From 2b9cb935ccb1fa894e2106a4fbc662f43d6a2cbc Mon Sep 17 00:00:00 2001
From: Karolin Seeger
Date: Fri, 9 Dec 2016 10:59:27 +0100
Subject: [PATCH] WHATSNEW: Add release notes for Samba 4.4.8.

Signed-off-by: Karolin Seeger
---
 WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 84 insertions(+), 2 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7268196fed8..1fee16bae43 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@ ============================= + Release Notes for Samba 4.4.8 + December 19, 2016 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer + Overflow Remote Code Execution Vulnerability). +o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in + trusted realms). +o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege + elevation). + +======= +Details +======= + +o CVE-2016-2123: + The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, + leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name + parses data from the Samba Active Directory ldb database. Any user + who can write to the dnsRecord attribute over LDAP can trigger this + memory corruption. + + By default, all authenticated LDAP users can write to the dnsRecord + attribute on new DNS objects. This makes the defect a remote privilege + escalation. + +o CVE-2016-2125 + Samba client code always requests a forwardable ticket + when using Kerberos authentication. This means the + target server, which must be in the current or trusted + domain/realm, is given a valid general purpose Kerberos + "Ticket Granting Ticket" (TGT), which can be used to + fully impersonate the authenticated user or service. + +o CVE-2016-2126 + A remote, authenticated, attacker can cause the winbindd process + to crash using a legitimate Kerberos ticket due to incorrect + handling of the arcfour-hmac-md5 PAC checksum. + + A local service with access to the winbindd privileged pipe can + cause winbindd to cache elevated access permissions. + + +Changes since 4.4.7: +-------------------- + +o Volker Lendecke + * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995. + +o Stefan Metzmacher + * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers. 
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in + check_pac_checksum(). + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.4.7 October 26, 2016 ============================= @@ -96,8 +178,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.4.6 -- 2.11.4.GIT
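Review bot: In the first hunk (the new 4.4.8 notes), the three "Details" entries are punctuated inconsistently: "o CVE-2016-2123:" carries a trailing colon while "o CVE-2016-2125" and "o CVE-2016-2126" do not; add the colon to the latter two so the list reads uniformly. The CVE-2016-2125 entry also describes only the pre-fix behaviour (the client "always requests a forwardable ticket"), while the matching change line reads "Don't send delegated credentials to all servers."; one sentence stating which servers still receive a forwardable TGT after the fix would let administrators judge whether they need to adjust anything after upgrading.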
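Review bot: In the second hunk (the "-Release notes for older releases follow:" / "+-------" lines between the 4.4.7 and 4.4.6 notes), confirm the removal of that header is intended: the first hunk reintroduces the same "Release notes for older releases follow:" header directly above the 4.4.7 notes, so after this patch the marker appears exactly once, at the top of the archive, and the 4.4.7/4.4.6 boundary becomes a plain dashed separator plus blank line.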