Samba 4.22.2 Available for Download

Samba 4.22.2 (gzipped)
Signature

Patch (gzipped) against Samba 4.22.1
Signature

                   ==============================
                   Release Notes for Samba 4.22.2
                           June 05, 2025
                   ==============================


This is the latest stable release of the Samba 4.22 release series.
It contains the security-relevant bugfix CVE-2025-0620:

    smbd doesn't pick up group membership changes
    when re-authenticating an expired SMB session
    https://www.samba.org/samba/security/CVE-2025-0620.html


Description of CVE-2025-0620
-----------------------------

    With Kerberos authentication SMB sessions typically have an
    associated lifetime, requiring re-authentication by the
    client when the session expires. As part of the
    re-authentication, Samba receives the current group
    membership information and is expected to reflect this
    change in further SMB request processing.

    For historic reasons, Samba maintains a cache of
    associations between a user's impersonation information and
    connected shares. A recent change in this cache caused Samba
    to not reflect group membership changes from session
    re-authentication when processing further SMB requests.

    As a result, when an administrator removes a user from a
    particular group in Active Directory, this change will not
    become effective unless the user disconnects from the server
    and establishes a new connection.
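
The stale-cache failure described above, reduced to a small C model. This is an added example, not Samba source code: the types, the `auth_gen` counter and all function names are hypothetical, and invalidating on a generation mismatch is one assumed way to keep such a cache coherent, not a description of the actual fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_GROUPS 8

/* Hypothetical model types, not Samba's structures. */
struct token { unsigned gids[MAX_GROUPS]; size_t ngids; };
struct session { unsigned id, auth_gen; struct token tok; };
struct cache_entry { bool valid; unsigned session_id, auth_gen; struct token tok; };

/* (Re-)authentication installs the current group list and bumps auth_gen. */
static bool session_auth(struct session *s, const unsigned *gids, size_t n)
{
    if (n > MAX_GROUPS) return false;   /* reject rather than truncate */
    memcpy(s->tok.gids, gids, n * sizeof(*gids));
    s->tok.ngids = n;
    s->auth_gen++;
    return true;
}

/* check_gen == false: a hit on the session id alone reuses the old snapshot.
 * check_gen == true: a changed auth_gen invalidates the cached entry. */
static bool share_access(struct cache_entry *c, const struct session *s,
                         unsigned need_gid, bool check_gen)
{
    bool hit = c->valid && c->session_id == s->id &&
               (!check_gen || c->auth_gen == s->auth_gen);
    if (!hit) *c = (struct cache_entry){ true, s->id, s->auth_gen, s->tok };
    for (size_t i = 0; i < c->tok.ngids; i++)
        if (c->tok.gids[i] == need_gid) return true;
    return false;
}

/* Constructed scenario: a member of {100, 200} uses a share needing 200, is
 * removed from 200, then re-authenticates. 1 = still granted, 0 = denied, -1 = error. */
int access_after_removal(bool check_gen)
{
    const unsigned before[] = { 100, 200 }, after[] = { 100 };
    struct session s = { .id = 1 };
    struct cache_entry c = { 0 };
    if (!session_auth(&s, before, 2) || !share_access(&c, &s, 200, check_gen) ||
        !session_auth(&s, after, 1)) return -1;
    return share_access(&c, &s, 200, check_gen) ? 1 : 0;
}

int main(void)
{
    printf("stale: %d, checked: %d\n", access_after_removal(false), access_after_removal(true));
    return 0;
}
```

In the unchecked variant the removed group keeps granting access for as long as the cached entry lives, which matches the advisory's statement that only a new connection makes the change effective.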


Changes since 4.22.1
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick up
     group membership changes when re-authenticating an expired SMB
     session.
   * BUG 15861: Profile sync fails due to Directory Leases.

o  Pavel Filipenský <pfilipensky@samba.org>
   * BUG 15727: net ad join fails with "Failed to join domain: failed to create
     kerberos keytab".

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15851: dcerpcd not able to bind to listening port.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
     level beyond share root.

o  Martin Schwenke <mschwenke@ddn.com>
   * BUG 15858: CTDB does not put nodes running NFS into grace on graceful
     shutdown.