===========================================================
== Subject:     Samba AD DC LDAP server crash (VLV and paged searches)
==
== CVE ID#:
==
== Versions:    All versions of Samba since Samba 4.5.0
==
== Summary:     A user with read access to the directory can
==              cause a NULL pointer dereference using either
==              the VLV or paged search controls.
===========================================================

===========
Description
===========

A user with read access to the LDAP server can crash the LDAP server
process. Depending on the Samba version and the choice of process
model, this may crash only the user's own connection.

Specifically, while the default in Samba 4.7.0 and later (and so all
supported Samba versions) is for one process per connected client,
site-specific configuration can change this.

Using the -M option to 'samba', Samba 4.8 and later support the
'prefork' process model and all versions of Samba support a 'single'
process model. Both of these share one process between multiple
clients.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases
to correct the defect. Samba administrators are advised to upgrade
to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Return to the default configuration by running 'samba' with
-M standard; however, this may consume more memory.

=======
Credits
=======

Originally reported by Zombie Ryushu.

Patches provided by Douglas Bagnall of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
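
Added example (not part of the Samba advisory or the Samba project's code): a small shell check that reads a 'samba' command line, for instance from a service unit, and reports whether the configured process model is one the Description says shares one process between multiple clients. The function names and sample command lines are constructed for illustration, and the accepted spellings of the -M option are an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the Samba advisory.

# Print the process model chosen by a 'samba' command line.
# Assumption: the model is given as "-M model", "-Mmodel", "--model model"
# or "--model=model"; with no option, the default "standard" applies.
samba_process_model() {
    model=standard
    while [ $# -gt 0 ]; do
        case "$1" in
            -M|--model) if [ $# -ge 2 ]; then model=$2; shift; fi ;;
            --model=*)  model=${1#--model=} ;;
            -M*)        model=${1#-M} ;;
        esac
        shift
    done
    printf '%s\n' "$model"
}

# Map the model to the crash scope the advisory describes (for Samba 4.7.0
# and later): "shared" means one LDAP process serves multiple clients.
samba_crash_scope() {
    case "$(samba_process_model "$@")" in
        prefork|single) echo shared ;;
        standard)       echo per-connection ;;
        *)              echo unknown ;;
    esac
}

# Constructed sample command lines, as they might appear in a service unit.
demo() {
    while read -r line; do
        set -f; set -- $line; set +f   # split into words without globbing
        printf '%-50s %s\n' "$line" "$(samba_crash_scope "$@")"
    done <<'EOF'
/usr/sbin/samba --foreground --no-process-group
/usr/sbin/samba -D -M prefork
/usr/sbin/samba --model=single -i
/usr/sbin/samba -D -M standard
EOF
}
demo
```

A result of "shared" marks a host where the workaround above (-M standard) changes the crash scope until the patched release is installed.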