An update for samba is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2577 Final 1.0 1.0 2026-06-05 Initial 2026-06-05 2026-06-05 openEuler SA Tool V1.0 2026-06-05 samba security update An update for samba is now available for openEuler-20.03-LTS-SP4 Samba is a suite of programs for Linux and Unix to interoperate with Windows. Security Fix(es): ['-------- Forwarded Message --------', 'Date: Tue, 26 May 2026 14:29:50 +0200', 'Reply-To: Stefan Metzmacher <metze () samba org>', 'Release Announcements\n---------------------\n\nThis is a security release in order to address the following defects:\n\no CVE-2026-1933: Missing access checks on reparse point operations\n\n On a share marked "read only = yes" and\n on file handles opened R/O users can set\n or delete the reparse point xattrs on files\n that the user has write-access in the file\n system for.', 'o CVE-2026-2340: WORM vfs module does not block overwrites\n\n The WORM (Write-Once, Read Many) vfs module\n is supposed to lock write access to shared\n files, so they cannot be altered after initial\n writes. It was allowing files to be overwritten\n by renaming a newly created file over a protected\n file.', 'o CVE-2026-3012: auto-enrolment GPO installing CA certificate over http\n without verification\n\n To bootstrap a certificate chain a domain member must\n fetch a certificate without TLS. It was trusting HTTP\n for this when a more secure encrypted LDAP channel\n was also available.', 'o CVE-2026-3238: Denial of service against AD DC WINS server\n\n The WINS server component of the Active\n Directory Domain controller code in Samba\n is vulnerable to a NULL pointer dereference\n and crash caused by a unauthenticated UDP\n packet.', 'server', '"check password script" that has the %u substitution\n character are vulnerable to a remote code execution.', 'o CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing\n subsystem\n\n Samba print servers with a "print command"\n that has the %J substitution character\n are vulnerable to a Remote Code Execution.', 'Changes\n-------\n\no Douglas Bagnall <douglas.bagnall () catalyst net nz>\n * BUG 15997: CVE-2026-2340\n * BUG 16003: CVE-2026-3012\n * BUG 16033: CVE-2026-4480\n * BUG 16034: CVE-2026-4408\n\no Pavel Kohout <pavel () aisle com>\n * BUG 15997: CVE-2026-2340\n\no Volker Lendecke <vl () samba org>\n * BUG 15992: CVE-2026-1933\n * BUG 16012: CVE-2026-3238\n\no Stefan Metzmacher <metze () samba org>\n * BUG 15992: CVE-2026-1933\n * BUG 16033: CVE-2026-4480\n * BUG 16034: CVE-2026-4408', "has Homedir / In passwd\n\n#######################################\nReporting bugs & Development Discussion\n#######################################\n\nPlease discuss this release on the samba-technical mailing list or by\njoining the #samba-technical:matrix.org matrix room, or\n#samba-technical IRC channel on irc.libera.chat.\n\nIf you do report problems then please try to send high quality\nfeedback. If you don't provide vital information to help us track down\nthe problem then you will probably be ignored. All bug reports should\nbe filed under the Samba 4.1 and newer product in the project's Bugzilla\ndatabase (", ').\n\n\n======================================================================\n== Our Code, Our Bugs, Our Responsibility.\n== The Samba Team\n======================================================================\n\n\n\n================\nDownload Details\n================\n\nThe uncompressed tarballs and patch files have been signed\nusing GnuPG (ID AA99442FB680B620). The source code can be downloaded\nfrom:', 'The release notes are available online at:', 'Our Code, Our Bugs, Our Responsibility.\n(', ')\n\n --Enjoy\n The Samba Team'](CVE-2026-3238) A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.(CVE-2026-4408) A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the 'print command' setting via the '%J' substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.(CVE-2026-4480) An update for samba is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical samba https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2577 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3238 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-4408 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-4480 https://nvd.nist.gov/vuln/detail/CVE-2026-3238 https://nvd.nist.gov/vuln/detail/CVE-2026-4408 https://nvd.nist.gov/vuln/detail/CVE-2026-4480 openEuler-20.03-LTS-SP4 ctdb-4.11.12-38.oe2003sp4.aarch64.rpm ctdb-tests-4.11.12-38.oe2003sp4.aarch64.rpm libsmbclient-4.11.12-38.oe2003sp4.aarch64.rpm libsmbclient-devel-4.11.12-38.oe2003sp4.aarch64.rpm libwbclient-4.11.12-38.oe2003sp4.aarch64.rpm libwbclient-devel-4.11.12-38.oe2003sp4.aarch64.rpm python3-samba-4.11.12-38.oe2003sp4.aarch64.rpm python3-samba-dc-4.11.12-38.oe2003sp4.aarch64.rpm python3-samba-test-4.11.12-38.oe2003sp4.aarch64.rpm samba-4.11.12-38.oe2003sp4.aarch64.rpm samba-client-4.11.12-38.oe2003sp4.aarch64.rpm samba-common-4.11.12-38.oe2003sp4.aarch64.rpm samba-common-tools-4.11.12-38.oe2003sp4.aarch64.rpm samba-dc-4.11.12-38.oe2003sp4.aarch64.rpm samba-dc-bind-dlz-4.11.12-38.oe2003sp4.aarch64.rpm samba-dc-provision-4.11.12-38.oe2003sp4.aarch64.rpm samba-debuginfo-4.11.12-38.oe2003sp4.aarch64.rpm samba-debugsource-4.11.12-38.oe2003sp4.aarch64.rpm samba-devel-4.11.12-38.oe2003sp4.aarch64.rpm samba-help-4.11.12-38.oe2003sp4.aarch64.rpm samba-krb5-printing-4.11.12-38.oe2003sp4.aarch64.rpm samba-libs-4.11.12-38.oe2003sp4.aarch64.rpm samba-test-4.11.12-38.oe2003sp4.aarch64.rpm samba-winbind-4.11.12-38.oe2003sp4.aarch64.rpm samba-winbind-clients-4.11.12-38.oe2003sp4.aarch64.rpm samba-winbind-krb5-locator-4.11.12-38.oe2003sp4.aarch64.rpm samba-winbind-modules-4.11.12-38.oe2003sp4.aarch64.rpm ctdb-4.11.12-38.oe2003sp4.x86_64.rpm ctdb-tests-4.11.12-38.oe2003sp4.x86_64.rpm libsmbclient-4.11.12-38.oe2003sp4.x86_64.rpm libsmbclient-devel-4.11.12-38.oe2003sp4.x86_64.rpm libwbclient-4.11.12-38.oe2003sp4.x86_64.rpm libwbclient-devel-4.11.12-38.oe2003sp4.x86_64.rpm python3-samba-4.11.12-38.oe2003sp4.x86_64.rpm python3-samba-dc-4.11.12-38.oe2003sp4.x86_64.rpm python3-samba-test-4.11.12-38.oe2003sp4.x86_64.rpm samba-4.11.12-38.oe2003sp4.x86_64.rpm samba-client-4.11.12-38.oe2003sp4.x86_64.rpm samba-common-4.11.12-38.oe2003sp4.x86_64.rpm samba-common-tools-4.11.12-38.oe2003sp4.x86_64.rpm samba-dc-4.11.12-38.oe2003sp4.x86_64.rpm samba-dc-bind-dlz-4.11.12-38.oe2003sp4.x86_64.rpm samba-dc-provision-4.11.12-38.oe2003sp4.x86_64.rpm samba-debuginfo-4.11.12-38.oe2003sp4.x86_64.rpm samba-debugsource-4.11.12-38.oe2003sp4.x86_64.rpm samba-devel-4.11.12-38.oe2003sp4.x86_64.rpm samba-help-4.11.12-38.oe2003sp4.x86_64.rpm samba-krb5-printing-4.11.12-38.oe2003sp4.x86_64.rpm samba-libs-4.11.12-38.oe2003sp4.x86_64.rpm samba-test-4.11.12-38.oe2003sp4.x86_64.rpm samba-vfs-glusterfs-4.11.12-38.oe2003sp4.x86_64.rpm samba-winbind-4.11.12-38.oe2003sp4.x86_64.rpm samba-winbind-clients-4.11.12-38.oe2003sp4.x86_64.rpm samba-winbind-krb5-locator-4.11.12-38.oe2003sp4.x86_64.rpm samba-winbind-modules-4.11.12-38.oe2003sp4.x86_64.rpm samba-4.11.12-38.oe2003sp4.src.rpm samba-pidl-4.11.12-38.oe2003sp4.noarch.rpm ['-------- Forwarded Message --------', 'Date: Tue, 26 May 2026 14:29:50 +0200', 'Reply-To: Stefan Metzmacher <metze () samba org>', 'Release Announcements\n---------------------\n\nThis is a security release in order to address the following defects:\n\no CVE-2026-1933: Missing access checks on reparse point operations\n\n On a share marked "read only = yes" and\n on file handles opened R/O users can set\n or delete the reparse point xattrs on files\n that the user has write-access in the file\n system for.', 'o CVE-2026-2340: WORM vfs module does not block overwrites\n\n The WORM (Write-Once, Read Many) vfs module\n is supposed to lock write access to shared\n files, so they cannot be altered after initial\n writes. It was allowing files to be overwritten\n by renaming a newly created file over a protected\n file.', 'o CVE-2026-3012: auto-enrolment GPO installing CA certificate over http\n without verification\n\n To bootstrap a certificate chain a domain member must\n fetch a certificate without TLS. It was trusting HTTP\n for this when a more secure encrypted LDAP channel\n was also available.', 'o CVE-2026-3238: Denial of service against AD DC WINS server\n\n The WINS server component of the Active\n Directory Domain controller code in Samba\n is vulnerable to a NULL pointer dereference\n and crash caused by a unauthenticated UDP\n packet.', 'server', '"check password script" that has the %u substitution\n character are vulnerable to a remote code execution.', 'o CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing\n subsystem\n\n Samba print servers with a "print command"\n that has the %J substitution character\n are vulnerable to a Remote Code Execution.', 'Changes\n-------\n\no Douglas Bagnall <douglas.bagnall () catalyst net nz>\n * BUG 15997: CVE-2026-2340\n * BUG 16003: CVE-2026-3012\n * BUG 16033: CVE-2026-4480\n * BUG 16034: CVE-2026-4408\n\no Pavel Kohout <pavel () aisle com>\n * BUG 15997: CVE-2026-2340\n\no Volker Lendecke <vl () samba org>\n * BUG 15992: CVE-2026-1933\n * BUG 16012: CVE-2026-3238\n\no Stefan Metzmacher <metze () samba org>\n * BUG 15992: CVE-2026-1933\n * BUG 16033: CVE-2026-4480\n * BUG 16034: CVE-2026-4408', "has Homedir / In passwd\n\n#######################################\nReporting bugs & Development Discussion\n#######################################\n\nPlease discuss this release on the samba-technical mailing list or by\njoining the #samba-technical:matrix.org matrix room, or\n#samba-technical IRC channel on irc.libera.chat.\n\nIf you do report problems then please try to send high quality\nfeedback. If you don't provide vital information to help us track down\nthe problem then you will probably be ignored. All bug reports should\nbe filed under the Samba 4.1 and newer product in the project's Bugzilla\ndatabase (", ').\n\n\n======================================================================\n== Our Code, Our Bugs, Our Responsibility.\n== The Samba Team\n======================================================================\n\n\n\n================\nDownload Details\n================\n\nThe uncompressed tarballs and patch files have been signed\nusing GnuPG (ID AA99442FB680B620). The source code can be downloaded\nfrom:', 'The release notes are available online at:', 'Our Code, Our Bugs, Our Responsibility.\n(', ')\n\n --Enjoy\n The Samba Team'] 2026-06-05 CVE-2026-3238 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H samba security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2577 A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service. 2026-06-05 CVE-2026-4408 openEuler-20.03-LTS-SP4 Critical 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H samba security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2577 A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the 'print command' setting via the '%J' substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system. 2026-06-05 CVE-2026-4480 openEuler-20.03-LTS-SP4 High 8.5 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H samba security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2577