"o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. https://www.samba.org/samba/security/CVE-2022-37966.html o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with. https://www.samba.org/samba/security/CVE-2022-37967.html o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak. https://www.samba.org/samba/security/CVE-2022-38023.html o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96). https://www.samba.org/samba/security/CVE-2022-45141.html" Please bump to 4.15.13, 4.16.8, 4.15.13.
This bug has been opened for almost a month. Should I create a separate one requesting version bump to samba-4.15.13 & samba-4.16.8 (and perhaps 4.17.4 which may be a larger change) or is this one sufficient to track the changes?
(In reply to Krzysztof Olędzki from comment #1) > This bug has been opened for almost a month. > > Should I create a separate one requesting version bump to samba-4.15.13 & > samba-4.16.8 (and perhaps 4.17.4 which may be a larger change) or is this > one sufficient to track the changes? This one is sufficient.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdaf50845c6806cd79d92e454d197360a9bd315 commit 6cdaf50845c6806cd79d92e454d197360a9bd315 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2023-02-22 19:36:36 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2023-02-22 19:36:51 +0000 net-fs/samba: cleanup vulnerable 4.16.7-r4 Bug: https://bugs.gentoo.org/886153 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> net-fs/samba/Manifest | 1 - net-fs/samba/samba-4.16.7-r4.ebuild | 368 ------------------------------------ 2 files changed, 369 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=5bfe8198b2352fa0ac46dbc59d078650dc544a7e commit 5bfe8198b2352fa0ac46dbc59d078650dc544a7e Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-09-17 05:56:23 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-09-17 05:56:46 +0000 [ GLSA 202309-06 ] Samba: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/820566 Bug: https://bugs.gentoo.org/821688 Bug: https://bugs.gentoo.org/830983 Bug: https://bugs.gentoo.org/832433 Bug: https://bugs.gentoo.org/861512 Bug: https://bugs.gentoo.org/866225 Bug: https://bugs.gentoo.org/869122 Bug: https://bugs.gentoo.org/878273 Bug: https://bugs.gentoo.org/880437 Bug: https://bugs.gentoo.org/886153 Bug: https://bugs.gentoo.org/903621 Bug: https://bugs.gentoo.org/905320 Bug: https://bugs.gentoo.org/910334 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202309-06.xml | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+)