==============================
Release Notes for Samba 4.18.5
July 19, 2023
==============================

This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
                  server-side absolute path of shares and files and directories
                  in search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html

Changes since 4.18.4
--------------------

o   Ralph Boehme <slow@samba.org>
    * BUG 15072: CVE-2022-2127.
    * BUG 15340: CVE-2023-34966.
    * BUG 15341: CVE-2023-34967.
    * BUG 15388: CVE-2023-34968.
    * BUG 15397: CVE-2023-3347.

o   Volker Lendecke <vl@samba.org>
    * BUG 15072: CVE-2022-2127.

o   Stefan Metzmacher <metze@samba.org>
    * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.

===============================
Release Notes for Samba 4.17.10
July 19, 2023
===============================

This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
                  server-side absolute path of shares and files and directories
                  in search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html

Changes since 4.17.9
--------------------

o   Ralph Boehme <slow@samba.org>
    * BUG 15072: CVE-2022-2127.
    * BUG 15340: CVE-2023-34966.
    * BUG 15341: CVE-2023-34967.
    * BUG 15388: CVE-2023-34968.
    * BUG 15397: CVE-2023-3347.

o   Volker Lendecke <vl@samba.org>
    * BUG 15072: CVE-2022-2127.

o   Stefan Metzmacher <metze@samba.org>
    * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.

===============================
Release Notes for Samba 4.16.11
July 19, 2023
===============================

This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
                  server-side absolute path of shares and files and directories
                  in search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html

Changes since 4.16.10
---------------------

o   Ralph Boehme <slow@samba.org>
    * BUG 15072: CVE-2022-2127.
    * BUG 15340: CVE-2023-34966.
    * BUG 15341: CVE-2023-34967.
    * BUG 15388: CVE-2023-34968.

o   Samuel Cabrero <scabrero@samba.org>
    * BUG 15072: CVE-2022-2127.

o   Volker Lendecke <vl@samba.org>
    * BUG 15072: CVE-2022-2127.

o   Stefan Metzmacher <metze@samba.org>
    * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.

Regarding 4.17, some of the discussion is here: https://bugs.gentoo.org/910334#c5 (and below)

If it helps, for 4.17 we can just re-use https://gitweb.gentoo.org/repo/gentoo.git/plain/net-fs/samba/samba-4.17.8.ebuild?id=d1e7521fb883fa4dd2d65487fdffda4903bd0d4a given no additional patches are needed.

Optionally, if we want it to be as similar as possible to the 4.18 one, we can change:
-PYTHON_COMPAT=( python3_{10..11} ) +PYTHON_COMPAT=( python3_{9..11} )
and:
PATCHES=( - "${FILESDIR}"/${PN}-4.4.0-pam.patch - "${FILESDIR}"/${PN}-4.16.1-netdb-defines.patch - "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch + "${FILESDIR}/${PN}-4.4.0-pam.patch" + "${FILESDIR}/${PN}-4.16.1-netdb-defines.patch" + "${FILESDIR}/ldb-2.5.2-skip-wav-tevent-check.patch" )

If you want, I can attach the samba-4.17.10.ebuild build file.

I have been running 4.17.10 on both i386 and x86_64 for several hours, they also compiled without problems. No testing for 4.18.5, yet.

Also, I have no interest in 4.16 but mentioned it for completeness given it is still in the tree and [1] suggests we still have 2-3 months before it reaches EOL.

[1] https://wiki.samba.org/index.php/Samba_Release_Planning#General_information
Sorry, inverted my diff - the correct one: -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) PATCHES=( - "${FILESDIR}/${PN}-4.4.0-pam.patch" - "${FILESDIR}/${PN}-4.16.1-netdb-defines.patch" - "${FILESDIR}/ldb-2.5.2-skip-wav-tevent-check.patch" + "${FILESDIR}"/${PN}-4.4.0-pam.patch + "${FILESDIR}"/${PN}-4.16.1-netdb-defines.patch + "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch )
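Review bot: the PYTHON_COMPAT line drops python3_9 (python3_{9..11} becomes python3_{10..11}), which is a functional change rather than a cosmetic alignment with the 4.18 ebuild; on a security-only bump it is better left out or proposed separately. The PATCHES change only moves the closing quote, and both forms expand to the same three paths as long as ${PN} contains no whitespace, so it can also be omitted to keep the 4.17.10 ebuild a plain copy of the 4.17.8 one.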
ping ?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=535bf0b4ef4a2f4b0908478b98b5db29832fc0f1

commit 535bf0b4ef4a2f4b0908478b98b5db29832fc0f1
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-08-11 14:12:44 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-08-11 14:13:10 +0000

    net-fs/samba: add 4.18.5

    Bug: https://bugs.gentoo.org/910606
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest | 1 +
 net-fs/samba/samba-4.18.5.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
What is the next step here? Note that while we now have both samba-4.18.5 and samba-4.18.6, samba-4.18.4 is the last "stable" ebuild and is impacted by all the security issues mentioned in the subject. Also, samba-4.18.7 (not yet in portage) is the first "usable" 4.18 version for many users, see https://bugs.gentoo.org/914842
The target for stabilization should be samba-4.18.8, see https://bugs.gentoo.org/915556
(In reply to Krzysztof Olędzki from comment #5)
> What is the next step here?
>

For security bugs, please file them in Gentoo Security -> Vulnerabilities. They will then be closed once stabilisation is done and a GLSA is issued if appropriate.

Filing bugs in the 'Current packages' component leads to ambiguity because after the bump, is it done or not? And it means we don't have any sort of tracking for missing stables.

> Note that while we now have both samba-4.18.5 and samba-4.18.6, samba-4.18.4
> is the last "stable" ebuild and is impacted by all the security issues
> mentioned in the subject.
>
> Also, samba-4.18.7 (not yet in portage) is the first "usable" 4.18 version
> for many users, see https://bugs.gentoo.org/914842

Please do consider reviewing the documentation at e.g. https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers/User_Guide#Proxied_maintainer_in_metadata.xml and adopting Samba.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)