[Eisfair] Samba security release 2.22.0 (Status 'stable')
Thomas Bork
tom at eisfair.org
Sa Dez 26 10:13:52 CET 2015
Hi @all,
es steht das Samba-Security-release 2.22.0 mit dem Status 'stable' zur
Installation bereit. Dieses ging ohne weitere Änderungen aus der Version
2.21.2 ('testing') hervor.
Dieses Release fixt mehrere sicherheitsrelevante Fehler in Samba. Zu den
Sicherheits-Problemen und betroffenen Samba-Versionen:
#######################################################################
Release Announcements
---------------------
This is a security release in order to address the following CVEs:
o CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
o CVE-2015-3223 (Denial of service in Samba Active Directory
server)
o CVE-2015-5252 (Insufficient symlink verification in smbd)
o CVE-2015-5299 (Missing access control check in shadow copy
code)
o CVE-2015-5296 (Samba client requesting encryption vulnerable
to downgrade attack)
o CVE-2015-8467 (Denial of service attack against Windows
Active Directory server)
o CVE-2015-5330 (Remote memory read in Samba LDAP server)
Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24. This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.
=======
Details
=======
o CVE-2015-7540:
All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to
an anonymous memory exhaustion attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server provided
by the AD DC in the samba daemon process to consume unlimited memory
and be terminated.
o CVE-2015-3223:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a denial of service attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to become unresponsive, preventing the server
from servicing any other requests.
This flaw is not exploitable beyond causing the code to loop expending
CPU resources.
o CVE-2015-5252:
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).
o CVE-2015-5299:
All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.
This was not being checked in the affected versions of Samba.
o CVE-2015-5296:
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.
Without this a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted
connection.
o CVE-2015-8467:
Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.
Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.
o CVE-2015-5330:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.
This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.
The memory may either be returned to the client in an error string, or
stored in the database by a suitabily privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable.
#######################################################################
Bei eisfair sind alle halbwegs aktuellen Samba-Versionen betroffen - ein
Update ist deshalb dringend angeraten.
Changelog zur bisherigen stabilen eisfair-Samba-Version 2.20.0:
===============================================================
2.21.2 --> 2.22.0
-----------------
- 4.3.3 (4.3.3-for-eisfair-1-patch-1, status stable)
2.21.1 --> 2.21.2
-----------------
- 4.3.3 (4.3.3-for-eisfair-1-patch-1, status testing)
2.21.0 --> 2.21.1
-----------------
- 4.3.2 (4.3.2-for-eisfair-1-patch-1, status testing)
- configure with --with-sockets-dir=/run/samba
- require eiskernel 2.14.0
- removed /usr/share/doc/samba/tools/justpop.exe
- /usr/share/doc/samba/tools/logon.bat:
removed line with justpop.exe
2.20.1 --> 2.21.0
-----------------
- 4.3.1 (4.3.1-for-eisfair-1-patch-1, status unstable)
- require libarchive 2.6.0 for tar function of smbclient
- require zip 2.6.0 for smbwebclient
- new var SAMBA_INSECURE:
If 'yes', bind to all interfaces and allow all nets.
SAMBA_INTERFACES, SAMBA_TRUSTED_NETS and interfaces
from base were ignored.
- /tmp/preinstall.sh:
remove ' br x br' from kernel error message
- /etc/init.d/samba:
- changed lockdir='/var/lock/samba' to
lockdir='/run/lock/samba'
- don't create empty unexpected.tdb in lockdir in
do_loadnmbd
- don't delete gencache.tdb and gencache_notrans.tdb in
do_loadnmbd
- create backups with tdbdump with option '-l' now,
because gencache_notrans.tdb is a mutex tdb and
otherwise complains with:
tdb_mutex_open_ok[/run/lock/samba/gencache_notrans.tdb]:
Can use mutexes only with MUTEX_LOCKING or NOLOCK
Failed to open /run/lock/samba/gencache_notrans.tdb
- sleep 1 after stopping smbd and nmbd for self deleting
of pid files
- clean up old messaging sockets
/etc/msg.sock/?*
$lockdir/msg.lock/?*
- /usr/bin/smbstat:
correct do_c_status to not filter out lines with ':'
due changed machine output of smbstatus with the ':'
in it, eg: 192.168.6.72 (ipv4:192.168.6.112:51149)
- /var/install/config.d/samba.sh:
- setting "require strong key = no" for compatibility
with older servers
- setting "allow nt4 crypto = yes" for compatibility
with older clients
- deactivated "max protocol = SMB3" and
"client max protocol = SMB3", because the default in 4.3
_is_ SMB3 (means SMB3_11 - WIN 10)
smbstatus is showing protocol level of clients now
- changed " dont descend = proc" for share 'all' to
" dont descend = proc,sys,dev" due recursiv structure
- /tmp/preinstall.sh:
- save parts of samba versions earlier 4.3
- change var/lock/samba to run/lock/samba in backup routine
for samba versions earlier 4.3
- /tmp/install.sh:
- changed lockdir='/var/lock/samba' to lockdir='/run/lock/samba'
- changed rundir /var/run/samba to /run/samba
- /var/install/deinstall/samba:
added '$rm_command /etc/msg.sock'
- /var/install/bin/samba-check-status:
changed smbdpidfile='/var/run/smbd.pid'
nmbdpidfile='/var/run/nmbd.pid'
winbinddpidfile='/var/run/winbindd.pid'
to smbdpidfile='/run/smbd.pid'
nmbdpidfile='/run/nmbd.pid'
winbinddpidfile='/run/winbindd.pid'
Release-Notes der internen Samba-Versionen nach 4.1.20, welche in der
letzten stabilen eisfair-Samba-Version 2.20.0. verwendet wurde:
=====================================================================
https://www.samba.org/samba/history/samba-4.3.3.html
https://www.samba.org/samba/history/samba-4.3.2.html
https://www.samba.org/samba/history/samba-4.3.1.html
https://www.samba.org/samba/history/samba-4.3.0.html
https://www.samba.org/samba/history/samba-4.2.7.html
https://www.samba.org/samba/history/samba-4.2.6.html
https://www.samba.org/samba/history/samba-4.2.5.html
https://www.samba.org/samba/history/samba-4.2.4.html
https://www.samba.org/samba/history/samba-4.2.3.html
https://www.samba.org/samba/history/samba-4.2.2.html
https://www.samba.org/samba/history/samba-4.2.1.html
https://www.samba.org/samba/history/samba-4.2.0.html
https://www.samba.org/samba/history/samba-4.1.21.html
Dieses Paket bei http://pack-eis.de:
====================================
http://www.pack-eis.de/index.php?p=17520
Changelog:
==========
http://www.pack-eis.de/index.php?action=showfile&pid=17520&filename=usr/share/doc/samba/changes.txt
Ich wünsche Euch auch weiterhin viel Spass mit eisfair und einen guten
Rutsch in's neue Jahr!
Das Posting geht parallel an spline.eisfair und spline.eisfair.dev.
Produktive Rückmeldungen bitte an spline.eisfair.
--
der tom
[eisfair-team]
Mehr Informationen über die Mailingliste Eisfair