Karolin Seeger
2018-Nov-27 09:27 UTC
[Samba] [Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
Release Announcements --------------------- These are security releases in order to address the following defects: o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server) o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) o CVE-2018-16857 (Bad password count in AD DC not always effective) CVE-2018-16852 and CVE-2018-16857 affect 4.9 only. ======Details ====== o CVE-2018-14629: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue. o CVE-2018-16841: When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. There is no further vulnerability associated with this issue, merely a denial of service. o CVE-2018-16851: During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service. o CVE-2018-16852: During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service. o CVE-2018-16853: A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory we clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this configuration. o CVE-2018-16857: AD DC Configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. For more details and workarounds, please refer to the security advisories. Changes since 4.9.2: -------------------- o Andrew Bartlett <abartlet at samba.org> * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with mis-matching principal. * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT Kerberos is experimental o Tim Beale <timbeale at catalyst.net.nz> * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int. o Joe Guo <joeg at catalyst.net.nz> * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after class or function definition, found 1. o Aaron Haslett <aaronhaslett at catalyst.net.nz> * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. o Gary Lockyer <gary at catalyst.net.nz> * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC DNS management. o Garming Sam <garming at catalyst.net.nz> * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ======================================================================= Our Code, Our Bugs, Our Responsibility. == The Samba Team ===================================================================== ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.9.3.html https://www.samba.org/samba/history/samba-4.8.7.html https://www.samba.org/samba/history/samba-4.7.12.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20181127/13e0acee/signature.sig>
Apparently Analagous Threads
- [Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
- [Announce] Samba 4.9.4 Available for Download
- [Samba] [Announce] Samba 4.9.4 Available for Download
- [Announce] Samba 4.8.8 Available for Download
- [Samba] [Announce] Samba 4.8.8 Available for Download