NOTE: This release is designated as "critical" by the Samba team.


{{{
=============================
Release Notes for Samba 4.8.4
August 14, 2018
=============================


This is a security release in order to address the following defects:

o  CVE-2018-1139 (Weak authentication protocol allowed.)
o  CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o  CVE-2018-10858 (Insufficient input validation on client directory
   listing in libsmbclient.)
o  CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
   server.)


=======
Details
=======

o  CVE-2018-1139:
   Vulnerability that allows authentication via NTLMv1 even if disabled.

o  CVE-2018-1140:
   Missing null pointer checks may crash the Samba AD DC, both over
   DNS and LDAP.

o  CVE-2018-10858:
   A malicious server could return a directory entry that could corrupt
   libsmbclient memory.

o  CVE-2018-10918:
   Missing null pointer checks may crash the Samba AD DC, over the
   authenticated DRSUAPI RPC service.

o  CVE-2018-10919:
   Missing access control checks allow discovery of confidential attribute
   values via authenticated LDAP search expressions.


Changes since 4.8.3:
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
     returns from malicious servers.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13374: CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
     with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
   * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
     no servicePrincipalName is set on a user.

o  Tim Beale <timbeale@catalyst.net.nz>
   * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
     searches.

o  Günther Deschner <gd@samba.org>
   * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
     is disabled via "ntlm auth".

o  Andrej Gessel <Andrej.Gessel@janztec.com>
   * BUG 13374: CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
     ltdb_index_dn_attr().
}}}