Bug 903621 (CVE-2023-0225, CVE-2023-0614, CVE-2023-0922) - <net-fs/samba-{4.16.10, 4.17.8, 4.18.3}: multiple vulnerabilities
Summary: <net-fs/samba-{4.16.10, 4.17.8, 4.18.3}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-0225, CVE-2023-0614, CVE-2023-0922
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.samba.org/archive/samba...
Whiteboard: B4 [stable+]
Keywords:
Depends on: 906104 907829 908275
Blocks:
Reported: 2023-03-31 04:14 UTC by John Helmert III
Modified: 2023-09-17 05:57 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-31 04:14:38 UTC
"These are security releases in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html"
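As an added example (not part of this bug report and not Gentoo or Samba tooling), the following Python maps the summary's affected ranges, `<net-fs/samba-{4.16.10, 4.17.8, 4.18.3}`, onto installed package versions so an administrator can tell at a glance which installs still need the bump. Gentoo's `<X` notation covers every version below X, so the 4.16.10 bound also flags the EOL 4.15 branch mentioned in comment 2. The function names and the sample list of installed atoms are my own constructions; the `qlist -Iv` input format is an assumption.

```python
"""Check Samba versions against the affected ranges from Gentoo bug 903621:
<4.16.10, 4.17.x < 4.17.8 and 4.18.x < 4.18.3.  Added example, not Gentoo or
Samba code; helper names and the sample atoms below are constructed."""
import re

# Half-open ranges [lower, upper) of affected versions, taken from the bug summary.
AFFECTED_RANGES = [
    ((0,), (4, 16, 10)),       # anything before 4.16.10, incl. the EOL 4.15 branch
    ((4, 17), (4, 17, 8)),     # 4.17.0 .. 4.17.7
    ((4, 18), (4, 18, 3)),     # 4.18.0 .. 4.18.2
]


def parse_version(atom: str) -> tuple:
    """Extract the dotted upstream version from "4.17.7", "4.17.7-r1" or a full
    Gentoo atom such as "net-fs/samba-4.17.7-r1".  The Gentoo -rN revision is
    ignored on purpose: the fixes tracked here are upstream point releases."""
    m = re.search(r"(\d+(?:\.\d+)+)", atom)
    if m is None:
        raise ValueError(f"no version number in {atom!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(atom: str) -> bool:
    """True when the version falls inside one of the affected ranges.
    Tuple comparison gives the usual numeric ordering per component."""
    v = parse_version(atom)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def affected_installs(atoms):
    """Filter installed atoms (assumed to look like `qlist -Iv net-fs/samba`
    output, one atom per line) down to those still in an affected range."""
    return [a for a in atoms if is_affected(a)]


# Constructed sample of installed packages; not real output from any host.
SAMPLE_INSTALLED = [
    "net-fs/samba-4.16.9-r2",
    "net-fs/samba-4.17.8",
    "net-fs/samba-4.18.2",
]

if __name__ == "__main__":
    for atom in SAMPLE_INSTALLED:
        print(atom, "AFFECTED" if is_affected(atom) else "fixed")
```

Feeding the real `qlist -Iv net-fs/samba` lines into `affected_installs` gives the same verdict the bug summary encodes; anything at or above 4.18.3 on the newest branch is outside the ranges this bug lists.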
Comment 1 Adrian Bassett 2023-05-06 15:33:30 UTC
These CVEs appear to have been fixed in 4.18.1, released 29th March, see https://www.samba.org/samba/history/

However, more recent is 4.18.2 which was released Apr 19, 2023; release notes at https://www.samba.org/samba/history/samba-4.18.2.html
Comment 2 Krzysztof Olędzki 2023-05-16 04:44:51 UTC
In addition to bumping 4.17 (to 4.17.8) - https://bugs.gentoo.org/906104 and presumably 4.18 (to 4.18.2) and 4.16 (to 4.16.10) we may also want to drop 4.15 given it is marked as EOL per https://wiki.samba.org/index.php/Samba_Release_Planning
Comment 3 Larry the Git Cow gentoo-dev 2023-09-17 05:56:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5bfe8198b2352fa0ac46dbc59d078650dc544a7e

commit 5bfe8198b2352fa0ac46dbc59d078650dc544a7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 05:56:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 05:56:46 +0000

    [ GLSA 202309-06 ] Samba: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/820566
    Bug: https://bugs.gentoo.org/821688
    Bug: https://bugs.gentoo.org/830983
    Bug: https://bugs.gentoo.org/832433
    Bug: https://bugs.gentoo.org/861512
    Bug: https://bugs.gentoo.org/866225
    Bug: https://bugs.gentoo.org/869122
    Bug: https://bugs.gentoo.org/878273
    Bug: https://bugs.gentoo.org/880437
    Bug: https://bugs.gentoo.org/886153
    Bug: https://bugs.gentoo.org/903621
    Bug: https://bugs.gentoo.org/905320
    Bug: https://bugs.gentoo.org/910334
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-06.xml | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)