Format: 1.8
Date: Tue, 10 Oct 2023 18:17:19 +0300
Source: samba
Binary: samba-ad-dc samba-ad-provision samba-common
Architecture: all
Version: 2:4.17.12+dfsg-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Michael Tokarev
Description:
 samba-ad-dc - Samba control files to run AD Domain Controller
 samba-ad-provision - Samba files needed for AD domain provision
 samba-common - common files used by both the Samba server and client
Changes:
 samba (2:4.17.12+dfsg-0+deb12u1) bookworm-security; urgency=medium
 .
   * new stable security bugfix release:
    o CVE-2023-3961: https://www.samba.org/samba/security/CVE-2023-3961.html
      Unsanitized pipe names allow SMB clients to connect as root to existing
      unix domain sockets on the file system.
    o CVE-2023-4091: https://www.samba.org/samba/security/CVE-2023-4091.html
      SMB client can truncate files to 0 bytes by opening files with OVERWRITE
      disposition when using the acl_xattr Samba VFS module with the smb.conf
      setting "acl_xattr:ignore system acls = yes"
    o CVE-2023-4154: https://www.samba.org/samba/security/CVE-2023-4154.html
      An RODC and a user with the GET_CHANGES right can view all attributes,
      including secrets and passwords. Additionally, the access check fails
      open on error conditions.
    o CVE-2023-42669: https://www.samba.org/samba/security/CVE-2023-42669.html
      Calls to the rpcecho server on the AD DC can request that the server
      block for a user-defined amount of time, denying service.
    o CVE-2023-42670: https://www.samba.org/samba/security/CVE-2023-42670.html
      Samba can be made to start multiple incompatible RPC listeners,
      disrupting service on the AD DC.