Blog

SAMBA+ 4.19.3-5 and SAMBA+ 4.18.9-9 have just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

Please see the release history here:

The fix for CVE-2018-14628, which is now part of the upstream 4.19.3 and 4.18.9 releases, was already included in SAMBA+ 4.19.2 and SAMBA+ 4.18.8. For completeness we describe once more how to apply the actual fix to the AD database. If you already did that along with the previous SAMBA+ update, you do not have to repeat the following steps.

Action required in order to resolve CVE-2018-14628

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. A typical question looks like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' 

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.


SAMBA+ 4.19.2-4 has just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

https://www.samba.org/samba/history/samba-4.19.2.html

In addition to the fixes from the release notes above, SAMBA+ also contains two additional notable fixes:

A fix for Kerberos User2User TGS-REQ, which may prevent users from retrieving tickets for themselves under certain conditions: https://bugzilla.samba.org/show_bug.cgi?id=15492

Even more important is the second additional change, which fixes the permissions of the Deleted Objects container (CVE-2018-14628). It is however required to run a command to fix the permissions, because the ACLs on the container will not be changed automatically. What you have to do to fix the permissions is this:

==================================================
Action required in order to resolve CVE-2018-14628
==================================================

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. A typical question looks like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.
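To help review what each flagged ACE actually grants before answering 'y', here is an added Python example (not part of SerNet's posts or of samba-tool) that parses the SDDL ACE strings from the dbcheck output quoted in both posts above, decodes their rights and trustees, and reproduces the "not present in the reference / current" comparison. The sample DACLs are constructed from the ACEs shown in that output only; the real provision default contains more entries.

```python
import re
from typing import Dict, List

# Two-letter SDDL access-right codes that appear in the dbcheck output above.
RIGHTS: Dict[str, str] = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Well-known SDDL SID abbreviations used by those ACEs.
TRUSTEES = {"SY": "Local System", "DA": "Domain Admins",
            "BA": "Builtin Administrators", "AU": "Authenticated Users"}
ACE_RE = re.compile(r"^\((\w+);(\w*);(\w*);([^;]*);([^;]*);([^)]+)\)$")

def parse_ace(ace: str) -> dict:
    """Split '(type;flags;rights;objguid;inhguid;sid)' and name the rights; reject unknown codes."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"not an SDDL ACE: {ace}")
    ace_type, _flags, rights, _obj, _inh, sid = m.groups()
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown right(s) {unknown} in {ace}")
    return {"type": ace_type, "rights": [RIGHTS[c] for c in codes],
            "trustee": TRUSTEES.get(sid, sid), "raw": ace}

def diff_dacl(reference: List[str], current: List[str]) -> Dict[str, List[str]]:
    """ACEs present on one side only, in dbcheck's terms; strings compared literally, order ignored."""
    for ace in reference + current:
        parse_ace(ace)  # fail early on malformed input
    ref, cur = set(reference), set(current)
    return {"not_in_reference": [a for a in current if a not in ref],
            "not_in_current": [a for a in reference if a not in cur]}

def report(reference: List[str], current: List[str]) -> List[str]:
    """Render the diff in dbcheck's wording, then decode each flagged ACE for the reviewer."""
    d = diff_dacl(reference, current)
    lines = [f"{a} ACE is not present in the reference" for a in d["not_in_reference"]]
    lines += [f"{a} ACE is not present in the current" for a in d["not_in_current"]]
    for p in map(parse_ace, d["not_in_reference"] + d["not_in_current"]):
        lines.append(f"    {p['trustee']}: {', '.join(p['rights'])}")
    return lines

# Constructed sample from the ACEs the dbcheck output above lists for CN=Deleted Objects.
# Only the differing entries are known, so the real provision default has more ACEs.
CURRENT_DACL = ["(A;;LCRPLORC;;;AU)", "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)", "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"]
REFERENCE_DACL = ["(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)", "(A;;LCRP;;;BA)"]

if __name__ == "__main__":
    print("\n".join(report(REFERENCE_DACL, CURRENT_DACL)))
```

The decoded lines make visible that the entry for AU in the current DACL grants Authenticated Users list and read access that the provision default only gives to Builtin Administrators.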

The next updates of the 4.17 and 4.18 SAMBA+ packages will also address CVE-2018-14628.

SAMBA+ packages are available as software subscriptions and can be purchased in the SAMBA+ shop. Detailed information and prices can be found at https://usdshop.samba.plus (currency: USD) or https://shop.samba.plus (currency: EUR). The new SAMBA+ packages are included in the existing subscriptions. If you have any further questions or would like to request a quote, please feel free to contact us.

SerNet Samba Team


SAMBA+ 4.19.1, 4.18.8 and 4.17.12 have just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now. Please note: These are security updates; packages should be deployed as soon as possible. These packages address several security related issues.

  • CVE-2023-3961 Unsanitized client pipe name passed to local_np_connect()
  • CVE-2023-4154 dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES"
  • CVE-2023-4091 Client can truncate file with read-only permissions
  • CVE-2023-42670 The procedure number is out of range when starting Active Directory Users and Computers
  • CVE-2023-42669 rpcecho, enabled and running in AD DC, allows blocking sleep on request

Additionally the 4.19.1 release includes fixes for:

  • Bug 15491: Heap buffer overflow with freshness tokens in the Heimdal KDC

SAMBA+ 4.19.0 has just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now. 

This is the first stable SAMBA+ release of the new Samba 4.19 release series. Please make sure to test thoroughly before upgrading and read the release notes carefully! The release notes, which contain information about changes and new features of the new major release, are available here: 

Also, SAMBA+ 4.18.7 was published, which is a bug fix release. You can find the details about this release here: 

With the new 4.19 release, Samba 4.18 has moved into "maintenance mode" and Samba 4.17 into "security fixes only mode". Samba 4.16 will not receive any updates beyond this point. The SAMBA+ 4.16 repositories will be disabled soon. Please update to a recent version of SAMBA+.

Please note: A bug was observed in the interaction between Active Directory domain controllers running mixed versions of Samba: if you upgrade just some DCs to 4.19 while others keep running 4.18 or older, those older versions hit an assert; see the detailed information on the bug. This is why we delayed our SAMBA+ 4.19 packages until we could publish fixed packages for 4.16, 4.17 and 4.18, too. If you want to install a 4.19 DC alongside other SAMBA+ DCs running versions older than 4.19, make sure to update them first to the latest fixed version of 4.18/4.17/4.16 that we released (4.18.7-9, 4.17.11-28 and 4.16.11-26). This does not affect member server installations.

The 4.16 packages will soon be removed from the server – SAMBA+ 4.17, 4.18 and 4.19 will be the supported release branches from now on. 

Details on upgrading to the new SAMBA+ version can be found in the SAMBA+ HowTo collection.


SAMBA+ 4.17.11 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:
https://www.samba.org/samba/history/samba-4.17.11.html

The process on how to access the SAMBA+ Software Packages has changed. Please consult our SAMBA+ HowTo to learn more. 

