[SCM] Samba Shared Repository - annotated tag samba-4.15.13 created

Jule Anger Thu, 15 Dec 2022 08:31:06 -0800

The annotated tag, samba-4.15.13 has been created
        at  98d538ce7afc999a8198f839cd4cda97acb5bde1 (tag)
   tagging  861b4f9fde0128609abcb4eafce6192fbf0a959a (commit)
  replaces  samba-4.15.12
 tagged by  Jule Anger
        on  Thu Dec 15 17:08:50 2022 +0100


- Log -----------------------------------------------------------------
samba: tag release samba-4.15.13
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRpIACgkQqplEL7aA
tiDeQg//XZIydI6R5nJmiTuxcEJam+BAgll0kXihX7UmNXyngBYAdJoHHwmaQTsJ
bhCq/+zTFX6Udb53yQVuXB2amxm1H0IzyzafjCvX+xnrJ6bO29WnFQGFB6fG4Pu5
H3YcuexusmkehpZXmjQJk8nKmUgslyilqXNBOU9I10XUS8n4ehNBrPvVEIV/D1UH
GMe1Vuct6rbSVH2nDZQwpkB0WYqxGOpBCBvAkcvXGaB2bDibYODYjtdzyyafHNk7
54yA7v4yL/6dDZoIyHeui7Dj2hK5iFE+Ik5oSNS20DXmODtX3EVsJsn5x9cfKln/
hbfEtI3rEBU5SW7u+ovbm+yeiRrN1GJn90CtoRdIBqpVEa3rc+URNR+62mp20bMA
LVLnnu1xnF9yZS0ivj+H/6MmMBPjc4zKexoT1/px9KGjMQC2APmyPhrM6mDcbr2Q
VagHQh7H6aid6sEODdu+J88q7INTOdkTdEwp89foZxd4b+KEPqLEw1RV6M2PoRl4
Tha/W9sCrt7dNu1aT433xFomtZtll3/O1HWQyYba5hNtoWf2oq0BRj3qdwLSZ4+u
Cu5oRQC6edYXEKn9C4SJKjglb7UOnPeChXg4QmmFwAEwJj/opmcaDNkBfPDYM+QH
doelZoQR1v+jwYZK7yMjGirLFTq2gRW5KSYK9lCOTQiUPijj9QM=
=ykFd
-----END PGP SIGNATURE-----

Andreas Schneider (3):
      CVE-2022-37966 s3:param: Fix old-style function definition
      CVE-2022-37966 s3:client: Fix old-style function definition
      CVE-2022-37966 s3:utils: Fix old-style function definition

Andrew Bartlett (6):
      selftest: make filter-subunit much more efficient for large knownfail 
lists
      CVE-2022-37966 s4:kdc: Move supported enc-type handling out of 
samba_kdc_message2entry_keys()
      CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using 
the target_hostname binding string
      CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients 
etype list to select a session key
      CVE-2022-37966 param: Add support for new option "kdc force enable rc4 
weak session keys"
      CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since 
ENC_HMAC_SHA1_96_AES256_SK was added

Joseph Sutton (22):
      CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding 
PA-ENC-TS-ENC
      CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
      CVE-2022-37966 tests/krb5: Update supported enctype checking
      CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
      CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
      CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
      CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
      CVE-2022-37966 tests/krb5: Add a test requesting tickets with various 
encryption types
      CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a 
TGT
      CVE-2022-37967 Add new PAC checksum
      CVE-2022-37966 param: Add support for new option "kdc default domain 
supportedenctypes"
      CVE-2022-37966 third_party/heimdal: Fix error message typo
      CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
      CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
      CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour 
since ENC_HMAC_SHA1_96_AES256_SK was added
      CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
      CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
      CVE-2022-37966 auth/credentials: Allow specifying password to 
cli_credentials_get_aes256_key()
      CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with 
AES256 rather than RC4
      CVE-2022-37966 kdc: Assume trust objects support AES by default
      tests/krb5: Add test requesting a service ticket expiring post-2038
      tests/krb5: Add test requesting a TGT expiring post-2038

Jule Anger (3):
      VERSION: Bump version up to Samba 4.15.13...
      WHATSNEW: Add release notes for Samba 4.15.13.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.

Luke Howard (1):
      kdc: avoid re-encoding KDC-REQ-BODY

Nicolas Williams (4):
      CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
      CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
      CVE-2022-45141 source4/heimdal: Fix check-des
      CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data 
signatures

Ralph Boehme (2):
      CVE-2022-38023 docs-xml: improve wording for several options: "takes 
precedence" -> "overrides"
      CVE-2022-38023 docs-xml: improve wording for several options: "yields 
precedence" -> "is over-riden"

Stefan Metzmacher (61):
      CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 
'unsigned long' is just 32-bit
      CVE-2022-38023 libcli/auth: pass lp_ctx to 
netlogon_creds_cli_set_global_db()
      CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
      CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
      CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed 
pipes:DOMAIN" and "require strong key:DOMAIN"
      CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default 
to yes
      CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning 
to dcesrv_interface_netlogon_bind
      CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to 
dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to 
dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in 
dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) 
debug messages
      CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
      CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
      CVE-2022-38023 s4:rpc_server/netlogon: split out 
dcesrv_netr_ServerAuthenticate3_check_downgrade()
      CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default 
to yes
      CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we 
found the account in our SAM
      CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 
schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
      CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 
crypto:COMPUTERACCOUNT = no"
      CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 
schannel:COMPUTERACCOUNT"
      CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 
'allow nt4 crypto' misconfigurations
      CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 
'reject md5 clients = no'
      CVE-2022-38023 s4:rpc_server/netlogon: split out 
dcesrv_netr_check_schannel() function
      CVE-2022-38023 s4:rpc_server/netlogon: make sure all 
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
      CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require 
seal[:COMPUTERACCOUNT]" options
      CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to 
dcesrv_netr_check_schannel()
      CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require 
seal[:COMPUTERACCOUNT]"
      CVE-2022-38023 testparm: warn about server/client schannel != yes
      CVE-2022-38023 testparm: warn about unsecure schannel related options
      CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" 
should not be used
      CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
      CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about 
"kerberos encryption types=legacy"
      CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
      CVE-2022-37966 system_mitkrb5: require support for aes enctypes
      CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
      CVE-2022-37966 s3:libads: no longer reference des encryption types
      CVE-2022-37966 s3:libnet: no longer reference des encryption types
      CVE-2022-37966 s3:net_ads: no longer reference des encryption types
      CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print 
AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
      CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
      CVE-2022-37966 s4:kdc: use the strongest possible keys
      CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
      CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments 
explicitly to zero by default.
      CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 
to set nthash only
      CVE-2022-37966 s4:libnet: allow python bindings to force setting an 
nthash via SAMR level 18
      CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 
2022
      CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be 
passed KdcTgsBaseTests._{as,tgs}_req()
      CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials 
attributes
      CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account 
creation of KDCBaseTest
      CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES 
assert message
      CVE-2022-37966 python:tests/krb5: test much more etype combinations
      CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
      CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 
weak session keys" to false/"no"
      CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean 
the default
      CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
      CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
      CVE-2022-37966 samba-tool: add 'domain trust modify' command
      CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") 
before any other imports

-----------------------------------------------------------------------


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - annotated tag samba-4.15.13 created

Reply via email to