Compare revisions

Commits on Source (27)
Showing
with 184 additions and 204 deletions
......@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=11
SAMBA_VERSION_RELEASE=1
SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
......
==============================
Release Notes for Samba 4.11.3
December 10, 2019
==============================
This is a security release in order to address the following defects:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
on Samba AD DC.
=======
Details
=======
o CVE-2019-14861:
An authenticated user can crash the DCE/RPC DNS management server by creating
records with matching the zone name.
o CVE-2019-14870:
The DelegationNotAllowed Kerberos feature restriction was not being applied
when processing protocol transition requests (S4U2Self), in the AD DC KDC.
For more details and workarounds, please refer to the security advisories.
Changes since 4.11.2:
---------------------
o Andrew Bartlett <abartlet@samba.org>
* BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
o Isaac Boukris <iboukris@gmail.com>
* BUG 14187: CVE-2019-14870: DelegationNotAllowed not being enforced.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.11.2
October 29, 2019
==============================
This is a security release in order to address the following defects:
o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
via dirsync.
=======
Details
=======
o CVE-2019-10218:
Malicious servers can cause Samba client code to return filenames containing
path separators to calling code.
o CVE-2019-14833:
When the password contains multi-byte (non-ASCII) characters, the check
password script does not receive the full password string.
o CVE-2019-14847:
Users with the "get changes" extended access right can crash the AD DC LDAP
server by requesting an attribute using the range= syntax.
For more details and workarounds, please refer to the security advisories.
Changes since 4.11.1:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
from evil server returned names.
o Andrew Bartlett <abartlet@samba.org>
* BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
password.
* BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
combined with dirsync.
o Björn Baumbach <bb@sernet.de>
* BUG 12438: CVE-2019-14833 dsdb: Send full password to check password
script.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.11.1
October 18, 2019
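Review bot: In the CVE-2019-14861 detail paragraph of the 4.11.3 notes, "creating records with matching the zone name" is ungrammatical and leaves the trigger unclear; "creating records whose name matches the zone name" would agree with the "zone-named record" wording in the summary line. The same sentence is copied into the 2:4.11.3+dfsg-1 debian/changelog entry, so both should be fixed together. The 4.11.3 and 4.11.2 sections also send readers to "the security advisories" without a URL; a link per CVE would make the workarounds findable from the release notes alone.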
......@@ -81,8 +217,8 @@ database (https://bugzilla.samba.org/).
======================================================================
Release notes for older releases follow:
----------------------------------------
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.11.0
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb-etcd
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\-ETCD" "7" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\-ETCD" "7" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb-script.options
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\-SCRIPT\&.OPTIO" "5" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\-SCRIPT\&.OPTIO" "5" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb-statistics
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\-STATISTICS" "7" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\-STATISTICS" "7" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb-tunables
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\-TUNABLES" "7" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\-TUNABLES" "7" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB" "7" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB" "7" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\&.CONF" "5" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\&.CONF" "5" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb.sysconfig
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB\&.SYSCONFIG" "5" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB\&.SYSCONFIG" "5" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdb_diagnostics
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDB_DIAGNOSTICS" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDB_DIAGNOSTICS" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: Ceph RADOS Mutex
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CEPH RADOS MUTEX" "7" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CEPH RADOS MUTEX" "7" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdbd
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDBD" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDBD" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ctdbd_wrapper
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "CTDBD_WRAPPER" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "CTDBD_WRAPPER" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ltdbtool
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "LTDBTOOL" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "LTDBTOOL" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: onnode
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "ONNODE" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "ONNODE" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
......@@ -2,12 +2,12 @@
.\" Title: ping_pong
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 10/18/2019
.\" Date: 12/10/2019
.\" Manual: CTDB - clustered TDB database
.\" Source: ctdb
.\" Language: English
.\"
.TH "PING_PONG" "1" "10/18/2019" "ctdb" "CTDB \- clustered TDB database"
.TH "PING_PONG" "1" "12/10/2019" "ctdb" "CTDB \- clustered TDB database"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......
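Review bot: Every ctdb man-page hunk above changes only the '.\" Date:' comment and the date field of '.TH' from 10/18/2019 to 12/10/2019, so these generated files (the header names DocBook XSL Stylesheets v1.79.1 as the generator) add diff noise without content. Only the first lines of each file are shown here, so it is worth confirming that no body text changed between the two revisions. A build that takes the date from a fixed source date would keep regenerated pages identical across releases.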
samba (2:4.11.3+dfsg-1) unstable; urgency=high
* New upstream security release
- Drop merged patches for previous security fixes
- CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management
server by creating records with matching the zone name.
- CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was
not being applied when processing protocol transition requests (S4U2Self),
in the AD DC KDC.
* d/control: drop python3-matplotlib
* d/control: Fix stronger-dependency-implies-weaker
(samba depends -> recommends python3-dnspython)
-- Mathieu Parent <sathieu@debian.org> Mon, 16 Dec 2019 09:47:45 +0100
samba (2:4.11.1+dfsg-3) unstable; urgency=medium
* Add some python dependencies:
......
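Review bot: The last bullet of the 2:4.11.3+dfsg-1 entry, "(samba depends -> recommends python3-dnspython)", reads as if python3-dnspython moved from Depends to Recommends, but the debian/control hunk header (-87,7 +87,6) shows a line being removed from the Recommends block. If the fix is dropping the duplicate from Recommends because Depends already carries it, the entry should say so, for example "drop python3-dnspython from Recommends, already in Depends".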
......@@ -87,7 +87,6 @@ Depends: adduser,
Recommends: attr,
logrotate,
python3-markdown,
python3-dnspython,
samba-dsdb-modules,
samba-vfs-modules
Suggests: bind9 (>= 1:9.5.1),
......
From 024b18d663d5ab84fe0e9a0991708d89639471b8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 5 Aug 2019 13:39:53 -0700
Subject: [PATCH 1/2] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code
from evil server returned names.
Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++
source3/libsmb/proto.h | 3 ++
2 files changed, 78 insertions(+)
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 5cb1fce4338..4f518339e2b 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -24,6 +24,66 @@
#include "trans2.h"
#include "../libcli/smb/smbXcli_base.h"
+/****************************************************************************
+ Check if a returned directory name is safe.
+****************************************************************************/
+
+static NTSTATUS is_bad_name(bool windows_names, const char *name)
+{
+ const char *bad_name_p = NULL;
+
+ bad_name_p = strchr(name, '/');
+ if (bad_name_p != NULL) {
+ /*
+ * Windows and POSIX names can't have '/'.
+ * Server is attacking us.
+ */
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (windows_names) {
+ bad_name_p = strchr(name, '\\');
+ if (bad_name_p != NULL) {
+ /*
+ * Windows names can't have '\\'.
+ * Server is attacking us.
+ */
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Check if a returned directory name is safe. Disconnect if server is
+ sending bad names.
+****************************************************************************/
+
+NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
+ const struct file_info *finfo)
+{
+ NTSTATUS status = NT_STATUS_OK;
+ bool windows_names = true;
+
+ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
+ windows_names = false;
+ }
+ if (finfo->name != NULL) {
+ status = is_bad_name(windows_names, finfo->name);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("bad finfo->name\n");
+ return status;
+ }
+ }
+ if (finfo->short_name != NULL) {
+ status = is_bad_name(windows_names, finfo->short_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("bad finfo->short_name\n");
+ return status;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
/****************************************************************************
Calculate a safe next_entry_offset.
****************************************************************************/
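Review bot: is_bad_name() and is_bad_finfo_name() are named like boolean predicates but return NTSTATUS, and neither comment block says that NT_STATUS_OK means the name passed the check. Since is_bad_finfo_name() is exported through proto.h, either give it a name that matches the return type (check_finfo_name, as one possibility) or state the return contract in the comment above it. The two DBG_ERR messages in is_bad_finfo_name() also record neither the server nor which entry was rejected, which makes the resulting disconnect hard to diagnose from logs.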
@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
TALLOC_FREE(finfo);
return NT_STATUS_NO_MEMORY;
}
+
+ status = is_bad_finfo_name(state->cli, finfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbXcli_conn_disconnect(state->cli->conn, status);
+ TALLOC_FREE(finfo);
+ return status;
+ }
}
*pfinfo = finfo;
return NT_STATUS_OK;
@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq)
ff_eos = true;
break;
}
+
+ status = is_bad_finfo_name(state->cli, finfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbXcli_conn_disconnect(state->cli->conn, status);
+ tevent_req_nterror(req, status);
+ return;
+ }
+
if (!state->first && (state->mask[0] != '\0') &&
strcsequal(finfo->name, state->mask)) {
DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has "
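Review bot: The new failure path in cli_list_trans_done() returns after tevent_req_nterror() without releasing anything, whereas the matching path in cli_list_old_recv() calls TALLOC_FREE(finfo) before returning. If finfo here points into memory owned by the request state that is fine, but a one-line comment saying so would save the next reader from checking. Placing the check ahead of the strcsequal() loop test is right, since that test reads finfo->name.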
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 6a647da58c8..48855d7112c 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -760,6 +760,9 @@ NTSTATUS cli_posix_whoami(struct cli_state *cli,
/* The following definitions come from libsmb/clilist.c */
+NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
+ const struct file_info *finfo);
+
NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute,
NTSTATUS (*fn)(const char *, struct file_info *,
const char *, void *), void *state);
--
2.23.0.rc1.153.gdeed80330f-goog
From bfa8a5991b15f69168587b88dc2d81c172f7617c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 6 Aug 2019 12:08:09 -0700
Subject: [PATCH 2/2] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code
from evil server returned names.
Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/cli_smb2_fnum.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 535beaab841..3fa322c243b 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1442,6 +1442,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli,
goto fail;
}
+ /* Protect against server attack. */
+ status = is_bad_finfo_name(cli, finfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbXcli_conn_disconnect(cli->conn, status);
+ goto fail;
+ }
+
if (dir_check_ftype((uint32_t)finfo->mode,
(uint32_t)attribute)) {
/*
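Review bot: Neither patch in this series adds a test: the diffstats list only clilist.c, proto.h and cli_smb2_fnum.c, so nothing exercises a directory listing whose entries contain '/' or '\', and nothing guards against the check being dropped in a later refactor of cli_smb2_list(). A regression test against a server that returns such names, asserting NT_STATUS_INVALID_NETWORK_RESPONSE and a disconnected client, would cover both the SMB1 and SMB2 paths. The comment "Protect against server attack." could also name what is rejected, for example "Reject names containing path separators".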
--
2.23.0.rc1.153.gdeed80330f-goog