[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5fa7f73b147 s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat(). from 20c85cc1da8 pam_winbind: add new pwd_change_prompt option (defaults to off). https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5fa7f73b14790f4c581fb2bd4d67cd5561e79b6a Author: Jeremy Allison Date: Wed Dec 15 10:41:39 2021 -0800 s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat(). After openat_pathref_fsp() is successful we know we have a VALID_STAT(). It either returns NT_STATUS_OK or we look at the stat struct for S_ISLNK so we know we have VALID_STAT(). If it's not successful we error out, so we don't need another vfs_stat() here. Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Dec 16 07:33:09 UTC 2021 on sn-devel-184 --- Summary of changes: source3/smbd/smb2_close.c | 6 -- 1 file changed, 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c index c218d12b668..648080f1a8c 100644 --- a/source3/smbd/smb2_close.c +++ b/source3/smbd/smb2_close.c @@ -163,7 +163,6 @@ static void setup_close_full_information(connection_struct *conn, uint32_t *out_file_attributes) { NTSTATUS status; - int ret; status = openat_pathref_fsp(conn->cwd_fsp, smb_fname); if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && @@ -176,11 +175,6 @@ static void setup_close_full_information(connection_struct *conn, return; } - ret = vfs_stat(conn, smb_fname); - if (ret != 0) { - return; - } - *out_flags = SMB2_CLOSE_FLAGS_FULL_INFORMATION; *out_file_attributes = fdos_mode(smb_fname->fsp); *out_last_write_ts = smb_fname->st.st_ex_mtime; -- Samba Shared Repository
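Review bot: in the second hunk of setup_close_full_information(), once the vfs_stat() call is gone, the read of smb_fname->st.st_ex_mtime directly below depends entirely on openat_pathref_fsp() having populated the stat struct, and that invariant is recorded only in the commit message. Suggest a short comment above `*out_flags = SMB2_CLOSE_FLAGS_FULL_INFORMATION;` stating it, or a developer-build assertion on VALID_STAT(smb_fname->st), so that a later change to the error handling above cannot lead to close-response timestamps being taken from an unpopulated struct.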
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 20c85cc1da8 pam_winbind: add new pwd_change_prompt option (defaults to off). from eae4c54e2b1 s3:winbind: Fix using normalized name in sam_name_to_sid() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472 Author: Günther Deschner Date: Wed Nov 17 09:56:09 2021 +0100 pam_winbind: add new pwd_change_prompt option (defaults to off). This change disables the prompt for the change of an expired password by default (using the PAM_RADIO_TYPE mechanism if present). BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Alexander Bokovoy Reviewed-by: Andreas Schneider Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184 --- Summary of changes: docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++ nsswitch/pam_winbind.c | 12 ++-- nsswitch/pam_winbind.h | 1 + 3 files changed, 18 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 0bc288f91a1..bae9298fc32 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml @@ -194,6 +194,13 @@ + + pwd_change_prompt = yes|no + + Generate prompt for changing an expired password. Defaults to "no". + + + diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 5d168e2715e..e7ae605b341 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, ctrl |= WINBIND_MKHOMEDIR; } + if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { + ctrl |= WINBIND_PWD_CHANGE_PROMPT; + } + config_from_pam: /* step through arguments */ for (i=argc,v=argv; i-- > 0; ++v) { 
@@ -522,6 +526,8 @@ config_from_pam: else if (!strncasecmp(*v, "warn_pwd_expire", strlen("warn_pwd_expire"))) ctrl |= WINBIND_WARN_PWD_EXPIRE; + else if (!strcasecmp(*v, "pwd_change_prompt")) + ctrl |= WINBIND_PWD_CHANGE_PROMPT; else if (type != PAM_WINBIND_CLEANUP) { __pam_log(pamh, ctrl, LOG_ERR, "pam_parse: unknown option: %s", *v); @@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, * successfully sent the warning message. * Give the user a chance to change pwd. */ - if (ret == PAM_SUCCESS) { + if (ret == PAM_SUCCESS && + (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { if (change_pwd) { retval = _pam_winbind_change_pwd(ctx); if (retval) { @@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, * successfully sent the warning message. * Give the user a chance to change pwd. */ - if (ret == PAM_SUCCESS) { + if (ret == PAM_SUCCESS && + (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { if (change_pwd) { retval = _pam_winbind_change_pwd(ctx); if (retval) { diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h index c6786d65a4d..2f4a25729bd 100644 --- a/nsswitch/pam_winbind.h +++ b/nsswitch/pam_winbind.h @@ -157,6 +157,7 @@ do { \ #define WINBIND_WARN_PWD_EXPIRE0x2000 #define WINBIND_MKHOMEDIR 0x4000 #define WINBIND_TRY_AUTHTOK_ARG0x8000 +#define WINBIND_PWD_CHANGE_PROMPT 0x0001 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) #define _(string) dgettext(MODULE_NAME, string) -- Samba Shared Repository
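Review bot: missing documentation for the module-argument form accepted in the config_from_pam hunk of nsswitch/pam_winbind.c. The new `else if (!strcasecmp(*v, "pwd_change_prompt"))` branch lets the option be set on the PAM line, but the only manpage touched in the summary is pam_winbind.conf.5.xml, which documents the config-file key alone. Suggest documenting the argument form wherever the other module arguments are described. This branch also matches with strcasecmp() while the warn_pwd_expire branch just above it uses strncasecmp() with strlen(); a one-line comment saying the exact match is intended would save the next reader the question.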
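Review bot: in both _pam_send_password_expiry_message() hunks the context comment "Give the user a chance to change pwd." is now only true when WINBIND_PWD_CHANGE_PROMPT is set, which the new default leaves off. Suggest updating the comment in both places to say the prompt is opt-in, and, since the same `ret == PAM_SUCCESS && (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)` test is added to two otherwise identical blocks, moving that block into a small helper so the two copies cannot drift apart. The default flip also changes behaviour for existing installations on upgrade, which deserves a release-note entry alongside the manpage text.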
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  eae4c54e2b1 s3:winbind: Fix using normalized name in sam_name_to_sid()
       via  4e9a58f376f lib:util: Initialize pid
       via  31b9208d839 lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()
       via  092e11295a9 s3:winbindd: Remove dead code from sam_rids_to_names()
       via  116123e9214 s4:dns_server: Remove less-than-zero comparison of an unsigned value
       via  90fd7674f81 ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()
       via  3397e04d714 s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO
       via  e25af2bc4f1 lib:util: Check return value of tdb_parse_record()
       via  e8e1a74da3f s3:lib: Do not close fd = -1 on fail in netapi example
       via  9bd0fbf5e8d s3:lib: Fix memory leak in netapi examples
      from  c8c3c547646 s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit eae4c54e2b15c0022010b75c3117edce39d6c204
Author: Andreas Schneider
Date:   Tue Dec 14 16:27:17 2021 +0100

    s3:winbind: Fix using normalized name in sam_name_to_sid()

    name is never read again, we want lsa_name to be set.

    Found by covscan.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Volker Lendecke
    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Wed Dec 15 20:22:47 UTC 2021 on sn-devel-184

commit 4e9a58f376f60b16e88f0e34f35168fc3e260326
Author: Andreas Schneider
Date:   Tue Dec 14 16:13:51 2021 +0100

    lib:util: Initialize pid

    Found by covscan

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 31b9208d8390d2cb6fc784ff3486cab27a187b98
Author: Andreas Schneider
Date:   Tue Dec 14 16:12:43 2021 +0100

    lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()

    Found by covscan.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 092e11295a9cfaed1cc0b70a4d1e25a6a106826c
Author: Andreas Schneider
Date:   Tue Dec 14 15:46:05 2021 +0100

    s3:winbindd: Remove dead code from sam_rids_to_names()

    domain_name is never NULL in this case.

    Found by covscan.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 116123e9214cfc9a2c2c0f5ffe223f65ae03da05
Author: Andreas Schneider
Date:   Tue Dec 14 15:42:06 2021 +0100

    s4:dns_server: Remove less-than-zero comparison of an unsigned value

    This will never be true.

    Found by covscan

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 90fd7674f81ca03485908ea483d6c9a5631a0179
Author: Andreas Schneider
Date:   Tue Dec 14 15:38:45 2021 +0100

    ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()

    Found by covscan.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 3397e04d7149f22604e6213e833190da7ce1a5ac
Author: Andreas Schneider
Date:   Fri Dec 10 15:10:39 2021 +0100

    s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit e25af2bc4f18e2c497c64e654b3059a1949c909e
Author: Andreas Schneider
Date:   Fri Dec 10 15:06:03 2021 +0100

    lib:util: Check return value of tdb_parse_record()

    This makes covscan happy.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit e8e1a74da3f5ba4850a6f4ad8b54ea2ac5703710
Author: Andreas Schneider
Date:   Fri Dec 10 15:03:20 2021 +0100

    s3:lib: Do not close fd = -1 on fail in netapi example

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison

commit 9bd0fbf5e8d2e4cf65d5d26311a8b510eef3eba5
Author: Andreas Schneider
Date:   Fri Dec 10 14:56:08 2021 +0100

    s3:lib: Fix memory leak in netapi examples

    Found by covscan.

Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison --- Summary of changes: ctdb/client/client_control_sync.c| 12 lib/krb5_wrap/krb5_samba.c | 5 + lib/util/pidfile.c | 2 +- lib/util/util_tdb.c | 7 +-- source3/lib/netapi/examples/common.c | 12 +--- source3/libnet/libnet_join_offline.c | 4 +++- source3/winbindd/winbindd_samr.c | 11 ++- source4/dns_server/pydns.c | 2 +- 8 files changed, 34 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/client/client_control_sync.c b/ctdb/client/client_control_sync.c index e9f97dd0f30..1459dc09b46 100644 --- a/ctdb/client/client_control_sync.c +++ b/ctdb/client/client_control_sync.c @@ -2667,8 +2667,10 @@ int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx, int destnode, struct
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  c8c3c547646 s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().
       via  6000d3408e3 s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.
       via  834aa7bb011 s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.
       via  d508dff6345 s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().
       via  eabcaa2e554 s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().
       via  de88369c358 s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO, use helper function vfs_stat().
       via  80e3f4e5ca6 s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO on a named stream case, use helper function vfs_stat().
       via  8c0f34f0570 s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QFILEINFO case, use helper function vfs_stat().
       via  eb0e68d0e7a s3: smbd: In parent_dirname_compatible_open(), use helper function vfs_stat().
       via  04a4cd2ada7 s3: smbd: In vfs_stat_smb_basename() use vfs_stat() helper function.
       via  b0a41119f4c s3: smbd: In smbd_smb2_getinfo_send(), use vfs_stat() utility function.
       via  da2d61ba80d s3: smbd: In stat_cache_lookup(), remove unused posix_paths param.
       via  d8f09c1bf09 s3: smbd: In stat_cache_lookup(), use vfs_stat() utility function.
       via  c94d919fd9c s3: smbd: In setup_close_full_information() the posix_open parameter is not needed anymore.
       via  89574ed33ba s3: smbd: In setup_close_full_information() use vfs_stat() helper function.
       via  8767f60a0a2 s3: smbd: In check_parent_exists() use utility function vfs_stat().
      from  0f4eca775aa tests/krb5: Add tests for AS-REQ to self with FAST

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit c8c3c547646c2f91c63b5a195476d5bed88ae2a1
Author: Jeremy Allison
Date:   Tue Dec 14 09:50:12 2021 -0800

    s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().

    We know at this point that we have VALID_STAT(smb_fname->st).

    Signed-off-by: Jeremy Allison
    Reviewed-by: Noel Power
    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Wed Dec 15 19:26:50 UTC 2021 on sn-devel-184

commit 6000d3408e303936eaccdc06d4e7f3087834ce13
Author: Jeremy Allison
Date:   Tue Dec 14 09:46:51 2021 -0800

    s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.

    qpathinfo must operate on an existing file, so we can exit early
    if filename_convert() returned the "new file" NT_STATUS_OK,
    !VALID_STAT case.

    Signed-off-by: Jeremy Allison
    Reviewed-by: Noel Power

commit 834aa7bb0118ad3fab7cc2bb80d9be48f2e5b7e4
Author: Jeremy Allison
Date:   Mon Dec 13 16:54:07 2021 -0800

    s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.

    If we need a valid filesystem object, and we have a !VALID_STAT()
    return from filename_convert(), the previous commit has already
    errored out. We don't need a re-stat call here.

    Signed-off-by: Jeremy Allison
    Reviewed-by: Noel Power

commit d508dff634509eb9c3a69ef628f618eeeda34d9b
Author: Jeremy Allison
Date:   Mon Dec 13 16:48:14 2021 -0800

    s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().

    Remember, filename_convert() can return NT_STATUS_OK with
    !VALID_STAT() if the last component doesn't exist, as this may be
    an object create.

    For call_trans2setfilepathinfo(), there are only 4 info levels for
    the TRANSACT2_SETPATHINFO (pathname) case that don't require an
    existing filesystem object (i.e. a VALID_STAT()) in the return from
    filename_convert() as they can create an object in the filesystem.

    If we don't get a VALID_STAT() and the info level isn't one of
    those 4, error out.

    Signed-off-by: Jeremy Allison
    Reviewed-by: Noel Power

commit eabcaa2e5545abce9363b729a8128046e10a6191
Author: Jeremy Allison
Date:   Mon Dec 13 14:19:35 2021 -0800

    s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().

    This isn't a change in behavior, even though the old comment says:
    "Always do lstat for UNIX calls".

    A previous commit enforces POSIX pathname negotiation before
    allowing UNIX info levels to be processed here, so we can guarantee
    that SMB_FILENAME_POSIX_PATH is set on smb_fname if we're allowing
    a UNIX info level.

    Signed-off-by: Jeremy Allison
    Reviewed-by: Noel Power

commit
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 31b3f67 Add Samba 4.14.11 via 4bdb81c NEWS[4.14.11]: Samba 4.14.11 Available for Download from d2cf214 Add Samba 4.13.15 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 31b3f67002f39691137ca1a92dcd264124830b43 Author: Jule Anger Date: Wed Dec 15 15:53:53 2021 +0100 Add Samba 4.14.11 Signed-off-by: Jule Anger commit 4bdb81c3703bd8723cea4b4cf6389de00f6e7d3f Author: Jule Anger Date: Wed Dec 15 15:52:32 2021 +0100 NEWS[4.14.11]: Samba 4.14.11 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html| 1 + history/{samba-4.13.15.html => samba-4.14.11.html} | 35 +++--- posted_news/20211215-145316.4.14.11.body.html | 13 posted_news/20211215-145316.4.14.11.headline.html | 3 ++ 4 files changed, 41 insertions(+), 11 deletions(-) copy history/{samba-4.13.15.html => samba-4.14.11.html} (56%) create mode 100644 posted_news/20211215-145316.4.14.11.body.html create mode 100644 posted_news/20211215-145316.4.14.11.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 780d609..54db929 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -13,6 +13,7 @@ samba-4.15.2 samba-4.15.1 samba-4.15.0 + samba-4.14.11 samba-4.14.10 samba-4.14.9 samba-4.14.8 diff --git a/history/samba-4.13.15.html b/history/samba-4.14.11.html similarity index 56% copy from history/samba-4.13.15.html copy to history/samba-4.14.11.html index cda5ff1..bb2a0e9 100644 --- a/history/samba-4.13.15.html +++ b/history/samba-4.14.11.html 
@@ -2,38 +2,38 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> http://www.w3.org/1999/xhtml;> -Samba 4.13.15 - Release Notes +Samba 4.14.11 - Release Notes -Samba 4.13.15 Available for Download +Samba 4.14.11 Available for Download -https://download.samba.org/pub/samba/stable/samba-4.13.15.tar.gz;>Samba 4.13.15 (gzipped) -https://download.samba.org/pub/samba/stable/samba-4.13.15.tar.asc;>Signature +https://download.samba.org/pub/samba/stable/samba-4.14.11.tar.gz;>Samba 4.14.11 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.14.11.tar.asc;>Signature -https://download.samba.org/pub/samba/patches/samba-4.13.14-4.13.15.diffs.gz;>Patch (gzipped) against Samba 4.13.14 -https://download.samba.org/pub/samba/patches/samba-4.13.14-4.13.15.diffs.asc;>Signature +https://download.samba.org/pub/samba/patches/samba-4.14.10-4.14.11.diffs.gz;>Patch (gzipped) against Samba 4.14.10 +https://download.samba.org/pub/samba/patches/samba-4.14.10-4.14.11.diffs.asc;>Signature === - Release Notes for Samba 4.13.15 + Release Notes for Samba 4.14.11 December 15, 2021 === -This is the latest stable release of the Samba 4.13 release series. +This is the latest stable release of the Samba 4.14 release series. Important Notes === -There have been a few regressions in the security release 4.13.14: +There have been a few regressions in the security release 4.14.10: o CVE-2020-25717: A user on the domain can become root on domain members. https://www.samba.org/samba/security/CVE-2020-25717.html PLEASE [RE-]READ! The instructions have been updated and some workarounds - initially adviced for 4.13.14 are no longer required and + initially adviced for 4.14.10 are no longer required and should be reverted in most cases. o BUG-14902: User with multiple spaces (eg FredspacespaceNurk) become 
@@ -41,29 +41,42 @@ o BUG-14902: User with multiple spaces (eg FredspacespaceNurk) b adviced to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. -Changes since 4.13.14 +Changes since 4.14.10 - +o Jeremy Allison j...@samba.org + * BUG 14878: Recursive directory delete with veto files is broken. + * BUG 14879: A directory containing dangling symlinks cannot be deleted by + SMB2 alone when they are the only entry in the directory. + o Andrew Bartlett abart...@samba.org * BUG 14656: Spaces incorrectly collapsed in ldb attributes. + * BUG 14694: Ensure that the LDB request has not timed out during filter + processing as the LDAP server M
[SCM] Samba Shared Repository - branch v4-14-stable updated
The branch, v4-14-stable has been updated
       via  ae3229e76d0 VERSION: Disable GIT_SNAPSHOT for the 4.14.11 release.
       via  808afc79cc9 WHATSNEW: Add release notes for Samba 4.14.11.
       via  08eb470b9c5 smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
       via  25c97fc3a0f smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
       via  016d9c40bca smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
       via  fd82e1e4bad smb2_server: decouple IOCTL check from signing/encryption states
       via  ea6db15c314 smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
       via  8eb06f10a12 s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
       via  fd8864ef4fe libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
       via  4d2d5a3c66a s3:smbd: remove dead code from smbd_smb2_request_dispatch()
       via  3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0
       via  ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
       via  b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression
       via  aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter.
       via  b61fb49a7a9 s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
       via  7034f9b765d s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
       via  66d688cea2b s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
       via  3d4761cf04d s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
       via  37804062ea7 s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
       via  67c85f0ce8e s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
       via  db8eb865b53 s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
       via  3e8d6e681f8 CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
       via  3a4eb50cf74 CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
       via  d92dfb0dabf CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
       via  08c9016cb9f CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
       via  f9b2267c6eb CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
       via  f72090064bd CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
       via  dc71ae17782 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
       via  8ccb26c679b CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
       via  ff3798418e8 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
       via  9bef6bc6cf0 CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
       via  f00c993f0c7 CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
       via  8bed2c3f7a9 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
       via  1bd06f8cb35 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
       via  75ab0a306fc IPA DC: add missing checks
       via  5b1d789632f s3:winbindd: fix "allow trusted domains = no" regression
       via  4a106c2322c lib: handle NTTIME_THAW in nt_time_to_full_timespec()
       via  4e2c7c66c96 torture: add a test for NTTIME_FREEZE and NTTIME_THAW
       via  7e1a65ed980 lib: add a test for null_nttime(NTTIME_THAW)
       via  38ac4c09474 lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
       via  f8fec80020e lib: use NTTIME_FREEZE in a null_nttime() test
       via  43f873d52ab lib: fix null_nttime() tests
       via  ac6f4c093b8 lib: add NTTIME_THAW
       via  a1dae6a208a VERSION: Bump version up to Samba 4.14.11...
      from  9312b1832e5 VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable

- Log -
---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 90 +-
 auth/gensec/schannel.c | 1 +
 docs-xml/smbdotconf/filename/deletevetofiles.xml | 9 +-
 lib/ldb/ldb_key_value/ldb_kv.c | 2 +
 lib/ldb/ldb_key_value/ldb_kv.h | 10 +
 lib/ldb/ldb_key_value/ldb_kv_index.c | 41 +++
 lib/ldb/ldb_key_value/ldb_kv_search.c | 33 +-
 lib/util/tests/time.c
[SCM] Samba Shared Repository - annotated tag samba-4.14.11 created
The annotated tag, samba-4.14.11 has been created
        at  8a8cde240a953ac46920742e628cd77b1837459e (tag)
   tagging  ae3229e76d04e79addb2fa03319365a2f7675a82 (commit)
  replaces  samba-4.14.10
 tagged by  Jule Anger
        on  Wed Dec 15 15:52:11 2021 +0100

- Log -
samba: tag release samba-4.14.11

Alexander Bokovoy (1):
      IPA DC: add missing checks

Andrew Bartlett (6):
      CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
      CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
      CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
      CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
      CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
      dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

Jeremy Allison (8):
      s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
      s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
      s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
      s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
      s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
      s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
      s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
      s3: docs-xml: Clarify the "delete veto files" paramter.

Joseph Sutton (7):
      CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
      CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
      CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
      CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
      CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
      CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
      CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero

Jule Anger (2):
      WHATSNEW: Add release notes for Samba 4.14.11.
      VERSION: Disable GIT_SNAPSHOT for the 4.14.11 release.

Ralph Boehme (9):
      lib: add NTTIME_THAW
      lib: fix null_nttime() tests
      lib: use NTTIME_FREEZE in a null_nttime() test
      lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
      lib: add a test for null_nttime(NTTIME_THAW)
      torture: add a test for NTTIME_FREEZE and NTTIME_THAW
      lib: handle NTTIME_THAW in nt_time_to_full_timespec()
      CVE-2020-25717: s3-auth: fix MIT Realm regression
      smbd: s3-dsgetdcname: handle num_ips == 0

Stefan Metzmacher (11):
      VERSION: Bump version up to Samba 4.14.11...
      s3:winbindd: fix "allow trusted domains = no" regression
      CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
      s3:smbd: remove dead code from smbd_smb2_request_dispatch()
      libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
      s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
      smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
      smb2_server: decouple IOCTL check from signing/encryption states
      smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
      smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
      smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids

---

--
Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via 1d27e85826a VERSION: Bump version up to Samba 4.14.12... via ae3229e76d0 VERSION: Disable GIT_SNAPSHOT for the 4.14.11 release. via 808afc79cc9 WHATSNEW: Add release notes for Samba 4.14.11. from 08eb470b9c5 smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit 1d27e85826afb4571bc2c6dcda7c2c4f984a6726 Author: Jule Anger Date: Wed Dec 15 15:47:30 2021 +0100 VERSION: Bump version up to Samba 4.14.12... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit ae3229e76d04e79addb2fa03319365a2f7675a82 Author: Jule Anger Date: Wed Dec 15 15:46:52 2021 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.14.11 release. Signed-off-by: Jule Anger commit 808afc79cc9ac85e094c87d47537e6b5fa2f9f5b Author: Jule Anger Date: Wed Dec 15 15:46:22 2021 +0100 WHATSNEW: Add release notes for Samba 4.14.11. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 90 ++-- 2 files changed, 89 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 96e3ed0ae96..4b80d608672 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=14 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f81a31d49b0..ea20a3ea952 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,90 @@ + === + Release Notes for Samba 4.14.11 + December 15, 2021 + === + + +This is the latest stable release of the Samba 4.14 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.14.10: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.14.10 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.14.10 +- + +o Jeremy Allison + * BUG 14878: Recursive directory delete with veto files is broken. + * BUG 14879: A directory containing dangling symlinks cannot be deleted by + SMB2 alone when they are the only entry in the directory. + +o Andrew Bartlett + * BUG 14656: Spaces incorrectly collapsed in ldb attributes. + * BUG 14694: Ensure that the LDB request has not timed out during filter + processing as the LDAP server MaxQueryDuration is otherwise not honoured. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredNurk) become un- + deletable. + +o Ralph Boehme + * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + * BUG 14923: Segmentation fault when joining the domain. + +o Alexander Bokovoy + * BUG 14903: Support for ROLE_IPA_DC is incomplete. + +o Stefan Metzmacher + * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before + smbd_smb2_ioctl_send. + * BUG 14899: winbindd doesn't start when "allow trusted domains" is off. 
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + +o Joseph Sutton + * BUG 14694: Ensure that the LDB request has not timed out during filter + processing as the LDAP server MaxQueryDuration is otherwise not honoured. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to
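Review bot: spelling in the Important Notes block of the WHATSNEW.txt hunk: "adviced" appears twice ("initially adviced for 4.14.10" and "it is adviced to have a look") and should read "advised". The BUG-14902 line in the same block, "User with multiple spaces ... become un-deletable", also needs subject and verb to agree ("Users ... become" or "A user ... becomes"). The same wording shows up in the history/samba-4.14.11.html release page, so correcting it here keeps the security notice clean wherever it is republished.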
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via d2cf214 Add Samba 4.13.15 via 431842b NEWS[4.13.15]: Samba 4.13.15 Available for Download from 0dccc6d Add Samba 4.15.3 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit d2cf21444c4ef0bc9f401ff75e8e889c4d43f85a Author: Jule Anger Date: Wed Dec 15 15:23:56 2021 +0100 Add Samba 4.13.15 Signed-off-by: Jule Anger commit 431842b0adb0a54282599a07f30d69429fc56a4c Author: Jule Anger Date: Wed Dec 15 15:21:55 2021 +0100 NEWS[4.13.15]: Samba 4.13.15 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.13.15.html| 74 +++ posted_news/20211215-142249.4.13.15.body.html | 13 posted_news/20211215-142249.4.13.15.headline.html | 3 + 4 files changed, 91 insertions(+) create mode 100644 history/samba-4.13.15.html create mode 100644 posted_news/20211215-142249.4.13.15.body.html create mode 100644 posted_news/20211215-142249.4.13.15.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 25c3521..780d609 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -24,6 +24,7 @@ samba-4.14.2 samba-4.14.1 samba-4.14.0 + samba-4.13.15 samba-4.13.14 samba-4.13.13 samba-4.13.12 diff --git a/history/samba-4.13.15.html b/history/samba-4.13.15.html new file mode 100644 index 000..cda5ff1 --- /dev/null +++ b/history/samba-4.13.15.html 
@@ -0,0 +1,74 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.13.15 - Release Notes + + +Samba 4.13.15 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.13.15.tar.gz;>Samba 4.13.15 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.13.15.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.13.14-4.13.15.diffs.gz;>Patch (gzipped) against Samba 4.13.14 +https://download.samba.org/pub/samba/patches/samba-4.13.14-4.13.15.diffs.asc;>Signature + + + + === + Release Notes for Samba 4.13.15 + December 15, 2021 + === + + +This is the latest stable release of the Samba 4.13 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.13.14: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.13.14 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredspacespaceNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.13.14 +- + +o Andrew Bartlett abart...@samba.org + * BUG 14656: Spaces incorrectly collapsed in ldb attributes. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredspacespaceNurk) become un- + deletable. + +o Ralph Boehme s...@samba.org + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + +o Alexander Bokovoy a...@samba.org + * BUG 14903: Support for ROLE_IPA_DC is incomplete. 
+ +o Stefan Metzmacher me...@samba.org + * BUG 14899: winbindd doesnt start when allow trusted domains is off. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + +o Joseph Sutton josephsut...@catalyst.net.nz + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + + + + + + diff --git a/posted_news/20211215-142249.4.13.15.body.html b/posted_news/20211215-142249.4.13.15.body.html new file mode 100644 index 000..9830913 --- /dev/null +++ b/posted_news/20211215-142249.4.13.15.body.html @@ -0,0 +1,13 @@ + +15 December 2021 +Samba 4.13.15 Available for Download + +This is the latest stable release of the Samba 4.13 release series. + + +The uncompressed tarball has been sign
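Review bot: In the Important Notes block of history/samba-4.13.15.html, "adviced" appears twice ("initially adviced for 4.13.14" and "it is adviced to have a look") and should read "advised". The BUG-14902 line also mixes singular and plural in "User with multiple spaces ... become un-deletable"; use either "Users ... become" or "A user ... becomes". The same wording is in the WHATSNEW.txt hunk pushed to v4-13-stable, so the fix belongs in both places.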
[SCM] Samba Shared Repository - branch v4-13-stable updated
The branch, v4-13-stable has been updated via c02edb51e7f VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release. via 0bdce27ce0e WHATSNEW: Add release notes for Samba 4.13.15. via dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 1e27b820dff CVE-2020-25717: s3-auth: fix MIT Realm regression via 105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails via 32ba258cd75 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs via a40c007fb55 CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss via 0a56d233bfd CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts via 302bb70ebc9 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials via a6eddc3bd7a CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain via fadf4963450 IPA DC: add missing checks via b7158d4ce85 s3:winbindd: fix "allow trusted domains = no" regression via 959fb5a4c69 VERSION: Bump version up to Samba 4.13.15... from db11778b576 VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 77 +++- auth/gensec/schannel.c | 1 + nsswitch/nsstest.c | 2 +- python/samba/tests/krb5/kdc_base_test.py| 42 + python/samba/tests/krb5/test_idmap_nss.py | 232 python/samba/tests/usage.py | 1 + selftest/target/Samba.pm| 2 +- selftest/target/Samba3.pm | 24 ++- source3/auth/auth_util.c| 34 +++- source3/auth/user_krb5.c| 9 + source3/rpc_server/lsa/srv_lsa_nt.c | 1 + source3/winbindd/idmap_nss.c| 26 ++- source3/winbindd/winbindd_util.c| 2 +- source4/dsdb/samdb/ldb_modules/operational.c| 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +- source4/selftest/tests.py | 18 +- 17 files changed, 469 insertions(+), 19 deletions(-) create mode 100755 python/samba/tests/krb5/test_idmap_nss.py Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 50b46ed4289..06b6f42b27a 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 40753b2b500..60b7c75f90b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,77 @@ + === + Release Notes for Samba 4.13.15 + December 15, 2021 + === + + +This is the latest stable release of the Samba 4.13 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.13.14: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.13.14 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.13.14 +- + +o Andrew Bartlett + * BUG 14656: Spaces incorrectly collapsed in ldb attributes. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredNurk) become un- + deletable. + +o Ralph Boehme + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + +o Alexander Bokovoy + * BUG 14903: Support for ROLE_IPA_DC is incomplete. + +o Stefan Metzmacher + * BUG 14899: winbindd doesn't start when "allow trusted domains" is off. + * BUG 14901: The CVE-2020-25717 username map [script]
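Review bot: The CVE-2020-25717 entry under Important Notes in WHATSNEW.txt says some workarounds "should be reverted in most cases" but does not name them. The changelog further down points at BUG 14901 (the username map [script] advice and its side effects on the local nt token), so naming that workaround and the bug number in the note itself would tell an administrator which smb.conf change to look for before they open the advisory.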
[SCM] Samba Shared Repository - annotated tag samba-4.13.15 created
The annotated tag, samba-4.13.15 has been created at 765fbab91fc5af992b3ebe1542ffd5e0b010a891 (tag) tagging c02edb51e7f276337a99974c74d522c3069051be (commit) replaces samba-4.13.14 tagged by Jule Anger on Wed Dec 15 15:21:41 2021 +0100 - Log - samba: tag release samba-4.13.15 Alexander Bokovoy (1): IPA DC: add missing checks Andrew Bartlett (2): CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object Joseph Sutton (4): CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs Jule Anger (2): WHATSNEW: Add release notes for Samba 4.13.15. VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release. Ralph Boehme (1): CVE-2020-25717: s3-auth: fix MIT Realm regression Stefan Metzmacher (3): VERSION: Bump version up to Samba 4.13.15... 
s3:winbindd: fix "allow trusted domains = no" regression CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via c3f170643bb VERSION: Bump version up to Samba 4.13.16... via c02edb51e7f VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release. via 0bdce27ce0e WHATSNEW: Add release notes for Samba 4.13.15. from dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit c3f170643bbc3024aba3dae819cf9c5ba35733f8 Author: Jule Anger Date: Wed Dec 15 15:14:27 2021 +0100 VERSION: Bump version up to Samba 4.13.16... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit c02edb51e7f276337a99974c74d522c3069051be Author: Jule Anger Date: Wed Dec 15 15:12:59 2021 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release. Signed-off-by: Jule Anger commit 0bdce27ce0e5a90d1167a73da9f4d1c073283571 Author: Jule Anger Date: Wed Dec 15 15:12:25 2021 +0100 WHATSNEW: Add release notes for Samba 4.13.15. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 77 ++-- 2 files changed, 76 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 15f13761633..7a649fa0fc9 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=16 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 40753b2b500..60b7c75f90b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,77 @@ + === + Release Notes for Samba 4.13.15 + December 15, 2021 + === + + +This is the latest stable release of the Samba 4.13 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.13.14: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.13.14 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.13.14 +- + +o Andrew Bartlett + * BUG 14656: Spaces incorrectly collapsed in ldb attributes. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredNurk) become un- + deletable. + +o Ralph Boehme + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + +o Alexander Bokovoy + * BUG 14903: Support for ROLE_IPA_DC is incomplete. + +o Stefan Metzmacher + * BUG 14899: winbindd doesn't start when "allow trusted domains" is off. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + +o Joseph Sutton + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. 
If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + === Release Notes for Samba 4.13.14 November 9, 2021 @@ -103,8 +177,7 @@ database
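Review bot: The BUG-14902 entry under Important Notes in the first WHATSNEW.txt hunk says this release "should fix this bug" and then defers to the bug report, but it does not say whether accounts that already became un-deletable on 4.13.14 are repaired by upgrading or need manual cleanup. One sentence stating which case applies would answer the first question an administrator hit by the regression will have.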