13663 – [SECURITY] Upcoming 2018 AD Security release

Bug 13663 - [SECURITY] Upcoming 2018 AD Security release

Summary: [SECURITY] Upcoming 2018 AD Security release

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.9.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	CVE-2018-14629 13628 13669 CVE-2018-16851 13678 CVE-2018-16857
Blocks:
	Show dependency tree / graph

Reported:	2018-10-24 08:15 UTC by Andrew Bartlett
Modified:	2018-11-29 07:53 UTC (History)
CC List:	7 users (show)

See Also:

Attachments
combined patch for master (28.75 KB, patch) 2018-11-06 02:08 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.9 (24.38 KB, patch) 2018-11-06 02:08 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.8 (8.22 KB, patch) 2018-11-06 02:09 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.7 (8.22 KB, patch) 2018-11-06 02:09 UTC, Andrew Bartlett	no flags	Details
combined patch for master (v2) (28.80 KB, patch) 2018-11-06 02:17 UTC, Andrew Bartlett	no flags	Details
combined patch for master (v3) (28.81 KB, patch) 2018-11-06 02:40 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.9 (v3) (24.43 KB, patch) 2018-11-06 02:40 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.8 (v3) (8.23 KB, patch) 2018-11-06 02:43 UTC, Andrew Bartlett	gary: review+	Details
combined patch for 4.7 (v3) (8.23 KB, patch) 2018-11-06 02:47 UTC, Andrew Bartlett	gary: review+	Details
combined patch for master (v4) (29.35 KB, patch) 2018-11-06 03:23 UTC, Andrew Bartlett	gary: review+	Details
combined patch for 4.9 (v4) (24.98 KB, patch) 2018-11-06 03:24 UTC, Andrew Bartlett	gary: review+	Details
combined patch for master (v5) (29.40 KB, patch) 2018-11-06 04:24 UTC, Andrew Bartlett	gary: review+	Details
combined patch for 4.9 (v5) (25.03 KB, patch) 2018-11-06 04:25 UTC, Andrew Bartlett	gary: review+	Details
combined patch for master (v6) (34.62 KB, patch) 2018-11-06 23:22 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.9 (v6) (28.00 KB, patch) 2018-11-06 23:23 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.8 (v6) (11.25 KB, patch) 2018-11-06 23:24 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.7 (v6) (11.25 KB, patch) 2018-11-06 23:24 UTC, Andrew Bartlett	no flags	Details
combined patch for master (v7) (44.75 KB, text/plain) 2018-11-07 02:18 UTC, Gary Lockyer	no flags	Details
combined patch for master (v8) (44.98 KB, patch) 2018-11-07 03:57 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.9 (v8) (38.27 KB, patch) 2018-11-07 03:58 UTC, Andrew Bartlett	no flags	Details
combined patch for 4.8 (v8) (11.31 KB, patch) 2018-11-07 03:59 UTC, Andrew Bartlett	abartlet: review? (gary) dbagnall: review+ abartlet: review+	Details
combined patch for 4.7 (v8) (11.31 KB, patch) 2018-11-07 03:59 UTC, Andrew Bartlett	abartlet: review? (gary) dbagnall: review+ abartlet: review+	Details
script to produce patches (4.17 KB, application/x-shellscript) 2018-11-07 04:01 UTC, Andrew Bartlett	no flags	Details
combined patch for master (v9) excluding CVE-2018-16857 (44.86 KB, patch) 2018-11-08 02:04 UTC, Andrew Bartlett	dbagnall: review+ abartlet: review+	Details
combined patch for 4.9 (v9) excluding CVE-2018-16857 (38.15 KB, patch) 2018-11-08 02:04 UTC, Andrew Bartlett	abartlet: review? (gary) dbagnall: review+	Details
Show Obsolete (20) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2018-10-24 08:15:25 UTC

A security release is tentatively planned for November 20th 2018

Comment 1 Andrew Bartlett 2018-11-06 02:08:07 UTC

Created attachment 14580 [details]
combined patch for master

Comment 2 Andrew Bartlett 2018-11-06 02:08:48 UTC

Created attachment 14581 [details]
combined patch for 4.9

Comment 3 Andrew Bartlett 2018-11-06 02:09:15 UTC

Created attachment 14582 [details]
combined patch for 4.8

Comment 4 Andrew Bartlett 2018-11-06 02:09:52 UTC

Created attachment 14583 [details]
combined patch for 4.7

Comment 5 Andrew Bartlett 2018-11-06 02:16:35 UTC

The patches here are uploaded to facilitate an autobuild of all four trees of the combined branch.  The authoritative patches are in the other bugs.

Comment 6 Andrew Bartlett 2018-11-06 02:17:38 UTC

Created attachment 14585 [details]
combined patch for master (v2)

Comment 7 Andrew Bartlett 2018-11-06 02:40:23 UTC

Created attachment 14586 [details]
combined patch for master (v3)

Comment 8 Andrew Bartlett 2018-11-06 02:40:52 UTC

Created attachment 14587 [details]
combined patch for 4.9 (v3)

Comment 9 Andrew Bartlett 2018-11-06 02:43:11 UTC

Created attachment 14588 [details]
combined patch for 4.8 (v3)

Comment 10 Andrew Bartlett 2018-11-06 02:47:15 UTC

Created attachment 14589 [details]
combined patch for 4.7 (v3)

Comment 11 Andrew Bartlett 2018-11-06 03:23:40 UTC

Created attachment 14592 [details]
combined patch for master (v4)

The 4.9 patches needed re-spinning

Comment 12 Andrew Bartlett 2018-11-06 03:24:11 UTC

Created attachment 14593 [details]
combined patch for 4.9 (v4)

Comment 13 Andrew Bartlett 2018-11-06 04:24:57 UTC

Created attachment 14601 [details]
combined patch for master (v5)

Comment 14 Andrew Bartlett 2018-11-06 04:25:41 UTC

Created attachment 14602 [details]
combined patch for 4.9 (v5)

Comment 15 Andrew Bartlett 2018-11-06 23:22:32 UTC

Created attachment 14608 [details]
combined patch for master (v6)

Comment 16 Andrew Bartlett 2018-11-06 23:23:41 UTC

Created attachment 14609 [details]
combined patch for 4.9 (v6)

Comment 17 Andrew Bartlett 2018-11-06 23:24:18 UTC

Created attachment 14610 [details]
combined patch for 4.8 (v6)

Comment 18 Andrew Bartlett 2018-11-06 23:24:52 UTC

Created attachment 14611 [details]
combined patch for 4.7 (v6)

Comment 19 Gary Lockyer 2018-11-07 02:18:45 UTC

Created attachment 14612 [details]
combined patch for master (v7)

Comment 20 Andrew Bartlett 2018-11-07 03:57:57 UTC

Created attachment 14618 [details]
combined patch for master (v8)

Comment 21 Andrew Bartlett 2018-11-07 03:58:39 UTC

Created attachment 14619 [details]
combined patch for 4.9 (v8)

Comment 22 Andrew Bartlett 2018-11-07 03:59:13 UTC

Created attachment 14620 [details]
combined patch for 4.8 (v8)

Comment 23 Andrew Bartlett 2018-11-07 03:59:48 UTC

Created attachment 14621 [details]
combined patch for 4.7 (v8)

Comment 24 Andrew Bartlett 2018-11-07 04:01:52 UTC

Created attachment 14622 [details]
script to produce patches

This script helps me produce all the right patches, given git branches

Comment 25 Andrew Bartlett 2018-11-07 07:09:48 UTC

The patches for Samba 4.8 passed a private autobuild

Comment 26 Andrew Bartlett 2018-11-07 18:46:19 UTC

The patches for Samba 4.9 passed a private autobuild

Comment 27 Andrew Bartlett 2018-11-07 22:22:53 UTC

The v8 patches have now passed on 4.7, 4.8 and 4.9.

Comment 28 Andrew Bartlett 2018-11-08 02:04:04 UTC

Created attachment 14637 [details]
combined patch for master (v9) excluding CVE-2018-16857

Comment 29 Andrew Bartlett 2018-11-08 02:04:48 UTC

Created attachment 14638 [details]
combined patch for 4.9 (v9) excluding CVE-2018-16857

Comment 30 Andrew Bartlett 2018-11-08 06:02:48 UTC

This security release is ready.

All the component patches are signed off (this is just a summary set).

Comment 31 Andrew Bartlett 2018-11-08 21:15:23 UTC

(In reply to Andrew Bartlett from comment #29)
The 4.9 patch (v9) passed a full autobuild

Comment 32 Douglas Bagnall 2018-11-08 22:38:08 UTC

Comment on attachment 14637 [details]
combined patch for master (v9) excluding CVE-2018-16857

I can confirm that the master patch amounts to the sum of the constituent bugs.

I didn't have time to do the same for 4.9.

Comment 33 Karolin Seeger 2018-11-12 08:18:15 UTC

Waiting for "review +" flags here.

Comment 34 Andrew Bartlett 2018-11-12 17:38:23 UTC

(In reply to Karolin Seeger from comment #33)
These are 'just' the roll-up (but on the inverse, they are what I ran the autobuild on).  

The reviews are all set on the patches for the release versions on the bugs.

Comment 35 Douglas Bagnall 2018-11-12 23:37:20 UTC

Comment on attachment 14621 [details]
combined patch for 4.7 (v8)

Summarising the backport patches:

 * 4.7 and 4.8 are the same.
 * 4.9 adds the CVE-2018-16852 DNS NULL pointer deref patch (and a trivial whitespace change)
 * master adds the MIT krb5 warning and the self-referencing CNAME "comfort" patch.

Comment 36 Andrew Bartlett 2018-11-14 04:13:39 UTC

Please note the combined patches (originally created to aid autobuild runs) do not include the patches for CVE-2018-16857.  This is deliberate.

Comment 37 Karolin Seeger 2018-11-16 10:33:17 UTC

Opening bug report for vendors.
Planned release date is Tuesday, November 27 2018.

Comment 38 Andrew Bartlett 2018-11-16 18:19:31 UTC

Comment on attachment 14637 [details]
combined patch for master (v9) excluding CVE-2018-16857

This name change on the patch description just clarifies the earlier comment where it might be noticed by vendors in a rush.  This last CVE was added after final testing of the main set was completed, and was tested independently.

Comment 39 Andrew Bartlett 2018-11-16 18:20:56 UTC

(In reply to Andrew Bartlett from comment #38)
Additionally, CVE-2018-16857 is a 4.9/master only issue.

Comment 40 Karolin Seeger 2018-11-27 09:32:44 UTC

Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address these defects.