Karolin Seeger
2019-Apr-08 08:00 UTC
[Announce] Samba 4.10.2, 4.9.6 and 4.8.11 Security Releases Available
Release Announcements
---------------------
These are a security releases in order to address the following defects:
o CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o CVE-2019-3880 (Save registry file outside share as unprivileged user)
======Details
======
o CVE-2019-3870:
During the provision of a new Active Directory DC, some files in the private/
directory are created world-writable.
o CVE-2019-3880:
Authenticated users with write permission can trigger a symlink traversal to
write or detect files outside the Samba share.
For more details and workarounds, please refer to the security advisories.
Changes:
--------
o Andrew Bartlett <abartlet at samba.org>
* BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
smbd.mkdir().
o Jeremy Allison <jra at samba.org>
* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's
Bugzilla
database (https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.10.2.html
https://www.samba.org/samba/history/samba-4.9.6.html
https://www.samba.org/samba/history/samba-4.8.11.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba-announce/attachments/20190408/01d9974a/signature.sig>
Reasonably Related Threads
- [Announce] Samba 4.10.2, 4.9.6 and 4.8.11 Security Releases Available
- Debian Stretch, Samba 4.10.2, 4.9.6 and 4.8.11 Available (amd64/i386)
- Debian Stretch, Samba 4.10.2, 4.9.6 and 4.8.11 Available (amd64/i386)
- Debian Stretch, Samba 4.10.2, 4.9.6 and 4.8.11 Available (amd64/i386)
- Now available, Ubuntu Bionic packages for Samba 4.10.2, 4.9.6 *(both amd64 only)
Wisdom of the Ancients
