Bug 702928 (CVE-2019-14861) - <net-fs/samba-{4.9.17,4.10.11,4.11.4}: multiple vulnerabilities (CVE-2019-{14861,14870})
Status: RESOLVED FIXED
Alias: CVE-2019-14861
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Blocks: CVE-2019-14870
Reported: 2019-12-14 21:32 UTC by GLSAMaker/CVETool Bot
Modified: 2022-11-16 15:23 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-14 21:32:45 UTC
CVE-2019-14861 (https://nvd.nist.gov/vuln/detail/CVE-2019-14861):
  All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x
  before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe
  provides administrative facilities to modify DNS records and zones. Samba,
  when acting as an AD DC, stores DNS records in LDAP. In AD, the default
  permissions on the DNS partition allow creation of new records by
  authenticated users. This is used for example to allow machines to
  self-register in DNS. If a DNS record was created that case-insensitively
  matched the name of the zone, the ldb_qsort() and dns_name_compare()
  routines could be confused into reading memory prior to the list of DNS
  entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and
  so following invalid memory as a pointer.

CVE-2019-14870 (https://nvd.nist.gov/vuln/detail/CVE-2019-14870):
  All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x
  before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation
  model includes a feature allowing for a subset of clients to be opted out of
  constrained delegation in any way, either S4U2Self or regular Kerberos
  authentication, by forcing all tickets for these clients to be
  non-forwardable. In AD this is implemented by a user attribute
  delegation_not_allowed (aka not-delegated), which translates to
  disallow-forwardable. However the Samba AD DC does not do that for S4U2Self
  and does set the forwardable flag even if the impersonated client has the
  not-delegated flag set.
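
The not-delegated rule from the CVE-2019-14870 description, as a simplified model added here (it is not Samba's code and not part of the bug report). The function, class and account names are hypothetical; the two constants are the userAccountControl NOT_DELEGATED bit and the RFC 4120 forwardable ticket flag, and the check at the end is the invariant a regression test for this issue would assert.

```python
from dataclasses import dataclass

# userAccountControl bit "account is sensitive and cannot be delegated".
UF_NOT_DELEGATED = 0x00100000
# Kerberos TicketFlags bit 1 (forwardable), RFC 4120.
TKT_FORWARDABLE = 0x40000000


@dataclass
class Account:  # hypothetical stand-in for a directory entry
    name: str
    user_account_control: int

    @property
    def not_delegated(self) -> bool:
        return bool(self.user_account_control & UF_NOT_DELEGATED)


def s4u2self_flags_affected(client: Account, base_flags: int) -> int:
    """Behaviour the description reports: forwardable is set regardless."""
    return base_flags | TKT_FORWARDABLE


def s4u2self_flags_expected(client: Account, base_flags: int) -> int:
    """Not-delegated clients only ever receive non-forwardable tickets.

    Other conditions that govern forwardable are outside this model.
    """
    if client.not_delegated:
        return base_flags & ~TKT_FORWARDABLE
    return base_flags | TKT_FORWARDABLE


def violations(issue, accounts, base_flags=0):
    """Names of not-delegated accounts that would get a forwardable ticket."""
    return [a.name for a in accounts
            if a.not_delegated and issue(a, base_flags) & TKT_FORWARDABLE]


# Constructed sample accounts (0x200 = NORMAL_ACCOUNT).
ACCOUNTS = [
    Account("alice", 0x200),
    Account("svc-admin", 0x200 | UF_NOT_DELEGATED),
]

if __name__ == "__main__":
    print("affected:", violations(s4u2self_flags_affected, ACCOUNTS))
    print("expected:", violations(s4u2self_flags_expected, ACCOUNTS))
```
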
Comment 1 Larry the Git Cow gentoo-dev 2019-12-17 13:50:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e5574cfdbc454b77bf24f6a88914eb57ff03b78

commit 6e5574cfdbc454b77bf24f6a88914eb57ff03b78
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-12-17 13:47:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-12-17 13:50:01 +0000

    net-fs/samba: Security bump to versions 4.9.17, 4.10.11 and 4.11.4
    
    Bug: https://bugs.gentoo.org/702928
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-fs/samba/Manifest             |   3 +
 net-fs/samba/samba-4.10.11.ebuild | 315 ++++++++++++++++++++++++++++++++++++++
 net-fs/samba/samba-4.11.4.ebuild  | 311 +++++++++++++++++++++++++++++++++++++
 net-fs/samba/samba-4.9.17.ebuild  | 308 +++++++++++++++++++++++++++++++++++++
 4 files changed, 937 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 04:01:26 UTC
Is there currently a bug preventing stabilisation for sparc, hppa, or just behind?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 16:17:41 UTC
Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 16:37:17 UTC
This issue was resolved and addressed in
 GLSA 202003-52 at https://security.gentoo.org/glsa/202003-52
by GLSA coordinator Thomas Deutschmann (whissi).