UbuntuUpdates.org

Package "winbind"

Name: winbind

Description:

service to resolve user and group information from Windows NT servers
Latest version: 2:4.22.3+dfsg-4ubuntu2.4
Release: questing (25.10)
Level: security
Repository: main
Head package: samba
Homepage: https://www.samba.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "winbind"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "winbind" in Questing

Repository Area Version
base main 2:4.22.3+dfsg-4ubuntu2
updates main 2:4.22.3+dfsg-4ubuntu2.4

Changelog

Version: 2:4.22.3+dfsg-4ubuntu2.4 2026-05-26 16:07:36 UTC

  samba (2:4.22.3+dfsg-4ubuntu2.4) questing-security; urgency=medium

  * SECURITY UPDATE: May 2026 security updates
    - debian/patches/security-202605-*.patch
    - CVE-2026-1933 - Missing access checks on reparse point operations
    - CVE-2026-2340 - WORM vfs module does not block overwrites
    - CVE-2026-3012 - auto-enrolment GPO installing CA certificate over
                      http without verification
    - CVE-2026-3238 - Denial of service against AD DC WINS server
    - CVE-2026-4408 - Unauthenticated Remote Code Execution in Samba
                      DCE/RPC SAMR server
    - CVE-2026-4480 - Unauthenticated Remote Code Execution in Samba
                      printing subsystem

 -- Marc Deslauriers <email address hidden> Thu, 21 May 2026 12:32:07 -0400
Source diff to previous version
CVE-2026-1933 Missing access check on reparse point operations
CVE-2026-2340 vfs_worm does not block directory modification
CVE-2026-3012 group policy certificate enrollment uses http:// without validation
CVE-2026-3238 unauthenticated udp packet crashes AD DC nbt server
CVE-2026-4408 Remote Code Execution in SAMR when check password script contains %u substitution placeholder
CVE-2026-4480 Unauthenticated Remote Code Execution using print command

Version: 2:4.22.3+dfsg-4ubuntu2.2 2025-11-13 01:07:24 UTC

  samba (2:4.22.3+dfsg-4ubuntu2.2) questing-security; urgency=medium

  * No-change rebuild to fix amd64v3 publishing issue.

 -- Marc Deslauriers <email address hidden> Wed, 12 Nov 2025 08:19:28 -0500
Source diff to previous version

Version: 2:4.22.3+dfsg-4ubuntu2.1 2025-10-16 10:07:22 UTC

  samba (2:4.22.3+dfsg-4ubuntu2.1) questing-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory disclosure via vfs_streams_xattr
    - debian/patches/CVE-2025-9640-1.patch: add torture test for inserting
      hole in stream in source3/selftest/tests.py, source4/torture/*.
    - debian/patches/CVE-2025-9640-2.patch: fix unitialized write in
      source3/modules/vfs_streams_xattr.c.
    - CVE-2025-9640
  * SECURITY UPDATE: command injection via WINS server hook script
    - debian/patches/CVE-2025-10230-1.patch: check that wins hook sanitizes
      names in python/samba/tests/usage.py, selftest/*, source4/torture/*,
      testprogs/blackbox/wins_hook_test.
    - debian/patches/CVE-2025-10230-2.patch: restrict names fed to shell in
      source4/nbt_server/wins/wins_hook.c.
    - CVE-2025-10230

 -- Marc Deslauriers <email address hidden> Thu, 09 Oct 2025 08:57:10 -0400
CVE-2025-9640 A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows
CVE-2025-10230 Command injection via WINS server hook script


About   -   Send Feedback to @ubuntu_updates