2025-01-05 09:18:06 +03:00 · 2023-10-10 10:41:53 +02:00 · 2023-10-10 10:41:53 +02:00 · a59469b2a8
commit a59469b2a8
parent 2acdaf9860
1 changed files with 85 additions and 2 deletions
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@ -1,3 +1,87 @@
                   ===============================
                   Release Notes for Samba 4.17.12
                          October 10, 2023
                   ===============================
 This is a security release in order to address the following defects:
 o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
                  existing unix domain sockets on the file system.
                  https://www.samba.org/samba/security/CVE-2023-3961.html
 o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
                  OVERWRITE disposition when using the acl_xattr Samba VFS
                  module with the smb.conf setting
                  "acl_xattr:ignore system acls = yes"
                  https://www.samba.org/samba/security/CVE-2023-4091.html
 o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
                  attributes, including secrets and passwords.  Additionally,
                  the access check fails open on error conditions.
                  https://www.samba.org/samba/security/CVE-2023-4154.html
 o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                  server block for a user-defined amount of time, denying
                  service.
                  https://www.samba.org/samba/security/CVE-2023-42669.html
 o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
                  listeners, disrupting service on the AD DC.
                  https://www.samba.org/samba/security/CVE-2023-42670.html
 Changes since 4.17.11
 ---------------------
 o  Jeremy Allison <jra@samba.org>
   * BUG 15422: CVE-2023-3961.
 o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15424: CVE-2023-4154.
   * BUG 15473: CVE-2023-42670.
   * BUG 15474: CVE-2023-42669.
 o  Ralph Boehme <slow@samba.org>
   * BUG 15439: CVE-2023-4091.
 o  Christian Merten <christian@merten.dev>
   * BUG 15424: CVE-2023-4154.
 o  Stefan Metzmacher <metze@samba.org>
   * BUG 15424: CVE-2023-4154.
 o  Andreas Schneider <asn@samba.org>
   * BUG 15424: CVE-2023-4154.
 o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15424: CVE-2023-4154.
 #######################################
 Reporting bugs & Development Discussion
 #######################################
 Please discuss this release on the samba-technical mailing list or by
 joining the #samba-technical:matrix.org matrix room, or
 #samba-technical IRC channel on irc.libera.chat.
 If you do report problems then please try to send high quality
 feedback. If you don't provide vital information to help us track down
 the problem then you will probably be ignored.  All bug reports should
 be filed under the Samba 4.1 and newer product in the project's Bugzilla
 database (https://bugzilla.samba.org/).
 ======================================================================
 == Our Code, Our Bugs, Our Responsibility.
 == The Samba Team
 ======================================================================
 Release notes for older releases follow:
 ----------------------------------------
                   ===============================
                   Release Notes for Samba 4.17.11
                         September 07, 2023
@ -85,8 +169,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
-Release notes for older releases follow:
+----------------------------------------------------------------------
 ----------------------------------------
                   ===============================
                   Release Notes for Samba 4.17.10
                            July 19, 2023