-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 May 2026 15:46:55 +0300
Source: samba
Architecture: source
Version: 2:4.24.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Changes:
samba (2:4.24.3+dfsg-1) unstable; urgency=medium
.
* This is a security release in order to address the following defects:
.
CVE-2026-1933: Missing access checks on reparse point operations
.
On a share marked "read only = yes" and on file handles opened R/O, users
can set or delete the reparse point xattrs on files that the user has
write-access in the file system for.
.
https://www.samba.org/samba/security/CVE-2026-1933.html
.
CVE-2026-2340: WORM vfs module does not block overwrites
.
The WORM (Write-Once, Read Many) vfs module is supposed to lock write
access to shared files, so they cannot be altered after initial writes.
It was allowing files to be overwritten by renaming a newly created file
over a protected file.
.
https://www.samba.org/samba/security/CVE-2026-2340.html
.
CVE-2026-3012: auto-enrolment GPO installing CA certificate over http
without verification
.
To bootstrap a certificate chain a domain member must fetch a certificate
without TLS. It was trusting HTTP for this when a more secure encrypted
LDAP channel was also available.
.
https://www.samba.org/samba/security/CVE-2026-3012.html
.
CVE-2026-3238: Denial of service against AD DC WINS server
.
The WINS server component of the Active Directory Domain controller code
in Samba is vulnerable to a NULL pointer dereference and crash caused by
an unauthenticated UDP packet.
.
https://www.samba.org/samba/security/CVE-2026-3238.html
.
CVE-2026-4408: Unauthenticated Remote Code Execution in Samba DCE/RPC
SAMR server
.
Samba file servers and classic (non-AD) domain controllers with
samba-dcerpcd started as a system service and with a "check password
script" that has the %u substitution character are vulnerable to a
remote code execution.
.
https://www.samba.org/samba/security/CVE-2026-4408.html
.
CVE-2026-4480: Unauthenticated Remote Code Execution in Samba
printing subsystem
.
Samba print servers with a "print command" that has the %J substitution
character are vulnerable to a Remote Code Execution.
.
https://www.samba.org/samba/security/CVE-2026-4480.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
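
Added example, not part of the upload record or of Samba: a small smb.conf audit that flags the two settings the changelog names, a "check password script" containing %u (CVE-2026-4408) and a "print command" containing %J (CVE-2026-4480). The function names and the sample configuration are constructed for illustration, and the other conditions listed for CVE-2026-4408 (samba-dcerpcd started as a system service, file server or classic non-AD DC role) are not checked.

```python
import re
# Conditions named in the changelog: normalized parameter -> (substitution, CVE)
RISKY = {
    "checkpasswordscript": ("%u", "CVE-2026-4408"),
    "printcommand": ("%J", "CVE-2026-4480"),
}

def logical_lines(text):
    """Yield smb.conf lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        yield line
    if buf:
        yield buf

def audit(text):
    """Return (section, parameter, CVE) for each setting matching RISKY."""
    findings, section = [], "global"  # assumption: settings before any header count as global
    for line in logical_lines(text):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, _, value = line.partition("=")
        # Parameter names are case-insensitive and ignore whitespace;
        # the substitution characters themselves are case-sensitive.
        key = re.sub(r"\s+", "", name).lower()
        if key in RISKY and RISKY[key][0] in value:
            findings.append((section, name.strip(), RISKY[key][1]))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
[global]
   check password script = /usr/local/sbin/pwcheck %u
   ; print command = lpr -J %J %s
[printers]
   Print Command = lpr -r -P%p \\
       -J %J %s
[scans]
   print command = lpr -P%p %s
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding means the configuration matches a condition the changelog lists; the fixed package version is the one given in the Version field above.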