This is a security release in order to address the following CVEs:

o  CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
o  CVE-2015-3223 (Denial of service in Samba Active Directory server)
o  CVE-2015-5252 (Insufficient symlink verification in smbd)
o  CVE-2015-5299 (Missing access control check in shadow copy code)
o  CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack)
o  CVE-2015-8467 (Denial of service attack against Windows Active Directory server)
o  CVE-2015-5330 (Remote memory read in Samba LDAP server)

Please note that if building against a system libldb, the required version has been bumped to ldb-1.1.24. This is needed to ensure we build against a system ldb library that contains the fixes for CVE-2015-5330 and CVE-2015-3223.

=======
Details
=======

o  CVE-2015-7540:
   All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to an anonymous memory exhaustion attack in the samba daemon LDAP server.

   A malicious client can send packets that cause the LDAP server provided by the AD DC in the samba daemon process to consume unlimited memory and be terminated.

o  CVE-2015-3223:
   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server.

   A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests.

   This flaw is not exploitable beyond causing the code to loop expending CPU resources.

o  CVE-2015-5252:
   All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path.
   If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is set to "no" (the default).

o  CVE-2015-5299:
   All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the current snapshots.

   This was not being checked in the affected versions of Samba.

o  CVE-2015-5296:
   Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server.

   Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection.

o  CVE-2015-8467:
   Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers.

   All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the protection against the MS15-096 / CVE-2015-2535 security issue in Windows.

   Prior to MS16-096 it was possible to bypass the quota of machine accounts a non-administrative user could create. Pure Samba domains are not impacted, as Samba does not implement the SeMachineAccountPrivilege functionality to allow non-administrator users to create new computer objects.

o  CVE-2015-5330:
   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a remote memory read attack in the samba daemon LDAP server.
   A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value.

   This memory may contain data that the client should not be allowed to see, allowing compromise of the server.

   The memory may either be returned to the client in an error string, or stored in the database by a suitably privileged user. If untrusted users can create objects in your database, please confirm that all DN and name attributes are reasonable.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

Patches addressing this defect have been posted to

        https://www.samba.org/samba/history/security.html

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.3.3.html
        https://www.samba.org/samba/history/samba-4.2.7.html
        https://www.samba.org/samba/history/samba-4.1.22.html

The uncompressed ldb tarball has been signed using GnuPG (ID 13084025).
The ldb-1.1.24 source code can be downloaded from:

        https://download.samba.org/pub/ldb/ldb-1.1.24.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
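
Added example, not Samba's code and not part of the announcement: the CVE-2015-5252 description above (a share path that shares a common path prefix with another directory) is the kind of result a string-prefix containment test produces. The sketch contrasts such a test with one that requires a path-component boundary; the function names and the /srv paths are constructed for illustration, and both functions assume paths already resolved (for example with realpath()).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Weak check: a plain string-prefix comparison. "/srv/share_private/x"
 * starts with "/srv/share", so it is wrongly treated as inside the share. */
static bool in_share_prefix_only(const char *root, const char *resolved)
{
    return strncmp(root, resolved, strlen(root)) == 0;
}

/* Hardened check: the prefix must end on a path-component boundary, i.e.
 * the next byte of the resolved path is '/' or the terminating NUL. */
static bool in_share_component(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    /* Ignore trailing slashes on the root, but keep "/" itself. */
    while (n > 1 && root[n - 1] == '/')
        n--;
    if (strncmp(root, resolved, n) != 0)
        return false;
    if (n == 1 && root[0] == '/')
        return true;            /* share root is "/": everything is inside */
    return resolved[n] == '/' || resolved[n] == '\0';
}

int main(void)
{
    /* Constructed sample paths, as they would look after resolution. */
    const char *root = "/srv/share";
    const char *targets[] = {
        "/srv/share/docs/a.txt",    /* inside the share */
        "/srv/share",               /* the share root itself */
        "/srv/share_private/key",   /* sibling dir with a common prefix */
        "/srv/other/file",          /* unrelated directory */
    };

    for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
        printf("%-26s prefix-only=%d component=%d\n", targets[i],
               in_share_prefix_only(root, targets[i]),
               in_share_component(root, targets[i]));
    return 0;
}
```

Only the sibling directory row differs between the two columns, which is the case an administrator should look for when share paths such as /srv/share and /srv/share_private coexist on an unpatched server.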
commit c0a1144a4485149c25782a5b3b4dfddaca79dbcd
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 14:57:40 2015

    sys-libs/ldb: Security bump to version 1.1.24 (bug #568432).

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

commit 066e135c8b38e4d7960abbfbf446e43775c792f6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 15:17:47 2015

    net-fs/samba: Security bump to versions 4.1.22, 4.2.7 and 4.3.3

    See also bug #568432

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Okay guys... we're now at that very unpleasant point where we must decide how to further handle samba packages:

As this bug report clearly states, all of our stable samba packages are affected by one or more of these CVEs. Thus we need to get some 4.x samba version stable or we remove(/mask?) all stable samba packages and thus won't provide any samba package for stable users anymore.

I have neither the time nor the technical samba background knowledge to handle the task of stabilizing such an unthankful and complex package as samba unfortunately is.
We can stabilize the libraries for now, and we will see what to do with samba later.

Arches, please test and mark stable:

=sys-libs/ldb-1.1.24
=sys-libs/talloc-2.1.5
=sys-libs/tevent-0.9.26
=sys-libs/tdb-1.3.8

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
Why exactly is it that samba 4 cannot go stable?
(In reply to Jeroen Roovers from comment #5)
> Why exactly is it that samba 4 cannot go stable?

Let's make it stable
(In reply to Víctor Ostorga from comment #6)
> (In reply to Jeroen Roovers from comment #5)
> > Why exactly is it that samba 4 cannot go stable?
>
> Let's make it stable

If you want to cause more problems like

https://forums.gentoo.org/viewtopic-t-1036156.html

then go ahead. Sorry that I cannot add anything constructive here but when we stabilize samba-4 before it got multilib support we are going to make a lot of users even more unhappy.
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> >
> > Let's make it stable
>
> If you want to cause more problems like
>
> https://forums.gentoo.org/viewtopic-t-1036156.html
>
> then go ahead. Sorry that I cannot add anything constructive here but when
> we stabilize samba-4 before it got multilib support we are going to make a
> lot of users even more unhappy.

There will always be problems, that's why we are here, to fix them. Multilib is still in the works, I am reaching upstream to check how to fix it, but right now some samba software was not created with multilib in mind.

I vote to make samba 4 stable, even with the problems that would arise. Samba 3 is dead upstream.
ppc stable
ppc64 stable
arm stable
ia64 stable
alpha stable
sparc stable
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> >
> > Let's make it stable
>
> If you want to cause more problems like <vague forum reference>

I thought we had a bug tracker for tracking bugs. In this case we should have an additional tracker bug to track those, maybe?
Stable for HPPA.
Following up on this bug. Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes for bug-fixing.
@ Security: Please vote!
GLSA Vote: No

(In reply to Yury German from comment #17)
> Following up on this bug.
> Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes
> for bug-fixing.

As Yury mentioned 3.6.25 is vulnerable.

@maintainers, now that 4.2.11 is stable can 3.6.25 be removed?

GLSA Vote: No
This issue was resolved and addressed in GLSA 201612-47 at https://security.gentoo.org/glsa/201612-47 by GLSA coordinator Aaron Bauman (b-man).