Samba released security updates patching three issues CVE-2019-14902, CVE-2019-14907, and CVE-2019-19344.
The medium-rated CVE-2019-14902 fixes a problem where a newly delegated right, but more importantly the removal of a previously delegated right, would not be inherited on any domain controller other than the one where the change was made. This means if a user had been delegated the right to make alterations to a subtree, such as changing passwords, and that right was then rescinded, that move would not automatically be taken away on all domain controllers.
The patch fixes this issue, but Samba noted, “it is vital that a full-sync be done TO each Domain Controller to ensure each ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs.”
CVE-2019-14907, medium rated, can allow a crash after failed character conversion at log level three or higher affecting Samba 4.0 and later. In the Samba Active Directory Domain Controller this may cause a long-lived process to terminate.
The final issue, CVE-2019-19344, covers a use after free issue during DNS zone scavenging in Samba Active Directory Domain Controller in versions 4.9 and later. When Samba 4.9 was rolled out it contained an off by default feature to tombstone dynamically created DNS records that had reached their expiration point. There is a use-after-free issue in this code that if the proper conditions exist save that read memory into the database.
Patches for all three issues have been posted.
