Samba 4.3.13 Available for Download

Samba 4.3.13 (gzipped)

Patch (gzipped) against Samba 4.3.12

                   Release Notes for Samba 4.3.13
                          December 19, 2016

This is a security release in order to address the following defects:

o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
   Overflow Remote Code Execution Vulnerability).
o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
   trusted realms).
o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege


o  CVE-2016-2123:
   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
   parses data from the Samba Active Directory ldb database.  Any user
   who can write to the dnsRecord attribute over LDAP can trigger this
   memory corruption.

   By default, all authenticated LDAP users can write to the dnsRecord
   attribute on new DNS objects. This makes the defect a remote privilege

o  CVE-2016-2125
   Samba client code always requests a forwardable ticket
   when using Kerberos authentication. This means the
   target server, which must be in the current or trusted
   domain/realm, is given a valid general purpose Kerberos
   "Ticket Granting Ticket" (TGT), which can be used to
   fully impersonate the authenticated user or service.

o  CVE-2016-2126
   A remote, authenticated, attacker can cause the winbindd process
   to crash using a legitimate Kerberos ticket due to incorrect
   handling of the arcfour-hmac-md5 PAC checksum.

   A local service with access to the winbindd privileged pipe can
   cause winbindd to cache elevated access permissions.

Changes since 4.3.12:

o  Volker Lendecke <>
   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.

o  Stefan Metzmacher <>
   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in