released security updates patching three issues CVE-2019-14902, CVE-2019-14907,
CVE-2019-14902 fixes a problem where a newly delegated right, but more
importantly the removal of a previously delegated right, would not be inherited
on any domain controller other than the one where the change was made. This
means if a user had been delegated the right to make alterations to a subtree,
such as changing passwords, and that right was then rescinded, that move would
not automatically be taken away on all domain controllers.
fixes this issue, but Samba noted, “it
is vital that a full-sync be done TO each Domain Controller to ensure each ACL
(ntSecurityDescriptor) is re-calculated on the whole set of DCs.”
medium rated, can allow a crash after failed character conversion at log level
three or higher affecting Samba 4.0 and later. In the Samba Active Directory
Domain Controller this may cause a long-lived process to terminate.
covers a use after free issue during DNS zone scavenging in Samba Active
Directory Domain Controller in versions 4.9 and later. When Samba 4.9 was
rolled out it contained an off by default feature to tombstone dynamically
created DNS records that had reached their expiration point. There is a
use-after-free issue in this code that if the proper conditions exist save that
read memory into the database.
all three issues have been posted.