Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 702928 (CVE-2019-14861) - <net-fs/samba-{4.9.17,4.10.11,4.11.4}: multiple vulnerabilities (CVE-2019-{14861,14870})
Summary: <net-fs/samba-{4.9.17,4.10.11,4.11.4}: multiple vulnerabilities (CVE-2019-{14...
Alias: CVE-2019-14861
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on:
Blocks: CVE-2019-14870
  Show dependency tree
Reported: 2019-12-14 21:32 UTC by GLSAMaker/CVETool Bot
Modified: 2022-11-16 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-14 21:32:45 UTC
CVE-2019-14861 (
  All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x
  before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe
  provides administrative facilities to modify DNS records and zones. Samba,
  when acting as an AD DC, stores DNS records in LDAP. In AD, the default
  permissions on the DNS partition allow creation of new records by
  authenticated users. This is used for example to allow machines to
  self-register in DNS. If a DNS record was created that case-insensitively
  matched the name of the zone, the ldb_qsort() and dns_name_compare()
  routines could be confused into reading memory prior to the list of DNS
  entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and
  so following invalid memory as a pointer.

CVE-2019-14870 (
  All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x
  before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation
  model includes a feature allowing for a subset of clients to be opted out of
  constrained delegation in any way, either S4U2Self or regular Kerberos
  authentication, by forcing all tickets for these clients to be
  non-forwardable. In AD this is implemented by a user attribute
  delegation_not_allowed (aka not-delegated), which translates to
  disallow-forwardable. However the Samba AD DC does not do that for S4U2Self
  and does set the forwardable flag even if the impersonated client has the
  not-delegated flag set.
Comment 1 Larry the Git Cow gentoo-dev 2019-12-17 13:50:08 UTC
The bug has been referenced in the following commit(s):

commit 6e5574cfdbc454b77bf24f6a88914eb57ff03b78
Author:     Lars Wendler <>
AuthorDate: 2019-12-17 13:47:36 +0000
Commit:     Lars Wendler <>
CommitDate: 2019-12-17 13:50:01 +0000

    net-fs/samba: Security bump to versions 4.9.17, 4.10.11 and 4.11.4
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Signed-off-by: Lars Wendler <>

 net-fs/samba/Manifest             |   3 +
 net-fs/samba/samba-4.10.11.ebuild | 315 ++++++++++++++++++++++++++++++++++++++
 net-fs/samba/samba-4.11.4.ebuild  | 311 +++++++++++++++++++++++++++++++++++++
 net-fs/samba/samba-4.9.17.ebuild  | 308 +++++++++++++++++++++++++++++++++++++
 4 files changed, 937 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 04:01:26 UTC
Is there currently a bug preventing stabilisation for sparc, hppa, or just behind?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 16:17:41 UTC
Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 16:37:17 UTC
This issue was resolved and addressed in
 GLSA 202003-52 at
by GLSA coordinator Thomas Deutschmann (whissi).