2025-01-05 09:18:06 +03:00 · 2016-12-09 12:09:25 +01:00 · 2016-12-09 12:09:25 +01:00 · 7ceb7d500c
commit 7ceb7d500c
parent 8512eed8e2
1 changed files with 84 additions and 2 deletions
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@ -1,3 +1,85 @@
+                   ==============================
+                   Release Notes for Samba 4.3.13
+                          December 19, 2016
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+   Overflow Remote Code Execution Vulnerability).
+o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+   trusted realms).
+o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+   elevation).
+
+=======
+Details
+=======
+
+o  CVE-2016-2123:
+   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+   parses data from the Samba Active Directory ldb database.  Any user
+   who can write to the dnsRecord attribute over LDAP can trigger this
+   memory corruption.
+
+   By default, all authenticated LDAP users can write to the dnsRecord
+   attribute on new DNS objects. This makes the defect a remote privilege
+   escalation.
+
+o  CVE-2016-2125
+   Samba client code always requests a forwardable ticket
+   when using Kerberos authentication. This means the
+   target server, which must be in the current or trusted
+   domain/realm, is given a valid general purpose Kerberos
+   "Ticket Granting Ticket" (TGT), which can be used to
+   fully impersonate the authenticated user or service.
+
+o  CVE-2016-2126
+   A remote, authenticated, attacker can cause the winbindd process
+   to crash using a legitimate Kerberos ticket due to incorrect
+   handling of the arcfour-hmac-md5 PAC checksum.
+
+   A local service with access to the winbindd privileged pipe can
+   cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.3.12:
+---------------------
+
+o  Volker Lendecke <vl@samba.org>
+   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+     check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                   ==============================
                   Release Notes for Samba 4.3.12
                          November 3, 2016
@ -106,8 +188,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================


-Release notes for older releases follow:
----------------------------------------
+----------------------------------------------------------------------
+

                   ==============================
                   Release Notes for Samba 4.3.11