Blog

SAMBA+ 4.12.4, 4.11.11 and 4.10.17 packages have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.

The packages address the following issues:

• CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results.

  A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer de-reference and further combinations with the LDAP paged_results feature can give a use-after-free in Samba's AD DC LDAP server.

• CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU.

  Compression of replies to NetBIOS over TCP/IP name resolution and DNS packets (which can be supplied as UDP requests) can be abused to consume excessive amounts of CPU on the Samba AD DC (only).

• CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV.

  The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free.

• CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

  The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet to port 137.

SAMBA+ 4.12.5 packages will be available soon.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SerNet-GnuTLS 3.6.14 has just been released. SAMBA+ 4.12.3 packages on various SUSE and Red Hat platforms depend on a recent version of GnuTLS, which is provided by the sernet-gnutls packages.

The sernet-gnutls package is part of the SAMBA+ repositories for the following distributions:

• RHEL6 - Red Hat Enterprise Linux 6
• CentOS 6
• Oracle Linux 6
• RHEL7 - Red Hat Enterprise Linux 7
• CentOS 7
• Oracle Linux 7
• SLES11 - SUSE Linux Enterprise Server 11
• SLES12 - SUSE Linux Enterprise Server 12
• openSUSE Leap 42

The new sernet-gnutls packages address the GnuTLS security issue CVE-2020-13777:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13777

and include an additional patch to solve a memory (RAM) consuming bug:

• Bug 14399 - Server RAM filling up when writing to share from macOS
  https://bugzilla.samba.org/show_bug.cgi?id=14399

The new SAMBA+ 4.12.3 for AIX 7 does also include the recently patched GnuTLS version.

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.12.3 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu are available now.

These packages address a lot of issues, which are listed in the Samba 4.12.3 release notes.

Additionally fixes for the following issues are included:

• Bug 14382: Use-after-free in winbind
  https://bugzilla.samba.org/show_bug.cgi?id=14382

• Bug 11990: dnsserver: correctly set rpc flag for reverse zone
  https://bugzilla.samba.org/show_bug.cgi?id=11990

• Bug 9869: Use function level 2008_R2 for domain classicupgrade
  https://bugzilla.samba.org/show_bug.cgi?id=9869

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ software packages from the 4.12 release series are now available for Ubuntu 20.04 LTS (Focal Fossa).

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. New SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.12.2, 4.11.8 and 4.10.15 packages have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.

The packages address the following issues:

• CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ

  A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server.

• CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC

  A deeply nested filter in an un-authenticated LDAP search can exhaust the LDAP server's stack memory causing a SIGSEGV.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.