SAMBA+ 4.13.16 has just been released. This is a security release that addresses CVE-2021-43566. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.
All versions of the Samba file server prior to 4.15.0 are affected by CVE-2021-20316. Samba versions prior to 4.15.0 cannot be patched.
- CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share.
  https://www.samba.org/samba/security/CVE-2021-43566.html
- CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share.
  https://www.samba.org/samba/security/CVE-2021-20316.html
Please update affected systems as soon as possible. If possible upgrade to SAMBA+ 4.15, otherwise consult the release notes for possible mitigations for CVE-2021-20316.
SAMBA+ packages are available as a software subscription. They can be purchased at the SAMBA+ shop; detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed on our platform OPOSSO (https://oposso.samba.plus), where users can activate their subscriptions and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.