From: Jennifer Sutton Date: Wed, 4 Feb 2026 00:51:38 +0000 (+1300) Subject: CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;ds=inline;p=thirdparty%2Fsamba.git CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported enctypes’ Signed-off-by: Jennifer Sutton Reviewed-by: Douglas Bagnall Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Wed Feb 18 01:52:23 UTC 2026 on atb-devel-224 --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d845d16cbe7..89b5e6628f2 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -22,6 +22,13 @@ JSON Audit logging The two leading spaces before the opening '{' on JSON audit log lines have been removed. And any embedded new line characters '\n' are converted to spaces. +Domain encryption types changed to AES by default +------------------------------------------------- + +The default value of the smb.conf option ‘kdc default domain supported enctypes’ +now corresponds to ‘aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96’ (both AES +encryption types) if the domain functional level is 2008 or higher. This +addresses CVE-2026-20833. REMOVED FEATURES ================ @@ -32,6 +39,7 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- + kdc default domain supported enctypes New default AES encryption types (if supported by domain) KNOWN ISSUES
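Review bot: The new "Domain encryption types changed to AES by default" section in WHATSNEW.txt states the new default but not the value it replaces, and it does not say what the default is when the domain functional level is below 2008. An administrator reading the release notes cannot tell from this text alone what changes for their domain on upgrade. Consider adding one sentence naming the previous default, one covering the pre-2008 case, and a pointer that ‘kdc default domain supported enctypes’ can still be set explicitly in smb.conf. "This addresses CVE-2026-20833" would also benefit from a short clause saying what the issue is, so the entry is readable without looking up the CVE.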
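Review bot: In the "smb.conf changes" table row, the Default column reads "AES encryption types (if supported by domain)", which is looser than the condition given in the section added by the first hunk ("if the domain functional level is 2008 or higher"). "Supported by domain" could be read as depending on per-account keys or on client capability rather than on the functional level. Suggest using the same condition in both places, and naming the two enctypes (aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96) or referring back to the section so the table entry is unambiguous on its own.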