Samba 4.9.15 Available for Download

Samba 4.9.15 (gzipped)
Signature

Patch (gzipped) against Samba 4.9.14
Signature

                   ==============================
                   Release Notes for Samba 4.9.15
                          October 29, 2019
                   ==============================


This is a security release in order to address the following defects:

o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
		  password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
		  via dirsync.

=======
Details
=======

o  CVE-2019-10218:
   Malicious servers can cause Samba client code to return filenames containing
   path separators to calling code.

o  CVE-2019-14833:
   When the password contains multi-byte (non-ASCII) characters, the check
   password script does not receive the full password string.

o  CVE-2019-14847:
   Users with the "get changes" extended access right can crash the AD DC LDAP
   server by requesting an attribute using the range= syntax.

For more details and workarounds, please refer to the security advisories.


Changes since 4.9.14:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
     from evil server returned names.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
     password.
   * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
     combined with dirsync.

o  Björn Baumbach <bb@sernet.de>
   * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password
     script.