SAMBA+ 4.17.2, 4.16.6 and 4.15.11 have just been released. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.
The 4.17.2 packages address the following issues:
CVE-2022-3437: Buffer overflow in Heimdal unwrap_des3(): There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
CVE-2022-3592: Wide links protection broken: A malicious client can use a symlink to escape the exported directory.
Samba 4.16 and 4.15 are not affected by CVE-2022-3592, the packages address CVE-2022-3437.
The 4.15.11 packages additionally address the following issues:
Bug 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Bug 15202: writev epoll_wait cpu-spinning in the LDAP server
SAMBA+ 4.15.10 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.
SAMBA+ 4.17.0 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu are available now. SAMBA+ 4.17 for AIX will follow soon.
This is the first stable SAMBA+ release of the new Samba 4.17 release series. Please make sure to test thoroughly before upgrading and read the release notes carefully! The release notes, which contain information about changes and new features of the new major release, are available here:
With the new 4.17 release Samba 4.16 has been turned into the "maintenance mode" and Samba 4.15 into the "security fixes only mode". Samba 4.14 will not receive any updates beyond this point. The SAMBA+ 4.14 repositories will be disabled soon. Please update to a more recent version of SAMBA+.
Details on upgrading can be found in the SAMBA+ HowTo collection:
SAMBA+ 4.16.5 has been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.
These package updates address several issues, which are listed in the release notes:
In addition, this SAMBA+ release also fixes a problem with recent versions of Microsoft Azure AD Connect tool, which was preventing password synchronization.
Our AIX Samba packages additionally fix a problem with the "net ads keytab create" command.
New updated SAMBA+ 4.16.3-*, 4.15.8-* and 4.14.13-* packages have just been released (the exact version numbers are listed below). These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.
The packages address the following issues:
CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords.
CVE-2022-32744: Samba AD users can forge password change requests for any user.
CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request.
CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
CVE-2022-32742: Server memory information leak via SMB1.
The first versions with the fixes:
(SuSE, RedHat, ...): 4.16.3-18, 4.15.8-15 and 4.14.13-16
Debian/Ubuntu: 4.16.3-18, 4.15.8-16 and 4.14.13-16
AIX: 4.16.3-2, 4.15.8-6 and 4.14.13-11
Packages with the official 4.16.4, 4.15.9 and 4.14.14 upstream releases will follow in the next days.