Karolin Seeger
2019-Oct-29 09:45 UTC
[Samba] [Announce] Samba 4.11.2, 4.10.10 and 4.9.15 Security Releases Available
Release Announcements --------------------- These are security releases in order to address the following defects: o CVE-2019-10218: Client code can return filenames containing path separators. o CVE-2019-14833: Samba AD DC check password script does not receive the full password. o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync. ======Details ====== o CVE-2019-10218: Malicious servers can cause Samba client code to return filenames containing path separators to calling code. o CVE-2019-14833: When the password contains multi-byte (non-ASCII) characters, the check password script does not receive the full password string. o CVE-2019-14847: Users with the "get changes" extended access right can crash the AD DC LDAP server by requesting an attribute using the range= syntax. For more details and workarounds, please refer to the security advisories. Changes: -------- o Jeremy Allison <jra at samba.org> * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code from evil server returned names. o Andrew Bartlett <abartlet at samba.org> * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable password. * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync. o Bj?rn Baumbach <bb at sernet.de> * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password script. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ======================================================================= Our Code, Our Bugs, Our Responsibility. == The Samba Team ===================================================================== ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.11.2.html https://www.samba.org/samba/history/samba-4.10.10.html https://www.samba.org/samba/history/samba-4.9.15.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20191029/0ddfc4fe/signature.sig>
Apparently Analagous Threads
- [Announce] Samba 4.11.2, 4.10.10 and 4.9.15 Security Releases Available
- Recent inability to view long filenames stored with scp via samba mount
- Recent inability to view long filenames stored with scp via samba mount
- Samab 4.11.2, 4.10.10 and 4.9.15 for rhel7/centos7 rpms
- Samba4 KDC - no such entry found in hdb