An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.
Doesn't seem like fixes ever made it to git.
4.19.3 has been released with a fix according to the release notes:
"This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bug CVE-2018-14628:
Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
allow read of object tombstones over LDAP
(Administrator action required!)
Note that manual administrator intervention will be required to fix this."
The bug has been referenced in the following commit(s):
Author: Ben Kohler <email@example.com>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit: Ben Kohler <firstname.lastname@example.org>
CommitDate: 2023-11-27 20:46:16 +0000
net-fs/samba: add 4.19.3
Signed-off-by: Ben Kohler <email@example.com>
net-fs/samba/Manifest | 1 +
net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
2 files changed, 383 insertions(+)
Hm, new branch, are we able to stabilize? If not, are we sure there's no fixes in older branches that we'd be able to stabilize?
I think we're ok to start stabilization on 4.19.3, I don't know of any outstanding regressions on the new series.