From patchwork Mon Dec 18 17:29:02 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7404
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] samba: Update to version 4.19.3
Date: Mon, 18 Dec 2023 18:29:02 +0100
Message-ID: <20231218172911.2531726-11-adolf.belka@ipfire.org>
In-Reply-To: <20231218172911.2531726-1-adolf.belka@ipfire.org>
References: <20231218172911.2531726-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 4.19.2 to 4.19.3
- Update of rootfile not required
- I don't believe that the CVE from this version will affect IPFire users as
  Samba on IPFire is not run as an Active Directory Domain Controller. That
  functionality was removed some time ago.
- Changelog
    4.19.3
        This is the latest stable release of the Samba 4.19 release series.
        It contains the security-relevant bugfix CVE-2018-14628:
        Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read
        of object tombstones over LDAP (Administrator action required!)
        https://www.samba.org/samba/security/CVE-2018-14628.html

        Description of CVE-2018-14628
        All versions of Samba from 4.0.0 onwards are vulnerable to an
        information leak (compared with the established behaviour of
        Microsoft's Active Directory) when Samba is an Active Directory
        Domain Controller. When a domain was provisioned with an unpatched
        Samba version, the ntSecurityDescriptor is simply inherited from
        Domain/Partition-HEAD-Object instead of being very strict (as on a
        Windows provisioned domain).
        This means also non privileged users can use the
        LDAP_SERVER_SHOW_DELETED_OID control in order to view the names and
        preserved attributes of deleted objects. No information that was
        hidden before the deletion is visible, but with the correct
        ntSecurityDescriptor value in place the whole object is also not
        visible without administrative rights.

        There is no further vulnerability associated with this error, merely
        an information disclosure.

        Action required in order to resolve CVE-2018-14628!
        The patched Samba does NOT protect existing domains!
        The administrator needs to run the following command (on only one
        domain controller) in order to apply the protection to an existing
        domain:

          samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

        The above requires manual interaction in order to review the changes
        before they are applied. Typical questions look like this:

          Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
                  Owner mismatch: SY (in ref) DA(in current)
                  Group mismatch: SY (in ref) DA(in current)
                  Part dacl is different between reference and current here is the detail:
                          (A;;LCRPLORC;;;AU) ACE is not present in the reference
                          (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                          (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                          (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                          (A;;LCRP;;;BA) ACE is not present in the current
           [y/N/all/none] y
          Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

        The change should be confirmed with 'y' for all objects starting with
        'CN=Deleted Objects'.

    Changes since 4.19.2
        * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
        * BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set.
        * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor().
        * BUG 15499: Improve logging for failover scenarios.
        * BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories.
        * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users.
        * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal accounts.
        * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
        * BUG 15513: Samba doesn't build with Python 3.12

Signed-off-by: Adolf Belka
---
 lfs/samba | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/samba b/lfs/samba index 2f2184ecc..7ebac8ded 100644 --- a/lfs/samba +++ b/lfs/samba @@ -24,7 +24,7 @@ include Config -VER = 4.19.2 +VER = 4.19.3 SUMMARY = A SMB/CIFS File, Print, and Authentication Server THISAPP = samba-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = samba -PAK_VER = 97 +PAK_VER = 98 DEPS = avahi cups perl-Parse-Yapp perl-JSON @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = cb3747f1be6e712c6e68f3720e68aee7db2e4dcc48a9210d002337d6690ed8b027919f333dc4a7c1e74b716ebceeff1d8071463899513edfe51da967d71d8148 +$(DL_FILE)_BLAKE2 = f83af3b50d795bdc4a250fe96040721150acc3b8effddd473e3cfa3ef6eeec99928b1307a18a472be45049e1d0b74650b9f6dd4bf5c434277c94ab88cb493b3b install : $(TARGET)
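Review bot: the PAK_VER hunk (97 -> 98) is what pushes the rebuilt package to systems that already have samba installed, and the diff touching only lfs/samba matches the commit message's "Update of rootfile not required"; still, a point release can add or drop installed files, so please confirm the rootfile was actually compared against a 4.19.3 install tree rather than assumed unchanged.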
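Review bot: the new $(DL_FILE)_BLAKE2 value in the third hunk cannot be verified from the diff alone, so please state in the commit message that it was computed from the samba-4.19.3 tarball after checking the upstream GPG signature; otherwise reviewers are trusting a hash that pins whatever file happened to be downloaded, which defeats the purpose of the checksum in lfs/samba.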
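To make the dbcheck report quoted in the commit message concrete, here is an added example (not Samba's or the patch's code) that parses the two SDDL descriptors dbcheck compares for CN=Deleted Objects, reproduces its owner/group/ACE mismatch list, and shows which trustee the inherited descriptor lets list and read tombstones. The two descriptors are constructed from the ACEs shown in the output above and assume two-letter SID aliases only.

```python
"""Added example (not Samba's or the patch's code): parse the SDDL security
descriptors that samba-tool dbcheck compares for CN=Deleted Objects and
show why the inherited one lets non-privileged users read tombstones."""
import re

# Sample descriptors CONSTRUCTED from the ACEs quoted in the dbcheck output
# above; real descriptors carry more ACEs and SDDL flags than shown here.
INHERITED_SD = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")
PROVISION_DEFAULT_SD = ("O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)"
                        "(A;;LCRP;;;BA)")

HEADER_RE = re.compile(r"O:(?P<owner>[A-Z]{2})G:(?P<group>[A-Z]{2})D:")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sd(sddl):
    """Return (owner, group, {(type, flags, rights, trustee)}) for a descriptor."""
    hdr = HEADER_RE.match(sddl)
    if not hdr:
        raise ValueError("expected O:..G:..D: prefix with two-letter aliases")
    aces = set()
    for ace in ACE_RE.findall(sddl):
        ace_type, flags, rights, _obj, _inh_obj, trustee = ace.split(";")[:6]
        if rights.startswith("0x") or len(rights) % 2:
            raise ValueError("only two-letter right codes handled: " + rights)
        codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
        aces.add((ace_type, flags, codes, trustee))
    return hdr.group("owner"), hdr.group("group"), aces


def diff_sd(current, reference):
    """Mirror dbcheck's report: owner/group mismatch and ACEs on one side only."""
    c_owner, c_group, c_aces = parse_sd(current)
    r_owner, r_group, r_aces = parse_sd(reference)
    return {
        "owner_mismatch": c_owner != r_owner,
        "group_mismatch": c_group != r_group,
        "not_in_reference": sorted(a[3] for a in c_aces - r_aces),
        "not_in_current": sorted(a[3] for a in r_aces - c_aces),
    }


def can_list_and_read(sddl, trustee):
    """True if an allow ACE gives the trustee LC (list children) and RP (read
    property): enough to enumerate tombstones with LDAP_SERVER_SHOW_DELETED_OID."""
    _, _, aces = parse_sd(sddl)
    return any(t == "A" and {"LC", "RP"} <= r and who == trustee
               for t, _, r, who in aces)
```

Running `diff_sd(INHERITED_SD, PROVISION_DEFAULT_SD)` yields the same mismatches dbcheck prints, and `can_list_and_read(INHERITED_SD, "AU")` is true while it is false for the provision default, which is the whole information leak in one line.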