Samba 4.18.1 Available for Download

Samba 4.18.1 (gzipped)

Patch (gzipped) against Samba 4.18.0

                   Release Notes for Samba 4.18.1
                           March 29, 2023

This is a security release in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 ("Confidential attribute disclosure via LDAP filters") was
                 insufficient, and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.

Changes since 4.18.0

o  Douglas Bagnall
   * BUG 15276: CVE-2023-0225.

o  Andrew Bartlett
   * BUG 15270: CVE-2023-0614.
   * BUG 15331: ldb wildcard matching makes excessive allocations.
   * BUG 15332: large_ldap test is inefficient.

o  Rob van der Linde
   * BUG 15315: CVE-2023-0922.

o  Joseph Sutton
   * BUG 15270: CVE-2023-0614.
   * BUG 15276: CVE-2023-0225.