From fb5d78cfa064ac76826bc92c61c4a2f4a252c00b Mon Sep 17 00:00:00 2001
From: Karolin Seeger <kseeger@samba.org>
Date: Mon, 26 Nov 2018 09:42:44 +0100
Subject: WHATSNEW: Add release notes for Samba 4.7.12.

o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
                   Internal DNS server)
o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
                   configuration (unsupported))

Signed-off-by: Karolin Seeger <kseeger@samba.org>
---
 WHATSNEW.txt | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 101 insertions(+), 2 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e3da5bfadb5..be9dc7e56c3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,102 @@
+                   ==============================
+                   Release Notes for Samba 4.7.12
+                          November 27, 2018
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
+                   Internal DNS server)
+o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
+o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
+o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
+                   configuration (unsupported))
+
+
+=======
+Details
+=======
+
+o  CVE-2018-14629:
+   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
+   query recursion caused by CNAME loops. Any dns record can be added via
+   ldap by an unprivileged user using the ldbadd tool, so this is a
+   security issue.
+
+o  CVE-2018-16841:
+   When configured to accept smart-card authentication, Samba's KDC will call
+   talloc_free() twice on the same memory if the principal in a validly signed
+   certificate does not match the principal in the AS-REQ.
+
+   This is only possible after authentication with a trusted certificate.
+
+   talloc is robust against further corruption from a double-free with
+   talloc_free() and directly calls abort(), terminating the KDC process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16851:
+   During the processing of an LDAP search before Samba's AD DC returns
+   the LDAP entries to the client, the entries are cached in a single
+   memory object with a maximum size of 256MB.  When this size is
+   reached, the Samba process providing the LDAP service will follow the
+   NULL pointer, terminating the process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16853:
+   A user in a Samba AD domain can crash the KDC when Samba is built in the
+   non-default MIT Kerberos configuration.
+
+   With this advisory we clarify that the MIT Kerberos build of the Samba
+   AD DC is considered experimental.  Therefore the Samba Team will not
+   issue security patches for this configuration.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.7.11:
+--------------------
+
+o  Andrew Bartlett <abartlet@samba.org>
+   * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
+     mis-matching principal.
+   * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
+     Kerberos is experimental
+
+o  Aaron Haslett <aaronhaslett@catalyst.net.nz>
+   * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.
+
+o  Garming Sam <garming@catalyst.net.nz>
+   * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.7.11
                           October 23, 2018
@@ -60,8 +159,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.7.10
-- 
cgit v1.2.1