2025-01-03 01:18:10 +03:00 · 2023-10-10 10:41:53 +02:00 · 2023-10-10 10:41:53 +02:00 · a59469b2a8
commit a59469b2a8
parent 2acdaf9860
1 changed files with 85 additions and 2 deletions
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@ -1,3 +1,87 @@
+                   ===============================
+                   Release Notes for Samba 4.17.12
+                          October 10, 2023
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+
+o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
+                  existing unix domain sockets on the file system.
+                  https://www.samba.org/samba/security/CVE-2023-3961.html
+
+o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
+                  OVERWRITE disposition when using the acl_xattr Samba VFS
+                  module with the smb.conf setting
+                  "acl_xattr:ignore system acls = yes"
+                  https://www.samba.org/samba/security/CVE-2023-4091.html
+
+o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
+                  attributes, including secrets and passwords.  Additionally,
+                  the access check fails open on error conditions.
+                  https://www.samba.org/samba/security/CVE-2023-4154.html
+
+o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
+                  server block for a user-defined amount of time, denying
+                  service.
+                  https://www.samba.org/samba/security/CVE-2023-42669.html
+
+o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
+                  listeners, disrupting service on the AD DC.
+                  https://www.samba.org/samba/security/CVE-2023-42670.html
+
+
+Changes since 4.17.11
+---------------------
+
+o  Jeremy Allison <jra@samba.org>
+   * BUG 15422: CVE-2023-3961.
+
+o  Andrew Bartlett <abartlet@samba.org>
+   * BUG 15424: CVE-2023-4154.
+   * BUG 15473: CVE-2023-42670.
+   * BUG 15474: CVE-2023-42669.
+
+o  Ralph Boehme <slow@samba.org>
+   * BUG 15439: CVE-2023-4091.
+
+o  Christian Merten <christian@merten.dev>
+   * BUG 15424: CVE-2023-4154.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 15424: CVE-2023-4154.
+
+o  Andreas Schneider <asn@samba.org>
+   * BUG 15424: CVE-2023-4154.
+
+o  Joseph Sutton <josephsutton@catalyst.net.nz>
+   * BUG 15424: CVE-2023-4154.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                   ===============================
                   Release Notes for Samba 4.17.11
                         September 07, 2023
@ -85,8 +169,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================


-Release notes for older releases follow:
----------------------------------------
+----------------------------------------------------------------------
                   ===============================
                   Release Notes for Samba 4.17.10
                            July 19, 2023