Blog

SAMBA+ 4.18.5, 4.17.10 and 4.16.11 have just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now. Please note: These are security updates; packages should be deployed as soon as possible.

These packages address several security-related issues:

  • CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it.
  • CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.
  • CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process. 
  • CVE-2023-34968: As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files and directories in search results.

An update for SAMBA+ 4.18.4, 4.16.10 and 4.17.9 has been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu are available now.

These packages address the following issue:

  • Bug 15418 - secure channel faulty since Windows 10/11 update 07/2023
    The recently released Windows Update KB5028185/KB5028166 (July 11, 2023) breaks the client authentication against Samba AD DCs. 

The recently released Windows Update KB5028185/KB5028166 (July 11, 2023) breaks the client authentication against Samba AD DCs. Other implications are possible but require further investigation. The Samba Team and SerNet are already working on a solution. We will provide SAMBA+ updates as soon as we have a fix.

Update: A fix for Samba 4.18.4 is already implemented and an update is available.


SAMBA+ 4.18.4 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes for Samba 4.18.4.

Additionally, this release includes fixes for:

  • Bug 15275 - smbd_scavenger crashes when service smbd is stopped
  • Bug 15416 - cldap_ping_list doesn't reset num_requests to 0 on retry


The fix for the following issue was already included in the previous SAMBA+ release:

  • Bug 15381 - Register Samba processes with GPFS  

An update for SAMBA+ 4.18.3 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address the following issues:

  • Bug 15381 - Register Samba processes with GPFS
    Fixes broken special handling of smbd processes accessing the GPFS file system.
  • smbd: Avoid jumping back using dptr_SeekDir() for SMB2 readdirs
    Fixes possible error in directory content listing.
  • vfs_aio_pthread: don't crash without a pthreadpool
    Avoid crash in aio_pthread vfs module.
