diff options
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- | WHATSNEW.txt | 70 |
1 files changed, 68 insertions, 2 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 977c85a09b..defe3cb619 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,70 @@ ============================= + Release Notes for Samba 4.1.6 + March 11, 2014 + ============================= + + +This is a security release in order to address +CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and +CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake). + +o CVE-2013-4496: + Samba versions 3.4.0 and above allow the administrator to implement + locking out Samba accounts after a number of bad password attempts. + + However, all released versions of Samba did not implement this check for + password changes, such as are available over multiple SAMR and RAP + interfaces, allowing password guessing attacks. + +o CVE-2013-6442: + Samba versions 4.0.0 and above have a flaw in the smbcacls command. If + smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" + command options it will remove the existing ACL on the object being + modified, leaving the file or directory unprotected. + + +Changes since 4.1.5: +-------------------- + +o Jeremy Allison <jra@samba.org> + * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when + setting owner or group owner. + + +o Andrew Bartlett <abartlet@samba.org> + * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password + changes. + + +o Stefan Metzmacher <metze@samba.org> + * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password + changes. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.1.5 February 21, 2014 ============================= @@ -94,8 +160,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.1.4 |