CVE-2018-14628 (https://bugzilla.samba.org/show_bug.cgi?id=13595):
https://bugzilla.redhat.com/show_bug.cgi?id=1625445

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.

Doesn't seem like fixes ever made it to git.
4.19.3 has been released with a fix according to the release notes: "This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bug CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html" Note that manual administrator intervention will be required to fix this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65207b4f907c4ca868ce51d94fe24bb9e9e9924

commit f65207b4f907c4ca868ce51d94fe24bb9e9e9924
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-11-27 20:46:16 +0000

    net-fs/samba: add 4.19.3

    Bug: https://bugs.gentoo.org/891267
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Hm, new branch, are we able to stabilize? If not, are we sure there's no fixes in older branches that we'd be able to stabilize?
I think we're ok to start stabilization on 4.19.3, I don't know of any outstanding regressions on the new series.