SAMBA+
SerNet

Blog

SAMBA+ Security Releases 4.15.5, 4.14.12 and 4.13.17

New SAMBA+ 4.15.5, 4.14.12 and 4.13.17 packages have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issues:

  • CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share.
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.

Details are listed in the respective release notes for Samba 4.15.5, 4.14.12 and 4.13.17.

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.15.4 available

SAMBA+ 4.15.4 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

For the ARM platform, SerNet has already offered packages for Debian-based distributions, and now RPMs for RHEL 8-based distributions are also available for the ARM64/aarch64 platform.

These  updates address several issues, which are listed in the release notes for Samba 4.15.4.

Additionally the following issues are addressed in the SAMBA+ packages:

  • Bug 14867: printing fixes after the MS KB5006670 fixes

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ meta-data symlink vulnerabilities CVE-2021-43566 and CVE-2021-20316

SAMBA+ 4.13.16 has just been released. This is a security release that addresses CVE-2021-43566. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

All versions of the Samba file server prior to 4.15.0 are affected by CVE-2021-20316. Samba versions prior to 4.15.0 cannot be patched.

Please update affected systems as soon as possible. If possible upgrade to SAMBA+ 4.15, otherwise consult the release notes for possible mitigations for CVE-2021-20316.

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.14.11 and 4.13.15 published

The Samba Team at SerNet published SAMBA+ 4.14.11 and 4.13.15. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

Please note that the 'username map [script]' workaround, which was required for some setups after the release of 4.14.10 and 4.13.14
(CVE-2020-25717), is not required anymore. Detailed information is included in the CVE-2020-25717 announcement.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.15.3 is ready to download

SAMBA+ 4.15.3 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are
available now.

These packages address several issues, which are listed in the Samba 4.15.3 release notes.

Please note that the 'username map [script]' workaround, which was required for some setups after the release of 4.15.2 (CVE-2020-25717), is not required since the SAMBA+ 4.15.2-7 releases (deb and rpm packages) anymore. Detailed information is included in the CVE-2020-25717 announcement: 

Additionally the new 4.15.3 packages address the following issues:

  •   Bug 12449: Avoid recursion in the windows dns admin gui
  •   Bug 14927: sysvolcheck and sysvolreset don't handle deny ACEs

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

Contact us
Contact
Deutsch English Français