Upstream has issued advisories:
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/security/CVE-2018-16851.html

It sounds like the first two issues might actually be in ldb and talloc.
Debian has issued an advisory for this on November 27: https://www.debian.org/security/2018/dsa-4345
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => bgmilne
The security issues announced on 2018-11-28 are:
- CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
- CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
- CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
- CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) (only affects 4.9.x)
- CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
- CVE-2018-16857 (Bad password count in AD DC not always effective) (only affects 4.9.x)

4.6.x is EOL as of 2018-09-13:

series          git branch   status                         started     maintenance  security    discontinued (EOL)
4.10 (details)  master       next upcoming release series
4.9 (details)   v4-9-test    current stable release series  2018-09-13
4.8 (details)   v4-8-test    maintenance mode               2018-03-13  2018-09-13
4.7 (details)   v4-7-test    security fixes only            2017-09-21  2018-03-13   2018-09-13
4.6 (details)   v4-6-test    discontinued (EOL)             2017-03-07  2017-09-21   2018-03-13  2018-09-13

It looks like our best option here is to upgrade to 4.7.12 (which fixes all of the above issues except the ones specific to 4.9.x).

I have submitted builds of the following to updates_testing for 6:
- tdb 1.3.14
- talloc 2.1.11
- tevent 0.9.36
- ldb 1.2.3 (bundles a newer version of cmocka than is available, requires 1.1.1, 6 has 1.0.1)
- samba 4.7.12 (also bundles cmocka 1.1.1, though I didn't enable this myself)

SRPMS required:
- tdb-1.3.14-1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347250 )
- talloc-2.1.11-1.1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347251 )
- tevent-0.9.36-1.1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347252 )
- ldb-1.2.3-1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347277 )
- samba-4.7.12-1.mga6.src.rpm (still building on the build system, but built fine locally on mga6) ( http://svnweb.mageia.org/packages?view=revision&revision=1347278 )

I have done minimal testing (e.g. smbclient 4.7.12 can browse and connect to 4.6.x server, and to a 4.7.12 server) and it works for those tests.
CC: (none) => bgmilne
Assignee: bgmilne => qa-bugs
Status: NEW => ASSIGNED
Thanks. Is there a reason we can't just update cmocka too?
> Is there a reason we can't just update cmocka too?

I have submitted cmocka too.

In the ldb case ( http://svnweb.mageia.org/packages/updates/6/ldb/current/SPECS/ldb.spec?r1=1347277&r2=1347359&pathrev=1347359 , not submitted ), building with this installed doesn't change which binaries are shipped; cmocka is only used as a build tool when bundled.

In the case of samba, building with cmocka >= 1.1.1 avoids shipping %{_libdir}/samba/libcmocka-samba4.so.

Submitted as:
samba-4.7.12-1.1.mga6.src.rpm (still building)

(I am AFK for the next week)
Advisory:
========================

Updated ldb, talloc, and samba packages fix security vulnerabilities:

Florian Stuelpner discovered that Samba is vulnerable to infinite query recursion caused by CNAME loops, resulting in denial of service (CVE-2018-14629).

Alex MacCuish discovered that a user with a valid certificate or smart card can crash the Samba AD DC's KDC when configured to accept smart-card authentication (CVE-2018-16841).

Garming Sam of the Samba Team and Catalyst discovered a NULL pointer dereference vulnerability in the Samba AD DC LDAP server allowing a user able to read more than 256MB of LDAP entries to crash the Samba AD DC's LDAP server (CVE-2018-16851).

Samba has been updated to version 4.7.12 of the 4.7.x stable branch, and the tdb, talloc, tevent, ldb, and cmocka packages have also been updated.

The sssd package has also been rebuilt against the updated ldb.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16851
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/security/CVE-2018-16851.html
https://www.samba.org/samba/history/samba-4.7.0.html
https://www.samba.org/samba/history/samba-4.7.1.html
https://www.samba.org/samba/history/samba-4.7.2.html
https://www.samba.org/samba/history/samba-4.7.3.html
https://www.samba.org/samba/history/samba-4.7.4.html
https://www.samba.org/samba/history/samba-4.7.5.html
https://www.samba.org/samba/history/samba-4.7.6.html
https://www.samba.org/samba/history/samba-4.7.7.html
https://www.samba.org/samba/history/samba-4.7.8.html
https://www.samba.org/samba/history/samba-4.7.9.html
https://www.samba.org/samba/history/samba-4.7.10.html
https://www.samba.org/samba/history/samba-4.7.11.html
https://www.samba.org/samba/history/samba-4.7.12.html
https://www.debian.org/security/2018/dsa-4345
========================

Updated packages in core/updates_testing:
========================
libtdb1-1.3.14-1.mga6
tdb-utils-1.3.14-1.mga6
libtdb-devel-1.3.14-1.mga6
python-tdb-1.3.14-1.mga6
libtalloc2-2.1.11-1.1.mga6
libtalloc-devel-2.1.11-1.1.mga6
python-talloc-2.1.11-1.1.mga6
libpytalloc-util2-2.1.11-1.1.mga6
libpytalloc-util-devel-2.1.11-1.1.mga6
libtevent0-0.9.36-1.1.mga6
libtevent-devel-0.9.36-1.1.mga6
python-tevent-0.9.36-1.1.mga6
libldb1-1.2.3-1.mga6
ldb-utils-1.2.3-1.mga6
libldb-devel-1.2.3-1.mga6
python-ldb-1.2.3-1.mga6
libpyldb-util1-1.2.3-1.mga6
libpyldb-util-devel-1.2.3-1.mga6
libcmocka0-1.1.3-1.mga6
libcmocka0-static-devel-1.1.3-1.mga6
libcmocka-devel-1.1.3-1.mga6
sssd-1.13.4-9.3.mga6
sssd-common-1.13.4-9.3.mga6
sssd-client-1.13.4-9.3.mga6
libsss_sudo-1.13.4-9.3.mga6
libsss_autofs-1.13.4-9.3.mga6
sssd-tools-1.13.4-9.3.mga6
python-sssdconfig-1.13.4-9.3.mga6
python3-sssdconfig-1.13.4-9.3.mga6
python-sss-1.13.4-9.3.mga6
python3-sss-1.13.4-9.3.mga6
python-sss-murmur-1.13.4-9.3.mga6
python3-sss-murmur-1.13.4-9.3.mga6
sssd-ldap-1.13.4-9.3.mga6
sssd-krb5-common-1.13.4-9.3.mga6
sssd-krb5-1.13.4-9.3.mga6
sssd-common-pac-1.13.4-9.3.mga6
sssd-ipa-1.13.4-9.3.mga6
sssd-ad-1.13.4-9.3.mga6
sssd-proxy-1.13.4-9.3.mga6
libsss_idmap-1.13.4-9.3.mga6
libsss_idmap-devel-1.13.4-9.3.mga6
libipa_hbac-1.13.4-9.3.mga6
libipa_hbac-devel-1.13.4-9.3.mga6
python-libipa_hbac-1.13.4-9.3.mga6
python3-libipa_hbac-1.13.4-9.3.mga6
libsss_nss_idmap-1.13.4-9.3.mga6
libsss_nss_idmap-devel-1.13.4-9.3.mga6
python-libsss_nss_idmap-1.13.4-9.3.mga6
python3-libsss_nss_idmap-1.13.4-9.3.mga6
sssd-dbus-1.13.4-9.3.mga6
libsss_simpleifp-1.13.4-9.3.mga6
libsss_simpleifp-devel-1.13.4-9.3.mga6
sssd-libwbclient-1.13.4-9.3.mga6
sssd-libwbclient-devel-1.13.4-9.3.mga6
samba-4.7.12-1.1.mga6
samba-client-4.7.12-1.1.mga6
samba-common-4.7.12-1.1.mga6
samba-dc-4.7.12-1.1.mga6
libsamba-dc0-4.7.12-1.1.mga6
libkdc-samba4_2-4.7.12-1.1.mga6
libsamba-devel-4.7.12-1.1.mga6
samba-krb5-printing-4.7.12-1.1.mga6
libsamba1-4.7.12-1.1.mga6
libsmbclient0-4.7.12-1.1.mga6
libsmbclient-devel-4.7.12-1.1.mga6
libwbclient0-4.7.12-1.1.mga6
libwbclient-devel-4.7.12-1.1.mga6
python-samba-4.7.12-1.1.mga6
samba-pidl-4.7.12-1.1.mga6
samba-test-4.7.12-1.1.mga6
libsamba-test0-4.7.12-1.1.mga6
samba-winbind-4.7.12-1.1.mga6
samba-winbind-clients-4.7.12-1.1.mga6
samba-winbind-krb5-locator-4.7.12-1.1.mga6
samba-winbind-modules-4.7.12-1.1.mga6
ctdb-4.7.12-1.1.mga6
ctdb-tests-4.7.12-1.1.mga6

from SRPMS:
tdb-1.3.14-1.mga6.src.rpm
talloc-2.1.11-1.1.mga6.src.rpm
tevent-0.9.36-1.1.mga6.src.rpm
ldb-1.2.3-1.mga6.src.rpm
cmocka-1.1.3-1.mga6.src.rpm
sssd-1.13.4-9.3.mga6.src.rpm
samba-4.7.12-1.1.mga6.src.rpm
on mga6-64

packages installed cleanly:
- lib64kdc-samba4_2-4.7.12-1.1.mga6.x86_64
- lib64ldb1-1.2.3-1.mga6.x86_64
- lib64pytalloc-util2-2.1.11-1.1.mga6.x86_64
- lib64samba-dc0-4.7.12-1.1.mga6.x86_64
- lib64samba1-4.7.12-1.1.mga6.x86_64
- lib64smbclient0-4.7.12-1.1.mga6.x86_64
- lib64talloc2-2.1.11-1.1.mga6.x86_64
- lib64tdb1-1.3.14-1.mga6.x86_64
- lib64tevent0-0.9.36-1.1.mga6.x86_64
- lib64wbclient0-4.7.12-1.1.mga6.x86_64
- samba-4.7.12-1.1.mga6.x86_64
- samba-client-4.7.12-1.1.mga6.x86_64
- samba-common-4.7.12-1.1.mga6.x86_64

I can read/write to a share on 4.6.16 from 4.7.12
I can read/write to a share on 4.7.12 from 4.7.12
I can read/write to a share on 4.7.12 from 4.6.16

OK for mga6.64
CC: (none) => jim
Whiteboard: (none) => MGA6-64-OK
on mga6-32

packages installed cleanly:
- libkdc-samba4_2-4.7.12-1.1.mga6.i586
- libldb1-1.2.3-1.mga6.i586
- libpytalloc-util2-2.1.11-1.1.mga6.i586
- libsamba-dc0-4.7.12-1.1.mga6.i586
- libsamba1-4.7.12-1.1.mga6.i586
- libsmbclient0-4.7.12-1.1.mga6.i586
- libtalloc2-2.1.11-1.1.mga6.i586
- libtdb1-1.3.14-1.mga6.i586
- libtevent0-0.9.36-1.1.mga6.i586
- libwbclient0-4.7.12-1.1.mga6.i586
- samba-4.7.12-1.1.mga6.i586
- samba-client-4.7.12-1.1.mga6.i586
- samba-common-4.7.12-1.1.mga6.i586

I can read/write to/from shares on 4.6.16 and 4.7.12
I can read/write to/from shares on Windows 7.

OK for mga6-32
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
@James Many thanks for these tests, which are taxing. It is a big help that you do them. Advisory from comment 6. Validating (you could have).
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0011.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED