SAMBA+ 4.11.5, 4.10.12 and 4.9.18 packages have just been released by SerNet. These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.
The packages address the following issues:
- CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers.
- CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
When processing untrusted string input, Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs.
- CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
During DNS zone scavenging (of expired dynamic entries), memory is read after it has been freed.
SAMBA+ Long Term Support packages 4.8.12-25.lts.4, 4.7.12-21.lts.6 and 4.6.16-17.lts.8, which include these fixes, are also available now.
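A quick way to tell whether an installed package is at or past the fixed versions named above, as an added example that is not part of the SerNet announcement: the script below takes a version string (for instance the output of `smbd -V`, or a `name-version-release` style string as printed by a package manager; these input formats are assumptions) and compares the upstream version with the fixed 4.9, 4.10 and 4.11 releases, or the package version-release with the LTS packages, ignoring the trailing `.lts.N` part. All sample strings in the usage below are constructed.

```shell
#!/bin/sh
# Added example (not SerNet's code): compare a Samba version string with the
# fixed versions from this announcement. Prints FIXED, VULNERABLE or UNKNOWN
# and returns 0, 1 or 2 respectively.
# Usage: sh samba_check.sh "$(smbd -V)"   (the smbd -V output format is assumed)

# Minimum fixed upstream version per supported branch (from the announcement).
fixed_for_branch() {
  case "$1" in
    4.11) printf '%s\n' 4.11.5 ;;
    4.10) printf '%s\n' 4.10.12 ;;
    4.9)  printf '%s\n' 4.9.18 ;;
    *)    return 1 ;;
  esac
}

# Minimum fixed SAMBA+ LTS package version-release per branch (from the
# announcement); the ".lts.N" suffix of the package version is not compared.
lts_fixed_for_branch() {
  case "$1" in
    4.8) printf '%s\n' 4.8.12-25 ;;
    4.7) printf '%s\n' 4.7.12-21 ;;
    4.6) printf '%s\n' 4.6.16-17 ;;
    *)   return 1 ;;
  esac
}

# Numeric field-by-field comparison of versions like 4.11.5 or 4.8.12-25.
# Missing fields count as 0, so 4.10.12-3 compares as newer than 4.10.12.
# Prints -1, 0 or 1.
vercmp() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  i=1
  while :; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
}

# Pull "X.Y.Z" or "X.Y.Z-R" out of strings such as "Version 4.11.4-SerNet-..."
# or "samba-4.8.12-24.lts.4.el7" (constructed formats), pick the branch, and
# compare with the fixed version for that branch.
samba_status() {
  v=$(printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.-].*$//' -e 's/[.-]*$//')
  branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
  if want=$(fixed_for_branch "$branch"); then
    :
  elif want=$(lts_fixed_for_branch "$branch"); then
    :
  else
    printf '%s\n' UNKNOWN
    return 2
  fi
  case "$(vercmp "$v" "$want")" in
    -1) printf '%s\n' VULNERABLE; return 1 ;;
    *)  printf '%s\n' FIXED; return 0 ;;
  esac
}

# Run on a version string given as the first argument, e.g. "$(smbd -V)".
if [ $# -gt 0 ]; then
  samba_status "$1"
fi
```

The branch is taken from the first two version fields, so a 4.5 or older package (no longer covered by these packages) reports UNKNOWN rather than FIXED; only a result of FIXED means the version is at or above one listed in this announcement.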
SAMBA+ packages and all later versions are available as a software subscription. They can be purchased at the SAMBA+ shop; detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed on our platform OPOSSO (https://oposso.samba.plus), where users can activate their subscriptions and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.