Karolin Seeger
2021-Mar-24 12:02 UTC
[Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases
Release Announcements
---------------------
These are security releases in order to address the following defects:
o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
======Details
======
o CVE-2020-27840:
An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
crafted DNs as part of a bind request. More serious heap corruption is likely
also possible.
o CVE-2021-20277:
User-controlled LDAP filter strings against the AD DC LDAP server may crash
the LDAP server.
For more details, please refer to the security advisories.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.14.2.html
https://www.samba.org/samba/history/samba-4.13.7.html
https://www.samba.org/samba/history/samba-4.12.14.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba-announce/attachments/20210324/2a5f76af/signature.sig>
L.P.H. van Belle
2021-Mar-25 08:36 UTC
[Samba] [Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases
Hai Joachim, Packages will come online soon, all builders are running. Building and more important testing them do cost time. But they will come online today. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Joachim Lindenberg [mailto:samba at lindenberg.one] > Verzonden: woensdag 24 maart 2021 19:28 > Aan: 'L.P.H. van Belle' > Onderwerp: WG: [Samba] [Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) > and 4.12.14 (4.12.13) Security Releases > > Hai Louis, > I ran apt update & apt upgrade & samba -V > and it still reports Version 4.12.12-Debian. Is there a delay because of a > CDN? Or too busy with other stuff? > Didn?t check the one instance on 4.13, that is offline right now. > Greetz, > Joachim > > -----Urspr?ngliche Nachricht----- > Von: samba <samba-bounces at lists.samba.org> Im Auftrag von Karolin Seeger > via samba > Gesendet: Wednesday, 24 March 2021 13:02 > An: samba-announce at lists.samba.org; samba at lists.samba.org; samba- > technical at lists.samba.org > Betreff: [Samba] [Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and > 4.12.14 (4.12.13) Security Releases > > Release Announcements > --------------------- > > These are security releases in order to address the following defects: > > o CVE-2020-27840: Heap corruption via crafted DN strings. > o CVE-2021-20277: Out of bounds read in AD DC LDAP server. > > > ======> Details > ======> > o CVE-2020-27840: > An anonymous attacker can crash the Samba AD DC LDAP server by sending > easily > crafted DNs as part of a bind request. More serious heap corruption is > likely > also possible. > > o CVE-2021-20277: > User-controlled LDAP filter strings against the AD DC LDAP server may > crash > the LDAP server. > > For more details, please refer to the security advisories. > > > ####################################### > Reporting bugs & Development Discussion > ####################################### > > Please discuss this release on the samba-technical mailing list or by > joining the #samba-technical IRC channel on irc.freenode.net. > > If you do report problems then please try to send high quality feedback. > If you don't provide vital information to help us track down the problem > then you will probably be ignored. All bug reports should be filed under > the Samba 4.1 and newer product in the project's Bugzilla database > (https://bugzilla.samba.org/). > > > =====================================================================> == Our Code, Our Bugs, Our Responsibility. > == The Samba Team > =====================================================================> > > > ===============> Download Details > ===============> > The uncompressed tarballs and patch files have been signed using GnuPG (ID > AA99442FB680B620). The source code can be downloaded > from: > > https://download.samba.org/pub/samba/stable/ > > The release notes are available online at: > > https://www.samba.org/samba/history/samba-4.14.2.html > https://www.samba.org/samba/history/samba-4.13.7.html > https://www.samba.org/samba/history/samba-4.12.14.html > > Our Code, Our Bugs, Our Responsibility. > (https://bugzilla.samba.org/) > > --Enjoy > The Samba Team