Jule Anger
2023-Mar-29 14:50 UTC
[Announce] Samba 4.18.1, 4.17.7., 4.16.10 Security Releases are available for Download
Release Announcements --------------------- This are security releases in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated ???????????????? but otherwise unprivileged users to delete this attribute from ???????????????? any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a ???????????????? remote LDAP server, will by default send new or reset ???????????????? passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 ???????????????? Confidential attribute disclosure via LDAP filters was ???????????????? insufficient and an attacker may be able to obtain ???????????????? confidential BitLocker recovery keys from a Samba AD DC. ???????????????? Installations with such secrets in their Samba AD should ???????????????? assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html Changes ------- o? Douglas Bagnall <douglas.bagnall at catalyst.net.nz> ?? * BUG 15276: CVE-2023-0225. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 15270: CVE-2023-0614. ?? * BUG 15331: ldb wildcard matching makes excessive allocations. ?? * BUG 15332: large_ldap test is inefficient. o? Rob van der Linde <rob at catalyst.net.nz> ?? * BUG 15315: CVE-2023-0922. o? Joseph Sutton <josephsutton at catalyst.net.nz> ?? * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not ???? allow full write to all attributes (additional changes). ?? * BUG 15270: CVE-2023-0614. ?? * BUG 15276: CVE-2023-0225. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ======================================================================= Our Code, Our Bugs, Our Responsibility. == The Samba Team ===================================================================== ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The Samba source code can be downloaded from: ??????? https://download.samba.org/pub/samba/stable/ The release notes are available online at: ??????? https://www.samba.org/samba/history/samba-4.18.1.html ??????? https://www.samba.org/samba/history/samba-4.17.7.html https://www.samba.org/samba/history/samba-4.16.10.html If you are building/using ldb from a system library, you'll also need the related updated ldb tarball, otherwise you can ignore it. The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). The ldb source code can be downloaded from: samba-4.18.1: https://download.samba.org/pub/ldb/ldb-2.7.2.tar.gz samba-4.17.7: https://download.samba.org/pub/ldb/ldb-2.6.2.tar.gz samba-4.16.10: https://download.samba.org/pub/ldb/ldb-2.5.3.tar.gz Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team
Reasonably Related Threads
- [Announce] Samba 4.18.1, 4.17.7., 4.16.10 Security Releases are available for Download
- [Announce] Samba 4.17.8 Available for Download
- [Announce] Samba 4.17.8 Available for Download
- 4.18.x on bullseye-security update?
- [Announce] Samba 4.18.2 Available for Download