-
samba (2:4.10.0+dfsg-0ubuntu2.8) disco-security; urgency=medium
* SECURITY UPDATE: replication of ACLs set to inherit down a subtree on
AD Directory not automatic
- debian/patches/CVE-2019-14902-1.patch: add test for replication of
inherited security descriptors.
- debian/patches/CVE-2019-14902-2.patch: add test for a special case
around replicated renames.
- debian/patches/CVE-2019-14902-3.patch: add test to confirm ACL
inheritance really happens
- debian/patches/CVE-2019-14902-4.patch: explain that
descriptor_sd_propagation_recursive() is protected by a transaction.
- debian/patches/CVE-2019-14902-5.patch: add comments explaining why SD
propagation needs to be done here.
- debian/patches/CVE-2019-14902-6.patch: ensure we honour both
change->force_self and change->force_children.
- debian/patches/CVE-2019-14902-7.patch: schedule SD propagation to a
renamed DN.
- debian/patches/CVE-2019-14902-8.patch: fix issue where inherited
Security Descriptors were not replicated.
- debian/patches/CVE-2019-14902-9.patch: set renamed = true (and so do
SD inheritance) after any rename.
- debian/patches/CVE-2019-14902-10.patch: change basis of descriptor module
deferred processing to be GUIDs.
- CVE-2019-14902
* SECURITY UPDATE: Crash after failed character conversion at log level 3
or above
- debian/patches/CVE-2019-14907-1.patch: fix Value stored to 'reason'
is never read warning.
- debian/patches/CVE-2019-14907-2.patch: do not print the failed to
convert string into the logs.
- CVE-2019-14907
* SECURITY UPDATE: Use after free during DNS zone scavenging in Samba AD DC
- debian/patches/CVE-2019-19344.patch: fix use after free in
dns_tombstone_records_zone.
- CVE-2019-19344
-- Marc Deslauriers <email address hidden> Tue, 14 Jan 2020 11:02:26 -0500
-
samba (2:4.10.0+dfsg-0ubuntu2.7) disco-security; urgency=medium
* SECURITY UPDATE: Samba AD DC zone-named record Denial of Service in DNS
management server
- debian/patches/CVE-2019-14861-1.patch: confirm sort behaviour in
dcesrv_DnssrvEnumRecords.
- debian/patches/CVE-2019-14861-2.patch: remove special case for @ in
dns_build_tree().
- debian/patches/CVE-2019-14861-3.patch: avoid crash in ldb_qsort() via
dcesrv_DnssrvEnumRecords.
- debian/patches/CVE-2019-14861-4.patch: test to demonstrate the bug.
- debian/patches/CVE-2019-14861-5.patch: reduce flapping in
SambaToolDrsTests.test_samba_tool_replicate_local.
- CVE-2019-14861
* SECURITY UPDATE: DelegationNotAllowed not being enforced in protocol
transition on Samba AD DC
- debian/patches/CVE-2019-14870-1.patch: add user-sensitive command to
set not-delegated flag.
- debian/patches/CVE-2019-14870-2.patch: heimdal: add S4U test for
delegation_not_allowed.
- debian/patches/CVE-2019-14870-3.patch: heimdal: enforce
delegation_not_allowed in S4U2Self.
- debian/patches/CVE-2019-14870-4.patch: mit-kdc: enforce
delegation_not_allowed flag.
- CVE-2019-14870
-- Marc Deslauriers <email address hidden> Fri, 29 Nov 2019 07:40:24 -0500
-
samba (2:4.10.0+dfsg-0ubuntu2.6) disco-security; urgency=medium
* SECURITY UPDATE: client code can return filenames containing path
separators
- debian/patches/CVE-2019-10218-1.patch: protect SMB1 client code
from evil server returned names in source3/libsmb/clilist.c,
source3/libsmb/proto.h.
- debian/patches/CVE-2019-10218-2.patch: Protect SMB2 client code
from evil server returned names in source3/libsmb/cli_smb2_fnum.c.
- CVE-2019-10218
* SECURITY UPDATE: Samba AD DC check password script does not receive the
full password
- debian/patches/CVE-2019-14833-1.patch: use utf8 characters in the
unacceptable password in selftest/target/Samba4.pm.
- debian/patches/CVE-2019-14833-2.patch: send full password to check
password script in source4/dsdb/common/util.c.
- CVE-2019-14833
* SECURITY UPDATE: User with "get changes" permission can crash AD DC
LDAP server via dirsync
- debian/patches/CVE-2019-14847-1.patch: ensure attrs exist in
source4/dsdb/samdb/ldb_modules/dirsync.c.
- debian/patches/CVE-2019-14847-2.patch: demonstrate the correct
interaction of ranged_results style attributes and dirsync in
source4/dsdb/tests/python/dirsync.py.
- debian/patches/CVE-2019-14847-3.patch: correct behaviour of
ranged_results when combined with dirsync in
source4/dsdb/samdb/ldb_modules/dirsync.c,
source4/dsdb/samdb/ldb_modules/ranged_results.c.
- CVE-2019-14847
-- Marc Deslauriers <email address hidden> Mon, 21 Oct 2019 07:40:43 -0400
-
samba (2:4.10.0+dfsg-0ubuntu2.4) disco-security; urgency=medium
* SECURITY UPDATE: restricted share escape by user
- debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
out impersonation debug info into a new function.
- debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
change_to_user_internal() always resets current_user.done_chdir
- debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
reset current_user.{need,done}_chdir in become_root()
- debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
fsrvp_share its own independent subdirectory
- debian/patches/CVE-2019-10197-05-v4-10.patch:
test_smbclient_s3.sh: add regression test for the no permission
on share root problem
- debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
change_to_user_impersonate() out of change_to_user_internal()
- CVE-2019-10197
-- Steve Beattie <email address hidden> Fri, 30 Aug 2019 11:01:29 -0700
-
samba (2:4.10.0+dfsg-0ubuntu2.3) disco; urgency=medium
* CTDB enablement for NFS HA (LP: #722201) and needed fixes:
- d/p/ctdb-config-depend-on-etc-default-nodes-file.patch: do not try to
start daemon without /etc/ctdb/nodes.
- d/rules: installing provided config examples and helper scripts.
- Examples of NFS HA CTDB config files + helper script:
+ d/ctdb.example.enable.nfs.sh
+ d/ctdb.example.nfs-common
+ d/ctdb.example.nfs-kernel-server
+ d/ctdb.example.services
+ d/ctdb.example.sysctl-nfs-static-ports.conf
- d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: change nfs service
name from nfs to nfs-kernel-server.
- d/p/ctdb-scripts-fix-tcp_tw_recycle-existence-check.patch: fix
tcp_tw_recycle existence check.
* Allow proper ctdb initialization (LP: #1828799):
- d/ctdb.dirs: added /var/lib/ctdb/* directories
- d/ctdb.postrm: remove leftovers from
/var/lib/ctdb/{state,persistent,volatile,scripts}
* d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
to allow pid file to exist (LP: #1821775)
-- Rafael David Tinoco <email address hidden> Thu, 11 Jul 2019 18:00:50 +0000
-
samba (2:4.10.0+dfsg-0ubuntu2.2) disco-security; urgency=medium
* SECURITY UPDATE: zone operations can crash rpc server
- debian/patches/CVE-2019-12435-1.patch: avoid NULL dereference if zone
not found in DnssrvOperation in
python/samba/tests/dcerpc/dnsserver.py,
source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
- debian/patches/CVE-2019-12435-2.patch: avoid NULL dereference if zone
not found in DnssrvOperation2 in
python/samba/tests/dcerpc/dnsserver.py,
source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
- CVE-2019-12435
* SECURITY UPDATE: paged_searches crash on LDAP and homes access
- debian/patches/CVE-2019-12436.patch: ignore successful results
without messages in source4/dsdb/samdb/ldb_modules/paged_results.c,
source4/dsdb/tests/python/vlv.py.
- CVE-2019-12436
-- Marc Deslauriers <email address hidden> Wed, 12 Jun 2019 10:01:57 -0400
-
samba (2:4.10.0+dfsg-0ubuntu2.1) disco-security; urgency=medium
* SECURITY UPDATE: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
- debian/patches/CVE-2018-16860-1.patch: add test for S4U2Self with
unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
source4/torture/krb5/kdc-canon-heimdal.c.
- debian/patches/CVE-2018-16860-2.patch: reject PA-S4U2Self with
unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
source4/heimdal/kdc/krb5tgs.c.
- CVE-2018-16860
-- Marc Deslauriers <email address hidden> Wed, 08 May 2019 09:34:42 -0400
-
samba (2:4.10.0+dfsg-0ubuntu2) disco; urgency=medium
* SECURITY UPDATE: world writable files in Samba AD DC private/ dir
- debian/patches/CVE-2019-3870-1.patch: extend smbd tests to check for
umask being overwritten in python/samba/tests/ntacls_backup.py,
python/samba/tests/posixacl.py, python/samba/tests/smbd_base.py,
selftest/knownfail.d/umask-leak.
- debian/patches/CVE-2019-3870-2.patch: add test to check
file-permissions are correct after provision in
selftest/knownfail.d/provision_fileperms, source4/selftest/tests.py,
source4/setup/tests/provision_fileperms.sh.
- debian/patches/CVE-2019-3870-3.patch: include tests to show the
outside umask has no impact in python/samba/tests/ntacls_backup.py,
python/samba/tests/smbd_base.py, selftest/knownfail.d/pymkdir-umask.
- debian/patches/CVE-2019-3870-4.patch: move umask manipulations as
close as possible to users in source3/smbd/pysmbd.c,
selftest/knownfail.d/provision_fileperms,
selftest/knownfail.d/umask-leak.
- debian/patches/CVE-2019-3870-5.patch: ensure a zero umask is set for
smbd.mkdir() in selftest/knownfail.d/pymkdir-umask,
source3/smbd/pysmbd.c.
- CVE-2019-3870
* SECURITY UPDATE: save registry file outside share as unprivileged user
- debian/patches/CVE-2019-3880.patch: remove implementations of
SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
- CVE-2019-3880
-- Marc Deslauriers <email address hidden> Mon, 08 Apr 2019 10:32:30 -0400
-
samba (2:4.10.0+dfsg-0ubuntu1) disco; urgency=medium
* New upstream version: 4.10.0
- d/gbp.conf, d/watch, r/README.source: updated for 4.10
- d/control: update cmocka build-depends to >= 1.1.3
- d/samba-libs.install: bump passdb minor to 0.27.2
* d/p/dlz_bind_zone_update.patch: make b9_has_soa check dc=@ node. Thanks to
Michael Saxl <email address hidden>. (LP: #1820846)
-- Andreas Hasenack <email address hidden> Thu, 21 Mar 2019 14:40:32 -0300
-
samba (2:4.10.0~rc4+dfsg-0ubuntu1) disco; urgency=medium
* New upstream version 4.10.0rc4 (LP: #1818518):
- Removed patches already applied upstream:
+ d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
+ d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
- d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
- d/control: Updated build dependencies:
+ tdb >= 1.3.17
+ talloc >= 2.1.15
+ tevent >= 0.9.38
+ ldb >= 1.5.3
- d/samba-common.docs: README is now README.md
- d/libsmbclient.symbols: update symbols for this version
- d/libwbclient0.symbols: update symbols for this version
- d/ctdb.install: new binary ctdb_local_daemons
- d/samba-dev.install: use globbing for the header files with
exceptions for wbclient.h and libsmbclient.h, which belong in
other packages.
- d/rules: fix globbing used to move the dckeytab python module to the
samba package, and add a comment explaining why this is being done.
* Switch to python3:
- d/rules: calculate the ldb version using python3, and drop the
"really" bit since the real 1.5.x series is being used now.
- d/rules: make sure python3 is used for the build
- d/rules: adjust globbing to remove the python3 version of tevent.so
- d/rules: drop PYVERS, unused
- d/control: adjust dependencies (build and runtime) for python3
- d/python3-samba.install, d/control: new python3-samba package
(LP: #1440381)
- d/control, d/python-samba.install: get rid of python-samba, which is py2
- d/python3-samba.lintian-overrides: use the same overrides we had for
python-samba, now deleted.
- d/samba-dev.install, d/samba-libs.install: update file list
- d/t/control, d/t/python-smoke: use python3
- d/control: use ${python3:Depends} now instead of the python 2
counterpart for samba and samba-common-bin.
* d/control: drop suggests for python-gpgme, it's no longer available.
-- Andreas Hasenack <email address hidden> Sat, 09 Mar 2019 12:45:25 +0000
-
samba (2:4.9.4+dfsg-1ubuntu1) disco; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/VERSION.patch: Update vendor string to "Ubuntu".
- debian/smb.conf:
+ Add "(Samba, Ubuntu)" to server string.
+ Comment out the default [homes] share, and add a comment about
"valid users = %s" to show users how to restrict access to
\\server\username to only username.
- debian/samba-common.config:
+ Do not change priority to high if dhclient3 is installed.
- Add apport hook:
+ Created debian/source_samba.py.
+ debian/rules, debian/samba-common-bin.install: install hook.
- d/control, d/rules: Disable glusterfs support because it's not in main.
MIR bug is https://launchpad.net/bugs/1274247
* Dropped:
- d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
failing without a valid idmap configuration. This fixes the smbd startup
on a standalone server where winbind is available and running. Thanks to
Stefan Metzmacher <email address hidden>. (LP #1806035)
[Fixed in 2:4.9.4+dfsg-1]
samba (2:4.9.4+dfsg-1) unstable; urgency=medium
* New upstream release
- Remove patches for previous security fixes, merged
- Remove unused lintian overrides (library-not-linked-against-libc)
* ignore create_builtin_guests() failing without a valid idmap configuration
(Closes: #909465, #899269)
-- Andreas Hasenack <email address hidden> Thu, 17 Jan 2019 18:23:52 -0200
-
samba (2:4.9.2+dfsg-2ubuntu3) disco; urgency=medium
* No-change rebuild for readline soname change.
-- Matthias Klose <email address hidden> Mon, 14 Jan 2019 20:03:58 +0000
-
samba (2:4.9.2+dfsg-2ubuntu2) disco; urgency=medium
* d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
failing without a valid idmap configuration. This fixes the smbd startup
on a standalone server where winbind is available and running. Thanks to
Stefan Metzmacher <email address hidden>. (LP: #1806035)
-- Andreas Hasenack <email address hidden> Fri, 21 Dec 2018 10:39:23 -0200
-
samba (2:4.9.2+dfsg-2ubuntu1) disco; urgency=medium
* Merge with Debian unstable. Remaining changes:
- debian/VERSION.patch: Update vendor string to "Ubuntu".
- debian/smb.conf:
+ Add "(Samba, Ubuntu)" to server string.
+ Comment out the default [homes] share, and add a comment about
"valid users = %s" to show users how to restrict access to
\\server\username to only username.
- debian/samba-common.config:
+ Do not change priority to high if dhclient3 is installed.
- Add apport hook:
+ Created debian/source_samba.py.
+ debian/rules, debian/samba-common-bin.install: install hook.
- d/control, d/rules: Disable glusterfs support because it's not in main.
MIR bug is https://launchpad.net/bugs/1274247
* Dropped:
- d/p/fix-rmdir.patch: Fix to make smbclient report directory-not-empty
errors (LP: 1795772)
[Fixed upstream]
samba (2:4.9.2+dfsg-2) unstable; urgency=high
* New upstream security release
- CVE-2018-14629 Unprivileged adding of CNAME record causing loop in AD
Internal DNS server
- CVE-2018-16841 Double-free in Samba AD DC KDC with PKINIT
- CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
- CVE-2018-16852 NULL pointer de-reference in Samba AD DC DNS servers
- because of CVE-2018-16853 (Samba AD DC S4U2Self Crash in experimental
MIT Kerberos configuration (unsupported)), mark the MIT Kerberos build of
the Samba AD DC as experimental (not used in Debian package)
- CVE-2018-16857 Bad password count in AD DC not always effective
* Prepend 1.5.1+really to ldb version
samba (2:4.9.2+dfsg-1) unstable; urgency=medium
* New upstream release
- Bump build-dependencies to ldb 1.4.2
- Update debian/samba-libs.install
* d/gitlab-ci.yml:
- Update to use include
- allow_failure for reprotest until #912340 is fixed
* d/rules: Replace override_dh_perl by override_dh_perl-arch (Closes: #913143)
* debian/gitlab-ci.yml:
- Samba sometimes needs ldb from experimental
- Use ldb from experimental in piuparts
samba (2:4.9.1+dfsg-2) unstable; urgency=medium
[ Mathieu Parent ]
* Enable --accel-aes=intelaesni on DEB_HOST_ARCH_CPU=amd64 instead of
DEB_HOST_ARCH=amd64. This matches samba-libs.install and adds x32
* Allow one to change password via passwd in default config
- third_party: Update pam_wrapper to version 1.0.7
- third_party: Add pam_set_items.so from pam_wrapper
- nsswitch: Add try_authtok option to pam_winbind
- tests: Check pam_winbind pw change with different options
- Patch for previous 4 commits
- debian/winbind.pam-config: Use the new try_authtok option allowing
password change while preserving current behavior with password strength
modules (Closes: #858923, LP: #570944)
* README.source: use gbp pull --track-missing
* Override library-not-linked-against-libc false positives (See #896012)
* Fix wrong-path-for-interpreter for pidl and findsmb
* ctdb.postrm: Fix to disable_legacy (found by piuparts) (Closes: #911530)
[ James Clarke ]
* Fix systemd-related build failures on non-Linux
[ Mathieu Parent ]
* Add Gitlab CI:
- Subscribe to salsa-ci-team/pipeline (See salsa-ci-team/pipeline!27 and
samba-team/samba!10)
- Copy /etc/apt/{sources.list.d,preferences.d} in the dockerbuilder
container (salsa-ci-team/images!9)
- Allow daemons to start during autopkgtest (salsa-ci-team/images!10)
- debian/gitlab-ci.yml: all jobs: Use ldb from experimental
- debian/gitlab-ci.yml: piuparts job: Add --scriptsdir, --allow-database
and --warn-on-leftovers-after-purge options
- debian/gitlab-ci.yml: piuparts job: Copy apt config to allow enabling
extra repositories
- debian/gitlab-ci.yml: piuparts job: Use image with the following changes:
+ Add pre_install_copy_configs and post_install_remove_configs to copy,
resp. remove config files from /etc-target to /etc
+ patch pre_remove_50_find_bad_permissions to workaround findutils bug
#912180. Also proposed another workaround in piuparts as bug #911334
which is merged but not yet released
* Upload to unstable
samba (2:4.9.1+dfsg-1) experimental; urgency=medium
* New upstream release
samba (2:4.9.0+dfsg-1) experimental; urgency=medium
* Upload to experimental
* New upstream release
- Update d/gbp.conf, d/watch and d/README.source for 4.9
- Remove Fix-pidl-manpage-sections.patch, Fix-spelling.patch and
Improve-vfs_linux_xfs_sgid-manpage.patch, merged upstream
- Bump build-depends talloc >= 2.1.14, tdb >= 1.3.16, tevent >= 0.9.37 and
ldb >= 2:1.4.2
- Update paths
- Update libsmbclient.symbols
- ctdb.lintian-override: Remove script-not-executable override
- Add ctdb.NEWS: "Configuration has been completely overhauled"
- ctdb: Enable/disable legacy script in postinst/presinst
samba (2:4.8.5+dfsg-1) unstable; urgency=medium
* New upstream release
- Bump ldb Build-depends to 2:1.4.0+really1.3.6
- Fixes FTBFS on kFreeBSD (Closes: #883972)
- d/rules: winbind_krb5_locator is now in the correct path
- winbind_krb5_locator manpage has moved from section 7 to 8
* Standards-Version: 4.2.1
-- Andreas Hasenack <email address hidden> Wed, 28 Nov 2018 20:06:47 -0200
-
samba (2:4.8.4+dfsg-2ubuntu3) disco; urgency=medium
* No-change rebuild against libldb1 1.4.2
-- Steve Langasek <email address hidden> Wed, 14 Nov 2018 22:46:24 +0000
-
samba (2:4.8.4+dfsg-2ubuntu2) cosmic; urgency=high
[ Karl Stenerud ]
* d/p/fix-rmdir.patch: Fix to make the samba client library report
directory-not-empty errors (LP: #1795772)
-- Andreas Hasenack <email address hidden> Tue, 09 Oct 2018 14:32:16 -0300