Samba 4.11.2 Available for Download

Samba 4.11.2 (gzipped)

Patch (gzipped) against Samba 4.11.1

                   Release Notes for Samba 4.11.2
                          October 29, 2019

This is a security release in order to address the following defects:

o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
                  via dirsync.


o  CVE-2019-10218:
   Malicious servers can cause Samba client code to return filenames containing
   path separators to calling code.

o  CVE-2019-14833:
   When the password contains multi-byte (non-ASCII) characters, the check
   password script does not receive the full password string.

o  CVE-2019-14847:
   Users with the "get changes" extended access right can crash the AD DC LDAP
   server by requesting an attribute using the range= syntax.

For more details and workarounds, please refer to the security advisories.
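
For CVE-2019-10218, code that joins a server-returned name onto a local
directory can first check that the name is a single path component. The
following is an added example, not Samba's fix or code from this release; the
function names and the /tmp/dl directory are assumptions made for illustration.

```c
/* Added example (not Samba code): treat a directory entry name returned by
 * a server as untrusted and accept it only as a single path component. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if name is usable as one path component under a local directory. */
bool name_is_single_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* "." and ".." refer to the directory itself or its parent. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    /* Reject both POSIX and Windows path separators anywhere in the name. */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return false;
    return true;
}

/* Build "<dir>/<name>" in out. Returns 0 on success, -1 if the name is
 * rejected or the result would not fit in outlen bytes. */
int join_download_path(const char *dir, const char *name,
                       char *out, size_t outlen)
{
    if (!name_is_single_component(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names standing in for a server's listing reply. */
    const char *names[] = { "report.txt", "../outside.txt",
                            "..\\outside.txt", "sub/dir.txt", ".." };
    char path[256];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = join_download_path("/tmp/dl", names[i], path, sizeof(path));
        printf("%-18s -> %s\n", names[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```
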

Changes since 4.11.1:

o  Jeremy Allison
   * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
     from evil server returned names.

o  Andrew Bartlett
   * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
   * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
     combined with dirsync.

o  Björn Baumbach
   * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password