Opened 9 years ago
Closed 9 years ago
#7533 closed enhancement (fixed)
samba-4.4.0
Reported by: | Owned by: | blfs-book | |
---|---|---|---|
Priority: | high | Milestone: | 7.10 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version
Change History (8)
follow-up: 2 comment:1 by , 9 years ago
Priority: | normal → high |
---|
comment:2 by , 9 years ago
Replying to renodr:
This is a security release in order to address the following CVEs:
o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)
======= Details =======
o CVE-2015-7560:
All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.
An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7560 SEVERITY: MEDIUM
o CVE-2016-0771:
All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and choose to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records.
A malicious client can upload a specially constructed DNS TXT record, resulting in a remote denial-of-service attack. As long as the affected TXT record remains undisturbed in the Samba database, a targeted DNS query may continue to trigger this exploit.
While unlikely, the out-of-bounds read may bypass safety checks and allow leakage of memory from the server in the form of a DNS TXT reply.
By default only authenticated accounts can upload DNS records, as "allow dns updates = secure only" is the default. Any other value would allow anonymous clients to trigger this bug, which is a much higher risk.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0771 SEVERITY: MEDIUM
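A defender-side check for the setting named in the CVE-2016-0771 notes above, as an added example that is not part of this ticket or of Samba's own code: it reads the [global] section of an smb.conf and reports whether "allow dns updates" is still at its "secure only" default. The sample configuration and the function names are constructed for illustration, and only the full role name "active directory domain controller" is recognised as an AD DC.

```python
# Added example: audit the smb.conf setting named in the CVE-2016-0771 notes.
SAMPLE_CONF = """\
# constructed sample, not taken from a real host
[global]
    server role = active directory domain controller
    Allow DNS Updates = nonsecure
; commented-out line, must be ignored
;   allow dns updates = secure only
[share]
    path = /srv/share
"""

def _norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names
    return "".join(name.split()).lower()

def global_params(text):
    """Return {normalised name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # a trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' is significant
            params[_norm(name)] = value.strip()
    return params

def audit_dns_updates(text):
    """Report the effective 'allow dns updates' value and the server role."""
    p = global_params(text)
    role = " ".join(p.get("serverrole", "auto").lower().split())
    # "secure only" applies when the parameter is absent (the default per the notes)
    updates = " ".join(p.get("allowdnsupdates", "secure only").lower().split())
    return {
        "ad_dc": role == "active directory domain controller",
        "allow_dns_updates": updates,
        "needs_review": updates != "secure only",
    }
```

Calling `audit_dns_updates(open("/etc/samba/smb.conf").read())` runs the same check on a real file; that path is an assumption and varies by installation.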
comment:3 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
After discussion with Bruce, I have decided to accept the KRB and Samba updates for trunk as well as systemd. Note: even though it is April 1st, this is not an April Fools' joke!
comment:4 by , 9 years ago
I should be able to start working on this and KRB5 tomorrow. I also bought a miniature book on Samba to aid me here.
comment:5 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | assigned → new |
Won't have time to work on it anytime soon.
comment:7 by , 9 years ago
There is an interesting line output from configure:
Checking getconf LFS_CFLAGS : not found
I wonder what that is?