-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathWHATSNEW.txt
1531 lines (1097 loc) · 56.6 KB
/
WHATSNEW.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
=============================
Release Notes for Samba 4.3.8
April 12, 2016
=============================
This is a security release containing one additional
regression fix for the security release 4.3.7.
This fixes a regression that prevents things like 'net ads join'
from working against a Windows 2003 domain.
Changes since 4.3.7:
====================
o Stefan Metzmacher <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
Release notes for the original 4.3.7 release follows:
-----------------------------------------------------
=============================
Release Notes for Samba 4.3.7
April 12, 2016
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-5370 (Multiple errors in DCE-RPC code)
o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
o CVE-2016-2112 (LDAP client and server don't enforce integrity)
o CVE-2016-2113 (Missing TLS certificate validation)
o CVE-2016-2114 ("server signing = mandatory" not enforced)
o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
The number of changes are rather huge for a security release,
compared to typical security releases.
Given the number of problems and the fact that they are all related
to man in the middle attacks we decided to fix them all at once
instead of splitting them.
In order to prevent the man in the middle attacks it was required
to change the (default) behavior for some protocols. Please see the
"New smb.conf options" and "Behavior changes" sections below.
=======
Details
=======
o CVE-2015-5370
Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high cpu consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.
While we think it is unlikely, there's a nonzero chance for
a remote code execution attack against the client components,
which are used by smbd, winbindd and tools like net, rpcclient and
others. This may gain root access to the attacker.
The above applies all possible server roles Samba can operate in.
Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!
The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.
o CVE-2016-2110:
There are several man in the middle attacks possible with
NTLMSSP authentication.
E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
can be cleared by a man in the middle.
This was by protocol design in earlier Windows versions.
Windows Server 2003 RTM and Vista RTM introduced a way
to protect against the trivial downgrade.
See MsvAvFlags and flag 0x00000002 in
https://msdn.microsoft.com/en-us/library/cc236646.aspx
This new feature also implies support for a mechlistMIC
when used within SPNEGO, which may prevent downgrades
from other SPNEGO mechs, e.g. Kerberos, if sign or
seal is finally negotiated.
The Samba implementation doesn't enforce the existence of
required flags, which were requested by the application layer,
e.g. LDAP or SMB1 encryption (via the unix extensions).
As a result a man in the middle can take over the connection.
It is also possible to misguide client and/or
server to send unencrypted traffic even if encryption
was explicitly requested.
LDAP (with NTLMSSP authentication) is used as a client
by various admin tools of the Samba project,
e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
As an active directory member server LDAP is also used
by the winbindd service when connecting to domain controllers.
Samba also offers an LDAP server when running as
active directory domain controller.
The NTLMSSP authentication used by the SMB1 encryption
is protected by smb signing, see CVE-2015-5296.
o CVE-2016-2111:
It's basically the same as CVE-2015-0005 for Windows:
The NETLOGON service in Microsoft Windows Server 2003 SP2,
Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
and R2, when a Domain Controller is configured, allows remote
attackers to spoof the computer name of a secure channel's
endpoint, and obtain sensitive session information, by running a
crafted application and leveraging the ability to sniff network
traffic, aka "NETLOGON Spoofing Vulnerability".
The vulnerability in Samba is worse as it doesn't require
credentials of a computer account in the domain.
This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.
The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf.
Samba (the smbd process) will reject client using raw NTLMv2
without using NTLMSSP.
Note that this option also applies to Samba running as
standalone server and member server.
You should also consider using "lanman auth = no" (which is already the default)
and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
as they might impact compatibility with older clients. These also
apply for all server roles.
o CVE-2016-2112:
Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).
As active directory domain controller Samba also provides an LDAP server.
Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)
protection.
Samba has support for an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option as default.
In all cases, even if explicitly request via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the
middle.
The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".
As the default behavior was as "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.
o CVE-2016-2113:
Samba has support for TLS/SSL for some protocols:
ldap and http, but currently certificates are not
validated at all. While we have a "tls cafile" option,
the configured certificate is not used to validate
the server certificate.
This applies to ldaps:// connections triggered by tools like:
"ldbsearch", "ldbedit" and more. Note that it only applies
to the ldb tools when they are built as part of Samba or with Samba
extensions installed, which means the Samba builtin LDAP client library is
used.
It also applies to dcerpc client connections using ncacn_http (with https://),
which are only used by the openchange project. Support for ncacn_http
was introduced in version 4.2.0.
The security patches will introduce a new option called
"tls verify peer". Possible values are "no_check", "ca_only",
"ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
If you use the self-signed certificates which are auto-generated
by Samba, you won't have a crl file and need to explicitly
set "tls verify peer = ca_and_name".
o CVE-2016-2114
Due to a regression introduced in Samba 4.0.0,
an explicit "server signing = mandatory" in the [global] section
of the smb.conf was not enforced for clients using the SMB1 protocol.
As a result it does not enforce smb signing and allows man in the middle attacks.
This problem applies to all possible server roles:
standalone server, member server, classic primary domain controller,
classic backup domain controller and active directory domain controller.
In addition, when Samba is configured with "server role = active directory domain controller"
the effective default for the "server signing" option should be "mandatory".
During the early development of Samba 4 we had a new experimental
file server located under source4/smb_server. But before
the final 4.0.0 release we switched back to the file server
under source3/smbd.
But the logic for the correct default of "server signing" was not
ported correctly ported.
Note that the default for server roles other than active directory domain
controller, is "off" because of performance reasons.
o CVE-2016-2115:
Samba has an option called "client signing", this is turned off by default
for performance reasons on file transfers.
This option is also used when using DCERPC with ncacn_np.
In order to get integrity protection for ipc related communication
by default the "client ipc signing" option is introduced.
The effective default for this new option is "mandatory".
In order to be compatible with more SMB server implementations,
the following additional options are introduced:
"client ipc min protocol" ("NT1" by default) and
"client ipc max protocol" (the highest support SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol"
options, because the default for "client max protocol" is still "NT1".
The reason for this is the fact that all SMB2/3 support SMB signing,
while there are still SMB1 implementations which don't offer SMB signing
by default (this includes Samba versions before 4.0.0).
Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against active directory domain controllers despite of the
"client signing" and "client ipc signing" options.
o CVE-2016-2118 (a.k.a. BADLOCK):
The Security Account Manager Remote Protocol [MS-SAMR] and the
Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
are both vulnerable to man in the middle attacks. Both are application level
protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
These protocols are typically available on all Windows installations
as well as every Samba server. They are used to maintain
the Security Account Manager Database. This applies to all
roles, e.g. standalone, domain member, domain controller.
Any authenticated DCERPC connection a client initiates against a server
can be used by a man in the middle to impersonate the authenticated user
against the SAMR or LSAD service on the server.
The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
in this case. A man in the middle can change auth level to CONNECT
(which means authentication without message protection) and take over
the connection.
As a result, a man in the middle is able to get read/write access to the
Security Account Manager Database, which reveals all passwords
and any other potential sensitive information.
Samba running as an active directory domain controller is additionally
missing checks to enforce PKT_PRIVACY for the
Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
is not enforcing at least PKT_INTEGRITY.
====================
New smb.conf options
====================
allow dcerpc auth level connect (G)
This option controls whether DCERPC services are allowed to be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
message integrity nor privacy protection.
Some interfaces like samr, lsarpc and netlogon have a hard-coded default
of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
The behavior can be overwritten per interface name (e.g. lsarpc,
netlogon, samr, srvsvc, winreg, wkssvc ...) by using
'allow dcerpc auth level connect:interface = yes' as option.
This option yields precedence to the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
client ipc signing (G)
This controls whether the client is allowed or required to use
SMB signing for IPC$ connections as DCERPC transport. Possible
values are auto, mandatory and disabled.
When set to mandatory or default, SMB signing is required.
When set to auto, SMB signing is offered, but not enforced and
if set to disabled, SMB signing is not offered either.
Connections from winbindd to Active Directory Domain Controllers
always enforce signing.
Default: client ipc signing = default
client ipc max protocol (G)
The value of the parameter (a string) is the highest protocol level that will
be supported for IPC$ connections as DCERPC transport.
Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.
The value default refers to the latest supported protocol, currently SMB3_11.
See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
Default: client ipc max protocol = default
Example: client ipc max protocol = SMB2_10
client ipc min protocol (G)
This setting controls the minimum protocol version that the will be
attempted to use for IPC$ connections as DCERPC transport.
Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.
The value default refers to the higher value of NT1 and the
effective value of "client min protocol".
See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
Default: client ipc min protocol = default
Example: client ipc min protocol = SMB3_11
ldap server require strong auth (G)
The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.
A value of no allows simple and sasl binds over all transports.
A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.
A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.
Default: ldap server require strong auth = yes
raw NTLMv2 auth (G)
This parameter determines whether or not smbd(8) will allow SMB1 clients
without extended security (without SPNEGO) to use NTLMv2 authentication.
If this option, lanman auth and ntlm auth are all disabled, then only
clients with SPNEGO support will be permitted. That means NTLMv2 is only
supported within NTLMSSP.
Default: raw NTLMv2 auth = no
tls verify peer (G)
This controls if and how strict the client will verify the peer's
certificate and name. Possible values are (in increasing order): no_check,
ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
When set to no_check the certificate is not verified at all,
which allows trivial man in the middle attacks.
When set to ca_only the certificate is verified to be signed from a ca
specified in the "tls ca file" option. Setting "tls ca file" to a valid file
is required. The certificate lifetime is also verified. If the "tls crl file"
option is configured, the certificate is also verified against
the ca crl.
When set to ca_and_name_if_available all checks from ca_only are performed.
In addition, the peer hostname is verified against the certificate's
name, if it is provided by the application layer and not given as
an ip address string.
When set to ca_and_name all checks from ca_and_name_if_available are performed.
In addition the peer hostname needs to be provided and even an ip
address is checked against the certificate's name.
When set to as_strict_as_possible all checks from ca_and_name are performed.
In addition the "tls crl file" needs to be configured. Future versions
of Samba may implement additional checks.
Default: tls verify peer = as_strict_as_possible
tls priority (G) (backported from Samba 4.3 to Samba 4.2)
This option can be set to a string describing the TLS protocols to be
supported in the parts of Samba that use GnuTLS, specifically the AD DC.
The default turns off SSLv3, as this protocol is no longer considered
secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
in HTTPS applications.
The valid options are described in the GNUTLS Priority-Strings
documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
Default: tls priority = NORMAL:-VERS-SSL3.0
================
Behavior changes
================
o The default auth level for authenticated binds has changed from
DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
That means ncacn_ip_tcp:server is now implicitly the same
as ncacn_ip_tcp:server[sign] and offers a similar protection
as ncacn_np:server, which relies on smb signing.
o The following constraints are applied to SMB1 connections:
- "client lanman auth = yes" is now consistently
required for authenticated connections using the
SMB1 LANMAN2 dialect.
- "client ntlmv2 auth = yes" and "client use spnego = yes"
(both the default values), require extended security (SPNEGO)
support from the server. That means NTLMv2 is only used within
NTLMSSP.
o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
default of "client ldap sasl wrapping = sign". Even with
"client ldap sasl wrapping = plain" they will automatically upgrade
to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
server.
Changes since 4.3.6:
====================
o Jeremy Allison <[email protected]>
* Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Christian Ambach <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Ralph Boehme <[email protected]>
* Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
integrity protection.
o Günther Deschner <[email protected]>
* Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Björn Jacke <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Volker Lendecke <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Stefan Metzmacher <[email protected]>
* Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
* Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
* Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
integrity protection.
* Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
* Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
* Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
* Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
the middle attacks.
* Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
integrity protected.
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
o Richard Sharpe <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
=============================
Release Notes for Samba 4.3.6
March 8, 2016
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)
=======
Details
=======
o CVE-2015-7560:
All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.
An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory
linked to.
o CVE-2016-0771:
All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and choose to run the internal DNS server, are vulnerable to an
out-of-bounds read issue during DNS TXT record handling caused by users
with permission to modify DNS records.
A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger this exploit.
While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.
By default only authenticated accounts can upload DNS records,
as "allow dns updates = secure only" is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.
Changes since 4.3.5:
--------------------
o Jeremy Allison <[email protected]>
* BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
change permissions on link target.
o Garming Sam <[email protected]>
* BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
handling.
o Stefan Metzmacher <[email protected]>
* BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
handling.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Older release notes to follow:
------------------------------
=============================
Release Notes for Samba 4.3.5
February 23, 2016
=============================
This is the latest stable release of Samba 4.3.
Changes since 4.3.4:
--------------------
o Jeremy Allison <[email protected]>
* BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
filesystem with no ACL support.
* BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
o Christian Ambach <[email protected]>
* BUG 6482: s3:utils/smbget: Fix recursive download.
* BUG 11400: s3:smbd/oplock: Obey kernel oplock setting when releasing
oplocks.
o Alexander Bokovoy <[email protected]>
* BUG 11693: s3-parm: Clean up defaults when removing global parameters.
o Ralph Boehme <[email protected]>
* BUG 11684: s3:smbd: Ignore initial allocation size for directory creation.
* BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.
o Amitay Isaacs <[email protected]>
* BUG 11705: ctdb: Remove error messages after kernel security update
(CVE-2015-8543).
o Volker Lendecke <[email protected]>
* BUG 11732: param: Fix str_list_v3 to accept ";" again.
o Stefan Metzmacher <[email protected]>
* BUG 11699: Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4.
o Jose A. Rivera <[email protected]>
* BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
creating a new file.
o Christof Schmitt <[email protected]>
* BUG 11670: winbindd: Handle expired sessions correctly.
o Andreas Schneider <[email protected]>
* BUG 11690: s3-client: Add a KRB5 wrapper for smbspool.
o Uri Simchoni <[email protected]>
* BUG 11580: vfs_shadow_copy2: Fix case where snapshots are outside the
share.
* BUG 11662: smbclient: Query disk usage relative to current directory.
* BUG 11681: smbd: Show correct disk size for different quota and dfree block
sizes.
* BUG 11682: smbcacls: Fix uninitialized variable.
o Martin Schwenke <[email protected]>
* BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...".
o Hemanth Thummala <[email protected]>
* BUG 11708: loadparm: Fix memory leak issue.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.3.4
January 12, 2016
=============================
This is the latest stable release of Samba 4.3.
Changes since 4.3.3:
--------------------
o Michael Adam <[email protected]>
* BUG 11619: doc: Fix a typo in the smb.conf manpage, explanation of idmap
config.
* BUG 11647: s3:smbd: Fix a corner case of the symlink verification.
o Jeremy Allison <[email protected]>
* BUG 11624: s3: libsmb: Correctly initialize the list head when keeping a
list of primary followed by DFS connections.
* BUG 11625: Reduce the memory footprint of empty string options.
o Douglas Bagnall <[email protected]>
* BUG 11659: Update lastLogon and lastLogonTimestamp.
o Ralph Boehme <[email protected]>
* BUG 11065: vfs_fruit: Enable POSIX directory rename semantics.
* BUG 11466: Copying files with vfs_fruit fails when using vfs_streams_xattr
without stream prefix and type suffix.
* BUG 11645: smbd: Make "hide dot files" option work with "store dos
attributes = yes".
o Günther Deschner <[email protected]>
* BUG 11639: lib/async_req: Do not install async_connect_send_test.
o Stefan Metzmacher <[email protected]>
* BUG 11394: Crash: Bad talloc magic value - access after free.
o Rowland Penny <[email protected]>
* BUG 11613: samba-tool: Fix uncaught exception if no fSMORoleOwner
attribute is given.
o Karolin Seeger <[email protected]>
* BUG 11619: docs: Fix some typos in the idmap backend section.
* BUG 11641: docs: Fix typos in man vfs_gpfs.
o Uri Simchoni <[email protected]>
* BUG 11649: smbd: Do not disable "store dos attributes" on-the-fly.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.3.3
December 16, 2015
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-3223 (Denial of service in Samba Active Directory
server)
o CVE-2015-5252 (Insufficient symlink verification in smbd)
o CVE-2015-5299 (Missing access control check in shadow copy
code)
o CVE-2015-5296 (Samba client requesting encryption vulnerable
to downgrade attack)
o CVE-2015-8467 (Denial of service attack against Windows
Active Directory server)
o CVE-2015-5330 (Remote memory read in Samba LDAP server)
Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24. This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.
=======
Details
=======
o CVE-2015-3223:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a denial of service attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to become unresponsive, preventing the server
from servicing any other requests.
This flaw is not exploitable beyond causing the code to loop expending
CPU resources.
o CVE-2015-5252:
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).
o CVE-2015-5299:
All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.
This was not being checked in the affected versions of Samba.
o CVE-2015-5296:
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.
Without this a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted
connection.
o CVE-2015-8467:
Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.
Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.
o CVE-2015-5330:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.
This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.
The memory may either be returned to the client in an error string, or
stored in the database by a suitabily privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable.
Changes since 4.3.2:
--------------------
o Andrew Bartlett <[email protected]>
* BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
userAccountControl.
o Jeremy Allison <[email protected]>
* BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
* BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
access outside the share).
* BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
snapdir.
o Douglas Bagnall <[email protected]>
* BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
o Stefan Metzmacher <[email protected]>
* BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
smb encryption on the client side.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.3.2
December 01, 2015
=============================
This is the latest stable release of Samba 4.3.
Changes since 4.3.1:
--------------------
o Michael Adam <[email protected]>
* BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
o Jeremy Allison <[email protected]>
* BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an
attribute type of zero.
* BUG 11565: auth: gensec: Fix a memory leak.
* BUG 11566: lib: util: Make non-critical message a warning.
* BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2
create containing them.
* BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files
below an open directory handle.
o Ralph Boehme <[email protected]>
* BUG 11562: s4:lib/messaging: Use correct path for names.tdb.
* BUG 11564: async_req: Fix non-blocking connect().
o Volker Lendecke <[email protected]>
* BUG 11243: vfs_gpfs: Re-enable share modes.
* BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
* BUG 11612: winbind: Fix crash on invalid idmap configs.
o YvanM <[email protected]>
* BUG 11584: manpage: Correct small typo error.
o Stefan Metzmacher <[email protected]>
* BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus.
* BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE()
clearer.
o Marc Muehlfeld <[email protected]>
* BUG 9912: Changing log level of two entries to DBG_NOTICE.
* BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch().
o Noel Power <[email protected]>
* BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
* BUG 11597: Backport some valgrind fixes from upstream master.