Opened 6 years ago
Closed 6 years ago
#11331 closed enhancement (fixed)
samba-4.9.4
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 8.4 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (5)
comment:1 by , 6 years ago
Owner: | changed from | to
---|---|
Priority: | normal → high |
Status: | new → assigned |
Summary: | samba-4.9.2 → samba-4.9.3 |
comment:2 by , 6 years ago
Summary: | samba-4.9.3 → samba-4.9.4 |
---|
Now 4.9.4. Three more critical CVEs. Consider bumping to Highest priority.
comment:3 by , 6 years ago
Change Notes, here we go!
4.9.2
Changes since 4.9.1:
--------------------

o Andrew Bartlett <abartlet@samba.org>
  * BUG 13418: dsdb: Add comments explaining the limitations of our current backlink behaviour.
  * BUG 13621: Fix problems running domain backups (handling SMBv2, sites).

o Tim Beale <timbeale@catalyst.net.nz>
  * BUG 13621: Fix problems running domain backups (handling SMBv2, sites).

o Ralph Boehme <slow@samba.org>
  * BUG 13465: testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3.
  * BUG 13642: Make vfs_fruit able to cleanup AppleDouble files.
  * BUG 13646: File saving issues with vfs_fruit on samba >= 4.8.5.
  * BUG 13649: Enabling vfs_fruit looses FinderInfo.
  * BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR.

o Amitay Isaacs <amitay@gmail.com>
  * BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming.

o Volker Lendecke <vl@samba.org>
  * BUG 13465: examples: Fix the smb2mount build.
  * BUG 13629: libtevent: Fix build due to missing open_memstream on Illiumos.
  * BUG 13662: winbindd_cache: Fix timeout calculation for sid<->name cache.

o Gary Lockyer <gary@catalyst.net.nz>
  * BUG 13653: dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path.

o Stefan Metzmacher <metze@samba.org>
  * BUG 13418: Extended DN SID component missing for member after switching group membership.
  * BUG 13624: Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted.

o David Mulder <dmulder@suse.com>
  * BUG 13621: python: Allow forced signing via smb.SMB().
  * BUG 13665: lib:socket: If returning early, set ifaces.

o Noel Power <noel.power@suse.com>
  * BUG 13616: ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode.

o Christof Schmitt <cs@samba.org>
  * BUG 13465: testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3.
  * BUG 13673: smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute.

o Andreas Schneider <asn@samba.org>
  * BUG 13601: waf: Add -fstack-clash-protection.
  * BUG 13668: winbind: Fix segfault if an invalid passdb backend is configured.

o Martin Schwenke <martin@meltin.net>
  * BUG 13659: Fix bugs in CTDB event handling.
  * BUG 13670: Misbehaving nodes are sometimes not banned.
4.9.3
This is a security release in order to address the following defects:

o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)

=======
Details
=======

o CVE-2018-14629:
  All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue.

o CVE-2018-16841:
  When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. There is no further vulnerability associated with this issue, merely a denial of service.

o CVE-2018-16851:
  During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service.

o CVE-2018-16852:
  During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service.

o CVE-2018-16853:
  A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory we clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this configuration.

o CVE-2018-16857:
  AD DC Configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all.

For more details and workarounds, please refer to the security advisories.

Changes since 4.9.2:
--------------------

o Andrew Bartlett <abartlet@samba.org>
  * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with mis-matching principal.
  * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT Kerberos is experimental

o Tim Beale <timbeale@catalyst.net.nz>
  * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int.

o Joe Guo <joeg@catalyst.net.nz>
  * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after class or function definition, found 1.

o Aaron Haslett <aaronhaslett@catalyst.net.nz>
  * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.

o Gary Lockyer <gary@catalyst.net.nz>
  * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC DNS management.

o Garming Sam <garming@catalyst.net.nz>
  * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.
4.9.4
Major bug fixes include:
------------------------

o dns: Fix CNAME loop prevention using counter regression (bug #13600).

Changes since 4.9.3:
--------------------

o Ralph Boehme <slow@samba.org>
  * BUG 9175: libcli/smb: Don't overwrite status code.
  * BUG 12164: wbinfo --group-info 'NT AUTHORITY\System' does not work.
  * BUG 13661: Session setup reauth fails to sign response.
  * BUG 13677: vfs_fruit: Validation of writes on AFP_AfpInfo stream.
  * BUG 13688: vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing.
  * BUG 13455: Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name.

o Isaac Boukris <iboukris@gmail.com>
  * BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.

o Günther Deschner <gd@samba.org>
  * BUG 13708: s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs.

o Joe Guo <joeg@catalyst.net.nz>
  * PEP8: fix E231: missing whitespace after ','.

o Volker Lendecke <vl@samba.org>
  * BUG 13629: winbindd: Fix crash when taking profiles.

o Stefan Metzmacher <metze@samba.org>
  * BUG 13600: CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression.

o Garming Sam <garming@catalyst.net.nz>
  * BUG 13686: 'samba-tool user syscpasswords' fails on a domain with many DCs.

o Andreas Schneider <asn@samba.org>
  * BUG 13571: CVE-2018-16853: Do not segfault if client is not set.
  * BUG 13679: lib:util: Fix DEBUGCLASS pointer initializiation.

o Martin Schwenke <martin@meltin.net>
  * BUG 13696: ctdb-daemon: Exit with error if a database directory does not exist.

o Justin Stephenson <jstephen@redhat.com>
  * BUG 13498: s3:libads: Add net ads leave keep-account option.
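The "CNAME loop prevention using counter" fix named in the 4.9.3 and 4.9.4 notes above, as an added illustration that is not Samba's own code: a constructed in-memory zone and a chain walker that stops after a fixed number of CNAME hops instead of recursing forever (the zone records and the MAX_CNAME_HOPS value are assumptions, not Samba's).

```python
# Added example (not Samba code): a toy zone and a CNAME chain walker that
# demonstrates the bounded-hop-counter approach described for CVE-2018-14629.
# ZONE contents and MAX_CNAME_HOPS are constructed/assumed for illustration.

MAX_CNAME_HOPS = 20  # assumed bound; the page does not state Samba's limit

# Constructed records: a normal two-step chain, a two-record cycle, a self-loop.
ZONE = {
    "www.example.test.":   ("CNAME", "web.example.test."),
    "web.example.test.":   ("A", "192.0.2.10"),
    "loop1.example.test.": ("CNAME", "loop2.example.test."),
    "loop2.example.test.": ("CNAME", "loop1.example.test."),
    "self.example.test.":  ("CNAME", "self.example.test."),
}


def lookup(name, zone=ZONE, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from `name` until a non-CNAME record is reached.

    Returns a dict whose "status" is "ok" (terminal record found),
    "nxdomain" (chain points at a missing name) or "loop" (hop counter
    exhausted). Without the counter, the cycles in ZONE would spin forever,
    which is the infinite query recursion the 4.9.3 advisory describes.
    """
    chain = [name]
    hops = 0
    while True:
        record = zone.get(name)
        if record is None:
            return {"status": "nxdomain", "chain": chain, "record": None}
        rtype, rdata = record
        if rtype != "CNAME":
            return {"status": "ok", "chain": chain, "record": record}
        hops += 1
        if hops > max_hops:
            # Bound reached: report an error rather than following the chain further.
            return {"status": "loop", "chain": chain, "record": None}
        name = rdata
        chain.append(name)


if __name__ == "__main__":
    for qname in ("www.example.test.", "loop1.example.test.",
                  "self.example.test.", "missing.example.test."):
        print(qname, lookup(qname)["status"])
```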
comment:4 by , 6 years ago
Some notes here:
I ran the test suite (make test) because I do so for every release to point out possible issues as it affects our configuration options 1 and 2.
I've found a handful of regressions in 4.9.4. Three different things can occur when running the test suite - a fork() bomb happens, which can crash the system. It's also possible for an infinite loop to happen with CNAME resolution - which led to a process running away even after I killed the test suite manually via Ctrl+C. Thirdly, there is a problem with smbclient that was discovered via this test suite. If I share more than 100 files (and my file server, which has samba-4.9.1 on it, has close to 10k files in one share), smbclient will disconnect and then subsequently crash.
DJ has also reported an issue to me regarding BIND9 and Samba. He had to set up service management for named to have a 2 second delay and then restart upon fail.
I do not want to drop this in the book, because it breaks configurations, but I might still have to anyway just to fix the security problems. If I do, I will update to Samba-4.9.5 the day that it releases, rain, shine, or snow.
I'm going to let the test suite finish on its own now, and then commit it (although reluctantly).
Now 4.9.3