samba-4.9.4

[Bruce Dubbs]

New point version.

[Douglas R. Reno]

Now 4.9.3

Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available

These are security releases in order to address
CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server),
CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT),
CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server),
CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers),
CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) and
CVE-2018-16857 (Bad password count in AD DC not always effective). 

[Douglas R. Reno]

Now 4.9.4. Three more critical CVEs. Consider bumping to Highest priority.

[Douglas R. Reno]

Change Notes, here we go!

4.9.2

Changes since 4.9.1:
--------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13418: dsdb: Add comments explaining the limitations of our current
     backlink behaviour.
   * BUG 13621: Fix problems running domain backups (handling SMBv2, sites).

o  Tim Beale <timbeale@catalyst.net.nz>
   * BUG 13621: Fix problems running domain backups (handling SMBv2, sites).

o  Ralph Boehme <slow@samba.org>
   * BUG 13465: testparm: Fix crashes with PANIC: Messaging not initialized on
     SLES 12 SP3.
   * BUG 13642: Make vfs_fruit able to cleanup AppleDouble files.
   * BUG 13646: File saving issues with vfs_fruit on samba >= 4.8.5.
   * BUG 13649: Enabling vfs_fruit looses FinderInfo.
   * BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error
     NT_STATUS_INTERNAL_ERROR.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and
     simplify vacuuming.

o  Volker Lendecke <vl@samba.org>
   * BUG 13465: examples: Fix the smb2mount build.
   * BUG 13629: libtevent: Fix build due to missing open_memstream on Illiumos.
   * BUG 13662: winbindd_cache: Fix timeout calculation for sid<->name cache.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 13653: dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13418: Extended DN SID component missing for member after switching
     group membership.
   * BUG 13624: Return STATUS_SESSION_EXPIRED error encrypted, if the request
     was encrypted.

o  David Mulder <dmulder@suse.com>
   * BUG 13621: python: Allow forced signing via smb.SMB().
   * BUG 13665: lib:socket: If returning early, set ifaces.

o  Noel Power <noel.power@suse.com>
   * BUG 13616: ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept
     utf8 encoded unicode.

o  Christof Schmitt <cs@samba.org>
   * BUG 13465: testparm: Fix crashes with PANIC: Messaging not initialized on
     SLES 12 SP3.
   * BUG 13673: smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY
     attribute.

o  Andreas Schneider <asn@samba.org>
   * BUG 13601: waf: Add -fstack-clash-protection.
   * BUG 13668: winbind: Fix segfault if an invalid passdb backend is
     configured.

o  Martin Schwenke <martin@meltin.net>
   * BUG 13659: Fix bugs in CTDB event handling.
   * BUG 13670: Misbehaving nodes are sometimes not banned.

4.9.3

This is a security release in order to address the following defects:

o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
                   Internal DNS server)
o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o  CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
                   configuration (unsupported))
o  CVE-2018-16857 (Bad password count in AD DC not always effective)


=======
Details
=======

o  CVE-2018-14629:
   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
   query recursion caused by CNAME loops. Any dns record can be added via
   ldap by an unprivileged user using the ldbadd tool, so this is a
   security issue.

o  CVE-2018-16841:
   When configured to accept smart-card authentication, Samba's KDC will call
   talloc_free() twice on the same memory if the principal in a validly signed
   certificate does not match the principal in the AS-REQ.

   This is only possible after authentication with a trusted certificate.

   talloc is robust against further corruption from a double-free with
   talloc_free() and directly calls abort(), terminating the KDC process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16851:
   During the processing of an LDAP search before Samba's AD DC returns
   the LDAP entries to the client, the entries are cached in a single
   memory object with a maximum size of 256MB.  When this size is
   reached, the Samba process providing the LDAP service will follow the
   NULL pointer, terminating the process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16852:
   During the processing of an DNS zone in the DNS management DCE/RPC server,
   the internal DNS server or the Samba DLZ plugin for BIND9, if the
   DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
   property is set, the server will follow a NULL pointer and terminate.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16853:
   A user in a Samba AD domain can crash the KDC when Samba is built in the
   non-default MIT Kerberos configuration.

   With this advisory we clarify that the MIT Kerberos build of the Samba
   AD DC is considered experimental.  Therefore the Samba Team will not
   issue security patches for this configuration.

o  CVE-2018-16857:
   AD DC Configurations watching for bad passwords (to restrict brute forcing
   of passwords) in a window of more than 3 minutes may not watch for bad
   passwords at all.

For more details and workarounds, please refer to the security advisories.


Changes since 4.9.2:
--------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
     mis-matching principal.
   * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
     Kerberos is experimental

o  Tim Beale <timbeale@catalyst.net.nz>
   * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat
     lockOutObservationWindow as 64-bit int.

o  Joe Guo <joeg@catalyst.net.nz>
   * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after
     class or function definition, found 1.

o  Aaron Haslett <aaronhaslett@catalyst.net.nz>
   * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC
     DNS management.

o  Garming Sam <garming@catalyst.net.nz>
   * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.

4.9.4

Major bug fixes include:
------------------------

   o dns: Fix CNAME loop prevention using counter regression (bug #13600).


Changes since 4.9.3:
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 9175: libcli/smb: Don't overwrite status code.
   * BUG 12164: wbinfo --group-info 'NT AUTHORITY\System' does not work.
   * BUG 13661: Session setup reauth fails to sign response.
   * BUG 13677: vfs_fruit: Validation of writes on AFP_AfpInfo stream.
   * BUG 13688: vfs_shadow_copy2: Nicely deal with attempts to open previous
     version for writing.
   * BUG 13455: Restoring previous version of stream with vfs_shadow_copy2 fails
     with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.

o  Günther Deschner <gd@samba.org>
   * BUG 13708: s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs.

o  Joe Guo <joeg@catalyst.net.nz>
   * PEP8: fix E231: missing whitespace after ','.

o  Volker Lendecke <vl@samba.org>
   * BUG 13629: winbindd: Fix crash when taking profiles.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13600: CVE-2018-14629 dns: Fix CNAME loop prevention using counter
     regression.

o  Garming Sam <garming@catalyst.net.nz>
   * BUG 13686: 'samba-tool user syscpasswords' fails on a domain with many DCs. 

o  Andreas Schneider <asn@samba.org>
   * BUG 13571: CVE-2018-16853: Do not segfault if client is not set.
   * BUG 13679: lib:util: Fix DEBUGCLASS pointer initializiation.

o  Martin Schwenke <martin@meltin.net>
   * BUG 13696: ctdb-daemon: Exit with error if a database directory does not
     exist.

o  Justin Stephenson <jstephen@redhat.com>
   * BUG 13498: s3:libads: Add net ads leave keep-account option.

[Douglas R. Reno]

Some notes here:

I ran the test suite (make test) because I do so for every release to point out possible issues as it affects our configuation options 1 and 2.

I've found a handful of regressions in 4.9.4. Three different things can occur when running the test suite - a fork() bomb happens, which can crash the system. It's also possible for an infinite loop to happen with CNAME resolution - which lead to a process running away even after I killed the test suite manually via Ctrl+C. Thirdly, there is a problem with smbclient that was discovered via this test suite. If I share more than 100 files (and my file server, which has samba-4.9.1 on it, has close to 10k files in one share), smbclient will disconnect and then subsequently crash.

DJ has also reported an issue to me regarding BIND9 and Samba. He had to setup service management for named to have a 2 second delay and then restart upon fail.

I do not want to drop this in the book, because it breaks configurations, but I might still have to anyway just to fix the security problems. If I do, I will update to Samba-4.9.5 the day that it releases, rain, shine, or snow.

I'm going to let the test suite finish on it's own now, and then commit it (although reluctantly).

[Douglas R. Reno]

Fixed at r20921