Release Planning for Samba 4.17: Difference between revisions

From SambaWiki
(Release Samba v4.17.0rc1)
(Change mode to end of life)
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.17 is the [[Samba_Release_Planning#Upcoming_Release|'''new upcoming release series''']].
Samba 4.17 has been marked [[Samba_Release_Planning#Discontinued_.28End_of_Life.29|'''discontinued''']].


==[[Blocker bugs|Release blocking bugs]]==
==[[Blocker bugs|Release blocking bugs]]==
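Review bot: the replacement lead line records that 4.17 is discontinued but not when: '''discontinued''' only links to the Discontinued section of Samba_Release_Planning, nothing on this page states the date the series stopped receiving fixes, and the edit summary "Change mode to end of life" carries no date either. Suggest extending the line to something like "Samba 4.17 has been marked '''discontinued''' (as of <date>)" so the end-of-life date is recorded next to the release dates the page already keeps.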
Line 5: Line 5:
* [https://bugzilla.samba.org/buglist.cgi?bug_severity=regression&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=VERIFIED&query_format=advanced&target_milestone=4.17 Unresolved 4.17 regression bugs]
* [https://bugzilla.samba.org/buglist.cgi?bug_severity=regression&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=VERIFIED&query_format=advanced&target_milestone=4.17 Unresolved 4.17 regression bugs]


== Samba 4.17.0rc3==
== Samba 4.17.12 ==


<small>('''Updated 16-August-2022''')</small>
<small>('''Updated 10-October-2023''')</small>


* Tuesday, October 10 2023 - [https://download.samba.org/pub/samba/stable/samba-4.17.12.tar.gz Samba 4.17.12] has been released as a '''Security Release''' to address the following defects:
* Tuesday, August 23 2022 - Planned release date for '''Samba 4.17.0rc3'''.
** [https://www.samba.org/samba/security/CVE-2023-3961.html CVE-2023-3961] (Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system.)
** [https://www.samba.org/samba/security/CVE-2023-4091.html CVE-2023-4091] (SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes")
** [https://www.samba.org/samba/security/CVE-2023-4154.html CVE-2023-4154] (An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions.)
** [https://www.samba.org/samba/security/CVE-2023-42669.html CVE-2023-42669] (Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service.)
** [https://www.samba.org/samba/security/CVE-2023-42670.html CVE-2023-42670] (Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC.)
[https://www.samba.org/samba/history/samba-4.17.12.html Release Notes Samba 4.17.12]

== Samba 4.17.11 ==

<small>('''Updated 19-July-2023''')</small>

* Thursday, September 7 2023 - '''Samba 4.17.11''' has been released. There will be security releases only beyond this point.
[https://www.samba.org/samba/history/samba-4.17.11.html Release Notes Samba 4.17.11]

== Samba 4.17.10 ==

<small>('''Updated 19-July-2023''')</small>

* Wednesday, July 19 2023 - [https://download.samba.org/pub/samba/stable/samba-4.17.10.tar.gz Samba 4.17.10] has been released as a '''Security Release''' to address the following defects:
** [https://www.samba.org/samba/security/CVE-2023-34967.html CVE-2023-34967] (Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process.)
** [https://www.samba.org/samba/security/CVE-2022-2127.html CVE-2022-2127] (When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it.)
** [https://www.samba.org/samba/security/CVE-2023-34968.html CVE-2023-34968] (As part of the Spotlight protocol Samba discloses the server-side absolute path of shares and files and directories in search results.)
** [https://www.samba.org/samba/security/CVE-2023-34966.html CVE-2023-34966] (An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.)
** [https://www.samba.org/samba/security/CVE-2023-3347.html CVE-2023-3347] (SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory.)
[https://www.samba.org/samba/history/samba-4.17.10.html Release Notes Samba 4.17.10]


== Samba 4.17.9 ==

<small>('''Updated 06-July-2023''')</small>

* Thursday, July 6 2023 - '''Samba 4.17.9''' has been released.
[https://www.samba.org/samba/history/samba-4.17.9.html Release Notes Samba 4.17.9]

== Samba 4.17.8 ==

<small>('''Updated 11-May-2023''')</small>

* Thursday, May 11 2023 - '''Samba 4.17.8''' has been released.
[https://www.samba.org/samba/history/samba-4.17.8.html Release Notes Samba 4.17.8]

== Samba 4.17.7 ==

<small>('''Updated 2023-March-29''')</small>

* Wednesday, March 29 2023 - [https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.gz Samba 4.17.7] has been released as a '''Security Release''' to address the following defects:
** [https://www.samba.org/samba/security/CVE-2023-0225.html CVE-2023-0225] (An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.)
** [https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0922] (The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.)
** [https://www.samba.org/samba/security/CVE-2023-0614.html CVE-2023-0614] (The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.)
[https://www.samba.org/samba/history/samba-4.17.7.html Release Notes Samba 4.17.7]

== Samba 4.17.6 ==

<small>('''Updated 9-March-2023''')</small>

* Thursday, March 9 2023 - '''Samba 4.17.6''' has been released.
[https://www.samba.org/samba/history/samba-4.17.6.html Release Notes Samba 4.17.6]

== Samba 4.17.5 ==

<small>('''Updated 26-January-2023''')</small>

* Thursday, January 26 - '''Samba 4.17.5''' has been released.
[https://www.samba.org/samba/history/samba-4.17.5.html Release Notes Samba 4.17.5]

== Samba 4.17.4 ==

<small>('''Updated 15-December-2022''')</small>

* Thursday, December 15 2022 - [https://download.samba.org/pub/samba/stable/samba-4.17.4.tar.gz Samba 4.17.4] has been released as a '''Security Release''' to address the following defects:
** [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966] (This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022)
** [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967] (This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022)
** [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023] (The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak)
[https://www.samba.org/samba/history/samba-4.17.4.html Release Notes Samba 4.17.4]

== Samba 4.17.3 ==

<small>('''Updated 15-November-2022''')</small>

* Tuesday, November 15 2022 - [https://download.samba.org/pub/samba/stable/samba-4.17.3.tar.gz Samba 4.17.3] has been released as a '''Security Release''' to address the following defects:
** [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898] (Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap)
[https://www.samba.org/samba/history/samba-4.17.3.html Release Notes Samba 4.17.3]

== Samba 4.17.2 ==

<small>('''Updated 25-October-2022''')</small>

* Tuesday, October 25 2022 - [https://download.samba.org/pub/samba/stable/samba-4.17.2.tar.gz Samba 4.17.2] has been released as a '''Security Release''' to address the following defects:
** [https://www.samba.org/samba/security/CVE-2022-3437.html CVE-2022-3437] (There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba))
** [https://www.samba.org/samba/security/CVE-2022-3592.html CVE-2022-3592] (A malicious client can use a symlink to escape the exported directory)
[https://www.samba.org/samba/history/samba-4.17.2.html Release Notes Samba 4.17.2]

== Samba 4.17.1==

<small>('''Updated 19-October-2022''')</small>

* Wednesday, October 19 2022 - '''Samba 4.17.1''' has been released.
[https://www.samba.org/samba/history/samba-4.17.1.html Release Notes Samba 4.17.1]

== Samba 4.17.0==

<small>('''Updated 13-September-2022''')</small>

* Tuesday, September 13 2022 - '''Samba 4.17.0''' has been released.
[https://www.samba.org/samba/history/samba-4.17.0.html Release Notes Samba 4.17.0]

== Samba 4.17.0rc5 ==

<small>('''Updated 06-September-2022''')</small>

* Tuesday, September 6 2022 - '''Samba 4.17.0rc5''' has been released.
[https://download.samba.org/pub/samba/rc/samba-4.17.0rc5.WHATSNEW.txt Release Notes Samba 4.17.0rc5]

== Samba 4.17.0rc4 ==

<small>('''Updated 30-August-2022''')</small>

* Tuesday, August 30 2022 - '''Samba 4.17.0rc4''' has been released.
[https://download.samba.org/pub/samba/rc/samba-4.17.0rc4.WHATSNEW.txt Release Notes Samba 4.17.0rc4]

== Samba 4.17.0rc3 ==

<small>('''Updated 23-August-2022''')</small>

* Tuesday, August 23 2022 - '''Samba 4.17.0rc3''' has been released.
[https://download.samba.org/pub/samba/rc/samba-4.17.0rc3.WHATSNEW.txt Release Notes Samba 4.17.0rc3]


== Samba 4.17.0rc2 ==
== Samba 4.17.0rc2 ==
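Review bot: in the added "== Samba 4.17.11 ==" section the stamp ('''Updated 19-July-2023''') predates its own release line "Thursday, September 7 2023 - '''Samba 4.17.11''' has been released." and is identical to the stamp on the 4.17.10 section directly below it, so it reads as a copy-paste leftover and should say 07-September-2023. Two smaller consistency points in the same added block: the 4.17.5 line "Thursday, January 26 - '''Samba 4.17.5''' has been released." is the only release line without a year (its section stamp gives 2023), and the 4.17.7 stamp ('''Updated 2023-March-29''') uses a different date order from every other stamp on the page.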

Latest revision as of 16:02, 27 March 2024

Samba 4.17 has been marked discontinued.

Release blocking bugs

  • Unresolved 4.17 regression bugs (https://bugzilla.samba.org/buglist.cgi?bug_severity=regression&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=VERIFIED&query_format=advanced&target_milestone=4.17)

Samba 4.17.12

(Updated 10-October-2023)

  • Tuesday, October 10 2023 - Samba 4.17.12 has been released as a Security Release to address the following defects:
    • CVE-2023-3961 (Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system.)
    • CVE-2023-4091 (SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes")
    • CVE-2023-4154 (An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions.)
    • CVE-2023-42669 (Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service.)
    • CVE-2023-42670 (Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC.)
 Release Notes Samba 4.17.12

Samba 4.17.11

(Updated 19-July-2023)

  • Thursday, September 7 2023 - Samba 4.17.11 has been released. There will be security releases only beyond this point.
 Release Notes Samba 4.17.11

Samba 4.17.10

(Updated 19-July-2023)

  • Wednesday, July 19 2023 - Samba 4.17.10 has been released as a Security Release to address the following defects:
    • CVE-2023-34967 (Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process.)
    • CVE-2022-2127 (When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it.)
    • CVE-2023-34968 (As part of the Spotlight protocol Samba discloses the server-side absolute path of shares and files and directories in search results.)
    • CVE-2023-34966 (An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.)
    • CVE-2023-3347 (SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory.)
 Release Notes Samba 4.17.10


Samba 4.17.9

(Updated 06-July-2023)

  • Thursday, July 6 2023 - Samba 4.17.9 has been released.
 Release Notes Samba 4.17.9

Samba 4.17.8

(Updated 11-May-2023)

  • Thursday, May 11 2023 - Samba 4.17.8 has been released.
 Release Notes Samba 4.17.8

Samba 4.17.7

(Updated 29-March-2023)

  • Wednesday, March 29 2023 - Samba 4.17.7 has been released as a Security Release to address the following defects:
    • CVE-2023-0225 (An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.)
    • CVE-2023-0922 (The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.)
    • CVE-2023-0614 (The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.)
 Release Notes Samba 4.17.7

Samba 4.17.6

(Updated 9-March-2023)

  • Thursday, March 9 2023 - Samba 4.17.6 has been released.
 Release Notes Samba 4.17.6

Samba 4.17.5

(Updated 26-January-2023)

  • Thursday, January 26 2023 - Samba 4.17.5 has been released.
 Release Notes Samba 4.17.5

Samba 4.17.4

(Updated 15-December-2022)

  • Thursday, December 15 2022 - Samba 4.17.4 has been released as a Security Release to address the following defects:
    • CVE-2022-37966 (This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022)
    • CVE-2022-37967 (This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022)
    • CVE-2022-38023 (The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak)
 Release Notes Samba 4.17.4

Samba 4.17.3

(Updated 15-November-2022)

  • Tuesday, November 15 2022 - Samba 4.17.3 has been released as a Security Release to address the following defects:
    • CVE-2022-42898 (Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap)
 Release Notes Samba 4.17.3

Samba 4.17.2

(Updated 25-October-2022)

  • Tuesday, October 25 2022 - Samba 4.17.2 has been released as a Security Release to address the following defects:
    • CVE-2022-3437 (There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba))
    • CVE-2022-3592 (A malicious client can use a symlink to escape the exported directory)
 Release Notes Samba 4.17.2

Samba 4.17.1

(Updated 19-October-2022)

  • Wednesday, October 19 2022 - Samba 4.17.1 has been released.
 Release Notes Samba 4.17.1

Samba 4.17.0

(Updated 13-September-2022)

  • Tuesday, September 13 2022 - Samba 4.17.0 has been released.
 Release Notes Samba 4.17.0

Samba 4.17.0rc5

(Updated 06-September-2022)

  • Tuesday, September 6 2022 - Samba 4.17.0rc5 has been released.
 Release Notes Samba 4.17.0rc5

Samba 4.17.0rc4

(Updated 30-August-2022)

  • Tuesday, August 30 2022 - Samba 4.17.0rc4 has been released.
 Release Notes Samba 4.17.0rc4

Samba 4.17.0rc3

(Updated 23-August-2022)

  • Tuesday, August 23 2022 - Samba 4.17.0rc3 has been released.
 Release Notes Samba 4.17.0rc3

Samba 4.17.0rc2

(Updated 16-August-2022)

  • Tuesday, August 16 2022 - Samba 4.17.0rc2 has been released.
 Release Notes Samba 4.17.0rc2

Samba 4.17.0rc1

(Updated 8-August-2022)

  • Monday, August 8 2022 - Samba 4.17.0rc1 has been released.
 Release Notes Samba 4.17.0rc1