Samba 4.15.13 (gzipped)
Signature
Patch (gzipped) against Samba 4.15.12
Signature
=============================== Release Notes for Samba 4.15.13 December 15, 2022 =============================== This is the latest stable release of the Samba 4.15 release series. It also contains security changes in order to address the following defects: o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. https://www.samba.org/samba/security/CVE-2022-37966.html o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with. https://www.samba.org/samba/security/CVE-2022-37967.html o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak. https://www.samba.org/samba/security/CVE-2022-38023.html o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96). https://www.samba.org/samba/security/CVE-2022-45141.html Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully! samba-tool got a new 'domain trust modify' subcommand ----------------------------------------------------- This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options). See 'samba-tool domain trust modify --help' for further details. smb.conf changes ---------------- Parameter Name Description Default -------------- ----------- ------- allow nt4 crypto Deprecated no allow nt4 crypto:COMPUTERACCOUNT New kdc default domain supported enctypes New (see manpage) kdc supported enctypes New (see manpage) kdc force enable rc4 weak session keys New No reject md5 clients New Default, Deprecated Yes reject md5 servers New Default, Deprecated Yes server schannel Deprecated Yes server schannel require seal New, Deprecated Yes server schannel require seal:COMPUTERACCOUNT New winbind sealed pipes Deprecated Yes Changes since 4.15.12 --------------------- o Andrew Bartlett <abartlet@samba.org> * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. * BUG 15237: CVE-2022-37966. * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. o Ralph Boehme <slow@samba.org> * BUG 15240: CVE-2022-38023. o Luke Howard <lukeh@padl.com> * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. o Stefan Metzmacher <metze@samba.org> * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from Windows. * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability. * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry * BUG 15237: CVE-2022-37966. * BUG 15240: CVE-2022-38023. o Andreas Schneider <asn@samba.org> * BUG 15237: CVE-2022-37966. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST. * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. * BUG 15231: CVE-2022-37967. * BUG 15237: CVE-2022-37966. o Nicolas Williams <nico@cryptonector.com> * BUG 15214: CVE-2022-45141. * BUG 15237: CVE-2022-37966. o Nicolas Williams <nico@twosigma.com> * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.