SAMBA+ 4.9.3, 4.8.7 and 4.7.12 packages have just been released by SerNet. These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.
The packages address the following issues:
- CVE-2018-14629 Unprivileged adding of CNAME record causing loop in AD Internal DNS server
- CVE-2018-16841 Double-free in Samba AD DC KDC with PKINIT
- CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
- CVE-2018-16852 NULL pointer de-reference in Samba AD DC DNS servers
- CVE-2018-16857 Bad password count in AD DC not always effective
Samba 4.9.3 addresses all CVEs listed above. Samba 4.8.7 and 4.7.12 address all of them except CVE-2018-16852 and CVE-2018-16857.
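To turn the branch-by-branch fix list above into something an administrator can run against an inventory, here is an added Python example (it is not part of the SerNet announcement and not SerNet or Samba project code). It parses the `Version x.y.z` string that `smbd --version` prints (the SerNet-specific suffix such as `-SerNet-RedHat-12.el7` is an assumed, constructed example), compares it with the fixed release for the installed branch, and lists which of the announced CVEs the installed version does not yet address according to this announcement. Branches other than 4.7, 4.8 and 4.9 are reported as not covered rather than assumed safe or unsafe, since the announcement says nothing about them.

```python
import re

# Fixed releases per stable branch, exactly as stated in the announcement.
FIXED_VERSION = {
    (4, 9): (4, 9, 3),
    (4, 8): (4, 8, 7),
    (4, 7): (4, 7, 12),
}

# CVEs addressed by these releases (announcement order).
ALL_CVES = [
    "CVE-2018-14629",  # CNAME loop in AD internal DNS
    "CVE-2018-16841",  # double-free in AD DC KDC with PKINIT
    "CVE-2018-16851",  # NULL deref in AD DC LDAP server
    "CVE-2018-16852",  # NULL deref in AD DC DNS servers
    "CVE-2018-16857",  # bad password count not always effective
]

# Per the announcement, 4.8.7 and 4.7.12 address all issues except these two.
NOT_ADDRESSED_IN_OLDER_BRANCHES = {"CVE-2018-16852", "CVE-2018-16857"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a string such as
    'Version 4.8.5-SerNet-RedHat-12.el7' (constructed format), or None
    if no x.y.z triple is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Classify one installed Samba version against the announcement.

    Returns a dict with:
      version    -- parsed (major, minor, patch) or None
      covered    -- True if the branch is one of 4.7 / 4.8 / 4.9
      fixed      -- True if the version is at or past the branch's fix release
      unaddressed-- CVEs from the list that this version does not address,
                    according to the announcement (empty if unknown branch)
    """
    ver = parse_version(version_text)
    if ver is None:
        return {"version": None, "covered": False, "fixed": False, "unaddressed": []}
    branch = ver[:2]
    fixed_in = FIXED_VERSION.get(branch)
    if fixed_in is None:
        # The announcement makes no statement about other branches.
        return {"version": ver, "covered": False, "fixed": False, "unaddressed": []}
    if ver < fixed_in:
        # Before the branch's fix release every listed CVE is outstanding.
        return {"version": ver, "covered": True, "fixed": False,
                "unaddressed": list(ALL_CVES)}
    if branch == (4, 9):
        unaddressed = []
    else:
        unaddressed = [c for c in ALL_CVES if c in NOT_ADDRESSED_IN_OLDER_BRANCHES]
    return {"version": ver, "covered": True, "fixed": True, "unaddressed": unaddressed}


def scan_inventory(entries):
    """Apply assess() to a mapping of hostname -> version string."""
    return {host: assess(text) for host, text in entries.items()}


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "dc1.example.test": "Version 4.9.2-SerNet-RedHat-11.el7",
    "dc2.example.test": "Version 4.9.3-SerNet-RedHat-12.el7",
    "file1.example.test": "Version 4.8.7-SerNet-Debian-9",
    "legacy.example.test": "Version 4.6.16-SerNet-SUSE-3",
}

if __name__ == "__main__":
    for host, result in scan_inventory(SAMPLE_INVENTORY).items():
        if not result["covered"]:
            print(f"{host}: {result['version']} not covered by this announcement")
        elif result["unaddressed"]:
            print(f"{host}: {result['version']} still lacks {', '.join(result['unaddressed'])}")
        else:
            print(f"{host}: {result['version']} addresses all listed CVEs")
```

Feed it the output of `smbd --version` from each host; a 4.9.x host below 4.9.3 is reported as missing all five CVEs, while a host on 4.8.7 or 4.7.12 is reported as still lacking the two CVEs the announcement says those releases do not address.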
The SAMBA+ binary packages are not affected by the following issue, which is part of the Samba security releases:
- CVE-2018-16853 Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration
SAMBA+ packages and all later versions are available as a software subscription. They can be purchased at the SAMBA+ shop; detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed on our platform OPOSSO (https://oposso.samba.plus), where users can activate their subscriptions and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.