Blog

Updated SAMBA+ 4.16.3-*, 4.15.8-* and 4.14.13-* packages have just been released (the exact version numbers are listed below). These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issues:

  • CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords.
  • CVE-2022-32744: Samba AD users can forge password change requests for any user.
  • CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request.
  • CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
  • CVE-2022-32742: Server memory information leak via SMB1.

The first versions with the fixes:

  • (SUSE, Red Hat, ...): 4.16.3-18, 4.15.8-15 and 4.14.13-16
  • Debian/Ubuntu: 4.16.3-18, 4.15.8-16 and 4.14.13-16
  • AIX: 4.16.3-2, 4.15.8-6 and 4.14.13-11

Packages with the official 4.16.4, 4.15.9 and 4.14.14 upstream releases will follow in the next few days.


SAMBA+ 4.16.3 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These package updates address several issues, which are listed in the release notes:


The Samba Team at SerNet has just released SAMBA+ 4.15.8. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

There are also 4.15.8 packages available for RHEL 9, CentOS Stream 9, AlmaLinux 9 and the upcoming Rocky Linux 9 and Oracle Linux 9 releases.


SAMBA+ 4.16.2 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

There are now also packages available for RHEL 9 and the upcoming Rocky Linux 9, AlmaLinux 9, Oracle Linux 9 releases.

These package updates address several issues, which are listed in the release notes:


SAMBA+ 4.16.1 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now. This is the first stable SAMBA+ release of the new Samba 4.16 release series. Please make sure to test thoroughly before upgrading and read the release notes carefully! Details on upgrading can be found in the SAMBA+ HowTo collection.

The release notes, which contain information about changes and new features of the new major release, are available here:

   https://www.samba.org/samba/history/samba-4.16.0.html

A particular point to emphasize is the following:

  • New samba-dcerpcd binary to provide DCERPC in the member server setup
    This novel development found its way into upstream Samba thanks to Volker Lendecke, long-time Samba Team member and co-founder of SerNet. He has been working on this for a long time, and by creating the new samba-dcerpcd binary he made it possible to use DCERPC services independently of smbd. This opens up new standalone usage scenarios for DCERPC outside the Samba framework, e.g. samba-dcerpcd can be used with the Linux kernel SMB2 server ksmbd or other SMB2 server implementations.

Another important point:

  • SSSD compatibility
    SAMBA+ 4.16 packages for Red Hat and SUSE based platforms can now be used in combination with the System Security Services Daemon (SSSD), even with SSSD as a member of an Active Directory domain. Please note that SerNet still strongly recommends not using SSSD on file server setups, since this has some limitations and complicates the server configuration.

    In this context, additional RPM packages have been added and package dependencies have changed. On usual setups the sernet-samba-common-private package will require sernet-samba-common. In combination with SSSD, sernet-samba-common-private requires Red Hat's or SUSE's samba-common package.

    The sernet-samba-python package has been renamed to sernet-samba-python3, which depends on sernet-samba-python3-private. Usual setups just require the new sernet-samba-python3-private package. If you are running your own or third-party scripts that make use of sernet-samba's Python modules, you can install the sernet-samba-python package to make the modules available in the standard (site-packages) library path.

The new packages also address the issues listed in the Samba 4.16.1 release notes:

   https://www.samba.org/samba/history/samba-4.16.1.html

and the following additional issues:

  • Bug 15050: smbclient no longer can connect to Azure
  • Bug 14054: Kerberos Pre-Authentication updates badPwdCount for the 2 newest passwords in the history and results in ACCOUNT_LOCKED_OUT
  • Bug 14125: As kerberos service/acceptor we may not accept tickets with our previous machine password 
  • Bug 12907: pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains with more than 1 hop between server and user realm

GNOME Tracker support has been removed from Samba's macOS Spotlight service. SerNet recommends using the more scalable Elasticsearch backend. The content of the sernet-samba-spotlight package has been merged into the sernet-samba package.

With the new 4.16 release, Samba 4.15 has moved into "maintenance mode" and Samba 4.14 into "security fixes only mode". Samba 4.13 will not receive any updates beyond this point. The SAMBA+ 4.13 repositories will be disabled soon. Please update to a more recent version of SAMBA+. If you need assistance updating, have a look at our support services.

As another choice, mainly of interest for OEMs, SerNet offers an on-demand Long Term Support (LTS) option, prolonging the time span for security updates.

