diff options
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r-- | ChangeLog.txt | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index fa4474bd3..91e0f8606 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,43 @@ +Sat Dec 17 21:14:11 UTC 2022 +patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of + Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. + A Samba Active Directory DC will issue weak rc4-hmac session keys for + use between modern clients and servers despite all modern Kerberos + implementations supporting the aes256-cts-hmac-sha1-96 cipher. + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' + would force rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + This is the Samba CVE for the Windows Kerberos Elevation of Privilege + Vulnerability disclosed by Microsoft on Nov 8 2022. + A service account with the special constrained delegation permission + could forge a more powerful ticket than the one it was presented with. + The "RC4" protection of the NetLogon Secure channel uses the same + algorithms as rc4-hmac cryptography in Kerberos, and so must also be + assumed to be weak. + Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability + was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed + that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue + rc4-hmac encrypted tickets despite the target server supporting better + encryption (eg aes256-cts-hmac-sha1-96). + Note that there are several important behavior changes included in this + release, which may cause compatibility problems interacting with system + still expecting the former behavior. + Please read the advisories of CVE-2022-37966, CVE-2022-37967 and + CVE-2022-38023 carefully! + For more information, see: + https://www.samba.org/samba/security/CVE-2022-37966.html + https://www.samba.org/samba/security/CVE-2022-37967.html + https://www.samba.org/samba/security/CVE-2022-38023.html + https://www.samba.org/samba/security/CVE-2022-45141.html + https://www.cve.org/CVERecord?id=CVE-2022-37966 + https://www.cve.org/CVERecord?id=CVE-2022-37967 + https://www.cve.org/CVERecord?id=CVE-2022-38023 + https://www.cve.org/CVERecord?id=CVE-2022-45141 + (* Security fix *) ++--------------------------+ Wed Dec 14 21:19:34 UTC 2022 patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. |