Samba 4.3.13 (gzipped)
Signature
Patch (gzipped) against Samba 4.3.12
Signature
============================== Release Notes for Samba 4.3.13 December 19, 2016 ============================== This is a security release in order to address the following defects: o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability). o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in trusted realms). o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege elevation). ======= Details ======= o CVE-2016-2123: The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation. o CVE-2016-2125 Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service. o CVE-2016-2126 A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the arcfour-hmac-md5 PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. Changes since 4.3.12: --------------------- o Volker Lendecke <vl@samba.org> * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995. o Stefan Metzmacher <metze@samba.org> * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers. * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in check_pac_checksum().