author | Karolin Seeger <kseeger@samba.org> | 2016-12-09 12:09:25 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2016-12-09 12:09:25 +0100 |
commit | 7ceb7d500cfb87f151f95e9d75a1d720b08fc825 (patch) | |
tree | 85201d97fe10b992508727329471e87654143253 | |
parent | 8512eed8e2fb7f16a884b659e381257745a669fd (diff) | |
WHATSNEW: Add release notes for Samba 4.3.13.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
-rw-r--r-- | WHATSNEW.txt | 86 |
1 files changed, 84 insertions, 2 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b03de04d8fb..310b5991fe7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,86 @@ ============================== + Release Notes for Samba 4.3.13 + December 19, 2016 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer + Overflow Remote Code Execution Vulnerability). +o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in + trusted realms). +o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege + elevation). + +======= +Details +======= + +o CVE-2016-2123: + The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, + leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name + parses data from the Samba Active Directory ldb database. Any user + who can write to the dnsRecord attribute over LDAP can trigger this + memory corruption. + + By default, all authenticated LDAP users can write to the dnsRecord + attribute on new DNS objects. This makes the defect a remote privilege + escalation. + +o CVE-2016-2125 + Samba client code always requests a forwardable ticket + when using Kerberos authentication. This means the + target server, which must be in the current or trusted + domain/realm, is given a valid general purpose Kerberos + "Ticket Granting Ticket" (TGT), which can be used to + fully impersonate the authenticated user or service. + +o CVE-2016-2126 + A remote, authenticated, attacker can cause the winbindd process + to crash using a legitimate Kerberos ticket due to incorrect + handling of the arcfour-hmac-md5 PAC checksum. + + A local service with access to the winbindd privileged pipe can + cause winbindd to cache elevated access permissions. + + +Changes since 4.3.12: +--------------------- + +o Volker Lendecke <vl@samba.org> + * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995. + +o Stefan Metzmacher <metze@samba.org> + * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers. 
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in + check_pac_checksum(). + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================== Release Notes for Samba 4.3.12 November 3, 2016 ============================== @@ -106,8 +188,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.3.11 |
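Review bot: The CVE-2016-2123 entry in the first hunk states the impact two different ways: the summary list titles it "Heap-based Buffer Overflow Remote Code Execution Vulnerability", while the Details paragraph concludes "This makes the defect a remote privilege escalation." Suggest using one impact statement in both places, or spelling out in Details how the two relate, so readers triaging the release see a single classification. The Details headings are also inconsistent: "o CVE-2016-2123:" carries a trailing colon, "o CVE-2016-2125" and "o CVE-2016-2126" do not. Finally, the CVE-2016-2125 paragraph describes only the pre-fix behaviour (client code "always requests a forwardable ticket"); the changelog line "Don't send delegated credentials to all servers" implies a behaviour change, and the notes should say what the client does after the upgrade so administrators who depend on delegation know what to verify.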