Change logs for samba source package in Focal

  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.8) focal; urgency=medium
    
      * d/p/lp2046994-spotlight-doesnt-work-with-latest-macos-ventura.patch: fix
        spotlight search function on macos ventura (LP: #2046994).
    
     -- Mitchell Dzurick <email address hidden>  Thu, 01 Feb 2024 11:24:27 -0700
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.7) focal-security; urgency=medium
    
      * No-change rebuild to fix build issue resulting in regressions.
        (LP: #2039031)
    
     -- Marc Deslauriers <email address hidden>  Wed, 11 Oct 2023 13:30:13 -0400
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: SMB clients can truncate files with read-only
        permissions
        - debian/patches/CVE-2023-4091-*.patch
        - CVE-2023-4091
      * SECURITY UPDATE: Samba AD DC password exposure to privileged users and
        RODCs
        - debian/patches/CVE-2023-4154-*.patch
        - CVE-2023-4154
      * SECURITY UPDATE: rpcecho development server allows Denial of Service
        via sleep() call on AD DC
        - debian/patches/CVE-2023-42669.patch
        - CVE-2023-42669
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2023 09:02:06 -0400
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.5) focal; urgency=medium
    
      * d/p/issue-when-updating-old-passwd-containing-regex-metachars.patch:
        Add changes to fix uncaught exception when updating old password
        containing regex metacharacters by simplifying samba-tool password
        redaction (LP: #2002949).
    
     -- Michal Maloszewski <email address hidden>  Fri, 18 Aug 2023 22:56:58 +0200
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.4) focal; urgency=medium
    
      * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
        after Windows KB5028166 update (LP: #2027716)
      * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu
        releases (LP: #1977746, LP: #2011745):
        - d/t/control, d/t/util, d/t/samba-ad-dc-provisioning-internal-dns:
          samba AD DC provisioning and domain join tests with internal DNS
          + d/t/control: adjust package dependencies
          + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where
            libnss-winbind does not automatically add winbind to
            /etc/nsswitch.conf (that is done only in Lunar and later)
          + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive
            match when inspecting kerberos tickets, as the hostname may be
            capitalized
          + d/t/samba-ad-dc-provisioning-internal-dns: Adjust regexp for
            slightly different resolvectl output
          + d/t/util: several lxc command output parsing changes, needed for
            this older version of the lxd snap
          + d/t/samba-ad-dc-provisioning-internal-dns: more dependencies for
            the winbind and sssd domain join tests, which don't get
            installed automatically for us by this version of realmd
          + d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers,
            as the default of 64kb is too low for at least ppc64el on focal
    
     -- Andreas Hasenack <email address hidden>  Sun, 23 Jul 2023 17:19:48 -0300
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP
        - debian/patches/CVE-2022-2127-*.patch
        - CVE-2022-2127
      * SECURITY UPDATE: Spotlight mdssvc RPC Request Infinite Loop DoS
        - debian/patches/CVE-2023-34966-*.patch
        - CVE-2023-34966
      * SECURITY UPDATE: Spotlight mdssvc RPC Request Type Confusion DoS
        - debian/patches/CVE-2023-34967-*.patch
        - CVE-2023-34967
      * SECURITY UPDATE: Spotlight server-side Share Path Disclosure
        - debian/patches/CVE-2023-34968-*.patch
        - CVE-2023-34968
    
     -- Marc Deslauriers <email address hidden>  Tue, 11 Jul 2023 08:45:47 -0400
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Access controlled AD LDAP attributes can be discovered
        - debian/patches/CVE-2023-0614-*.patch: upstream patches to fix the
          issue (some of these aren't directly used in this package as they
          apply to the ldb library which is updated separately).
        - debian/control: bump ldb Build-Depends to security update version.
        - CVE-2023-0614
      * SECURITY UPDATE: admin tool samba-tool sends passwords in cleartext
        - debian/patches/CVE-2023-0922.patch: set default ldap client sasl
          wrapping to seal.
        - CVE-2023-0922
    
     -- Marc Deslauriers <email address hidden>  Thu, 30 Mar 2023 09:25:19 -0400
  • samba (2:4.15.13+dfsg-0ubuntu0.20.04.1) focal-security; urgency=medium
    
      * Update to 4.15.13 as a security update
        - Removed patches included in new version:
          + CVE-*.patch
          + win-22H2-fix*.patch
          + Rename-mdfind-to-mdsearch.patch
          + lp-1951490-fix-printing-KB5006743.patch
        - d/rules: remove --with-dnsupdate, it was merged with --with-ads.
        - debian/control: bump libldb-dev Build-Depends to 2.4.4, bump
          libtalloc to 2.3.3, libtdb to 1.4.4, and libtevent to 0.11.0.
        - debian/control: added python3-markdown to Build-Depends.
        - debian/{gpb.conf,watch,README.source}: updated for 4.15.
        - debian/{*.install,*.symbols,*.lintian-overrides}: updated for 4.15.
        - debian/rules: drop fixing of findsmb shebang.
        - debian/rules: drop removal of ctdb tests, they are no longer
          installed.
        - CVE-2022-3437, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023,
          CVE-2022-42898, CVE-2022-45141
    
     -- Marc Deslauriers <email address hidden>  Fri, 24 Feb 2023 07:31:43 -0500
  • samba (2:4.13.17~dfsg-0ubuntu1.20.04.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: Multiple regressions (LP: #2003867) (LP: #2003891)
        - debian/patches/series: disable all security fixes from the previous
          update pending further investigation. This reverts the following
          CVEs: CVE-2022-3437, CVE-2022-42898, CVE-2022-45141, CVE-2022-38023,
          CVE-2022-37966, CVE-2022-37967.
    
     -- Marc Deslauriers <email address hidden>  Thu, 26 Jan 2023 09:03:40 -0500
  • samba (2:4.13.17~dfsg-0ubuntu1.20.04.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overflow in Heimdal unwrap_des3()
        - debian/patches/CVE-2022-3437-*.patch
        - CVE-2022-3437
      * SECURITY UPDATE: Buffer overflow vulnerabilities on 32-bit systems
        - debian/patches/CVE-2022-42898-*.patch
        - CVE-2022-42898
      * SECURITY UPDATE: Samba AD DC can be forced to issue rc4-hmac encrypted
        Kerberos tickets
        - debian/patches/CVE-2022-45141-*.patch
        - CVE-2022-45141
      * SECURITY UPDATE: RC4/HMAC-MD5 NetLogon Secure Channel is weak and
        should be avoided
        - debian/patches/CVE-2022-38023-*.patch
        - CVE-2022-38023
      * SECURITY UPDATE: rc4-hmac Kerberos session keys issued to modern servers
        - debian/patches/CVE-2022-3796x-*.patch
        - CVE-2022-37966
      * SECURITY UPDATE: Kerberos constrained delegation ticket forgery
        possible against Samba AD DC
        - debian/patches/CVE-2022-3796x-*.patch
        - CVE-2022-37967
      * debian/patches/win-22H2-fix.patch: split git-style patch into three
        individual patches so that it can be manipulated properly with quilt.
      * debian/patches/CVE-2022-44640-*.patch: Heimdal issue that did not
        affect Samba, but patches included for completeness.
    
     -- Marc Deslauriers <email address hidden>  Wed, 11 Jan 2023 11:12:16 -0500
  • samba (2:4.13.17~dfsg-0ubuntu1.20.04.2) focal; urgency=medium
    
      * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
        clients (LP: #1993934)
    
     -- Andreas Hasenack <email address hidden>  Tue, 08 Nov 2022 11:35:28 -0300
  • samba (2:4.13.17~dfsg-0ubuntu1.20.04.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: MaxQueryDuration not honoured in Samba AD DC LDAP
        - debian/patches/CVE-2021-3670-*.patch
        - CVE-2021-3670
      * SECURITY UPDATE: Samba AD users can bypass certain restrictions
        associated with changing passwords
        - debian/patches/CVE-2022-2031-*.patch
        - CVE-2022-2031
      * SECURITY UPDATE: Server memory information leak via SMB1
        - debian/patches/CVE-2022-32742-*.patch
        - CVE-2022-32742
      * SECURITY UPDATE: Samba AD users can forge password change requests for
        any user
        - debian/patches/CVE-2022-2031-*.patch
        - CVE-2022-32744
      * SECURITY UPDATE: Samba AD users can crash the server process with an
        LDAP add or modify request
        - debian/patches/CVE-2022-32745_6-*.patch
        - CVE-2022-32745
      * SECURITY UPDATE: Samba AD users can induce a use-after-free in the
        server process with an LDAP add or modify request
        - debian/patches/CVE-2022-32745_6-*.patch
        - CVE-2022-32746
      * debian/control: Build-Depends on ldb security update.
      * Fix version string to match focal.
    
     -- Marc Deslauriers <email address hidden>  Mon, 18 Jul 2022 08:52:26 -0400
  • samba (2:4.13.17~dfsg-0ubuntu0.21.04.2) focal; urgency=medium
    
      * d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
        Windows 2021-10 Monthly Rollup patch (LP: #1951490)
    
     -- Andreas Hasenack <email address hidden>  Thu, 10 Mar 2022 10:48:01 -0300
  • samba (2:4.13.17~dfsg-0ubuntu0.21.04.1) focal-security; urgency=medium
    
      * Update to 4.13.17 as a security update
        - CVE-2021-43566, CVE-2021-44142, CVE-2022-0336
      * Removed patches included in new version:
        - debian/patches/trusted_domain_regression_fix.patch
        - debian/patches/bug14901-*.patch
        - debian/patches/bug14922.patch
    
     -- Marc Deslauriers <email address hidden>  Mon, 31 Jan 2022 08:11:13 -0500
  • samba (2:4.13.14+dfsg-0ubuntu0.20.04.4) focal-security; urgency=medium
    
      * SECURITY REGRESSION: Kerberos authentication on standalone server in
        MIT realm broken
        - debian/patches/bug14922.patch: fix MIT Realm regression in
          source3/auth/user_krb5.c.
    
     -- Marc Deslauriers <email address hidden>  Mon, 13 Dec 2021 07:12:25 -0500
  • samba (2:4.13.14+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium
    
      * SECURITY REGRESSION: undesired side effects for the local nt token
        - debian/patches/bug14901-*.patch: upstream patches to fix some
          mapping issues.
      * SECURITY REGRESSION: backup command raises FileNotFoundError
        (LP: #1952187)
        - debian/patches/bug14918-*.patch: upstream patches to properly handle
          dangling symlinks.
    
     -- Marc Deslauriers <email address hidden>  Thu, 02 Dec 2021 08:03:56 -0500
  • samba (2:4.13.14+dfsg-0ubuntu0.20.04.2) focal; urgency=medium
    
      * samba.postinst: do not populate sambashare from the Ubuntu admin group
        (LP: #1942195)
    
     -- Paride Legovini <email address hidden>  Fri, 12 Nov 2021 14:42:02 +0100
  • samba (2:4.13.14+dfsg-0ubuntu0.20.04.1) focal-security; urgency=medium
    
      * Update to 4.13.14 as a security update (LP: #1950363)
        - Removed patches included in new version:
          + CVE-*.patch
          + zerologon*.patch
          + 0023-libsmb-Don-t-try-to-find-posix-stat-info-in-SMBC_get.patch
          + build-Remove-tests-for-getdents-and-getdirentries.patch
          + fix-double-free-with-unresolved-credentia-cache.patch
          + wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
          + wscript-split-function-check-to-one-per-line-and-sor.patch
        - Add/Refresh patches from Hirsute package:
          + Rename-mdfind-to-mdsearch.patch
          + bug_221618_precise-64bit-prototype.patch
          + fix-nfs-service-name-to-nfs-kernel-server.patch
        - debian/control: bump libldb-dev Build-Depends to 2.2.3, bump
          libtalloc to 2.3.1, libtdb to 1.4.3, and libtevent to 0.10.2.
        - debian/*.install, debian/*.symbols: sync with Hirsute package, added
          libdcerpc-pkt-auth.so.0.
        - debian/rules: build with --enable-spotlight, remove --accel-aes as it
          is no longer used with gnutls.
        - debian/control: add libicu-dev to Build-Depends.
        - debian/patches/trusted_domain_regression_fix.patch: fix regression
          introduced in 4.13.14.
        - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
          CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
    
     -- Marc Deslauriers <email address hidden>  Mon, 01 Nov 2021 07:33:25 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.10) focal; urgency=medium
    
      * d/p/fix-double-free-with-unresolved-credentia-cache.patch: Fix
        double free with unresolved credential cache. (LP: #1892145)
    
     -- Paride Legovini <email address hidden>  Fri, 06 Aug 2021 14:17:29 +0200
  • samba (2:4.11.6+dfsg-0ubuntu1.9) focal; urgency=medium
    
      * Fix samba-common-bin postinst errors (LP: #1905387)
        - d/rules: ensure systemd-tmpfiles runs for samba-common-bin postinst
          through dh_installsystemd
        - d/samba-common-bin.postinst: ensure systemd-tmpfiles is called before
          testparm
        - d/t/reinstall-samba-common-bin: make sure /run/samba is created by the
          samba-common-bin installation process (postinst script)
        - d/t/control: run new reinstall-samba-common-bin test case
    
     -- Athos Ribeiro <email address hidden>  Mon, 24 May 2021 16:45:27 -0300
  • samba (2:4.11.6+dfsg-0ubuntu1.8) focal-security; urgency=medium
    
      * SECURITY UPDATE: wrong group entries via negative idmap cache entries
        - debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
          source3/passdb/lookup_sid.c.
        - CVE-2021-20254
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Apr 2021 07:02:48 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: Missing handle permissions check in ChangeNotify
        - debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
          get set unless the directory handle is open for SEC_DIR_LIST in
          source4/torture/smb2/notify.c, source3/smbd/notify.c.
        - CVE-2020-14318
      * SECURITY UPDATE: Unprivileged user can crash winbind
        - debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
          source3/winbindd/winbindd_lookupsids.c,
          source4/torture/winbind/struct_based.c.
        - CVE-2020-14323
      * SECURITY UPDATE: DNS server crash via invalid records
        - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
          with NULL and do not crash when additional data not found in
          source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
        - CVE-2020-14383
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Oct 2020 06:48:54 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: Unauthenticated domain controller compromise by
        subverting Netlogon cryptography (ZeroLogon)
        - debian/patches/zerologon-*.patch: backport upstream patches:
          + For compatibility reasons, allow specifying an insecure netlogon
            configuration per machine. See the following link for examples:
            https://www.samba.org/samba/security/CVE-2020-1472.html
          + Add additional server checks for the protocol attack in the
            client-specified challenge to provide some protection when
            'server schannel = no/auto' and avoid the false-positive results
            when running the proof-of-concept exploit.
        - CVE-2020-1472
    
     -- Marc Deslauriers <email address hidden>  Fri, 18 Sep 2020 12:33:05 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Empty UDP packet DoS in Samba AD DC nbtd
        - debian/patches/CVE-2020-14303.patch: fix busy loop on empty UDP
          packet in libcli/nbt/nbtsocket.c.
        - CVE-2020-14303
    
     -- Marc Deslauriers <email address hidden>  Fri, 07 Aug 2020 13:31:00 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: NULL pointer de-reference and use-after-free in Samba
        AD DC LDAP Server with ASQ, VLV and paged_results
        - debian/patches/CVE-2020-10730-*.patch: multiple upstream patches to
          fix the issue.
        - CVE-2020-10730
      * SECURITY UPDATE: Parsing and packing of NBT and DNS packets can consume
        excessive CPU
        - debian/patches/CVE-2020-10745-*.patch: multiple upstream patches to
          fix the issue.
        - CVE-2020-10745
      * SECURITY UPDATE: LDAP Use-after-free in Samba AD DC Global Catalog with
        paged_results and VLV
        - debian/patches/CVE-2020-10760-*.patch: multiple upstream patches to
          fix the issue.
        - CVE-2020-10760
    
     -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2020 08:34:26 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.2) focal; urgency=medium
    
      * Fix "Shared files are shown as folders" (LP: #1872476)
        - d/p/0023-libsmb-Don-t-try-to-find-posix-stat-info-in-SMBC_get.patch:
          Don't obtain stat(2) information if dealing with older protocols on
          UNIX-like systems.
    
     -- Sergio Durigan Junior <email address hidden>  Thu, 30 Apr 2020 15:17:24 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: Use-after-free in AD DC LDAP server
        - debian/patches/CVE-2020-10700-1.patch: add test for ASQ and ASQ in
          combination with paged_results in selftest/knownfail.d/asq,
          source4/dsdb/tests/python/asq.py, source4/selftest/tests.py.
        - debian/patches/CVE-2020-10700-3.patch: do not permit the ASQ control
          for the GUID search in paged_results in selftest/knownfail.d/asq,
          source4/dsdb/samdb/ldb_modules/paged_results.c.
        - debian/control: bump libldb-dev, python3-ldb, and python3-ldb-dev
          Build-Depends to 2.0.10.
        - CVE-2020-10700
      * SECURITY UPDATE: Stack overflow in AD DC LDAP server
        - debian/patches/CVE-2020-10704-1.patch: add ASN.1 max tree depth in
          auth/gensec/gensec_util.c, lib/util/asn1.c, lib/util/asn1.h,
          lib/util/tests/asn1_tests.c, libcli/auth/spnego_parse.c,
          libcli/cldap/cldap.c, libcli/ldap/ldap_message.c,
          source3/lib/tldap.c, source3/lib/tldap_util.c,
          source3/libsmb/clispnego.c, source3/torture/torture.c,
          source4/auth/gensec/gensec_krb5.c, source4/ldap_server/ldap_server.c,
          source4/libcli/ldap/ldap_client.c,
          source4/libcli/ldap/ldap_controls.c.
        - debian/patches/CVE-2020-10704-3.patch: check parse tree depth in
          lib/util/asn1.c.
        - debian/patches/CVE-2020-10704-5.patch: add max ldap request sizes in
          docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml,
          docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml,
          lib/param/loadparm.c, source3/param/loadparm.c.
        - debian/patches/CVE-2020-10704-6.patch: limit request sizes in
          source4/ldap_server/ldap_server.c.
        - debian/patches/CVE-2020-10704-7.patch: add search size limits to
          ldap_decode in docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml,
          lib/param/loadparm.c, libcli/cldap/cldap.c,
          libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
          source3/param/loadparm.c, source4/ldap_server/ldap_server.c,
          source4/libcli/ldap/ldap_client.c.
        - debian/patches/CVE-2020-10704-8.patch: check search request lengths
          in lib/util/asn1.c, lib/util/asn1.h, libcli/ldap/ldap_message.c.
        - CVE-2020-10704
    
     -- Marc Deslauriers <email address hidden>  Fri, 24 Apr 2020 08:08:38 -0400
  • samba (2:4.11.6+dfsg-0ubuntu1) focal; urgency=medium
    
      * New upstream release: 4.11.6
      * d/p/samba-tool-py38-*.patch: dropped, fixed upstream
    
     -- Andreas Hasenack <email address hidden>  Wed, 26 Feb 2020 11:55:16 -0300
  • samba (2:4.11.5+dfsg-1ubuntu2) focal; urgency=medium
    
      * d/p/samba-tool-py38-*.patch: use correct method flags (LP: #1864324)
    
     -- Andreas Hasenack <email address hidden>  Sat, 22 Feb 2020 17:22:21 -0300
  • samba (2:4.11.5+dfsg-1ubuntu1) focal; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - debian/VERSION.patch: Update vendor string to "Ubuntu".
        - debian/smb.conf:
          + Add "(Samba, Ubuntu)" to server string.
          + Comment out the default [homes] share, and add a comment about
            "valid users = %s" to show users how to restrict access to
            \\server\username to only username.
        - debian/samba-common.config:
          + Do not change priority to high if dhclient3 is installed.
        - d/control, d/rules: Disable glusterfs support because it's not in main.
          MIR bug is https://launchpad.net/bugs/1274247
        - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
          change nfs service name from nfs to nfs-kernel-server
          (LP #722201)
        - d/p/ctdb-config-enable-syslog-by-default.patch:
          enable syslog and systemd journal by default
        - debian/rules: Ubuntu i386 binary compatibility:
          + drop ceph support
          + disable the following binary packages:
            - ctdb
            - libnss-winbind
            - libpam-winbind
            - python3-samba
            - samba
            - samba-common-bin
            - samba-testsuite
            - winbind
        - debian/control: Ubuntu i386 binary compatibility:
          + drop ceph support
        - debian/rules: Ubuntu i386 binary compatibility:
          + re-enable the following binary packages:
            - libnss-winbind
            - samba-common-bin
            - python3-samba
            - winbind
      * Dropped:
        - d/control: drop python3-matplotlib. It's only used in
          script/attr_count_read which is not installed with the
          samba packages.
          [In 2:4.11.3+dfsg-1]
    
    samba (2:4.11.5+dfsg-1) unstable; urgency=medium
    
      * New upstream security release
        - CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
          Directory not automatic.
        - CVE-2019-14907: Crash after failed character conversion at log level 3 or
          above.
        - CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
        - Bump build-depends ldb >= 2.0.8
    
    samba (2:4.11.3+dfsg-1) unstable; urgency=high
    
      * New upstream security release
        - Drop merged patches for previous security fixes
        - CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management
          server by creating records matching the zone name.
        - CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was
          not being applied when processing protocol transition requests (S4U2Self),
          in the AD DC KDC.
      * d/control: drop python3-matplotlib
      * d/control: Fix stronger-dependency-implies-weaker
        (samba depends -> recommends python3-dnspython)
    
     -- Andreas Hasenack <email address hidden>  Mon, 17 Feb 2020 15:29:35 -0300
  • samba (2:4.11.1+dfsg-3ubuntu4) focal; urgency=medium
    
      * Ubuntu i386 binary compatibility effort: (LP: #1861316)
        - debian/rules:
            + re-enable the following binary packages generation:
              - libnss-winbind
              - samba-common-bin
              - python3-samba
              - winbind
    
     -- Rafael David Tinoco <email address hidden>  Thu, 06 Feb 2020 14:42:38 +0000
  • samba (2:4.11.1+dfsg-3ubuntu3) focal; urgency=medium
    
      * No-change rebuild to build with python3.8.
    
     -- Matthias Klose <email address hidden>  Sat, 25 Jan 2020 06:06:11 +0000
  • samba (2:4.11.1+dfsg-3ubuntu2) focal; urgency=medium
    
      * Ubuntu i386 binary compatibility effort: (LP: #1858479)
        - debian/control:
            + drop ceph support
        - debian/rules:
            + drop ceph support
            + disable the following binary packages generation:
              - ctdb
              - libnss-winbind
              - libpam-winbind
              - python3-samba
              - samba
              - samba-common-bin
              - samba-testsuite
              - winbind
    
     -- Rafael David Tinoco <email address hidden>  Thu, 09 Jan 2020 00:40:31 +0000
  • samba (2:4.11.1+dfsg-3ubuntu1) focal; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - debian/VERSION.patch: Update vendor string to "Ubuntu".
        - debian/smb.conf:
          + Add "(Samba, Ubuntu)" to server string.
          + Comment out the default [homes] share, and add a comment about
            "valid users = %s" to show users how to restrict access to
            \\server\username to only username.
        - debian/samba-common.config:
          + Do not change priority to high if dhclient3 is installed.
        - d/control, d/rules: Disable glusterfs support because it's not in main.
          MIR bug is https://launchpad.net/bugs/1274247
        - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
          change nfs service name from nfs to nfs-kernel-server
          (LP #722201)
          [Adopted the Debian version and added a couple of extra hunks
          we had]
        - d/p/ctdb-config-enable-syslog-by-default.patch:
          enable syslog and systemd journal by default
      * Dropped:
        - Add apport hook:
          + Created debian/source_samba.py.
          + debian/rules, debian/samba-common-bin.install: install hook.
          [In 2:4.9.4+dfsg-2]
        - Removed patches already applied upstream:
          + d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
            [Removed in 2:4.10.7+dfsg-1]
          + d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
            [Removed in 4.9.5+dfsg-1]
        - d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
          [Refreshed in 2:4.1.17+dfsg-1]
        - d/control: Updated build dependencies (already updated in Debian):
          + tdb >= 1.3.17
          + talloc >= 2.1.15
          + tevent >= 0.9.38
          + ldb >= 1.5.3
        - d/samba-common.docs: README is now README.md
          [In 2:4.10.7+dfsg-1]
        - d/libsmbclient.symbols: update symbols for this version
        - d/libwbclient0.symbols: update symbols for this version
        - d/ctdb.install: new binary ctdb_local_daemons
          [In 2:4.10.7+dfsg-1]
        - d/samba-dev.install: use globbing for the header files with
          exceptions for wbclient.h and libsmbclient.h, which belong in
          other packages.
          [In 2:4.10.7+dfsg-1]
        - d/rules: fix globbing used to move the dckeytab python module to the
          samba package, and add a comment explaining why this is being done.
          [In 2:4.10.7+dfsg-1]
        - Switch to python3 (in 2:4.10.7+dfsg-1):
          + d/rules: calculate the ldb version using python3, and drop the
            "really" bit since the real 1.5.x series is being used now.
          + d/rules: make sure python3 is used for the build
          + d/rules: adjust globbing to remove the python3 version of tevent.so
          + d/rules: drop PYVERS, unused
          + d/control: adjust dependencies (build and runtime) for python3
          + d/python3-samba.install, d/control: new python3-samba package
            (LP #1440381)
          + d/control, d/python-samba.install: get rid of python-samba, which is py2
          + d/python3-samba.lintian-overrides: use the same overrides we had for
            python-samba, now deleted.
          + d/samba-dev.install, d/samba-libs.install: update file list
          + d/t/control, d/t/python-smoke: use python3
          + d/control: use ${python3:Depends} now instead of the python 2
            counterpart for samba and samba-common-bin.
        - d/control: drop suggests for python-gpgme, it's no longer available.
          [In 2:4.10.7+dfsg-1]
        - d/gbp.conf, d/watch, r/README.source: updated for 4.10
          [In 2:4.10.7+dfsg-1]
        - d/control: update cmocka build-depends to >= 1.1.3
          [In 2:4.10.7+dfsg-1]
        - d/samba-libs.install: bump passdb minor to 0.27.2
          [In 2:4.10.7+dfsg-1]
        - d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
          to allow pid file to exist (LP #1821775)
          [In 2:4.10.7+dfsg-1]
        - Allow proper ctdb initialization (LP #1828799):
          + d/ctdb.dirs: added /var/lib/ctdb/* directories
          + d/ctdb.postrm: remove leftovers from:
            /var/lib/ctdb/{state,persistent,volatile,scripts}
          [In 2:4.10.7+dfsg-1]
        - d/rules: installing provided config examples and helper scripts
        - Examples of NFS HA CTDB config files + helper script:
          + d/ctdb.example.enable.nfs.sh
          + d/ctdb.example.nfs-common
          + d/ctdb.example.nfs-kernel-server
          + d/ctdb.example.services
          + d/ctdb.example.sysctl-nfs-static-ports.conf
          [In 2:4.10.7+dfsg-1]
        - debian/rules: Make DEB_HOST_ARCH_CPU initialized through
          dpkg-architecture (Closes: #931138)
          [In 2:4.10.7+dfsg-1]
        - d/control: update ldb build-deps to 1.5.5
          [In 2:4.10.7+dfsg-1]
        - SECURITY UPDATE: restricted share escape by user (LP #1842533)
          [fixed upstream in 4.11.0rc2]
          + debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
            out impersonation debug info into a new function.
          + debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
            change_to_user_internal() always resets current_user.done_chdir
          + debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
            reset current_user.{need,done}_chdir in become_root()
          + debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
            fsrvp_share its own independent subdirectory
          + debian/patches/CVE-2019-10197-05-v4-10.patch:
            test_smbclient_s3.sh: add regression test for the no permission
            on share root problem
          + debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
            change_to_user_impersonate() out of change_to_user_internal()
          + CVE-2019-10197
      * Added:
        - d/control: drop python3-matplotlib. It's only used in
          script/attr_count_read which is not installed with the
          samba packages.
    
    samba (2:4.11.1+dfsg-3) unstable; urgency=medium
    
      * Add some python dependencies:
        - python3-matplotlib : samba-tool visualize
        - python3-markdown   : samba-tool domain schemaupgrade
        - python3-dnspython  : samba-tool dns
      * Only build with default python3 (Closes: #943635)
    
    samba (2:4.11.1+dfsg-2) unstable; urgency=high
    
      * New upstream security release
        - CVE-2019-10218: Malicious servers can cause Samba client code to return
          filenames containing path separators to calling code.
        - CVE-2019-14833: When the password contains multi-byte (non-ASCII)
          characters, the check password script does not receive the full password
          string.
    
    samba (2:4.11.1+dfsg-1) unstable; urgency=medium
    
      * New upstream release
    
    samba (2:4.11.0+dfsg-11) unstable; urgency=medium
    
      * Stop building with spotlight support which pulls glib (Closes: #941654)
      * Force quota support (Closes: #941899)
      * Standards-Version: 4.4.1, no change
    
    samba (2:4.11.0+dfsg-10) unstable; urgency=medium
    
      * Add libwbclient-dev to samba-dev depends as samba-util was moved there
        (Closes: #941750)
    
    samba (2:4.11.0+dfsg-9) unstable; urgency=medium
    
      * Remove versioned depends on libtdb-dev (>= 2) and add libldb-dev (>= 2:2)
    
    samba (2:4.11.0+dfsg-8) unstable; urgency=medium
    
      * d/gbp.conf: sign-tags = True
      * Do not check smb.conf with testparm when server role=active directory domain
        controller (Closes: #931734)
      * Force one job during configure step with -j 1 (Closes: #941467).
        Not setting -j leads to default which is number of cpus
    
    samba (2:4.11.0+dfsg-7) unstable; urgency=medium
    
      * Always evaluate WAF_NO_PARALLEL to ensure correct value (Closes: #941467)
      * This version is built with talloc from sid (Closes: #940963)
    
    samba (2:4.11.0+dfsg-6) unstable; urgency=medium
    
      * Do not run waf configure in parallel. Fix FTBFS on arm (Closes: #941467)
    
    samba (2:4.11.0+dfsg-5) experimental; urgency=medium
    
      * d/gitlabracadabra.yml: only_allow_merge_if_pipeline_succeeds: false
      * Remove patches:
        - "build: Remove tests for _readdir() and __readdir()"
        - "build: Remove tests for rdchk()"
        - "build: Remove tests for _pwrite() and __pwrite()"
      * Add patches by Ralph Boehme:
        - "wscript: remove all checks for _FUNC and __FUNC"
        - "wscript: split function check to one per line and sort alphabetically"
    
    samba (2:4.11.0+dfsg-4) experimental; urgency=medium
    
      * Use the same arches for librados-dev as libcephfs-dev (Fix missing
        build-depends on alpha and sh4)
      * Split vfsmods:Recommends substvar into
        {vfsceph,vfsglusterfs,vfssnapper}:Recommends to make the code more readable
        and fix FTBFS on linux platforms without ceph (hppa and sparc64, and also
        alpha and sh4)
      * Add patch for "build: Remove tests for _readdir() and _readdir()", to
        hopefully fix FTBFS on armel
    
    samba (2:4.11.0+dfsg-3) experimental; urgency=medium
    
      * Try to fix FTBFS on armel (armhf is fixed):
        - Add patch for build: Remove tests for rdchk()
    
    samba (2:4.11.0+dfsg-2) experimental; urgency=medium
    
      * d/gitlabracadabra.yml: Add samba-team/libsmb2
      * Try to fix FTBFS on armel and armhf:
        - Add patch for build: Remove tests for _pwrite() and __pwrite()
    
    samba (2:4.11.0+dfsg-1) experimental; urgency=medium
    
      [ Mathieu Parent ]
      * Upload to experimental
      * New upstream major release
        - Update d/gbp.conf, d/watch and d/README.source for 4.11
        - Import upstream release
        - Update fix-nfs-service-name-to-nfs-kernel-server.patch
        - Bump build-depends talloc >= 2.2.0, tdb >= 1.4.2, tevent >= 0.10.0 and
          ldb >= 2:2.0.7
        - libsamba-passdb.so bumped to 0.28.0
        - libnon-posix-acls is now a subsystem
        - Drop libparse-pidl-perl package (Closes: #939419)
        - Add new files to d/*.install
        - Move libsamba-util.so.* to libwbclient0, to avoid circular dependencies
        - Move libsamba-util deps to libwbclient0
      * Add build-Remove-tests-for-getdents-and-getdirentries.patch, to fix FTBFS on
        armel and armhf
      * salsa-ci: Build on experimental
    
      [ John Paul Adrian Glaubitz ]
      * Disable cephfs support on architectures where it's not stable
        (Closes: #940697)
    
      [ Louis van Belle ]
      * d/control, d/samba.install: added libtasn1-bin, libtasn1-6-dev to build
        dumpmscat
      * d/control, d/rules: Enable spotlight (TimeMachine)
      * d/control: Bump libtdb-dev (>= 2) in samba-dev deps
      * Update libwbclient0.symbols
      * d/rules: adjust LDB_DEPENDS
    
    samba (2:4.10.8+dfsg-1) unstable; urgency=medium
    
      * Upload to unstable
      * New upstream release:
        - CVE-2019-10197: Combination of parameters and permissions can allow user
          to escape from the share path definition
    
    samba (2:4.10.7+dfsg-1) experimental; urgency=medium
    
      [ Mathieu Parent ]
      * New upstream release
        - Update patches
        - Drop nsswitch-Add-try_authtok-option-to-pam_winbind.patch, merged
        - libsamba-passdb.so bumped to 0.27.2
        - Update symbols
        - Update installed files
      * samba-libs: Fix Breaks+Replaces: libndr-standard0 (<< 2:4.0.9)
        (Closes: #910242)
      * Add missing Breaks+Replace found by piuparts (Closes: #929217)
      * Enable vfs_nfs4acl_xattr (Closes: #930540)
      * ctdb:
        - enable ceph and etcd recovery lock
        - Downgrade ctdb_mutex_ceph_rados_helper shlibdeps to recommends
      * Add gitlabracadabra.yml
      * Update salsa-ci.yml
    
      [ Rafael David Tinoco ]
      * debian/rules: Make DEB_HOST_ARCH_CPU initialized through dpkg-architecture
        (Closes: #931138)
      * CTDB NFS fixes from Ubuntu (Closes: #929931, LP: #722201):
        - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: change nfs service
          name from nfs to nfs-kernel-server
        - ctdb-config: depend on /etc/ctdb/nodes file
        - d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d to
          allow pid file to exist
        - added /var/lib/ctdb/* directories
        - d/ctdb.postrm: remove leftovers from /var/lib/ctdb/*
        - Add examples of NFS HA CTDB config files + helper script
    
      [ Mathieu Parent ]
      * Update d/gbp.conf, d/watch and d/README.source for 4.10
      * Drop ctdb-config-depend-on-etc-default-nodes-file.patch, merged upstream
      * Bump build-depends talloc >= 2.1.16, tdb >= 1.3.18, tevent >= 0.9.39 and
        ldb >= 2:1.5.5
      * Bump libcmocka-dev builddep to 1.1.3
      * d/rules: Remove 1.5.1+really prefix from LDB_DEPENDS
      * d/copyright:
        - s/GPL-3+/GPL-3.0+/ and s/LGPL-3+/LGPL-3.0+/
        - Move License details to end of file
        - Add waf licences
        - Add lib/replace licences
        - Update lib/{ldb,talloc,tdb} licences
      * Move to Python3 (from Ubuntu)
      * Bump debhelper from old 11 to 12.
      * Standards-Version: 4.4.0
      * Replace all references to /var/run with /run (Closes: #934540)
      * Replace python shebang with python3 in d/*.py
    
     -- Andreas Hasenack <email address hidden>  Fri, 29 Nov 2019 18:00:22 -0300
  • samba (2:4.10.7+dfsg-0ubuntu3) focal; urgency=medium
    
      * No-change rebuild to build with python3.8.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Oct 2019 18:53:34 +0000
  • samba (2:4.10.7+dfsg-0ubuntu2) eoan; urgency=medium
    
      * SECURITY UPDATE: restricted share escape by user (LP: #1842533)
        - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
          out impersonation debug info into a new function.
        - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
          change_to_user_internal() always resets current_user.done_chdir
        - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
          reset current_user.{need,done}_chdir in become_root()
        - debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
          fsrvp_share its own independent subdirectory
        - debian/patches/CVE-2019-10197-05-v4-10.patch:
          test_smbclient_s3.sh: add regression test for the no permission
          on share root problem
        - debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
          change_to_user_impersonate() out of change_to_user_internal()
        - CVE-2019-10197
    
     -- Steve Beattie <email address hidden>  Fri, 30 Aug 2019 11:07:19 -0700