the [sysvol] and [netlogon] shares.

However, on other shares, when only configured with simple unix
user/group/other permissions, the forced setting of 'create mask' and
'directory mask' on AD DC installations would apply, resulting in
world-writable file permissions being set.

These permissions are visible with the standard tools, and only the initial
file creation is affected.  As Samba honours the unix permissions, the security
of files where explicit permissions have been set are not affected.

Administrators will need to manually correct the permissions of any
world-writable files and directories.  After upgrading, either recursively set
correct permissions using the Windows ACL editor, or run something like e.g.:

sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R
/path/to/share
(Please note that this command might need to be adapted to your needs).

This will remove all the ACLs (a reasonable step as this only impacts on shares
without an ACL set), including a problematic default posix ACL on
subdirectories.

=================Mitigating factors
=================
By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the default [sysvol] and [netlogon] shares.

Users of our file server when configured in any other mode, such as a
standalone server, domain member (including of a Samba 4.0 AD Domain), file
server or classic (NT4-like) domain controller are not impacted.  Many Samba
4.0 AD DC installations have followed the Team's advise to split their
installation in this way, and so are not affected.

Similarly, samba 4.0 AD DC installations based on the 'ntvfs' file
server are
not impacted.  This is not the default in upstream Samba, but importantly it is
the only available configuration in samba4 packages of Samba 4.0 in Debian
(including experimental) and Ubuntu supplied packages.

Likewise, packages and installations built --without-ad-dc are not impacted, as
only AD DC installations will set this configuration.  We understand Red Hat
and Fedora installations are built in this mode.

Unless guest access has been explicitly allowed (guest ok = yes), only
authenticated users would be able to read/write any of accidentally
world-writable files.  Similarly, the 'read only = no' default in the
smb.conf
still applies.

=========Workaround
=========
Set a recursive and inherited ACL on the root of the share (for example, using
the ACL editor on a Windows client)

=================Patch Availability
=================
Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.4, has been issued as security
releases to correct the defect.  Samba administrators running affected versions
are advised to upgrade to 4.0.4 or apply the patch as soon as
possible.

======Credits
======
The vulnerability was noticed by a number of observant administrators,
including Ricky Nance <ricky.nance at weaubleau.k12.mo.us>.

=========================================================== Our Code, Our Bugs,
Our Responsibility.
== The Samba Team
=========================================================-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

The user promo at pjnetworks.com does not accept mail from your address.

The headers of the message sent from your address are shown below:
>From sentto-3853030-434075-1363821512-promo=pjnetworks.com at
returns.groups.yahoo.com Wed Mar 20 19:18:27 2013
Received: from ng5-vm2.bullet.mail.gq1.yahoo.com ([98.136.219.54]:31789)
	by ajay.pjnetworks.org with smtp (Exim 4.80)
	(envelope-from <sentto-3853030-434075-1363821512-promo=pjnetworks.com at
returns.groups.yahoo.com>)
	id 1UISH4-0004xM-R6
	for promo at pjnetworks.com; Wed, 20 Mar 2013 19:18:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com;
s=echoe; t=1363821514; bh=M1yBRUFFCbqDxr3HeFg6mgk+C/QA2eFZxrjpUxAPgiE=;
h=Received:Received:X-Yahoo-Newman-Id:X-Sender:X-Apparently-To:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-Forwarded-To:X-Forwarded-For:Delivered-To:X-Received:X-Received:X-Received:X-Received-SPF:Authentication-Results:X-Received:X-Spam-Checker-Version:X-Spam-Level:X-Spam-Status:X-Original-To:Delivered-To:X-Received:Message-ID:To:In-Reply-To:References:Organization:X-Mailer:X-Beenthere:X-Mailman-Version:List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:Errors-To:X-Sneakemail-Label:X-Sneakemail-Address:X-Sneakemail-Tag:X-Sneakemail-From:X-Sneakemail-Is-Sneakemail:X-Sneakemail-Folder-Path:X-Originating-IP:X-eGroups-Msg-Info:X-eGroups-From:From:Sender:MIME-Version:Mailing-List:Delivered-To:List-Id:Precedence:List-Unsubscribe:Date:Subject:Reply-To:X-Yahoo-Newman-Property:Content-Type;
b=MpZ2uJJwCrfvglpPK4kYq955zOjbb6Zsmvh20oPQrz1SPaM302K28QltqcRx5EuuLw4GitcUKVKPv6dwATXwNNvZjtReMXxgYhqSLlntEkYKszq9x5V47TKImkPr/J5+NJuregZBVC7afBmqW+GIDXNcrX+DsuAdB/vXwcThMIgDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=echoe; d=yahoogroups.com;
	b=xzhP7vRNWsRSU/rfYHirxp0/AEqUO76xO4CJiw7DWFAOkaHli2aqb7GgAd3+25nTdnHtc56PkSfF4fTciHSLzTMU9cJ7CuDRCWZTTUIr9YSxAlMfDmr/Cq9VoXQ70ncu/yEA82T7dLobkTC9pf6PtgY0YsAlUNLUJExYOXShAZE=;
Received: from [98.137.0.89] by ng5.bullet.mail.gq1.yahoo.com with NNFMP; 20 Mar
2013 23:18:34 -0000
Received: from [10.193.39.25] by tg9.bullet.mail.gq1.yahoo.com with NNFMP; 20
Mar 2013 23:18:34 -0000
X-Yahoo-Newman-Id: 3853030-m434075
X-Sender: we4m5mdz0t at sneakemail.com
X-Apparently-To: ******************************
X-Received: (qmail 79292 invoked from network); 20 Mar 2013 23:18:32 -0000
X-Received: from unknown (10.193.84.163)
  by m6.grp.bf1.yahoo.com with QMQP; 20 Mar 2013 23:18:32 -0000
X-Received: from unknown (HELO sneak2.sneakemail.com) (38.113.6.65)
  by mta3.grp.bf1.yahoo.com with SMTP; 20 Mar 2013 23:18:31 -0000
X-Received: (qmail 5168 invoked from network); 20 Mar 2013 23:18:31 -0000
X-Received: from unknown (HELO localhost.localdomain) (192.168.0.1)
  by sneak2.sneakemail.com with SMTP; 20 Mar 2013 23:18:31 -0000
X-Received: from 209.85.215.47 by mail.sneakemail.com with SMTP;
 20 Mar 2013 23:18:31 -0000
X-Received: by mail-la0-f47.google.com with SMTP id fj20so3984114lab.20 for
 <a5mmdc96rb at snkmail.com>; Wed, 20 Mar 2013 16:18:29 -0700 (PDT)
X-Received: by 10.112.9.231 with SMTP id d7mr10485227lbb.8.1363821509865; 
       Wed, 20 Mar 2013 16:18:29 -0700 (PDT)
X-Forwarded-To: a5mmdc96rb at snkmail.com
X-Forwarded-For: charlessandhurst at gmail.com a5mmdc96rb at snkmail.com
Delivered-To: charlessandhurst at gmail.com
X-Received: by 10.112.61.41 with SMTP id m9csp30951lbr;        Wed,
 20 Mar 2013 16:18:28 -0700 (PDT)
X-Received: by 10.68.11.35 with SMTP id n3mr11647929pbb.220.1363821507444;
        Wed, 20 Mar 2013 16:18:27 -0700 (PDT)
X-Received: from mail.samba.org (fn.samba.org. [216.83.154.106])        by
 mx.google.com with ESMTPS id td2si4067436pac.21.2013.03.20.16.18.25
 (version=TLSv1 cipher=RC4-SHA bits=128/128);        Wed, 20 Mar 2013
 16:18:27 -0700 (PDT)
X-Received-SPF: pass (google.com: domain of samba-technical-bounces at
lists.samba.org
 designates 216.83.154.106 as permitted sender) client-ip=216.83.154.106;
Authentication-Results: mx.google.com;       spf=pass (google.com: domain
 of samba-technical-bounces at lists.samba.org designates 216.83.154.106 as
 permitted sender) smtp.mail=samba-technical-bounces at lists.samba.org
X-Received: from fn.samba.org (localhost [127.0.0.1])	by mail.samba.org
 (Postfix) with ESMTP id 2AC26465B8;	Wed, 20 Mar 2013 17:17:53 -0600 (MDT)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on fn.samba.org
X-Spam-Level:
X-Spam-Status: No, score=-2.9 required=3.8 tests=ALL_TRUSTED,BAYES_00
	autolearn=unavailable version=3.3.1
X-Original-To: samba-technical at samba.org
Delivered-To: samba-technical at samba.org
X-Received: from [127.0.0.1] (localhost [127.0.0.1])	by mail.samba.org
 (Postfix) with ESMTPS id 36C45AD55C;	Wed, 20 Mar 2013 17:17:44 -0600 (MDT)
Message-ID: <1363821462.29146.23.camel at jesse>
To: ******************************, samba-announce at samba.org,
 samba-technical at samba.org, samba at samba.org
In-Reply-To: <E1UHtOw-008UZu-9G at intern.SerNet.DE>
References: <E1UHtOw-008UZu-9G at intern.SerNet.DE>
Organization:
X-Mailer: Evolution 3.4.4 (3.4.4-2.fc17)
X-Beenthere: samba-technical at lists.samba.org
X-Mailman-Version: 2.1.13
List-Unsubscribe:
<https://lists.samba.org/mailman/options/samba-technical>,
 <mailto:samba-technical-request at lists.samba.org?subject=unsubscribe>
List-Archive: <http://lists.samba.org/pipermail/samba-technical>
List-Post: <mailto:samba-technical at lists.samba.org>
List-Help: <mailto:samba-technical-request at
lists.samba.org?subject=help>
List-Subscribe:
<https://lists.samba.org/mailman/listinfo/samba-technical>,
	<mailto:samba-technical-request at lists.samba.org?subject=subscribe>
Errors-To: samba-technical-bounces at lists.samba.org
X-Sneakemail-Label: Jay Stevens
X-Sneakemail-Address: a5mmdc96rb at snkmail.com
X-Sneakemail-Tag:
X-Sneakemail-From: Andrew Bartlett <abartlet at samba.org>
X-Sneakemail-Is-Sneakemail: yes
X-Sneakemail-Folder-Path: /Desktop
X-Originating-IP: 38.113.6.65
X-eGroups-Msg-Info: 1:12:0:0:0
X-eGroups-From: "Andrew Bartlett abartlet-at-samba.org |Jay Stevens|"
<zntnjyvept at sneakemail.com>
From: "Andrew Bartlett abartlet-at-samba.org |Jay Stevens|"
<1yp5ydf8qt at sneakemail.com>
Sender: ******************************
MIME-Version: 1.0
Mailing-List: list ******************************; contact spammers-elite-owner
at yahoogroups.com
Delivered-To: mailing list ******************************
List-Id: <spammers-elite.yahoogroups.com>
Precedence: bulk
List-Unsubscribe: <mailto:spammers-elite-unsubscribe at yahoogroups.com>
Date: Thu, 21 Mar 2013 10:17:42 +1100
Subject: Re: [Announce] Samba 4.0.4 Security Release Available for Download
Reply-To: ******************************
X-Yahoo-Newman-Property: groups-email-ff-u
Content-Type: multipart/alternative;
 boundary="WqBg0zxwcrXLkgAH8qWX7XSsCMM5Kh2ZLTqgOBT"
X-Spam-Status: No, scoreX-Spam-Score: 
X-Spam-Bar: 
X-Ham-Report: 
X-Spam-Flag: NO