Samba 4.16.11 Available for Download

Samba 4.16.11 (gzipped)

Patch (gzipped) against Samba 4.16.10

                   Release Notes for Samba 4.16.11
                            July 19, 2023

This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                  side absolute path of shares and files and directories in
                  search results.

Changes since 4.16.10

o  Ralph Boehme <>
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.

o  Samuel Cabrero <>
   * BUG 15072: CVE-2022-2127.

o  Volker Lendecke <>
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher <>
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.