Hi,

I'm currently uploading:
- sid=4.6.7+dfsg-2
- stretch-security=4.5.8+dfsg-2+deb9u2
- jessie-security=4.2.14+dfsg-0+deb8u8

I'll do stretch-pu later (4.5.12+dfsg-2) but I won't do wheezy-lts (only CVE-2017-12150 and -12163 are needed).

Regards

2017-09-20 10:07 GMT+02:00 Karolin Seeger via samba-announce <samba-annou...@lists.samba.org>:
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defects:
>
> o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
>   should)
> o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS
>   redirects)
> o CVE-2017-12163 (Server memory information leak over SMB1)
>
>
> =======
> Details
> =======
>
> o CVE-2017-12150:
>   A man in the middle attack may hijack client connections.
>
> o CVE-2017-12151:
>   A man in the middle attack can read and may alter confidential
>   documents transferred via a client connection, which are reached
>   via DFS redirect when the original connection used SMB3.
>
> o CVE-2017-12163:
>   Client with write access to a share can cause server memory contents to be
>   written into a file or printer.
>
> For more details and workarounds, please see the security advisories:
>
> o https://www.samba.org/samba/security/CVE-2017-12150.html
> o https://www.samba.org/samba/security/CVE-2017-12151.html
> o https://www.samba.org/samba/security/CVE-2017-12163.html
>
>
> Changes:
> --------
>
> o Jeremy Allison <j...@samba.org>
>   * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
>     async.
>   * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
>     writing server memory to file.
>
> o Ralph Boehme <s...@samba.org>
>   * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories
>     directly.
>
> o Stefan Metzmacher <me...@samba.org>
>   * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs
>     redirects.
>   * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing
>     when they should.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.6.8.html
> https://www.samba.org/samba/history/samba-4.5.14.html
> https://www.samba.org/samba/history/samba-4.4.16.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team

--
Mathieu