Change logs for samba source package in Quantal

  • samba (2:3.6.6-3ubuntu5.4) quantal-security; urgency=medium
    
      * SECURITY UPDATE: Password lockout not enforced for SAMR password
        changes
        - debian/patches/CVE-2013-4496.patch: refactor password lockout code in
          source3/auth/check_samsec.c,
          source3/rpc_server/samr/srv_samr_chgpasswd.c,
          source3/rpc_server/samr/srv_samr_nt.c,
          source3/smbd/lanman.c,
          source4/rpc_server/samr/samr_password.c,
          source4/torture/rpc/samr.c.
        - CVE-2013-4496
     -- Marc Deslauriers <email address hidden>   Mon, 17 Mar 2014 08:53:51 -0400
  • samba (2:3.6.6-3ubuntu5.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: file restrictions bypass via alternate data streams
        - debian/patches/CVE-2013-4475.patch: properly check base file access
          in source3/smbd/open.c.
        - CVE-2013-4475
      * SECURITY UPDATE: pam_winbind access restriction bypass via invalid
        group names
        - debian/patches/CVE-2012-6150.patch: ensure valid groups in
          nsswitch/pam_winbind.c.
        - CVE-2012-6150
      * SECURITY UPDATE: arbitrary code execution via incorrect DCE-RPC
        fragment length field checking
        - debian/patches/CVE-2013-4408.patch: apply massive upstream fix to
          lib/async_req/async_sock.c, libcli/util/tstream.c,
          librpc/idl/dcerpc.idl, librpc/rpc/dcerpc_util.c,
          librpc/rpc/rpc_common.h, nsswitch/libwbclient/wbc_sid.c,
          nsswitch/wbinfo.c, source3/lib/netapi/{group,localgroup,user}.c,
          source3/lib/util_tsock.c, source3/libnet/libnet_join.c,
          source3/librpc/rpc/dcerpc_helpers.c,
          source3/rpc_client/{cli_lsarpc,cli_pipe}.c,
          source3/rpc_server/netlogon/srv_netlog_nt.c,
          source3/rpcclient/{cmd_lsarpc,cmd_samr}.c, source3/smbd/lanman.c,
          source3/utils/net_rpc.c, source3/utils/net_rpc_join.c,
          source3/winbindd/{wb_lookupsids,winbindd_msrpc,winbindd_rpc}.c,
          source4/libcli/util/clilsa.c, source4/libnet/{groupinfo,groupman,
          libnet_join,libnet_lookup,libnet_passwd,userinfo,userman}.c,
          source4/librpc/rpc/{dcerpc,dcerpc_smb,dcerpc_smb2,dcerpc_sock}.c,
          source4/winbind/wb_async_helpers.c.
        - CVE-2013-4408
     -- Marc Deslauriers <email address hidden>   Mon, 09 Dec 2013 10:34:07 -0500
  • samba (2:3.6.6-3ubuntu5.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: denial of service via integer wrap in EA list reading
        - debian/patches/CVE-2013-4124.patch: check offsets in
          source3/smbd/nttrans.c.
        - CVE-2013-4124
      * debian/patches/waf-as-source.patch: removed part that fails to apply
        using saucy's quilt.
      * This package does _not_ contain the changes from 2:3.6.6-3ubuntu5.1 in
        quantal-proposed.
     -- Marc Deslauriers <email address hidden>   Mon, 23 Sep 2013 15:02:09 -0400
  • samba (2:3.6.6-3ubuntu5.1) quantal-proposed; urgency=low
    
      * Fix login with expiring user passwords (LP: #1003296)
        - Fixed in Samba 3.6.9 (Samba bug: 9013)
     -- Bryan Quigley <email address hidden>   Wed, 10 Jul 2013 14:45:45 -0400
  • samba (2:3.6.6-3ubuntu5) quantal; urgency=low
    
      * Change "net share allowedusers" to use RPC call that works with
        Microsoft Windows 2008 r2 (LP: #1061244).
     -- Olly Betts <email address hidden>   Fri, 05 Oct 2012 12:52:33 +0100
  • samba (2:3.6.6-3ubuntu4) quantal; urgency=low
    
      * Drop --upstart-only option when installing upstart configuration for
        winbind - it's not required in this case.
     -- James Page <email address hidden>   Wed, 12 Sep 2012 21:08:52 +0100
  • samba (2:3.6.6-3ubuntu3) quantal; urgency=low
    
      * Decouple startup of smbd from cups (LP: #1047262):
        - d/samba.smbd.upstart: Revert changes made in 2:3.6.6-3ubuntu2.
        - d/samba.reload-smbd.upstart: Add upstart task which reloads smbd
          once cups has started, ensuring that smbd startup is decoupled
          from cups.
        - d/rules: Install reload-smbd upstart configuration, don't try to
          start on install.
      * Install winbind upstart configuration file with --upstart-only option
        for consistency with samba package.
     -- James Page <email address hidden>   Wed, 12 Sep 2012 13:24:16 +0100
  • samba (2:3.6.6-3ubuntu2) quantal; urgency=low
    
      * Ensure samba can query cups for printer information on startup
        (LP: #1047262):
        - d/samba.smbd.upstart: Optionally wait for cups to be in state
          'running' if cups is installed.
     -- James Page <email address hidden>   Fri, 07 Sep 2012 10:58:08 +0100
  • samba (2:3.6.6-3ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable; remaining changes:
        + debian/patches/VERSION.patch:
          - set SAMBA_VERSION_SUFFIX to Ubuntu.
        + debian/smb.conf:
          - add "(Samba, Ubuntu)" to server string.
          - comment out the default [homes] share, and add a comment about
            "valid users = %S" to show users how to restrict access to
            \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
          - Use priority medium instead of high for the workgroup question.
        + debian/control:
          - Don't build against or suggest ctdb.
          - Add dependency on samba-common-bin to samba.
        + Add ufw integration:
          - Created debian/samba.ufw.profile
          - debian/rules, debian/samba.install: install profile.
          - debian/control: have samba suggest ufw.
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debian/samba-common-bin.install: install hook.
        + Switch to upstart:
          - Added debian/samba.{nmbd,smbd}.upstart.
          - Added debian/winbind.upstart.
          - debian/samba.logrotate, debian/samba-common.dhcp, debian/samba.if-up:
            Make upstart compatible.
        + d/rules: Drop explicit configuration options for ctdb.
      * d/patches/cups-1.6.1_compat.patch: Cherry picked patch from upstream VCS
        for compatibility with cups >= 1.6.
     -- James Page <email address hidden>   Wed, 08 Aug 2012 10:36:23 +0000
  • samba (2:3.6.6-2ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable; remaining changes:
        + debian/patches/VERSION.patch:
          - set SAMBA_VERSION_SUFFIX to Ubuntu.
        + debian/smb.conf:
          - add "(Samba, Ubuntu)" to server string.
          - comment out the default [homes] share, and add a comment about
            "valid users = %S" to show users how to restrict access to
            \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
          - Use priority medium instead of high for the workgroup question.
        + debian/control:
          - Don't build against or suggest ctdb.
          - Add dependency on samba-common-bin to samba.
        + Add ufw integration:
          - Created debian/samba.ufw.profile
          - debian/rules, debian/samba.install: install profile.
          - debian/control: have samba suggest ufw.
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debian/samba-common-bin.install: install hook.
        + Switch to upstart:
          - Added debian/samba.{nmbd,smbd}.upstart.
          - debian/samba.logrotate, debian/samba-common.dhcp, debian/samba.if-up:
            Make upstart compatible.
      * Dropped:
        + d/patches/lp_970679_fix-large-groups.patch: included in 3.6.6 release.
      * d/winbind.upstart: converted winbind init script to upstart (LP: #612958).
      * d/rules: Drop explicit configuration options for ctdb.
    
    samba (2:3.6.6-2) unstable; urgency=low
    
      * Restore the DHCP hook.
    
    samba (2:3.6.6-1) unstable; urgency=low
    
      [ Ivo De Decker ]
      * Only enable swat in inetd.conf on first install. Closes: #658245
      * Minor lintian fixes.
      * Remove DHCP hook. Closes: #652942, #629406, #649100
      * Don't reload smbd when running from inetd. Closes: #678741
      * Don't start smbd when guest account doesn't exist. Closes: #653382
      * Only export public symbols in libsmbclient and libwbclient.
    
      [ Christian Perrier ]
      * New upstream version
    
    samba (2:3.6.5-7) unstable; urgency=low
    
      * Allow installing smbclient package together with newer versions of
        samba4-clients, which no longer ship the smbclient and nmblookup
        binaries.
    
    samba (2:3.6.5-6) unstable; urgency=high
    
      [ Ivo De Decker ]
      * Update symbols file for linux-only symbols in libsmbclient. This should
        fix the FTBFS on kfreebsd and hurd. Closes: #676170
      * Enable ctdb for non-linux archs.
      * Remove old if-up script during upgrade.
    
    samba (2:3.6.5-5) unstable; urgency=low
    
      [ Christian Perrier ]
      * Make libpam-winbind depend on libnss-winbind.
    
      [ Ivo De Decker ]
      * Update symbols file for libsmbclient and libwbclient0
      * Add lintian overrides for examples in samba-doc
      * libpam-winbind: change Depends on libnss-winbind to Recommends
      * libnss-winbind: Suggests libpam-winbind
      * Update package description for winbind, libpam-winbind and libnss-winbind
        to better reflect their content
      * Backport vfs_shadow_copy2 from master, to allow shadow copy to work
        without wide links
    
      [ Luk Claes ]
      * Ship wbclient.pc file in multiarch safe directory (Closes: #674215).
    
      [ Sam Morris ]
      * Add libutil_drop_AI_ADDRCONFIG.patch that allows running nmbd when
        no network interfaces have been assigned an address, therefore
        removing the need for an if-up script. Closes: #640668,#640508
     -- James Page <email address hidden>   Wed, 04 Jul 2012 16:12:32 +0100
  • samba (2:3.6.5-3ubuntu2) quantal; urgency=low
    
      * d/samba.nmbd.upstart: Ignore the return code of testparm in pre-start;
        it's used to query the configuration NOT to validate it in this context
        which generates a lot of bug reports for unrelated configuration issues
        (LP: #791944).
     -- James Page <email address hidden>   Wed, 30 May 2012 21:52:39 +0100
  • samba (2:3.6.5-3ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        + debian/patches/VERSION.patch:
          - set SAMBA_VERSION_SUFFIX to Ubuntu.
        + debian/smb.conf:
          - add "(Samba, Ubuntu)" to server string.
          - comment out the default [homes] share, and add a comment about
            "valid users = %S" to show users how to restrict access to
            \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
          - Use priority medium instead of high for the workgroup question.
        + debian/control:
          - Don't build against or suggest ctdb.
          - Add dependency on samba-common-bin to samba.
        + Add ufw integration:
          - Created debian/samba.ufw.profile
          - debian/rules, debian/samba.install: install profile.
          - debian/control: have samba suggest ufw.
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debian/samba-common-bin.install: install hook.
        + Switch to upstart:
          - Added debian/samba.{nmbd,smbd}.upstart.
          - debian/samba.logrotate, debian/samba-common.dhcp, debian/samba.if-up:
            Make upstart compatible.
        + d/patches/lp_970679_fix-large-groups.patch: Cherry picked patch from
          upstream VCS to resolve issue with winbind crashing with groups
          containing more than 1000 members (LP: #970679).
    
    samba (2:3.6.5-3) unstable; urgency=low
    
      [ Luk Claes ]
      * Ship wbclient.pc so cifs-utils can be built again (Closes: #672733).
      * Activate parallel building. Might need DEB_BUILD_OPTIONS as usual.
    
      [ Christian Perrier ]
      * Add Breaks and Replaces on libpam-winbind for newly created
        libnss-winbind. Thanks to Colin Watson for pointing this and shame
        on me for not properly checking the transition. Closes: #673122
     -- James Page <email address hidden>   Fri, 18 May 2012 13:10:40 +0100
  • samba (2:3.6.5-2ubuntu2) quantal; urgency=low
    
      * d/patches/lp_970679_fix-large-groups.patch: Cherry picked patch from
        upstream VCS to resolve issue with winbind crashing with groups
        containing more than 1000 members (LP: #970679).
      * d/control: Fixup Breaks/Replaces on libnss-winbind so that upgrades
        from libpam-winbind don't break. Thanks to Colin Watson for identifying
        this issue.
     -- James Page <email address hidden>   Wed, 16 May 2012 12:07:40 +0100
  • samba (2:3.6.5-2ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        + debian/patches/VERSION.patch:
          - set SAMBA_VERSION_SUFFIX to Ubuntu.
        + debian/smb.conf:
          - add "(Samba, Ubuntu)" to server string.
          - comment out the default [homes] share, and add a comment about
            "valid users = %S" to show users how to restrict access to
            \\server\username to only username.
          - Other changes now in Debian packaging.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
          - Use priority medium instead of high for the workgroup question.
        + debian/control:
          - Don't build against or suggest ctdb.
          - Add dependency on samba-common-bin to samba.
        + Add ufw integration:
          - Created debian/samba.ufw.profile
          - debian/rules, debian/samba.install: install profile.
          - debian/control: have samba suggest ufw.
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debian/samba-common-bin.install: install hook.
        + Switch to upstart:
          - Added debian/samba.{nmbd,smbd}.upstart.
          - debian/samba.logrotate, debian/samba-common.dhcp, debian/samba.if-up:
            Make upstart compatible.
      * d/samba.install, d/samba-common-bin.install: Restore apport hook and ufw
        profile (LP: #999764).
      * Dropped:
        + debian/patches/CVE-2012-1182-*.patch: fixed in upstream release 3.6.4.
        + debian/patches/CVE-2012-2111.patch: fixed in upstream release 3.6.5.
        + debian/patches/fix-debuglevel-name-conflict.patch: fixed upstream -
          debug_level is no longer used as a global variable name.
        + debian/patches/error-trans.fix-276472: fixed upstream.
    
    samba (2:3.6.5-2) unstable; urgency=low
    
      * The yearly "SambaXP bug cleaning party" release. 11 years
        SambaXP, 20 years Samba and counting...
      * Make samba-common "Multi-Arch: foreign"
      * Adapt patch in upstream #7499 and stop nss_wins clobbering other
        daemon's logfiles. Closes: #598313
      * Add some mention about some use for the user information in Kerberos
        environments in the smbspool manpage. Closes: #387266
      * Drop link to no longer provided "Using Samba" documentation in
        HTML documentation summary file. Closes: #604768
      * Provide WHATSNEW.txt in samba-doc too as it is linked from the
        documentation summary file. Do not compress that file.
      * Fix link to WHATSNEW.txt in HTML documentation summary file. This
        is the second part of the fix for #604768
      * Use lp_state_dir() instead of get_dyn_STATEDIR() in
        fhs-filespaths.patch as the latter does indeed hardcode the
        location for passdb.tdb and secrets.tdb to /var/lib/samba
        (the compile-time option for state directory and NOT the configurable
        value). This is left to "state directory" instead of "private dir"
        at least as of now, because it doesn't change anything to the
        current behaviour, but allows the files' location to be configurable
        through "state directory" (and not "private dir").
        Closes: #249873
      * Disable useless smbtorture4 build. Thanks to Ivo De Decker for the patch.
        Closes: #670561
      * Add upstream commit that adds waf source to the buildtools/
        directory. As upstream will, one day or another, merge this, I
        prefer this over removing the waf binary and repack upstream
        tarball.
        Closes: #654499
      * Build-Conflict with python-ldb and python-ldb-dev to avoid build
        failures when some versions of these packages are locally installed.
        Closes: #657314
      * Rename fix-samba.ldip-syntax.patch to fix-samba.ldif-syntax.patch
      * Split NSS modules into a new libnss-winbind binary package.
        Closes: #646292
      * Add a NEWS.Debian entry about the libnss-winbind split and, while at
        it, add an entry for libpam-winbind too (as it will affect upgrades
        from squeeze).
      * Drop code that was moving files around in samba.postinst and
        winbind.postinst for pre-squeeze versions of the package.
      * Drop code that was modifying a deprecated "passdb backend" setting
        in smb.conf for pre-squeeze versions of the package (in
        samba-common.config).
      * Add Should-Start dependency to winbind init script to guarantee
        that the samba init script is started before winbind if present.
        Closes: #638066
      * Provide a (basic) manpage to smbtorture(1). Closes: #528735
      * Turkish debconf translation update (Atila KOÇ).  Closes: #672447
      * Drop the code that generates an smbpasswd file from the system's
        user list. This adds very long delays on systems with many users,
        including those with external user backends. It also makes much
        less sense nowadays and the use of libpam-smbpass can easily
        fill most of the needs. Closes: #671926
      * Merged from Ubuntu:
        - Set 'usershare allow guests', so that usershare admins are
          allowed to create public shares in addition to authenticated
          ones.
        - add map to guest = Bad user, maps bad username to guest access.
        This allows for anonymous user shares. Closes: #672497
    
    samba (2:3.6.5-1) unstable; urgency=low
    
      * New upstream release. Fixes CVE-2012-2111: Incorrect permission
        checks when granting/removing privileges can compromise file
        server security.
      * Build-Depend on debhelper >= 9~ (which is in unstable for a few
        months now)
      * Use "set -e" in maintainer scripts instead of passing -e in the
        shebang line
      * Update Standards to 3.9.3 (checked, no change)
    
    samba (2:3.6.4-1) unstable; urgency=low
    
      [ Christian Perrier ]
      * Two changes in the previous version should indeed read:
        - samba.postinst: Avoid scary pdbedit warnings on first import.
        - samba-common.postinst: Add more informative error message for the case
          where smb.conf was manually deleted.
        Closes: #664509
    
      [ Jelmer Vernooij ]
      * New upstream release.
       + Fixes CVE-2012-1182: PIDL based autogenerated code allows overwriting
         beyond the allocated array.
     -- James Page <email address hidden>   Tue, 15 May 2012 17:00:56 +0100
  • samba (2:3.6.3-2ubuntu2) precise-proposed; urgency=low
    
      * SECURITY UPDATE: Unauthenticated remote code execution via
        RPC calls (LP: #978458)
        - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code
          that uses the same value for array allocation and array length checks.
          Based on upstream patch.
        - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files
          with the patched PIDL compiler
        - CVE-2012-1182
     -- Tyler Hicks <email address hidden>   Thu, 12 Apr 2012 05:28:44 -0500