Software Update: Samba 4.10.4 / 4.9.8 / 4.8.12


Samba runs on Unix, BSD and Linux servers, and is an open source implementation of the SMB/CIFS network protocol. Since version 3, Samba can offer file and print services to Windows clients and can act as a domain controller. Extensive documentation, including practical how-tos for a slightly older version, can be found on this page. The developers have released versions 4.10.4, 4.9.8 and 4.8.12 with the following changes:

Version 4.10.4

  • BUG 13938: s3: SMB1: Don’t allow recvfile on stream fsps.
  • BUG 13882: py/provision: Fix for Python 2.6.
  • BUG 13873: netcmd: Fix ‘passwordsettings --max-pwd-age’ command.
  • BUG 13938: s3:smbd: Don’t use recvfile on streams.
  • BUG 13861: s3-libnet_join: ‘net ads join’ to child domain fails when using “-U admin@forestroot”.
  • BUG 13896: vfs_ceph: Explicitly enable libcephfs POSIX ACL support.
  • BUG 13940: vfs_ceph: Fix cephwrap_flistxattr() debug message.
  • BUG 13895: ctdb-common: Avoid race between fd and signal events.
  • BUG 13943: ctdb-common: Fix memory leak in run_proc.
  • BUG 13892: lib: Initialize getline() arguments.
  • BUG 13903: winbind: Fix overlapping id ranges.
  • BUG 13902: lib util debug: Increase format buffer to 4KiB.
  • BUG 13927: nsswitch pam_winbind: Fix Asan use after free.
  • BUG 13929: s4 lib socket: Ensure address string owned by parent struct.
  • BUG 13936: s3 rpc_client: Fix Asan stack use after scope.
  • BUG 10097: s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO.
  • BUG 10344: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
  • BUG 12845: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
  • BUG 13698: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
  • BUG 13796: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
  • BUG 13843: dbcheck: Fix the err_empty_attribute() check.
  • BUG 13858: vfs_snapper: Drop unneeded fstat handler.
  • BUG 13862: vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check.
  • BUG 13863: smb2_server: Grant all 8192 credits to clients.
  • BUG 13919: smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling.
  • BUG 13872: s3/vfs_glusterfs: Dynamically determine NAME_MAX.
  • BUG 13918: s3: modules: ceph: Use current working directory instead of share path.
  • BUG 13831: winbind: Use domain name from lsa query for sid_to_name cache entry.
  • BUG 13865: memcache: Increase size of default memcache to 512k.
  • BUG 13857: docs: Update smbclient manpage for “--max-protocol”.
  • BUG 13861: ‘net ads join’ to child domain fails when using “-U admin@forestroot”.
  • BUG 13937: s3:utils: If share is NULL in smbcacls, don’t print it.
  • BUG 13939: s3:smbspool: Fix regression printing with Kerberos credentials.
  • BUG 13860: ctdb scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd.
  • BUG 13888: ctdb-daemon: Revert “We can not assume that just because we could complete a TCP handshake”.
  • BUG 13930: ctdb daemon: Never use 0 as a client ID.
  • BUG 13943: ctdb-common: Fix memory leak.
  • BUG 13904: s3:debug: Enable logging for early startup failures.

Version 4.10.3

  • CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
  • BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum.

Version 4.9.8

  • CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
  • BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum.

Version 4.8.12

  • CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
  • BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum.

CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal.
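A simplified model of the check described above, added here as an illustration and not taken from Heimdal or Samba: the checksum table, function names and sample principals are assumptions. It contrasts a verifier that compares checksums without asking whether the type is keyed with one that rejects unkeyed types first.

```python
import hashlib
import hmac

# Hypothetical checksum table for this model: name -> (is_keyed, function).
CHECKSUM_TYPES = {
    "sha256-unkeyed": (False, lambda key, data: hashlib.sha256(data).digest()),
    "hmac-sha256": (True, lambda key, data: hmac.new(key, data, hashlib.sha256).digest()),
}

def verify_unchecked(key, principal, cksum_type, cksum):
    """Flawed pattern: recompute and compare without asking if the type is keyed."""
    _keyed, fn = CHECKSUM_TYPES[cksum_type]
    return hmac.compare_digest(fn(key, principal), cksum)

def verify_keyed_only(key, principal, cksum_type, cksum):
    """Fixed pattern: reject unkeyed checksum types before comparing."""
    keyed, fn = CHECKSUM_TYPES[cksum_type]
    if not keyed:
        return False
    return hmac.compare_digest(fn(key, principal), cksum)

def demo():
    key = b"constructed-session-key"   # constructed sample value
    original = b"user@EXAMPLE.TEST"    # constructed principal names
    replaced = b"other@EXAMPLE.TEST"
    # Recomputing an unkeyed checksum over a replaced name needs no key at all.
    unkeyed = CHECKSUM_TYPES["sha256-unkeyed"][1](b"", replaced)
    # A genuine keyed checksum over the original name, made with the key.
    keyed = CHECKSUM_TYPES["hmac-sha256"][1](key, original)
    return {
        "unchecked_accepts_replaced": verify_unchecked(key, replaced, "sha256-unkeyed", unkeyed),
        "fixed_accepts_replaced": verify_keyed_only(key, replaced, "sha256-unkeyed", unkeyed),
        "fixed_accepts_genuine": verify_keyed_only(key, original, "hmac-sha256", keyed),
        "fixed_accepts_keyed_mismatch": verify_keyed_only(key, replaced, "hmac-sha256", keyed),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the first result is an acceptance of a replaced name; the keyed-only verifier refuses it while still accepting the genuine keyed checksum.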

Version number: 4.10.4 / 4.9.8 / 4.8.12
Release status: Final
Operating systems: Linux, BSD, macOS, Solaris, UNIX
Website: samba
License type: GPL