Once done, can we please also stabilize net-fs/samba-4.18.8 and then remove old versions from the tree (samba-4.18.4-r1, samba-4.18.5-r1, samba-4.18.6-r1, samba-4.18.7 and samba-4.19.0-r1)

==============================
Release Notes for Samba 4.18.8
October 10, 2023
==============================

This is a security release in order to address the following defects:

o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as
  root to existing unix domain sockets on the file system.
  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening
  files with OVERWRITE disposition when using the acl_xattr Samba VFS
  module with the smb.conf setting "acl_xattr:ignore system acls = yes"
  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view
  all attributes, including secrets and passwords. Additionally, the
  access check fails open on error conditions.
  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request
  that the server block for a user-defined amount of time, denying
  service.
  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
  listeners, disrupting service on the AD DC.
  https://www.samba.org/samba/security/CVE-2023-42670.html

==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================

This is a security release in order to address the following defects:

o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as
  root to existing unix domain sockets on the file system.
  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening
  files with OVERWRITE disposition when using the acl_xattr Samba VFS
  module with the smb.conf setting "acl_xattr:ignore system acls = yes"
  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view
  all attributes, including secrets and passwords. Additionally, the
  access check fails open on error conditions.
  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request
  that the server block for a user-defined amount of time, denying
  service.
  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
  listeners, disrupting service on the AD DC.
  https://www.samba.org/samba/security/CVE-2023-42670.html

Note that 4.19.1 should not be used in production yet. While it does fix the mentioned security bugs, there are still several functionality / stability fixes that are planned to be included in 4.19.2 with 2023-10-16 ETA (a week from now).
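A small audit helper for administrators tracking this bug, added here as an example and not part of the thread, of Samba, or of Gentoo tooling. It does two things the release notes above make checkable: compares an installed net-fs/samba version (Gentoo `-rN` revision suffixes are ignored) against the fixed releases named in the notes (4.18.8 and 4.19.1), and scans an smb.conf for shares where the acl_xattr VFS module is loaded together with `acl_xattr:ignore system acls = yes`, the configuration CVE-2023-4091 applies to. The smb.conf parser is a minimal one written for this example (sections, `key = value`, `#`/`;` comments, share parameters inheriting from `[global]`), and the sample configuration is constructed.

```python
import re

# Fixed releases per the Samba 4.18.8 / 4.19.1 release notes quoted above.
# Branches not listed here (e.g. 4.17.x, 4.20+) are reported as "not assessed".
FIXED_BY_BRANCH = {(4, 18): (4, 18, 8), (4, 19): (4, 19, 1)}


def parse_version(version):
    """'4.18.4-r1' -> (4, 18, 4); the Gentoo revision suffix does not change upstream code."""
    core = version.split("-r")[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version):
    """True/False against the fixed release of the same branch; None if the branch
    is not covered by the notes above."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section_name: {normalised_key: value}}.
    Keys are lower-cased with internal whitespace collapsed so that
    'ACL_XATTR:Ignore  System ACLs' and 'acl_xattr:ignore system acls' match."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _is_true(value):
    # Samba accepts yes/true/1 as boolean true.
    return value.strip().lower() in ("yes", "true", "1")


def exposed_shares(conf):
    """Shares where acl_xattr is in 'vfs objects' AND 'acl_xattr:ignore system acls'
    is enabled, after applying [global] defaults to each share."""
    global_params = conf.get("global", {})
    hits = []
    for name, params in conf.items():
        if name == "global":
            continue
        effective = {**global_params, **params}
        vfs_modules = effective.get("vfs objects", "").split()
        ignore_acls = effective.get("acl_xattr:ignore system acls", "no")
        if "acl_xattr" in vfs_modules and _is_true(ignore_acls):
            hits.append(name)
    return sorted(hits)


# Constructed sample: the [global] defaults enable the risky combination,
# [public] overrides it, [plain] drops the VFS module, [profiles] inherits it.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes

[public]
   path = /srv/public
   acl_xattr:ignore system acls = no

[profiles]
   path = /srv/profiles

[plain]
   path = /srv/plain
   vfs objects =
"""


def audit(version, smb_conf_text):
    """Returns (fixed_status, [shares still exposed to CVE-2023-4091])."""
    return is_fixed(version), exposed_shares(parse_smb_conf(smb_conf_text))


if __name__ == "__main__":
    for ver in ("4.18.7", "4.18.8", "4.19.0-r1", "4.19.1"):
        print(ver, "fixed:", is_fixed(ver))
    print("exposed shares:", exposed_shares(parse_smb_conf(SAMPLE_SMB_CONF)))
```

A share that inherits the risky combination only via `[global]` (like `profiles` in the sample) is the case most easily missed when reading smb.conf by hand; the check applies the global defaults to every share before deciding. On a real host, feed it the output of `testparm -s` rather than the raw file so that includes and defaults are already resolved.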
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9ca8ab1fb4782d6517f9e5b96d4da7ece2196e

commit 1f9ca8ab1fb4782d6517f9e5b96d4da7ece2196e
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-10-10 18:03:18 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-10-10 18:04:31 +0000

    net-fs/samba: add 4.18.8

    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.18.8.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe87bbb5572ebbd784dc0d7825d745c3ea5fddcf

commit fe87bbb5572ebbd784dc0d7825d745c3ea5fddcf
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-10-10 17:50:29 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-10-10 18:04:31 +0000

    net-fs/samba: add 4.19.1

    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.1.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
(In reply to Krzysztof Olędzki from comment #0)
> Once done, can we please also stabilize net-fs/samba-4.18.8 and then remove
> old versions from the tree (samba-4.18.4-r1, samba-4.18.5-r1,
> samba-4.18.6-r1, samba-4.18.7 and samba-4.19.0-r1)
> [...]
> Note that 4.19.1 should not be used in production yet. While it does fix
> the mentioned security bugs, there are still several functionality /
> stability fixes that are planned to be included in 4.19.2 with 2023-10-16
> ETA (a week from now).

Going forward, please link to the upstream advisory as well, but also make separate remarks in an additional comment to make them harder to miss. See also https://bugs.gentoo.org/910606#c7.
Will do, thank you so much Sam! By "link to the upstream advisory" you mean adding links like "https://www.samba.org/samba/security/CVE-2023-3961.html" to "See Also" or something else?
(In reply to Krzysztof Olędzki from comment #3)
> Will do, thank you so much Sam!

No, thank you for keeping on top of all of this!

> By "link to the upstream advisory" you mean adding links like
> "https://www.samba.org/samba/security/CVE-2023-3961.html" to "See Also" or
> something else?

Maybe chuck it in URL? I usually dump them at the top of the first comment though if there's multiple. I think See Also has a bunch of restrictions (it has to recognise the link as a bug tracker).
What is left here? GLSA and removal of the old ebuilds?
(In reply to Krzysztof Olędzki from comment #5)
> What is left here? GLSA and removal of the old ebuilds?

Yes, as indicated by the whiteboard (although in general that isn't always up-to-date).
Ping. Please remove the vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ba820011c7aaea8f57f4dc6370ebe39e6ca1227

commit 1ba820011c7aaea8f57f4dc6370ebe39e6ca1227
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-02-09 17:11:53 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-02-09 17:13:36 +0000

    net-fs/samba: drop versions

    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest               |   9 -
 net-fs/samba/samba-4.18.4-r1.ebuild | 384 ------------------------------------
 net-fs/samba/samba-4.18.5-r1.ebuild | 383 -----------------------------------
 net-fs/samba/samba-4.18.6-r1.ebuild | 383 -----------------------------------
 net-fs/samba/samba-4.18.7.ebuild    | 383 -----------------------------------
 net-fs/samba/samba-4.18.9.ebuild    | 383 -----------------------------------
 net-fs/samba/samba-4.19.0-r1.ebuild | 382 -----------------------------------
 net-fs/samba/samba-4.19.1.ebuild    | 382 -----------------------------------
 net-fs/samba/samba-4.19.2.ebuild    | 382 -----------------------------------
 net-fs/samba/samba-4.19.3.ebuild    | 382 -----------------------------------
 10 files changed, 3453 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)