The annotated tag, samba-4.16.8 has been created
at f9306effc2e65cfe0e2646679db644e3ce76ee0f (tag)
tagging 6cc6e233b5ceb2a579400f020b61c67ca7bbeb78 (commit)
replaces samba-4.16.7
tagged by Jule Anger
on Thu Dec 15 17:09:57 2022 +0100
- Log -----------------------------------------------------------------
samba: tag release samba-4.16.8
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRtUACgkQqplEL7aA
tiBGjQ//eupPXw2XUz8FgDJukC2FR8IdtFZO8OQ75BEfko7Y0Jek2KKaiylIGPmX
nekyY8TXwtO/9aQxGyqBRfTNIOK/SSPI++S5quaAIC+XhGL8/2QW9cWO+VKJXvdS
56Mn01Qxcc3T9ytaBMGxDA0an+1dhfikU6DpQannyloKUU5bydcnfgjJfviTKC8Z
M8yJJenf++YY81O8jHoafLTne5xmF0/qMmi0KOk3qEbshYpLeafk1LDlEaoC/T75
WslqYGUbn3FAdfz9TGk/Emuwgy1EeHa8B187sPJjitbge/cBuqMBlgx4NplP0ROe
p6gO9YxYDmf9/8Z8WLFtigmjUImBarkzay7cjBNl2Og6VWjGcu3UjN9FM3ywL5Kj
usNccB9vRMUry1cLnPSMNzLhgggNujE8w2GyEC3Zx0A0hD+rgcwhyrDLkE03EXBN
7Qcj2juT3neri/TpDQfQNScJKbAdfHwAU5V2JuH1uASVC7isIwb+cg3T0KA3hRfM
jIqkXre0tTe2zRTRajD5MgbhkTtA0J2kYd7+9mRFbPKZM01Lhz6wEQ2mqwUcrpbU
b+wwXg9guB0hu0gR9WQjafzcvUZE7OOSHZnyYtjA019P0knU6lrXhgXQunSttK/C
dXiYFcVY+2P9ajubtZz9VbE5r4E2oRdxyF/3FGJWmk6/gN2dBwI=
=+8J7
-----END PGP SIGNATURE-----
Andreas Schneider (12):
third_party: Update socket_wrapper to version 1.3.4
s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
s3:auth: Flush the GETPWSID in memory cache for NTLM auth
s3:tests: Add substitution test for include directive
s3:tests: Add substitution test for listing shares
s3:rpc_server: Fix include directive substitution when enumerating shares
s3:utils: Fix stack smashing in net offlinejoin
CVE-2022-37966 s3:param: Fix old-style function definition
CVE-2022-37966 s3:client: Fix old-style function definition
CVE-2022-37966 s3:utils: Fix old-style function definition
Andrew Bartlett (21):
CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the
user
CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
CVE-2021-20251 s4 auth: make bad password count increment atomic
CVE-2021-20251 auth4: Add missing newline to debug message on PSO read
failure
CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval()
out
CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in
authsam_logon_success_accounting()
CVE-2021-20251 auth4: Avoid reading the database twice by precaculating
some variables
selftest: Prepare for "old Samba" mode regarding getncchanges
GET_ANC/GET_TGT
selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs
clone-dc-database
s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
s4-libnet: Add messages to object count mismatch failures
python-drs: Add client-side debug and fallback for GET_ANC
lib/tsocket: Add tests for loop on EAGAIN
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars
test
selftest: make filter-subunit much more efficient for large knownfail
lists
CVE-2022-37966 s4:kdc: Move supported enc-type handling out of
samba_kdc_message2entry_keys()
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using
the target_hostname binding string
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients
etype list to select a session key
CVE-2022-37966 param: Add support for new option "kdc force enable rc4
weak session keys"
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since
ENC_HMAC_SHA1_96_AES256_SK was added
Douglas Bagnall (7):
pytest: add file removal helpers for TestCaseInTempDir
pytest/downgradedatabase: use TestCaseInTempDir.rm_files
pytest/samdb_api: use TestCaseInTempDir.rm_files
pytest/join: use TestCaseInTempDir.rm_files/dirs
pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
Gary Lockyer (4):
CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow()
out
CVE-2021-20251 s4 auth: Prepare to make bad password count increment
atomic
CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
CVE-2021-20251 auth4: Return only the result message and free the
surrounding result
Jeremy Allison (7):
CVE-2021-20251 s3: ensure bad password count atomic updates
s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
s4: smbtorture: Add fsync_resource_fork test to fruit tests.
s3: VFS: fruit. Implement fsync_send()/fsync_recv().
s4: torture: libsmbclient: Add a torture test to ensure smbc_stat()
returns ENOENT on a non-existent file.
s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.
nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t,
not try and embedd it directly.
Joseph Sutton (34):
CVE-2021-20251 tests/krb5: Add PasswordKey_from_creds()
CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data
with DES
CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4
CVE-2021-20251 tests/krb5: Add tests for password lockout race
CVE-2021-20251 tests/krb5: Convert password lockout tests to use
os.fork() and os.pipe()
CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
CVE-2021-20251 s4:kdc: Move logon success accounting code into existing
branch
CVE-2021-20251 s4:kdc: Check return status of
authsam_logon_success_accounting()
CVE-2021-20251 s4:kdc: Check badPwdCount update return status
CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
CVE-2021-20251 s4:auth_winbind: Check return status of
authsam_logon_success_accounting()
CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR
password change
lib:util: Check memset_s() error code in talloc_keep_secret_destructor()
libcli:auth: Keep passwords from convert_string_talloc() secret
s3:rpc_server: Use BURN_STR() to zero password
CVE-2021-20251 s4-rpc_server: Extend scope of transaction for
ChangePasswordUser3
CVE-2021-20251 dsdb/common: Remove transaction logic from
samdb_set_password()
third_party/heimdal: Introduce macro for common plugin structure elements
CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various
encryption types
CVE-2022-37967 Add new PAC checksum
CVE-2022-37966 param: Add support for new option "kdc default domain
supportedenctypes"
CVE-2022-37966 third_party/heimdal: Fix error message typo
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour
since ENC_HMAC_SHA1_96_AES256_SK was added
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
CVE-2022-37966 kdc: Assume trust objects support AES by default
Jule Anger (6):
Merge tag 'samba-4.16.6' into v4-16-test
VERSION: Bump version up to Samba 4.16.7...
Merge tag 'samba-4.16.7' into v4-16-test
VERSION: Bump version up to Samba 4.16.8...
WHATSNEW: Add release notes for Samba 4.16.8.
VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
Nicolas Williams (1):
CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Noel Power (10):
s3/rpcclient: Duplicate string returned from poptGetArg
s3/param: Fix use after free with popt-1.19
s3/utils: Add missing poptFreeContext
s3/utils: Fix use after free with popt 1.19
s3/utils: Fix use after free with popt 1.19
s4/lib/registry: Fix use after free with popt 1.19
s3/param: Check return of talloc_strdup
s3/utils: Check return of talloc_strdup
s3/utils: check result of talloc_strdup
nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
Pavel Filipenský (1):
lib:replace: Add macro BURN_STR() to zero memory of a string
Ralph Boehme (5):
vfs_fruit: add missing calls to tevent_req_received()
torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
CVE-2022-38023 docs-xml: improve wording for several options: "takes
precedence" -> "overrides"
CVE-2022-38023 docs-xml: improve wording for several options: "yields
precedence" -> "is over-riden"
Stefan Metzmacher (79):
smbXsrv_client: correctly check in negotiate_request.length
smbXsrv_client_connection_pass[ed]_*
smbXsrv_client: notify a different node to drop a connection by client
guid.
smbXsrv_client: ignore NAME_NOT_FOUND from
smb2srv_client_connection_passed
smbXsrv_client: fix a debug message in
smbXsrv_client_global_verify_record()
smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before
dbwrap_watched_watch_send()
smbXsrv_client: make sure we only wait for
smb2srv_client_mc_negprot_filter once and only when needed
smbXsrv_client: handle NAME_NOT_FOUND from
smb2srv_client_connection_{pass,drop}()
s4:messaging: add imessaging_init_discard_incoming()
s3:auth_samba4: make use of imessaging_init_discard_incoming()
s4:messaging: let imessaging_client_init() use
imessaging_init_discard_incoming()
lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
lib/tsocket: check for errors indicated by poll() before getsockopt(fd,
SOL_SOCKET, SO_ERROR)
lib/tsocket: remember the first error as tstream_bsd->error
lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit
the time
lib/replace: fix memory leak in snprintf replacements
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where
'unsigned long' is just 32-bit
CVE-2021-20251: s4:auth: fix use after free in
authsam_logon_success_accounting()
CVE-2022-38023 libcli/auth: pass lp_ctx to
netlogon_creds_cli_set_global_db()
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed
pipes:DOMAIN" and "require strong key:DOMAIN"
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default
to yes
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning
to dcesrv_interface_netlogon_bind
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon)
debug messages
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_ServerAuthenticate3_check_downgrade()
CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is
disabled
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default
to yes
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we
found the account in our SAM
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5
schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4
crypto:COMPUTERACCOUNT = no"
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5
schannel:COMPUTERACCOUNT"
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and
'allow nt4 crypto' misconfigurations
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and
'reject md5 clients = no'
CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_check_schannel() function
CVE-2022-38023 s4:rpc_server/netlogon: make sure all
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require
seal[:COMPUTERACCOUNT]" options
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to
dcesrv_netr_check_schannel()
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require
seal[:COMPUTERACCOUNT]"
CVE-2022-38023 testparm: warn about server/client schannel != yes
CVE-2022-38023 testparm: warn about unsecure schannel related options
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy"
should not be used
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about
"kerberos encryption types=legacy"
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
CVE-2022-37966 s3:libads: no longer reference des encryption types
CVE-2022-37966 s3:libnet: no longer reference des encryption types
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print
AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
CVE-2022-37966 s4:kdc: use the strongest possible keys
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments
explicitly to zero by default.
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18
to set nthash only
CVE-2022-37966 s4:libnet: allow python bindings to force setting an
nthash via SAMR level 18
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows
2022
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be
passed KdcTgsBaseTests._{as,tgs}_req()
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials
attributes
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account
creation of KDCBaseTest
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES
assert message
CVE-2022-37966 python:tests/krb5: test much more etype combinations
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4
weak session keys" to false/"no"
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean
the default
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
CVE-2022-37966 samba-tool: add 'domain trust modify' command
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python")
before any other imports
Volker Lendecke (4):
vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
vfs_gpfs: Protect against timestamps before the Unix epoch
heimdal: Fix the 32-bit build on FreeBSD
-----------------------------------------------------------------------
--
Samba Shared Repository
