Samba 4.15.13 Available for Download

Samba 4.15.13 (gzipped)
Signature

Patch (gzipped) against Samba 4.15.12
Signature

                   ===============================
                   Release Notes for Samba 4.15.13
                          December 15, 2022
                   ===============================


This is the latest stable release of the Samba 4.15 release series.
It also contains security changes in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

                  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

                  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

                  https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
                  Vulnerability was disclosed by Microsoft on Nov 8 2022
                  and per RFC8429 it is assumed that rc4-hmac is weak,

                  Vulnerable Samba Active Directory DCs will issue rc4-hmac
                  encrypted tickets despite the target server supporting
                  better encryption (eg aes256-cts-hmac-sha1-96).

                  https://www.samba.org/samba/security/CVE-2022-45141.html

Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with system still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                               Description             Default
  --------------                               -----------             -------
  allow nt4 crypto                             Deprecated              no
  allow nt4 crypto:COMPUTERACCOUNT             New
  kdc default domain supported enctypes        New (see manpage)
  kdc supported enctypes                       New (see manpage)
  kdc force enable rc4 weak session keys       New                     No
  reject md5 clients                           New Default, Deprecated Yes
  reject md5 servers                           New Default, Deprecated Yes
  server schannel                              Deprecated              Yes
  server schannel require seal                 New, Deprecated         Yes
  server schannel require seal:COMPUTERACCOUNT New
  winbind sealed pipes                         Deprecated              Yes

Changes since 4.15.12
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.

o  Luke Howard <lukeh@padl.com>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
     Windows.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
     vulnerability.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.

o  Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@cryptonector.com>
   * BUG 15214: CVE-2022-45141.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.