Release Announcements --------------------- This is the latest stable release of the Samba 4.21 release series. It contains the security-relevant bugfix CVE-2025-0620: ??? smbd doesn't pick up group membership changes ??? when re-authenticating an expired SMB session ??? https://www.samba.org/samba/security/CVE-2025-0620.html Description of CVE-2025-0620 ----------------------------- ??? With Kerberos authentication SMB sessions typically have an ??? associated lifetime, requiring re-authentication by the ??? client when the session expires. As part of the ??? re-authentication, Samba receives the current group ??? membership information and is expected to reflect this ??? change in further SMB request processing. ??? For historic reasons, Samba maintains a cache of ??? associations between a user's impersonation information and ??? connected shares. A recent change in this cache caused Samba ??? to not reflect group membership changes from session ??? re-authentication when processing further SMB requests. ??? As a result, when an administrator removes a user from a ??? particular group in Active Directory, this change will not ??? become effective unless the user disconnects from the server ??? and establishes a new connection. Changes since 4.21.5 -------------------- o? Douglas Bagnall <douglas.bagnall at catalyst.net.nz> ?? * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. ?? * BUG 15829: samba-tool gpo backup creates entity backups it can't read. ?? * BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with ???? prepended 0's. o? Ralph Boehme <slow at samba.org> ?? * BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership ???? changes when re-authenticating an expired SMB session. ?? * BUG 15767: Deadlock between two smbd processes. o? Pavel Filipensk? <pfilipensky at samba.org> ?? * BUG 15727: net ad join fails with "Failed to join domain: failed to create ???? kerberos keytab". o? Andreas Hasenack <andreas.hasenack at canonical.com> ?? * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. o? Volker Lendecke <vl at samba.org> ?? * BUG 15841: Wide link issue in samba 4.22. o? Stefan Metzmacher <metze at samba.org> ?? * BUG 15767: Deadlock between two smbd processes. ?? * BUG 15851: dcerpcd not able to bind to listening port. o? Anoop C S <anoopcs at samba.org> ?? * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any ???? level beyond share root. o? Martin Schwenke <mschwenke at ddn.com> ?? * BUG 15858: CTDB does not put nodes running NFS into grace on graceful ???? shutdown. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ======================================================================= Our Code, Our Bugs, Our Responsibility. == The Samba Team ===================================================================== ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? https://download.samba.org/pub/samba/stable/ The release notes are available online at: ??????? https://www.samba.org/samba/history/samba-4.21.6.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team