From patchwork Thu Nov 30 11:11:47 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka <adolf.belka@ipfire.org>
X-Patchwork-Id: 7369
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature ECDSA (secp384r1) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4SgtnL2vwMz3wvB
	for <patchwork@web04.haj.ipfire.org>; Thu, 30 Nov 2023 11:12:06 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature ECDSA (secp384r1) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4SgtnG4C9Zz1TL;
	Thu, 30 Nov 2023 11:12:02 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4SgtnG2GRpz30RT;
	Thu, 30 Nov 2023 11:12:02 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Sgtn33zWhz2xJm
	for <development@lists.ipfire.org>; Thu, 30 Nov 2023 11:11:51 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4Sgtn213Clz1Ss;
	Thu, 30 Nov 2023 11:11:50 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1701342710;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=xq8J0wDwYlUle/bAL/6LPCLZ5U1pguKF27AalQEOZKA=;
	b=wG8LsiI9vyEOEMCk/jOII5cU2UDp6sIlYS7vLoO6zElQV6WIQ7UDaU3q2n7RMl+SaylgQT
	B0TGP45CII4tidDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1701342710;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=xq8J0wDwYlUle/bAL/6LPCLZ5U1pguKF27AalQEOZKA=;
	b=LPlZuwmiX9go8kX3EvmtyjqX/3P7AZCi3+zP0c0e0pDaBPQluHitljtcVkqmkI7a6Y0Sp+
	Q0ry55zdg9wVhYCTvNOUAe1xf1SUgFV+zPJz5VexZ1M7prZ3ZMdAVthYlq98+rLV7xK2Lb
	Czupd4BePSp524BWPLJ1HxGtYxjxDjgIVY9AtpPxGisNDlWwO9h48h7fKezim90+HQCpx7
	MHAn7ifY4DMnSoL8wURGo5OOQIbkx5uGU22pIc/8H7yfVc1d9EGmJ0GtNkMC4SP9YEdEt2
	mr3zjTh3e9qG1LqoknXHuhZAut6gbHRKjAC5ubN3nGbpvH627Qe5X//DitkuiQ==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] samba: Update to version 4.19.3
Date: Thu, 30 Nov 2023 12:11:47 +0100
Message-ID: <20231130111147.170145-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: CWJHWGS5OCJT6Q5GI65VYXZB5W6LAARE
X-Message-ID-Hash: CWJHWGS5OCJT6Q5GI65VYXZB5W6LAARE
X-MailFrom: adolf.belka@ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/CWJHWGS5OCJT6Q5GI65VYXZB5W6LAARE/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

- IPFire-3.x
- Upfate from version 4.19.0 to 4.19.3
- Changelog
    4.19.3
	This is the latest stable release of the Samba 4.19 release series.
	It contains the security-relevant bugfix CVE-2018-14628:
	    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
	    allow read of object tombstones over LDAP
	    (Administrator action required!)
	    https://www.samba.org/samba/security/CVE-2018-14628.html
	Description of CVE-2018-14628
	All versions of Samba from 4.0.0 onwards are vulnerable to an
	 information leak (compared with the established behaviour of
	 Microsoft's Active Directory) when Samba is an Active Directory Domain
	 Controller.
	When a domain was provisioned with an unpatched Samba version,
	 the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
	 instead of being very strict (as on a Windows provisioned domain).
	This means also non privileged users can use the
	 LDAP_SERVER_SHOW_DELETED_OID control in order to view,
	 the names and preserved attributes of deleted objects.
	No information that was hidden before the deletion is visible, but in
	 with the correct ntSecurityDescriptor value in place the whole object
	 is also not visible without administrative rights.
	There is no further vulnerability associated with this error, merely an
	 information disclosure.
	Action required in order to resolve CVE-2018-14628!
	The patched Samba does NOT protect existing domains!
	The administrator needs to run the following command
	(on only one domain controller)
	in order to apply the protection to an existing domain:
	  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
	The above requires manual interaction in order to review the
	changes before they are applied. Typicall question look like this:
	  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
	        Owner mismatch: SY (in ref) DA(in current)
	        Group mismatch: SY (in ref) DA(in current)
	        Part dacl is different between reference and current here is the detail:
	                (A;;LCRPLORC;;;AU) ACE is not present in the reference
	                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
	                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
	                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
	                (A;;LCRP;;;BA) ACE is not present in the current
	   [y/N/all/none] y
	  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
	The change should be confirmed with 'y' for all objects starting with
	'CN=Deleted Objects'.
    4.19.2
	o  Jeremy Allison <jra@samba.org>
	   * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
	     after failed IPC FSCTL_PIPE_TRANSCEIVE.
	   * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
	     call.
	o  Ralph Boehme <slow@samba.org>
	   * BUG 15463: macOS mdfind returns only 50 results.
	o  Volker Lendecke <vl@samba.org>
	   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
	     previous cache entry value.
	o  Stefan Metzmacher <metze@samba.org>
	   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
	     impacts sendmail, zabbix, potentially more.
	o  Martin Schwenke <mschwenke@ddn.com>
	   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
	o  Joseph Sutton <josephsutton@catalyst.net.nz>
	   * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
	     Heimdal KDC in Samba 4.19
	   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
	     in use.
    4.19.1
	This is a security release in order to address the following defects:
	o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
	                  existing unix domain sockets on the file system.
	                  https://www.samba.org/samba/security/CVE-2023-3961.html
	o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
	                  OVERWRITE disposition when using the acl_xattr Samba VFS
	                  module with the smb.conf setting
	                  "acl_xattr:ignore system acls = yes"
	                  https://www.samba.org/samba/security/CVE-2023-4091.html
	o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
	                  attributes, including secrets and passwords.  Additionally,
	                  the access check fails open on error conditions.
	                  https://www.samba.org/samba/security/CVE-2023-4154.html
	o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                          server block for a user-defined amount of time, denying
	                  service.
	                  https://www.samba.org/samba/security/CVE-2023-42669.html
	o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
	                  listeners, disrupting service on the AD DC.
	                  https://www.samba.org/samba/security/CVE-2023-42670.html

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 samba/samba.nm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samba/samba.nm b/samba/samba.nm
index 205439fea..a97809d3f 100644
--- a/samba/samba.nm
+++ b/samba/samba.nm
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = samba
-version    = 4.19.0
+version    = 4.19.3
 release    = 1
 
 groups     = Networking/Daemons