[Pkg-samba-maint] [samba] 08/08: NEWS file for 2:3.6.6-6+deb7u8
Andrew Bartlett
abartlet-guest at moszumanska.debian.org
Wed Apr 13 01:33:25 UTC 2016
This is an automated email from the git hooks/post-receive script.
abartlet-guest pushed a commit to branch wheezy
in repository samba.
commit 0c40b90790187f2028a87cc8ae5f9c77f8394e32
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 13 13:19:07 2016 +1200
NEWS file for 2:3.6.6-6+deb7u8
---
debian/NEWS | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
diff --git a/debian/NEWS b/debian/NEWS
index 679425a..bcaeca5 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,80 @@
+samba (2:3.6.6-6+deb7u8) wheezy-security; urgency=high
+
+ This Samba security release addresses both Denial of Service and Man in
+ the Middle vulnerabilities.
+
+ A significant number of patches were back-ported, and in some areas
+ of winbindd the behaviour is now more like Samba 4.2 than 3.6
+
+ This new security patch implements new smb.conf options and a
+ number of stricter behaviours to prevent Man in the Middle attacks
+ on our network services, as a client and as a server.
+
+ Between these changes, compatibility with a large number of older
+ software versions has been lost in the default configuration.
+
+ See the release notes in WHATNEW.txt for more information.
+
+
+ Here are some additional hints how to work around the new stricter default behaviors:
+
+ * As a File Server, compatibility with the Linux Kernel cifs
+ client depends on which configuration options are selected, please
+ use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+ * As a file or printer client and as a domain member, out of the
+ box compatibility with Samba less than 4.0 and other SMB/CIFS
+ servers, depends on support for SMB signing or SMB2 on the
+ server, which is often disabled or absent. You may need to
+ adjust the "client ipc signing" to "no" in these cases.
+
+ * Due to bug Samba bug #11830, when Samba is configured as a
+ domain member in Active Directory domain and this domain has
+ trust to other Active Directory domains, you will need to set
+
+ winbind sealed pipes = false
+ require strong key = false
+
+ Doing so will however remove an aspect of our protection against
+ MitM attacks between winbindd and the domain controllers.
+
+ However, all of these can be worked around by setting smb.conf
+ options in Samba, see the 4.2.0 and 4.2.11 release notes (because
+ many of the fixes are backported from there) at
+ https://www.samba.org/samba/history/samba-4.2.0.html and
+ https://www.samba.org/samba/history/samba-4.2.11.html and the
+ Samba wiki for details, workarounds and suggested
+ security-improving changes to these and other software packages.
+
+
+ New smb.conf options and defaults:
+
+ * raw NTLMv2 auth = no
+ * client ipc signing = no
+ * winbind sealed pipes = yes
+ * allow dcerpc auth level connect = no
+
+
+ Suggested further improvements after patching:
+
+ It is recommended that administrators set these additional options,
+ if compatible with their network environment:
+
+ server signing = mandatory
+ ntlm auth = no
+
+ Without "server signing = mandatory", Man in the Middle attacks
+ are still possible against our file server and
+ classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+ Samba's AD DC.) Note that this has heavy impact on the file server
+ performance, so you need to decide between performance and
+ security. These Man in the Middle attacks for smb file servers are
+ well known for decades.
+
+ Without "ntlm auth = no", there may still be clients not using
+ NTLMv2, and these observed passwords may be brute-forced easily using
+ cloud-computing resources or rainbow tables.
+
samba (2:3.6.5-2) unstable; urgency=low
NSS modules have been split out from libpam-winbind to
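Review bot: the "New smb.conf options and defaults" list contradicts the workaround advice a few lines above it: the list states the new default is "client ipc signing = no", while the file/printer-client bullet says that to talk to older servers without signing or SMB2 support "You may need to adjust the 'client ipc signing' to 'no'". If "no" were already the default that adjustment would be a no-op, so one of the two is wrong; please check the actual default shipped in this upload (the 4.2.11 release notes the entry points to are the reference) and correct either the listed default or the workaround before this NEWS is shown to users on upgrade. Two smaller points in the same hunk: "Due to bug Samba bug #11830" duplicates "bug", and "See the release notes in WHATNEW.txt" should name the file Samba actually ships, WHATSNEW.txt. Since this text is displayed by apt-listchanges at upgrade time, it would also help to say explicitly that the options under "Suggested further improvements" go in the [global] section of /etc/samba/smb.conf.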
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git