The annotated tag, samba-4.17.4 has been created
at 1f69e1cdbf2ac348c965617e3a5e58d530cca50d (tag)
tagging ab48448c650c96095fa183c3531a3dd244983664 (commit)
replaces samba-4.17.3
tagged by Jule Anger
on Thu Dec 15 17:10:17 2022 +0100
- Log -----------------------------------------------------------------
samba: tag release samba-4.17.4
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRukACgkQqplEL7aA
tiAgYhAArxRBMOO5bM+1LiTbqtktI6JtXZarhZkCZwLoNxnqIiHE0IES/GxSwsAM
SkWqjT8bzmhXoiNexl/I+HKskirJnQemZFAOzv+K+QT1Uzl5qhtuhO++QK+XqfxJ
Aj8OnGbBs9zxHDrNFWPe8ezOdIIDl7k2g0LrvCgYGMFN7dl2wr4Xi3aMUnwlOpSx
zMirI/qleexaM5N1QVEu3lpFVEsj17mzHGlUrSFOCl5VsuTyczEfAoXRaDP3Db8R
mcDJYkxcuwLM5H71FZS5DX+iJymQlpbnDZLAIV8jCrS5os8M8kurrxxbUDH9idsR
SPUK880NsUn958NJKvZfCZgWa+qoKtlArcLBdOASNgT48Ow8jwZOV0Q50GXLy8B5
h938smFmHxUHGWERBbmFZMCldKq0NJZqmIomVZQMsoS/R8+0JMhadfP5BAbdhgpm
JHvhpaahGAZP6T3toQ92TwB6pOV1S3VvDO/3d7UV+cPJ4aI/Lorqzp6Ftjv/uq57
qdRQVJO0WPV+/PhOA75SbHyVaGED6pdT20bfyBPrf6oVwaOJ1qiVL7KQZZ2yOPPE
FBt6rpTBxWEGvpUjuKxH3UkZqbmbJlhoIwDK8mqZXCV+FAc5QaZOCeAgJY5nmNiL
nSwy7Wx1L2SSYo8OA6r1fS4pkLDWq8piVr6/S8wodOR8+Ofp+3s=
=GmAE
-----END PGP SIGNATURE-----
Andreas Schneider (10):
s3:librpc: Improve GSE error message
s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
s4:libnet: If we successfully changed the password we are done
s3:tests: Add substitution test for include directive
s3:tests: Add substitution test for listing shares
s3:rpc_server: Fix include directive substitution when enumerating shares
s3:utils: Fix stack smashing in net offlinejoin
CVE-2022-37966 s3:param: Fix old-style function definition
CVE-2022-37966 s3:client: Fix old-style function definition
CVE-2022-37966 s3:utils: Fix old-style function definition
Andrew Bartlett (7):
lib/tsocket: Add tests for loop on EAGAIN
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars
test
selftest: make filter-subunit much more efficient for large knownfail
lists
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using
the target_hostname binding string
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients
etype list to select a session key
CVE-2022-37966 param: Add support for new option "kdc force enable rc4
weak session keys"
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since
ENC_HMAC_SHA1_96_AES256_SK was added
Anoop C S (5):
vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
vfs_glusterfs: Do not use glfs_fgetxattr() for
SMB_VFS_GET_REAL_FILENAME_AT
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES
Daniel Kobras (2):
s3: smbd: Consistently map EAs to user namespace
docs-xml: ea support option restricted to user ns
Jeremy Allison (1):
nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t,
not try and embedd it directly.
Joseph Sutton (14):
third_party/heimdal: Introduce macro for common plugin structure elements
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various
encryption types
CVE-2022-37967 Add new PAC checksum
CVE-2022-37966 param: Add support for new option "kdc default domain
supportedenctypes"
CVE-2022-37966 third_party/heimdal: Fix error message typo
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected
Users group
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour
since ENC_HMAC_SHA1_96_AES256_SK was added
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
CVE-2022-37966 kdc: Assume trust objects support AES by default
Jule Anger (4):
Merge tag 'samba-4.17.3' into v4-17-test
VERSION: Bump version up to Samba 4.17.4...
WHATSNEW: Add release notes for Samba 4.17.4.
VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
Nicolas Williams (1):
CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Noel Power (3):
s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
Ralph Boehme (4):
torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
CVE-2022-38023 docs-xml: improve wording for several options: "takes
precedence" -> "overrides"
CVE-2022-38023 docs-xml: improve wording for several options: "yields
precedence" -> "is over-riden"
Stefan Metzmacher (72):
lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
lib/tsocket: check for errors indicated by poll() before getsockopt(fd,
SOL_SOCKET, SO_ERROR)
lib/tsocket: remember the first error as tstream_bsd->error
lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit
the time
lib/replace: fix memory leak in snprintf replacements
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where
'unsigned long' is just 32-bit
CVE-2021-20251: s4:auth: fix use after free in
authsam_logon_success_accounting()
CVE-2022-38023 libcli/auth: pass lp_ctx to
netlogon_creds_cli_set_global_db()
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed
pipes:DOMAIN" and "require strong key:DOMAIN"
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default
to yes
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning
to dcesrv_interface_netlogon_bind
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in
dcesrv_netr_creds_server_step_check()
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon)
debug messages
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_ServerAuthenticate3_check_downgrade()
CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is
disabled
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default
to yes
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we
found the account in our SAM
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5
schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4
crypto:COMPUTERACCOUNT = no"
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5
schannel:COMPUTERACCOUNT"
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and
'allow nt4 crypto' misconfigurations
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and
'reject md5 clients = no'
CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_check_schannel() function
CVE-2022-38023 s4:rpc_server/netlogon: make sure all
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require
seal[:COMPUTERACCOUNT]" options
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to
dcesrv_netr_check_schannel()
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require
seal[:COMPUTERACCOUNT]"
CVE-2022-38023 testparm: warn about server/client schannel != yes
CVE-2022-38023 testparm: warn about unsecure schannel related options
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy"
should not be used
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about
"kerberos encryption types=legacy"
CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest
keys
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
CVE-2022-37966 s3:libads: no longer reference des encryption types
CVE-2022-37966 s3:libnet: no longer reference des encryption types
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print
AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
CVE-2022-37966 s4:kdc: use the strongest possible keys
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments
explicitly to zero by default.
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18
to set nthash only
CVE-2022-37966 s4:libnet: allow python bindings to force setting an
nthash via SAMR level 18
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows
2022
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be
passed KdcTgsBaseTests._{as,tgs}_req()
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials
attributes
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account
creation of KDCBaseTest
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES
assert message
CVE-2022-37966 python:tests/krb5: test much more etype combinations
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4
weak session keys" to false/"no"
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean
the default
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
CVE-2022-37966 samba-tool: add 'domain trust modify' command
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python")
before any other imports
s4:libnet: fix error string for failing samr_ChangePasswordUser4()
s4:libnet: correctly handle gnutls_pbkdf2() errors
Volker Lendecke (2):
heimdal: Fix the 32-bit build on FreeBSD
smbd: Fix Bug 15221
-----------------------------------------------------------------------
--
Samba Shared Repository
