The annotated tag, samba-4.17.0rc1 has been created
        at  b5e2f4454ff30d89e06d55041d47d2605775dada (tag)
   tagging  abc2296a67013d167f3b5a8e16e9621963928481 (commit)
  replaces  ldb-2.6.1
 tagged by  Jule Anger
        on  Mon Aug 8 16:34:05 2022 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.17.0rc1

Andreas Schneider (92):
      CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
      CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
      lib:crypto: Reformat wscript
      lib:crypto: Merge wscript_configure into wscript
      lib:crypto: Merge wscript_build into wscript
      lib:replace: Add macros to burn data from memory
      lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
      librpc:rpc: Add SAMR encryption and mac key salt definitions
      lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
      lib:crypto: Add samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
      lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
      libcli:auth: Remove trailing spaces from proto.h
      libcli:auth: Implement a generic encode_pwd_buffer_from_str()
      libcli:auth: Add encode_pw_buffer_from_str()
      libcli:auth: Add test for encode_pwd_buffer514_from_str()
      samr.idl: Add support for new AES encrypted password buffer
      samr:idl: add samr_SupportedFeatures for samr_Connect5()
      samr.idl: Add samr_ChangePasswordUser4()
      s3:rpc_client: Implement init_samr_CryptPasswordAES()
      s3:rpcclient: Encrypt the password buffers only if really needed
      s3:rpcclient: Implement setuserinfo2 level 31
      libcli:auth: Keep data of extract_pw_from_buffer() secret
      libcli:auth: Use extract_pw_from_buffer() in decode_pw_buffer()
      libcli:auth: Implment a common create_pw_buffer_from_blob()
      libcli:auth: Add extract_pwd_blob_from_buffer514()
      libcli:auth: Add test for extract_pwd_blob_from_buffer514()
      s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
      s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
      s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
      s4:rpc_server: Add samr_set_password_aes()
      s4:rpc_server: Implement support for SAMR SetUserInfo(2) level 31
      libcli:auth: Add decode_pwd_string_from_buffer514()
      libcli:auth: Add test for decode_pwd_string_from_buffer514()
      s3:rpc_server: Set missing debug class for srv_samr_chgpasswd
      s3:rpc_server: Add copy_pwd_expired_to_sam_passwd() for SAMR
      s3:rpc_server: Use copy_pwd_expired_to_sam_passwd() in set_user_info_26()
      s3:rpc_server: Remove obosolete copy_id26_to_sam_passwd()
      s3:rpc_server: Implement support for SAMR SetUserInfo level 31
      s4:torture: Implement test for SAMR SetUserInfo(2) level 31
      s4:rpc_server: Implement support for SetUserInfo(2) level 32
      s3:rpc_server: Implement SAMR SetUserInfo(2) level 32
      s4:torture: Implement test for SAMR SetUserInfo(2) level 32
      waf: Check for gnutls_pbkdf2()
      lib:crypto: Add test for pbkdf2
      lib:util: Remove trailing whitespaces in samba_util.h
      lib:util: Add generate_random_u64_range()
      s3:rpc_client: Fix trailing whitespaces in cli_samr.c
      s3:rpc_client: Implement dcerpc_samr_chgpasswd_user4()
      docs-xml: Remove trailing whitespaces in rpcclient.1.xml
      s3:rpcclient: Implement cmd chpasswd4
      s4:dsdb: Remove trailing whitespaces from util.c
      s4:dsdb: Burn the memory of hashes returned by samdb_result_hashes()
      s4:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
      s3:passdb: Remove trailing whitespaces
      s3:passdb: Correctly burn the plaintext_pw with samu_destroy()
      s3:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
      s4:torture: Add test for dcerpc_samr_ChangePasswordUser4
      s4:libnet: Remove unused code in libnet_ChangePassword_samr()
      s4:libnet: Move code using RC4 into its own function
      s4:libnet: Add support for samr_ChangePasswordUser4()
      s3:test: Print the output to understand what was going wrong
      s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()
      s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword
      lib:replace: Remove <sys/mount.h> from filesys.h
      Revert "lib:replace: Remove <sys/mount.h> from filesys.h"
      lib:replace: Only include <sys/mount.h> on non-Linux systems
      testprogs: Reformat dbcheck-links.sh
      testprogs: Reformat dbcheck-oldrelease.sh
      testprogs: Reformat dbcheck.sh
      testprogs: Reformat demote-saveddb.sh
      testprogs: Reformat dfree.sh
      testprogs: Reformat dom_parse.sh
      testprogs: Reformat functionalprep.sh
      testprogs: Reformat join_ldapcmp.sh
      testprogs: Reformat ldapcmp_restoredc.sh
      testprogs: Reformat nsstest.sh
      testprogs: Reformat renamedc.sh
      testprogs: Reformat runtime-links.sh
      testprogs: Reformat schemaupgrade.sh
      testprogs: Reformat subunit.sh
      testprogs: Reformat test_chgdcpass.sh
      testprogs: Reformat test_client_etypes.sh
      testprogs: Reformat test_client_kerberos.sh
      testprogs: Reformat test_export_keytab_heimdal.sh
      testprogs: Reformat test_export_keytab_mit.sh
      testprogs: Reformat test_kinit_heimdal.sh
      testprogs: Reformat test_kinit_mit.sh
      testprogs: Reformat test_kinit_trusts_heimdal.sh
      testprogs: Reformat test_kinit_trusts_mit.sh
      testprogs: Reformat test_kpasswd_heimdal.sh
      testprogs: Reformat test_kpasswd_mit.sh
      testprogs: Reformat test_ktpass.sh

Douglas Bagnall (6):
      util/genrand: don't ignore errors in random number generation
      py/uptodateness: more details in missing dn report
      pytest/netcmd: test samba-tool testparm global section
      pyparam: expose lpcfg_dump_globals()
      samba-tool: allow testparm to dump global section only
      samba-tool gpo: clean up tmpdir after create

Jeremy Allison (67):
      CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
      CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
      s3: smbd: In openat_pathref_dirfsp_nosymlink() ensure we call fsp_smb_fname_link() to set smb_fname->fsp in the returned smb_fname.
      s3: smbd: Inside filename_convert_dirfsp_nosymlink() ensure the returned smb_fname is always allocated off mem_ctx.
      s3: smbd: Convert call_nt_transact_create() to use filename_convert_dirfsp().
      s3: smbd: Ensure we set fsp->file_id in openat_pathref_dirfsp_nosymlink().
      s3: smbd: In filename_split_lcomp() ensure we never return a streamname if posix is set.
      s3: smbd: Fix the error processing in filename_convert_dirfsp_nosymlink() to match unix_convert() 100%
      s3: smbd: Convert reply_open() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_open_and_X() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_mknew() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_ctemp() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_rmdir() to use filename_convert_dirfsp().
      s3: smbd: Convert call_trans2open() to use filename_convert_dirfsp().
      s3: smbd: Convert call_trans2mkdir() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_checkpath() to use filename_convert_dirfsp().
      s3: smbd: In filename_convert_dirfsp(), allow SMB1+POSIX to traverse non-terminal symlinks.
      s3: smbd: In filename_convert_dirfsp_nosymlink(), in SMB1-only POSIX mode, allow a pathname referencing a symlink to be returned.
      s3: smbd: In filename_convert_dirfsp(), don't let an SMB1+POSIX client see a symlink to a directory with no permissions.
      s3: smbd: Inside filename_convert_dirfsp_nosymlink(), don't require UCF_PREP_CREATEFILE when parsing a stream name that doesn't already exist.
      s3: smbd: Tweak the logic of smb2_file_rename_information().
      s3: smbd: In reply_ntrename(), don't call filename_convert() if we know it's a stream rename.
      s3: smbd: Add src_dirfsp and dst_dirfsp parameters to rename_internals().
      s3: smbd: Add dirfsp parameter to unlink_internals().
      s3: smbd: Add dst_dirfsp parameter to rename_internals_fsp().
      s3: smbd: Add old_dirfsp and new_dirfsp parameters to hardlink_internals().
      s3: smbd: Add src_dirfsp and dst_dirfsp parameters to copy_internals().
      s3: smbd: Add dirfsp parameter to create_directory().
      s3: smbd: Convert reply_getatr() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_setatr() to use filename_convert_dirfsp().
      s3: smbd: Convert call_trans2qfilepathinfo() to use filename_convert_dirfsp().
      s3: smbd: Convert call_trans2setfilepathinfo() to use filename_convert_dirfsp().
      s3: smbd: Convert _srvsvc_NetGetFileSecurity() to use filename_convert_dirfsp().
      s3: smbd: Convert _srvsvc_NetSetFileSecurity() to use filename_convert_dirfsp().
      s3: smbd: Convert smbd_smb2_create_durable_lease_check() to use filename_convert_dirfsp().
      s3: smbd: Convert cmd_utime() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_unlink() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_mkdir() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_mv() to use filename_convert_dirfsp().
      s3: smbd: Convert reply_ntrename() to use filename_convert_dirfsp().
      s3: smbd: Convert smb_set_file_unix_hlink() to use filename_convert_dirfsp().
      s3: smbd: Convert smb2_file_rename_information() to use filename_convert_dirfsp().
      s3: smbd: Convert smb_file_link_information() to use filename_convert_dirfsp().
      s3: smbd: Convert smb_file_rename_information() to use filename_convert_dirfsp().
      s3: smbd: Add ucf_flags parameter to extract_snapshot_token().
      s3: smbd: Allow extract_snapshot_token() to cope with MSDFS paths.
      s3: smbd: Remove separate talloc_stackframe() from filename_convert_smb1_search_path().
      s3: smbd: Remove const from name_in parameter to filename_convert_smb1_search_path().
      s3: smbd: Change filename_convert_smb1_search_path() to use extract_snapshot_token().
      s3: smbd: Remove code for unused strip_gmt_from_raw_dfs().
      s3: smbd: In reply_ntrename(), move the call to get_original_lcomp(..newname..) after the call to extract_snapshot_token(..newname..).
      s3: smbd: Remove TWRP handing inside get_original_lcomp().
      s3: smbd: In filename_convert_smb1_search_path(), after we have called dfs_redirect(), the path separator is always '/'.
      s3: smbd: We now know get_original_lcomp() never has to deal with an MSDFS pathname.
      s3: smbd: Add returned dirfsp pointer to filename_convert_smb1_search_path().
      s3: smbd: Convert filename_convert_smb1_search_path() to use filename_convert_dirfsp().
      s3: smbd: Remove filename_convert().
      s3: smbd: In filename_convert_dirfsp_nosymlink() only use synthetic_smb_fname_split() for fake_files, not printer shares too.
      s3: smbd: Add dirfsp return parameter to driver_unix_convert().
      s3: smbd: Convert driver_unix_convert() to use filename_convert_dirfsp().
      s3: smbd: Change srvstr_get_path_internal() to always call check_path_syntaxXXX(), even on DFS pathnames.
      s3: smbd: Remove 'bool posix_path' from struct dfs_path.
      s3: smbd: Minor cleanup in parse_dfs_path().
      s3: smbd: Cleanup - integer align. consumedcnt should be a size_t.
      s3: smbd: Remove the ucf_flags parameter from extract_snapshot_token().
      s3: smbd: Remove ugly SMB1-specific hack to filename_convert_dirfsp()
      s3: smbd: Oops. DBG_ERR messages I used to debug parse_dfs_path(), should have been DBG_DEBUG.

Joseph Sutton (61):
      CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
      CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
      CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
      CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
      CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
      CVE-2022-2031 s4:kpasswd: Account for missing target principal
      CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
      CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
      CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
      CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
      CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
      CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
      CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
      CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
      tests/krb5: Fix enum typo
      tests/krb5: Add option for creating accounts with expired passwords
      CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
      CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
      CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
      CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
      CVE-2022-2031 tests/krb5: Add tests for kpasswd service
      CVE-2022-2031 s4:kpasswd: Correctly generate error strings
      CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
      CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
      CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
      CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
      CVE-2022-2031 s4:kpasswd: Require an initial ticket
      s4:kpasswd: Restructure code for clarity
      CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
      CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
      CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
      CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
      CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
      CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
      CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
      CVE-2022-2031 tests/krb5: Test truncated forms of server principals
      CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
      CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
      s4:kdc: Remove kadmin mode from HDB plugin
      CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
      CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
      CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
      CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
      CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
      CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
      CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
      CVE-2022-32743 s4-acl: Add tests for validated dNSHostName write
      CVE-2022-32743 tests/py_credentials: Add tests for setting dNSHostName with LogonGetDomainInfo()
      CVE-2022-32743 s4:torture/rpc: Fix tests to match Windows
      CVE-2022-32743 s4/dsdb/util: Add dsdb_msg_get_single_value()
      CVE-2022-32743 s4/dsdb/util: Add function to check for a subclass relationship
      CVE-2022-32743 dsdb: Implement validated dNSHostName write
      CVE-2022-32743 dsdb/common: Add FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE control
      CVE-2022-32743 dsdb/modules/acl: Handle FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE control
      CVE-2022-32743 s4:rpc_server/netlogon: Remove dNSHostName prefix check
      CVE-2022-32743 s4:rpc_server/netlogon: Always observe NETR_WS_FLAG_HANDLES_SPN_UPDATE flag
      CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb as a user, rather than as system
      CVE-2022-32743 dsdb/modules/acl: Account for sAMAccountName without $
      CVE-2022-32743 dsdb/modules/acl: Allow simultaneous sAMAccountName, dNSHostName, and servicePrincipalName change
      CVE-2022-32743 s4:rpc_server/common: Add dcesrv_samdb_connect_session_info()
      CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to samdb as workstation account

Jule Anger (49):
      smbstatus: delete wrong EXCLUSIVE+BATCH oplock
      audit_logging: add method to replace the object for a given key with a new object
      smbstatus: print errors to stderr instead of stdout
      smbstatus: use variables in print_share_mode instead of printing directly
      smbstatus: add struct traverse_state
      smbstatus: pass the traverse_state to the traverse methods
      smbstatus: move the output of the title lines to their own methods
      smbstatus: move the output of the content to their own methods
      smbstatus: add enum to handle partial encryption and signing
      smbstatus: use new enum crypto_degree
      smbstatus: add frame files for json specific methods
      smbstatus: add json items to traverse_struct
      smbstatus: add method add_section_to_json
      smbstatus: add general information to the json output
      smbstatus: add a connections dictionary
      smbstatus: add server_id to connections
      conn_tdb: add sess_id to struct connections_data
      smbstatus: add session_id to connections dictionary
      conn_tdb: change type of connections_data.start to NTTIME
      smbstatus: add machine readable time to connections
      smbstatus: add encryption and signing to connections
      smbstatus: add a sessions dictionary
      smbstatus: add server_id to sessions
      smbstatus: add encryption and signing to sessions
      smbstatus: add a basic dictionary with open files
      smbstatus: add file_id information about open files to json output
      smbstatus: add opens to files in json output
      smbstatus: add access mode information about open files to json output
      smbstatus: add oplock information about open files to json output
      smbstatus: add lease information about open files to json output
      smbstatus: add server_id to open files dictionary
      smbstatus: add sharemode information about open files to json output
      smbstatus: add general caching information about open files to json output
      smbstatus: add machine readable time info to locked files
      smbstatus: add service path to byte-range locks
      smbstatus: add a basic byte-range locks dictionary
      smbstatus: add server_id to byte-range locks
      smbstatus: add locks to byte-range locked files in json output
      smbstatus: add file_id information to byte-range locks in json output
      smbstatus: add a notifies dictionary
      smbstatus: add server_id to notifies
      smbstatus: add machine readable creation_time to notify
      smbstatus: add JSON support for smbstatus
      s3:tests: Add a test to check json output of smbstatus
      smbstatus: add a method to add profile items to json
      smbstatus: add JSON support for smbstatus --profile
      s3:tests: Add a test to check json output of smbstatus profile
      WHATSNEW: Up to Samba 4.17.0rc1.
      VERSION: Disable GIT_SNAPSHOT for the Samba 4.17.0rc1 release.

Martin Schwenke (17):
      ctdb-daemon: Fix printing of tickle ACKs
      ctdb-build: Sort sources in ctdb-util and ctdb_unit_tests
      ctdb-build: Separate test backtrace support into separate subsystem
      ctdb-build: Link in backtrace support for ctdb_util_tests
      ctdb-common: Add trivial FD monitoring abstraction
      ctdb-tests: Add tests for trivial FD monitoring
      ctdb-mutex: Consistently use progname in error messages
      ctdb-mutex: Rename recheck_time to recheck_interval
      ctdb-mutex: Rename wait_for_lost to lock_io_check
      ctdb-mutex: Do inode checks in a child process
      ctdb-mutex: Handle pings from lock checking child to parent
      ctdb-mutex: Factor out function fcntl_lock_fd()
      ctdb-mutex: open() and fstat() when testing lock file
      ctdb-mutex: Test the lock by locking a 2nd byte range
      ctdb-tests: Terminate event loop if lock is no longer held
      ctdb-tests: Add tests for cluster mutex I/O timeout
      ctdb-common: CID 1507498: Control flow issues (DEADCODE)

Ralph Boehme (11):
      mdssvc: fix a comment
      mdssvc: update a comment
      mdssvc: consolidate calls of mds_es_search_unset_pending()
      mdssvc: move calling mds_es_search_set_pending() to mds_es_next_search_trigger()
      mdssvc: prevent a crash when pending search finishes after the client closed the search connection
      mdssvc: reapply default search destructor when marking a search non-pending
      mdssvc: fix check if search connection state is gone
      mdssvc: don't trigger http reconnect if a search was cancelled
      mdssvc: fold two if blocks into one
      mdssvc: check if the user closed the query before trying to read the HTTP response from Elasticsearch
      smbstatus: fix indentation in profile_separator()

Stefan Metzmacher (1):
      vfs_glusterfs: add missing END_PROFILE(syscall_openat) to vfs_gluster_openat()

Volker Lendecke (9):
      smbd: Fix the build on FreeBSD
      lib: Align an integer type
      smbd: Security fix for systems without O_PATH
      smbd: Fix a "set but not used" warning
      vfs: change openat propotype to match linux openat2
      smbd: Pass vfs_open_how through non_widelink_open
      smbd: Pass vfs_open_how through fd_openat
      smbd: Hand vfs_open_how to openat_pathref_fullname
      vfs: Add struct vfs_open_how.resolve

Yury Lunev (1):
      examples/winexe: fix fetching return code of the remote command

listout (2):
      nsswitch/wins: Define NETDB_* for other libc's
      lib/util/access: source3/auth/user_util: Check for INNETGR

-----------------------------------------------------------------------

-- 
Samba Shared Repository