Change logs for samba source package in Jessie

  • samba (2:4.2.14+dfsg-0+deb8u9) jessie-security; urgency=high
    
      * This is a security release in order to address the following defects:
        - CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when
          talloc buffer is grown.
        - CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
    
     -- Mathieu Parent <email address hidden>  Sun, 12 Nov 2017 11:10:53 +0100
  • samba (2:4.2.14+dfsg-0+deb8u6) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 18 May 2017 06:52:35 +0200
  • samba (2:4.2.14+dfsg-0+deb8u5) jessie-security; urgency=high
    
      * This is a security release in order to fix regressions from CVE-2017-2619
      * Fix "follow symlink = no" (Closes: #858564)
        - s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496
          (CVE-2017-2619).
        - s3: smbd: Fix "follow symlink = no" regression part 2.
        - s3: smbd: Fix "follow symlink = no" regression part 2.
      * Fix shadow_copy2 (Closes: #858648, #858590)
        - vfs_shadow_copy: handle non-existent files and wildcards
        - vfs_shadow_copy2: fix crash in 4.2.x backport
        - vfs_shadow_copy2: add a blackbox test suite
        - s3: libsmb: Correctly align create contexts in a create call.
        - s3: libsmb: Add return args to clistr_is_previous_version_path().
        - s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets shadow copy
          info over SMB2.
        - s3: libsmb: Plumb new SMB2 shadow copy call into cli_shadow_copy_data().
        - s3: libsmb: Add the capability to find a @GMT- path in an SMB2 create and
          transform to a timewarp token.
        - s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes
        - selftest: add content to files created during shadow_copy2 test
        - selftest: check file readability in shadow_copy2 test
        - selftest: test listing directories inside snapshots
      * Fix `net ads join` freeze when run a second time (Closes: #859101) since 4.2
        - libads: Fix deadlock when re-joining a domain and updating keytab
    
     -- Mathieu Parent <email address hidden>  Sat, 01 Apr 2017 11:10:22 +0200
  • samba (2:4.2.14+dfsg-0+deb8u2) jessie-security; urgency=high
    
      * This is a security release in order to address the following defects:
        - CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
          Overflow Remote Code Execution Vulnerability).
        - CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
          trusted realms).
        - CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
          elevation).
      * Fix smbclient compatibility with Windows 10 (Closes: #820794)
    
     -- Mathieu Parent <email address hidden>  Thu, 08 Dec 2016 21:12:25 +0100
  • samba (2:4.2.10+dfsg-0+deb8u3) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
    
      [ Salvatore Bonaccorso ]
      * Add missing Breaks+Replaces for samba-libs binary package.
        The 2:4.2.10+dfsg-0+deb8u2 update moved some libraries back to the
        samba-libs binary package from the samba binary package but did not add
        respective Breaks and Replaces package relations. (Closes: #821002)
      * Add Patchset for regression introduced by CVE-2016-2110.
        NetAPP SMB servers don't negotiate NTLMSSP_SIGN. (Closes: #822937)
    
      [ Steven Chamberlain ]
      * ctdb: Fix detection of gnukfreebsd (Closes: #802621)
        GNU/kFreeBSD's platform name is 'gnukfreebsd', not just 'kfreebsd'.
    
      [ Andrew Bartlett ]
      * Add back better NEWS item for 2:4.2.10+dfsg-0+deb8u1
    
      [ Salvatore Bonaccorso ]
      * s3:smbd: fix anonymous authentication if signing is mandatory
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 01 Jun 2016 17:05:31 +0200
  • samba (2:4.1.17+dfsg-2+deb8u2) jessie-security; urgency=high
    
      * Add vfs_stat_smb_basename.diff; adds function required by
        cve_2015_7560.diff.
      * Add patch cve_2015_7560.diff, fixes:
       - CVE-2015-7560: Incorrect ACL get/set allowed on symlink path.
      * Add patch cve_2016_0771.diff, fixes:
       - CVE-2016-0771: Out-of-bounds read in internal DNS server.
      * Add patch root-share-path.patch, to fix regression sharing root
        directory introduced by fix for CVE-2015-5252. Closes: #812429
    
     -- Jelmer Vernooij <email address hidden>  Sun, 06 Mar 2016 22:20:45 +0000
  • samba (2:4.1.17+dfsg-2+deb8u1) jessie-security; urgency=high
    
      * Add patch cve_2015_5252.diff, fixes:
       - CVE-2015-5252: Insufficient symlink verification in smbd
      * Add patch cve_2015_5296.diff, fixes:
       - CVE-2015-5296: Samba client requesting encryption vulnerable to
                        downgrade attack
      * Add patch cve_2015_5299.diff, fixes:
       - CVE-2015-5299: Missing access control check in shadow copy code
      * Add patch cve_2015_7540.diff, fixes:
       - CVE-2015-7540: Remote DoS in Samba (AD) LDAP server
      * Add patch cve_2015_8467.diff, fixes:
       - CVE-2015-8467: Denial of service attack against Windows Active Directory
                        server
      * Add patch cve_2015_3223_5330.diff, fixes:
       - CVE-2015-3223: Denial of service in Samba Active Directory server
       - CVE-2015-5330: Remote memory read in Samba LDAP server
      * Bump build dependency for ldb to >= 2:1.1.17-2+deb8u1~.
    
     -- Jelmer Vernooij <email address hidden>  Wed, 16 Dec 2015 01:59:37 +0000
  • samba (2:4.1.17+dfsg-2) unstable; urgency=medium
    
    
      [ Andreas Beckmann ]
      * Add samba.preinst to temporarily deactivate the old qtsmbstatusd
        initscript which has dependencies incompatible with the new samba
        initscript. This will ensure a clean upgrade path for samba if the
        qtsmbstatus-server package was installed previously.  (Closes: #779666)
    
     -- Ivo De Decker <email address hidden>  Sat, 07 Mar 2015 13:09:23 +0100
  • samba (2:4.1.17+dfsg-1) unstable; urgency=high
    
    
      * New upstream release. Fixes:
      - CVE-2014-8143: Elevation of privilege to Active Directory Domain
                       Controller. Closes: #776993
      - CVE-2015-0240: Unexpected code execution in smbd. Closes: #779033
      * Refresh patch add-so-version-to-private-libraries.
      * Add new smbtorture test rpc.schannel_anon_setpw to detect the conditions
        leading to CVE-2015-0240.
      * Add breaks on qtsmbstatus-server (<< 2.2.1-3~). Closes: #775041
      * Build-depend on reverted ldb version (with increased epoch).
    
     -- Ivo De Decker <email address hidden>  Mon, 23 Feb 2015 20:20:21 +0100
  • samba (2:4.1.13+dfsg-2) unstable; urgency=medium
    
    
      * Mask /etc/init.d/samba init script for systemd. This should make systemd
        ignore the samba init script. Thanks to Michael Biebl for the suggestion.
        Closes: #740942
      * Disable samba init script on upgrade from wheezy to jessie.
        Thanks again to Michael Biebl for the report.
        Closes: #766690
    
     -- Ivo De Decker <email address hidden>  Sat, 25 Oct 2014 00:49:12 +0200
  • samba (2:4.1.11+dfsg-2) unstable; urgency=medium
    
    
      * Updated Italian translation. Thanks Luca Monducci. Closes: #760743
      * Use HTTP in watch file, as ftp.samba.org is not working reliably for
        me.
      * Use Excluded-Files in debian/copyright for DFSG-nonfree files.
      * Update Dutch translation. Thanks Frans Spiesschaert. Closes: #763650
    
     -- Jelmer Vernooij <email address hidden>  Sun, 07 Sep 2014 20:52:27 +0200
  • samba (2:4.1.11+dfsg-1) unstable; urgency=high
    
    
      * New upstream release. Fixes:
       + CVE-2014-3560: Remote code execution in nmbd. Closes: #756759
    
     -- Jelmer Vernooij <email address hidden>  Sun, 03 Aug 2014 03:47:07 +0200
  • samba (2:4.1.9+dfsg-2) unstable; urgency=medium
    
    
      [ Jelmer Vernooij ]
      * Depend on libgnutls28-dev rather than libgnutls-dev. Closes: #753146
      * Remove outdated-autotools-helper-file overrides for config.guess and
        config.sub; files are no longer present upstream.
      * Add branch to Vcs-Git header.
      * samba.smbd.upstart: Remove leftover code for RUN_MODE=inetd, which
        was already removed elsewhere.
      * Move dsdb-module library from samba-dsdb-modules to samba-libs, to
        prevent circular dependencies between samba-dsdb-modules and samba-
        libs. This is necessary since dsdb-module is now used by the dcerpc-
        server library.
    
      [ Debconf translations ]
      * New Brazilian Portuguese translation from Adriano Rafael Gomes.
        Closes: #752719
    
     -- Jelmer Vernooij <email address hidden>  Sun, 29 Jun 2014 19:43:52 +0200
  • samba (2:4.1.9+dfsg-1) unstable; urgency=high
    
    
      * New upstream security release. Fixes:
        - CVE-2014-0244: nmbd denial of service
        - CVE-2014-3493: smbd denial of service: server crash/memory corruption
    
     -- Ivo De Decker <email address hidden>  Mon, 23 Jun 2014 18:33:27 +0200
  • samba (2:4.1.8+dfsg-1) unstable; urgency=medium
    
    
      [ Jelmer Vernooij ]
      * Remove smbd and nmbd from required-start and required-stop in
        samba.init. Closes: #739887
    
      [ Ivo De Decker ]
      * Remove workaround for #745233.
      * New upstream release. Fixes:
        - CVE-2014-0239: dns: Don't reply to replies. Closes: #749845
        - CVE-2014-0178: Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response.
      * Use the upstream version of the smb.conf.5 manpage, instead of building
        it. This is an ugly temporary workaround because xsltproc crashes on some
        architectures when building this manpage (due to #750593).
        This fixes the FTBFS, and should make samba installable with the new ldb
        version. Closes: #750541, 750796
    
     -- Ivo De Decker <email address hidden>  Sun, 08 Jun 2014 23:37:53 +0200
  • samba (2:4.1.7+dfsg-2) unstable; urgency=medium
    
    
      * Build-depend on heimdal-dev instead of libkrb5-dev.
      * Add versioned build-dep on libgmp10 for now, which should be pulled in by
        libhogweed2, to be able to build in outdated build environments (like on
        most buildds). This is a workaround for #745233.
    
     -- Ivo De Decker <email address hidden>  Sun, 20 Apr 2014 13:44:39 +0200
  • samba (2:4.1.6+dfsg-1) unstable; urgency=high
    
    
      * New upstream security release. Fixes:
        - CVE-2013-4496: password lockout not enforced for SAMR password changes
        - CVE-2013-6442: smbcacls can remove a file or directory ACL by mistake
      * Backport fix for readline 6.3 from master
    
     -- Ivo De Decker <email address hidden>  Sat, 15 Mar 2014 12:13:59 +0100
  • samba (2:4.1.5+dfsg-1) unstable; urgency=medium
    
    
      [ Jelmer Vernooij ]
      * Fix watch file.
    
      [ Ivo De Decker ]
      * New upstream release.
      * Remove the part of patch 26_heimdal_compat integrated upstream.
    
     -- Ivo De Decker <email address hidden>  Sat, 22 Feb 2014 23:17:59 +0100
  • samba (2:4.1.4+dfsg-3) unstable; urgency=medium
    
    
      * Move samba.dckeytab module to samba package, as it relies on hdb.
        Closes: #736405, #736430
    
     -- Jelmer Vernooij <email address hidden>  Fri, 24 Jan 2014 23:35:14 +0000
  • samba (2:4.1.3+dfsg-2) unstable; urgency=medium
    
    
      * Add debug symbols for all binaries to samba-dbg. Closes: #732493
      * Add lintian overrides for empty prerm scripts.
    
     -- Ivo De Decker <email address hidden>  Fri, 27 Dec 2013 12:39:54 +0100
  • samba (2:4.0.13+dfsg-1) unstable; urgency=high
    
    
      [ Steve Langasek ]
      * Move update-alternatives upgrade removal handling to the postinst, where
        it belongs.  Closes: #730090.
      * Really remove all references to encrypted passwords: the
        samba-common.config script still included references, which could cause
        upgrade failures in some cases.  Closes: #729167.
    
      [ Ivo De Decker ]
      * New upstream security release. Fixes:
        - CVE-2013-4408: DCE-RPC fragment length field is incorrectly checked
        - CVE-2012-6150: pam_winbind login without require_membership_of
                         restrictions
      * Add empty prerm scripts for samba and samba-common-bin.prerm, to allow
        upgrades from earlier versions with broken prerm script (bug introduced in
        2:4.0.10+dfsg-3)
      * Don't fail in postinst when removing old alternatives fails.
    
      [ Jelmer Vernooij ]
      * Fix invocations of 'update-alternatives --remove-all'. Closes: #731192
    
     -- Ivo De Decker <email address hidden>  Mon, 09 Dec 2013 18:34:07 +0100
  • samba (2:4.0.12+dfsg-1) unstable; urgency=low
    
    
      [ Ivo De Decker ]
      * New upstream release.
    
      [ Debconf translations ]
      * Thai (Theppitak Karoonboonyanan).  Closes: #728525
      * Norwegian Bokmål (Bjørn Steensrud).  Closes: #729070
      * German (Holger Wansing).  Closes: #729210
    
      [ Jelmer Vernooij ]
      * Add 26_heimdal_compat: Fix compatibility with newer versions of
        Heimdal.
    
     -- Ivo De Decker <email address hidden>  Sun, 24 Nov 2013 07:48:20 +0100
  • samba (2:4.0.11+dfsg-1) unstable; urgency=high
    
    
      * New upstream security release. Fixes:
        - CVE-2013-4475: ACLs are not checked on opening an alternate data stream
                         on a file or directory
        - CVE-2013-4476: Private key in key.pem world readable
      * Move world-readable private key file on upgrade to allow
        auto-regeneration.
      * Add check in samba-ad-dc init script for wrong permission on private key
        file that would prevent samba from starting.
      * Update samba-libs.lintian-overrides for moved libtorture0.
    
     -- Ivo De Decker <email address hidden>  Mon, 11 Nov 2013 15:42:40 +0100
  • samba (2:4.0.10+dfsg-4) unstable; urgency=low
    
    
      [ Christian Perrier ]
      * Mark one debconf string as non-translatable
    
      [ Debconf translations ]
      * French updated (Christian Perrier).
      * Swedish (Martin Bagge / brother).  Closes: #727186
      * Hebrew (Omer Zak).
      * Japanese (Kenshi Muto).  Closes: #727218
      * Indonesian (Al Qalit).  Closes: #727543
      * Russian (Yuri Kozlov).  Closes: #727612
      * Esperanto (Felipe Castro).  Closes: #727619
      * Polish (Michał Kułach).  Closes: #727646
      * Danish (Joe Hansen).  Closes: #727764
      * Czech (Miroslav Kure).  Closes: #728100
      * Basque (Iñaki Larrañaga Murgoitio).  Closes: #728315
    
      [ Jelmer Vernooij ]
      * Move libtorture0 to samba-testsuite to reduce size of samba-libs and
        prevent dependency on libsubunit0.
    
      [ Ivo De Decker ]
      * Handle move of tdb files to private dir in samba-libs.preinst.
        Closes: #726472
      * Also do the tdb move in libpam-smbpass.preinst, to avoid breaking the pam
        module if the upgrade fails.
    
     -- Ivo De Decker <email address hidden>  Sat, 02 Nov 2013 11:27:25 +0100
  • samba (2:3.6.19-1) unstable; urgency=low
    
    
      * Team upload.
      * New upstream release
    
     -- Ivo De Decker <email address hidden>  Wed, 25 Sep 2013 20:01:48 +0200
  • samba (2:3.6.18-1) unstable; urgency=low
    
    
      * Team upload.
    
      [ Steve Langasek ]
      * Split the samba init script into nmbd and smbd init scripts, for better
        alignment with how init systems other than sysvinit work.  This also
        drops the override of the arguments to update-rc.d in debian/rules,
        no longer needed in the post-insserv world.
      * Add upstart jobs from Ubuntu for smbd, nmbd, and winbind.
    
      [ Ivo De Decker ]
      * New upstream release
    
     -- Ivo De Decker <email address hidden>  Tue, 20 Aug 2013 22:06:45 +0200
  • samba (2:3.6.17-1) unstable; urgency=high
    
    
      * Team upload.
      * New upstream security release. Closes: #718781
        Fixes CVE-2013-4124: Denial of service - CPU loop and memory allocation
    
     -- Ivo De Decker <email address hidden>  Mon, 05 Aug 2013 13:46:23 +0200
  • samba (2:3.6.16-2) unstable; urgency=high
    
    
      * Team upload.
      * Make build-dep on libtevent-dev explicit.
      * Fix waf-as-source.patch to make sure unpacking works in recent build
        environment. Closes: #716932 
    
     -- Ivo De Decker <email address hidden>  Tue, 16 Jul 2013 22:01:04 +0200
  • samba (2:3.6.16-1) unstable; urgency=low
    
    
      * Team upload.
    
      [ Steve Langasek ]
      * Drop support for running smbd from inetd; this is not well-supported
        upstream, and can't correctly handle all of the long-running services
        that are needed as part of modern samba.  Closes: #707622.
    
      [ Ivo De Decker ]
      * New upstream release
    
     -- Ivo De Decker <email address hidden>  Wed, 19 Jun 2013 21:05:07 +0200
  • samba (2:3.6.15-1) unstable; urgency=high
    
    
      * Team upload.
      * New upstream bugfix release. Closes: #707042
      * Update VCS URLs for new git repo.
      * The recommends for the separate libnss-winbind and libpam-winbind
        packages needed for the upgrade of winbind from squeeze to wheezy are no
        longer needed. Lowering them to suggests.
        Closes: #706434, #674853
    
     -- Ivo De Decker <email address hidden>  Thu, 09 May 2013 11:55:03 +0200
  • samba (2:3.6.6-6) unstable; urgency=low
    
    
      * Team upload.
      * Move binary files out of /etc/samba to /var/lib/samba,
        where they belong according to the FHS:
        - schannel_store.tdb
        - idmap2.tdb
        - MACHINE.sid
        Closes: #454770
    
     -- Ivo De Decker <email address hidden>  Mon, 15 Apr 2013 23:56:23 +0200