CVE-2018-14628 (https://bugzilla.samba.org/show_bug.cgi?id=13595): https://bugzilla.redhat.com/show_bug.cgi?id=1625445

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.

Doesn't seem like fixes ever made it to git.
4.19.3 has been released with a fix according to the release notes:

"This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bug CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html"

Note that manual administrator intervention will be required to fix this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65207b4f907c4ca868ce51d94fe24bb9e9e9924

commit f65207b4f907c4ca868ce51d94fe24bb9e9e9924
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-11-27 20:46:16 +0000

    net-fs/samba: add 4.19.3

    Bug: https://bugs.gentoo.org/891267
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Hm, new branch, are we able to stabilize? If not, are we sure there's no fixes in older branches that we'd be able to stabilize?
I think we're ok to start stabilization on 4.19.3, I don't know of any outstanding regressions on the new series.
Samba is a really large and complex system and my experience with the last several main releases was that it was often taking several months for all critical regressions to be first identified and then fixed. So, while samba-4.19 was released 3 months ago and so 4.19.3 seems like a good target, perhaps we can also include 4.18.9 [1] which has the same fix?

At the same time, we probably also want to drop samba-4.18.4-r1.ebuild, samba-4.18.5-r1.ebuild, samba-4.18.6-r1.ebuild and samba-4.18.7.ebuild from the tree? See https://bugs.gentoo.org/915556

Same for samba-4.19.1.ebuild - https://bugs.gentoo.org/915867.

[1] https://www.samba.org/samba/history/samba-4.18.9.html
Ah, looks like 4.18.9 got a fix for this as well!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06001d963251a6b3fb59d2a17ad7a695789e70f0

commit 06001d963251a6b3fb59d2a17ad7a695789e70f0
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-12-04 21:02:44 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-12-04 21:03:34 +0000

    net-fs/samba: add 4.18.9

    Bug: https://bugs.gentoo.org/891267
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.18.9.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)