Summary: | net-fs/samba-{4.18.9,4.19.3}: insufficient object deletion | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | ajak, bkohler, ole+gentoo, samba |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://www.samba.org/samba/history/samba-4.19.3.html | | |
Whiteboard: | B4 [glsa+] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 920512 | | |
Bug Blocks: | | | |
Description
John Helmert III
2023-01-18 04:48:04 UTC
4.19.3 has been released with a fix according to the release notes:

"This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bug CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html"

Note that manual administrator intervention will be required to fix this.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65207b4f907c4ca868ce51d94fe24bb9e9e9924

commit f65207b4f907c4ca868ce51d94fe24bb9e9e9924
Author: Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit: Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-11-27 20:46:16 +0000

net-fs/samba: add 4.19.3

Bug: https://bugs.gentoo.org/891267
Signed-off-by: Ben Kohler <bkohler@gentoo.org>

net-fs/samba/Manifest | 1 +
net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
2 files changed, 383 insertions(+)

Hm, new branch, are we able to stabilize? If not, are we sure there's no fixes in older branches that we'd be able to stabilize?

I think we're ok to start stabilization on 4.19.3, I don't know of any outstanding regressions on the new series.

Samba is a really large and complex system and my experience with the last several main releases was that it was often taking several months for all critical regressions to be first identified and then fixed. So, while samba-4.19 was released 3 months ago and so 4.19.3 seems like a good target, perhaps we can also include 4.18.9 [1] which has the same fix?

At the same time, we probably also want to drop samba-4.18.4-r1.ebuild, samba-4.18.5-r1.ebuild, samba-4.18.6-r1.ebuild and samba-4.18.7.ebuild from the tree? See https://bugs.gentoo.org/915556

Same for samba-4.19.1.ebuild - https://bugs.gentoo.org/915867.

[1] https://www.samba.org/samba/history/samba-4.18.9.html

Ah, looks like 4.18.9 got a fix for this as well!

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06001d963251a6b3fb59d2a17ad7a695789e70f0

commit 06001d963251a6b3fb59d2a17ad7a695789e70f0
Author: Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-12-04 21:02:44 +0000
Commit: Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-12-04 21:03:34 +0000

net-fs/samba: add 4.18.9

Bug: https://bugs.gentoo.org/891267
Signed-off-by: Ben Kohler <bkohler@gentoo.org>

net-fs/samba/Manifest | 1 +
net-fs/samba/samba-4.18.9.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
2 files changed, 384 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

[ GLSA 202402-28 ] Samba: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/891267
Bug: https://bugs.gentoo.org/910606
Bug: https://bugs.gentoo.org/915556
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)