Changelog
samba (2:4.17.4+dfsg-1) unstable; urgency=medium
  * new upstream stable/security release, with the following changes:
    - CVE-2022-37966: Windows Kerberos RC4-HMAC Elevation of Privilege
      Vulnerability disclosed by Microsoft on Nov 8 2022, see
      https://www.samba.org/samba/security/CVE-2022-37966.html
    - CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability
      disclosed by Microsoft on Nov 8 2022. See
      https://www.samba.org/samba/security/CVE-2022-37967.html
    - CVE-2022-38023: Weak "RC4" (rc4-hmac) protection of the NetLogon Secure
      channel uses, see https://www.samba.org/samba/security/CVE-2022-38023.html
    There are several important behavior changes included in this release,
    which may cause compatibility problems interacting with systems still
    expecting the former behavior. Please read the documents referenced above!
    See also the WHATSNEW.txt document, as there are several new, changed
    and deprecated smb.conf parameters.
  * Other bugfixes in this release (from WHATSNEW.txt):
    - https://bugzilla.samba.org/show_bug.cgi?id=14929 CVE-2022-44640
      Upstream Heimdal free of user-controlled pointer in FAST.
    - https://bugzilla.samba.org/show_bug.cgi?id=15219
      Heimdal session key selection in AS-REQ examines wrong entry.
    - https://bugzilla.samba.org/show_bug.cgi?id=13135 The KDC logic around
      msDs-supportedEncryptionTypes differs from Windows.
    - https://bugzilla.samba.org/show_bug.cgi?id=14611 CVE-2021-20251
      Bad password count not incremented atomically.
    - https://bugzilla.samba.org/show_bug.cgi?id=15206 libnet: change_password()
      doesn't work with dcerpc_samr_ChangePasswordUser4()
    - https://bugzilla.samba.org/show_bug.cgi?id=15230
      Memory leak in snprintf replacement functions.
    - https://bugzilla.samba.org/show_bug.cgi?id=15253 RODC doesn't reset
      badPwdCount reliable via an RWDC (CVE-2021-20251 regression).
    - https://bugzilla.samba.org/show_bug.cgi?id=15198
      Prevent EBADF errors with vfs_glusterfs.
    - https://bugzilla.samba.org/show_bug.cgi?id=15243
      %U for include directive doesn't work for share listing (netshareenum).
    - https://bugzilla.samba.org/show_bug.cgi?id=15257
      Stack smashing in net offlinejoin requestodj.
  * removed patches which are now included upstream:
    - nsswitch-pam-data-time_t.patch
    - CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
-- Michael Tokarev <email address hidden> Thu, 15 Dec 2022 21:54:31 +0300