Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 915867 (CVE-2023-5568)

Summary: <net-fs/samba-4.19.2: multiple vulnerabilities
Product: Gentoo Security Reporter: Krzysztof Olędzki <ole+gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: UNCONFIRMED ---    
Severity: major CC: hydrapolic, samba
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: C3 [stable?]
Package list:
Runtime testing required: ---

Description Krzysztof Olędzki 2023-10-16 20:58:01 UTC
                   Release Notes for Samba 4.19.2
                          October 16, 2023

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.1

o  Jeremy Allison <>
   * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
     after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()

o  Ralph Boehme <>
   * BUG 15463: macOS mdfind returns only 50 results.

o  Volker Lendecke <>
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
     previous cache entry value.

o  Stefan Metzmacher <>
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
     impacts sendmail, zabbix, potentially more.

o  Martin Schwenke <>
   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.

o  Joseph Sutton <>
   * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
     Heimdal KDC in Samba 4.19
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
     in use.
Comment 1 Krzysztof Olędzki 2023-10-16 20:58:19 UTC
Comment 2 Krzysztof Olędzki 2023-10-16 21:03:11 UTC
Looking at, we probably don't need a GLSA, but both samba-4.19.0-r1.ebuild and samba-4.19.1.ebuild should be dropped once samba-4.19.2.ebuild gets added.

Especially that another important change in this release is fixing libnss_winbind memory corruption. For samba-4.18 it was fixed in samba-4.18.8 which was released a week ago, but for samba-4.19 this is the first usable version for systems using libnss_winbind.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-17 19:52:18 UTC
I really think you should consider proxy maintaining this given you're on top of what needs to be done.
Comment 4 Larry the Git Cow gentoo-dev 2023-10-18 12:25:40 UTC
The bug has been referenced in the following commit(s):

commit 75c0e03f350aa2025ba1b08171fcad66522614b8
Author:     Ben Kohler <>
AuthorDate: 2023-10-18 12:24:44 +0000
Commit:     Ben Kohler <>
CommitDate: 2023-10-18 12:25:33 +0000

    net-fs/samba: add 4.19.2
    Signed-off-by: Ben Kohler <>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.2.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)