Nov 2021 security update tracking bug

Bug #1950363 reported by Marc Deslauriers
Affects          Status        Importance  Assigned to       Milestone
samba (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
  Bionic         Fix Released  Undecided   Marc Deslauriers
  Focal          Fix Released  Undecided   Marc Deslauriers
  Hirsute        Fix Released  Undecided   Marc Deslauriers
  Impish         Fix Released  Undecided   Marc Deslauriers
  Jammy          Fix Released  Undecided   Marc Deslauriers

Bug Description

This bug is for tracking the Nov 2021 Samba security update:

o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
                  authentication.
                  https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
                  https://www.samba.org/samba/security/CVE-2020-25717.html
                  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
                  by an RODC.
                  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
                  tickets.
                  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
                  (e.g. objectSid).
                  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
                  checking of data stored.
                  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738: Use after free in Samba AD DC RPC server.
                  https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
                  https://www.samba.org/samba/security/CVE-2021-23192.html

Changed in samba (Ubuntu Focal):
status: New → In Progress
Changed in samba (Ubuntu Hirsute):
status: New → In Progress
Changed in samba (Ubuntu Impish):
status: New → In Progress
Changed in samba (Ubuntu Jammy):
status: New → In Progress
Changed in samba (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Hirsute):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Impish):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Jammy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package samba - 2:4.13.14+dfsg-0ubuntu0.21.10.1

---------------
samba (2:4.13.14+dfsg-0ubuntu0.21.10.1) impish-security; urgency=medium

  * Update to 4.13.14 as a security update (LP: #1950363)
    - debian/patches/CVE-2021-20254.patch: removed, included in new
      version.
    - debian/control: bump ldb Build-Depends to 2.2.3.
    - debian/samba-libs.install: added libdcerpc-pkt-auth.so.0.
    - debian/patches/trusted_domain_regression_fix.patch: fix regression
      introduced in 4.13.14.
    - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
      CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192

 -- Marc Deslauriers <email address hidden> Tue, 09 Nov 2021 14:52:07 -0500

Changed in samba (Ubuntu Impish):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package samba - 2:4.13.14+dfsg-0ubuntu0.21.04.1

---------------
samba (2:4.13.14+dfsg-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * Update to 4.13.14 as a security update (LP: #1950363)
    - debian/patches/CVE-2021-20254.patch: removed, included in new
      version.
    - debian/control: bump ldb Build-Depends to 2.2.3.
    - debian/samba-libs.install: removed libsmbd-conn.so.0, added
      libdcerpc-pkt-auth.so.0.
    - debian/libwbclient0.symbols: added new symbol.
    - debian/patches/trusted_domain_regression_fix.patch: fix regression
      introduced in 4.13.14.
    - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
      CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192

 -- Marc Deslauriers <email address hidden> Tue, 09 Nov 2021 14:52:07 -0500

Changed in samba (Ubuntu Hirsute):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package samba - 2:4.13.14+dfsg-0ubuntu0.20.04.1

---------------
samba (2:4.13.14+dfsg-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Update to 4.13.14 as a security update (LP: #1950363)
    - Removed patches included in new version:
      + CVE-*.patch
      + zerologon*.patch
      + 0023-libsmb-Don-t-try-to-find-posix-stat-info-in-SMBC_get.patch
      + build-Remove-tests-for-getdents-and-getdirentries.patch
      + fix-double-free-with-unresolved-credentia-cache.patch
      + wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
      + wscript-split-function-check-to-one-per-line-and-sor.patch
    - Add/Refresh patches from Hirsute package:
      + Rename-mdfind-to-mdsearch.patch
      + bug_221618_precise-64bit-prototype.patch
      + fix-nfs-service-name-to-nfs-kernel-server.patch
    - debian/control: bump libldb-dev Build-Depends to 2.2.3, bump
      libtalloc to 2.3.1, libtdb to 1.4.3, and libtevent to 0.10.2.
    - debian/*.install, debian/*.symbols: sync with Hirsute package, added
      libdcerpc-pkt-auth.so.0.
    - debian/rules: build with --enable-spotlight, remove --accel-aes as it
      is no longer used with gnutls.
    - debian/control: add libicu-dev to Build-Depends.
    - debian/patches/trusted_domain_regression_fix.patch: fix regression
      introduced in 4.13.14.
    - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
      CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192

 -- Marc Deslauriers <email address hidden> Mon, 01 Nov 2021 07:33:25 -0400

Changed in samba (Ubuntu Focal):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote:

Fixing this issue on Ubuntu 18.04 LTS is going to be problematic.

The backport to 4.10 of the patchset to fix most of the CVEs contains 686 commits. Backporting that to bionic's 4.7.6 may not be feasible.

The main issue with updating bionic to 4.13.14 is the lack of support for python 2.7. I have successfully built 4.13.14 on bionic along with required version bumps of talloc, tdb, tevent, and ldb. sssd was successfully rebuilt by adding a few patches to support newer Samba releases.

Unfortunately, freeipa has a dependency on python-samba which can't be solved.

While we can update bionic to Samba 4.13.14, this will likely break freeipa. I don't think the required python 3 dependencies are available in bionic to build a later freeipa.

Marc Deslauriers (mdeslaur) wrote:

There is an updated Samba package for bionic in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

It contains fixes for CVE-2016-2124, CVE-2020-25717, CVE-2020-25722 and CVE-2021-3671 which appear to be the most severe issues. Upstream has advised which commits are the important ones.

If someone is running Samba as an AD-DC, could you please test them and comment here? Thanks!

Marc Deslauriers (mdeslaur) wrote:

In case we end up having to update bionic to a more recent samba, I've stuck the update package and dependencies in my ppa here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing/+packages

The current plan is to use the update in comment #5.

Kevin Liao (kevinliao) wrote:

Hi all, I want to ask one question.

For CVE-2021-23192, I saw on the Samba website (https://www.samba.org/samba/security/CVE-2021-23192.html) that it affects only Samba 4.10.0 and later. Since bionic uses Samba 4.7.6, can I say that bionic is not affected by this single CVE? Thanks.

Marc Deslauriers (mdeslaur) wrote:

That is correct, samba 4.7.6 in bionic is not vulnerable to CVE-2021-23192.

Marc Deslauriers (mdeslaur) wrote:

I've uploaded updated Bionic packages that fix Samba bug #14901 in the security team's PPA here for testing:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Changed in samba (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in samba (Ubuntu Bionic):
status: New → Fix Released
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package samba - 2:4.13.14+dfsg-0ubuntu1

---------------
samba (2:4.13.14+dfsg-0ubuntu1) jammy; urgency=medium

  * Update to 4.13.14 as a security update (LP: #1950363)
    - debian/patches/CVE-2021-20254.patch: removed, included in new
      version.
    - debian/control: bump ldb Build-Depends to 2.2.3.
    - debian/samba-libs.install: added libdcerpc-pkt-auth.so.0.
    - debian/patches/trusted_domain_regression_fix.patch: fix regression
      introduced in 4.13.14.
    - debian/patches/bug14901-*.patch: upstream patches to fix some
      mapping issues.
    - debian/patches/bug14918-*.patch: upstream patches to properly handle
      dangling symlinks.
    - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
      CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192

 -- Marc Deslauriers <email address hidden> Tue, 09 Nov 2021 14:52:07 -0500

Changed in samba (Ubuntu Jammy):
status: Fix Committed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.