[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  b74b9f4b06c CVE-2023-0922 set default ldap client sasl wrapping to seal
       via  c33e78a27fb CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
       via  62cc4302b67 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
       via  8b4e6f7b3fb s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
       via  82d2ec786f7 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
       via  d2bbb47a7ce ldb: Use correct member of union
       via  dfe7b057304 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
       via  9b8dd83fd02 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
       via  f6e93e2b3d9 CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
       via  f188b6a978f CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
       via  15eac7676b2 CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
       via  449c2e99e27 CVE-2023-0614 ldb: Filter on search base before redacting message
       via  9f31e4139c1 CVE-2023-0614 ldb: Centralise checking for inaccessible matches
       via  197633cc2ad CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
       via  3a70c6464de CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
       via  d5d0e712797 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
       via  748bbbe70d2 CVE-2023-0614 s4-acl: Split out function to set up access checking variables
       via  da8138c50e6 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
       via  5c334918a22 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
       via  fdeb6ea15c7 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
       via  f995c3805dd CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
       via  16487691c02 CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
       via  d3fa2cb5ddd CVE-2023-0614 s4:dsdb:tests: Fix search in confidential attributes test
       via  f154fad3c1b CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
       via  fffea590017 CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
       via  f25b1756aac CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
       via  131d4176044 CVE-2023-0614 ldb: Add function to filter message in place
       via  784a342785f CVE-2023-0614 ldb: Add function to add distinguishedName to message
       via  721493f4bde CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
       via  b18ed9ae975 CVE-2023-0614 ldb: Add function to take ownership of an ldb message
       via  294a4f6e286 CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
       via  1debb6584e4 CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
       via  a43977499c0 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
       via  ca9c467e413 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
       via  17feef18bf5 CVE-2023-0614 s4-acl: Make some parameters const
       via  a7222faade7 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
       via  6d2d1e7df43 CVE-2023-0614 libcli/security: Make some parameters const
       via  5fd0811ffac CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
      from  f5d04a43cf6 python:join: fix reused variable name in provision func

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit b74b9f4b06c24b16bf3daac96127e62b75f5b9ed
Author: Rob van der Linde
Date:   Mon Feb 27 14:06:23 2023 +1300

    CVE-2023-0922 set default ldap client sasl wrapping to seal

    This avoids sending new or reset passwords in the clear (integrity protected only) from samba-tool in particular.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

    Signed-off-by: Rob van der Linde
    Signed-off-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Apr 5 03:08:51 UTC 2023 on atb-devel-224

commit c33e78a27fbeb913b08ef7f74343c1f652d1aa41
Author: Joseph Sutton
Date:   Mon Jan 9 11:22:34 2023 +1300

    CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values

    This early return would mistakenly allow an unprivileged user to delete the dNSHostName attribute by making an LDAP modify request with no values. We should no longer allow this. Add or replace operations with no values and no privileges are disallowed.

    BUG:
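
For the CVE-2023-0922 commit in the message above, an added example (not Samba code and not part of the original mail) of auditing an smb.conf for the effective `client ldap sasl wrapping` value. The function names and sample configs are constructed, and the pre-commit default of `sign` is an assumption passed in as `builtin_default`.

```python
import re

PARAM = "clientldapsaslwrapping"  # smb.conf ignores case and whitespace in names
RANK = {"plain": 0, "sign": 1, "seal": 2}

def effective_wrapping(conf_text, builtin_default="seal"):
    """Return the [global] value of 'client ldap sasl wrapping'.

    builtin_default is what the installed build uses when the option is
    absent: 'seal' from this commit on, assumed 'sign' on older builds.
    """
    section, value = None, builtin_default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = re.sub(r"\s+", "", header.group(1)).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if re.sub(r"\s+", "", name).lower() == PARAM:
            value = val.strip().lower()          # last occurrence wins
    return value

def audit(conf_text, builtin_default="seal"):
    """Return (effective value, finding) for one smb.conf."""
    value = effective_wrapping(conf_text, builtin_default)
    if value not in RANK:
        return (value, "unknown value, check manually")
    if RANK[value] < RANK["seal"]:
        return (value, "LDAP traffic is not encrypted on the wire")
    return (value, "ok")

# Constructed sample configurations (not taken from a real host).
EXPLICIT_SIGN = "[global]\n  workgroup = EXAMPLE\n  Client LDAP SASL Wrapping = sign\n"
NO_SETTING = "[global]\n  workgroup = EXAMPLE\n"
SHARE_ONLY = "[global]\n  workgroup = EXAMPLE\n[data]\n  client ldap sasl wrapping = plain\n"

if __name__ == "__main__":
    for name, conf in [("explicit", EXPLICIT_SIGN), ("unset", NO_SETTING)]:
        print(name, audit(conf), audit(conf, builtin_default="sign"))
```

An explicit `sign` or `plain` in `[global]` still overrides the new default, so a patched client with such a line remains integrity-only or unprotected.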
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  f5d04a43cf6 python:join: fix reused variable name in provision func
       via  e258ea12b01 s4:kdc: Allocate claim value on values context
       via  3b72dde2027 tests/krb5: Add tests for constructed (authentication silo) claims
       via  75aecbe6203 tests/krb5: Add method to create authentication silo claim
       via  dc4c51f353a tests/krb5: Add method to create an authentication silo
       via  8855b525ce1 tests/krb5: Add methods to get authentication policy DNs
       via  9b96855f370 tests/krb5: Check only for the canonical representation of a security descriptor
       via  f1174c6e0c4 librpc/ndr: Fix NULL pointer dereference
       via  d0d588558d9 Update WHATSNEW.txt
       via  960fe1ca273 s3:utils: s3:utils: Correctly wire winbind ccache support for smbget
       via  e22eccbe889 s3:utils: Correctly wire NT hash support for smbget
       via  61424dd2218 auth: Add cli_credentials_is_password_nt_hash()
       via  97c0982bad9 auth: Remove trailing white spaces in credentials_ntlm.c
       via  96914246d36 auth: Remove trailing white spaces in credentials.h
       via  de702cb5b18 s3:tests: Add test with testdenied_...@realm.upn
       via  3fa25a77ca9 s3:tests: Add a kerberos trust test for smbget
       via  9392a581dbb s3:tests: Add kerberos test for smbget
       via  267ea547129 s3:utils: Correctly wire Kerberos support for smbget
       via  a2ba787780c s3:tests: Add encryption test for smbget
       via  ada8cd6a627 s3:utils: Correctly wire encryption for smbget
       via  f531dd19826 docs-xml: Remove smbgetrc manpage
       via  7f8a814c7ad docs-xml: Update smbget manpage
       via  20b5d98ce58 s3:utils: Use common command line parser for smbget
       via  42b47e20e71 s3:tests: Use long options for smbget in test_smbget.sh
       via  0e07d0ac220 s3:utils: Add support for parsing domain/UPN in username for smbget
       via  34d4ac9907c s3:utils: Always cleanup when leaving smbget main()
       via  1f3f88603a4 s3:tests: Add smbget msdfs link test with domain and UPN
       via  d81acef3924 s3:tests: Add domain and UPN test for smbget
       via  1104916d227 s3:tests: Also clear the download area in smbget msdfs_link test
       via  9c76563ba24 s3:selftest: Pass REALM to samba.blackbox.smbget
       via  badbbceb76f s3:selftest: Move samba3.blackbox.smbget to ad_member
       via  acf259c7e0b s3:selftest: Move the smbget share to the provision function
      from  925b026a235 lib:ldb:tests: Fix code spelling

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit f5d04a43cf6b32aa8ea443bc5ac485581d77d200
Author: John Mulligan
Date:   Fri Mar 24 15:11:59 2023 -0400

    python:join: fix reused variable name in provision func

    Recent updates to run adprep during the provision function re-used a variable name that was already in use as a string. This reassignment changed the type of the referenced object. This variable name is later used to setup the mit krb5 kdc conf and expects the var to contain a string.

    When executed with default cli options on a mit krb5 based build samba tool fails with a traceback:
    ```
    INFO 2023-03-23 21:22:50,399 pid:6 /usr/lib64/python3.10/site-packages/samba/provision/__init__.py #2021: Fixing provision GUIDs
    ERROR(): uncaught exception - 'DomainUpdate' object has no attribute 'upper'
      File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py", line 230, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py", line 555, in run
        result = provision(self.logger,
      File "/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line 2408, in provision
        create_kdc_conf(paths.kdcconf, realm, domain, os.path.dirname(lp.get("log file")))
      File "/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line 43, in create_kdc_conf
        domain = domain.upper()
    ```

    This change removes the re-use of the existing var name by chaining the calls.

    Fixes: 4bba26579d1

    Signed-off-by: John Mulligan
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Apr 5 02:02:29 UTC 2023 on atb-devel-224

commit e258ea12b01c2f01f049f95c9c7e4c7ec0ada6d6
Author: Joseph Sutton
Date:   Mon Apr 3 13:07:30 2023 +1200

    s4:kdc: Allocate claim value on values context

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 3b72dde2027fe7bffa03f6022fd2a5aef26845fa
Author: Joseph Sutton
Date:   Mon Apr 3 13:24:12 2023 +1200

    tests/krb5: Add tests for constructed (authentication silo) claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 75aecbe62030c386e93d179e1cb1aebb6e916df9
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  925b026a235 lib:ldb:tests: Fix code spelling
       via  a8c571e9831 lib:ldb:nssldb: Fix code spelling
       via  73d04200bc0 lib:ldb:ldb_sqlite3: Fix code spelling
       via  4eac2614b3d lib:ldb:ldb_map: Fix code spelling
       via  594d6ef444f lib:ldb:ldb_key_value: Fix code spelling
       via  f75adc4871b lib:ldb:include: Fix code spelling
       via  fc28daa6c72 lib:ldb:common: Fix code spelling
       via  1bb75c5471d docs-xml: Fix spelling in Samba-Developers-Guide
       via  a9d4915cd62 docs-xml: Fix spelling in smb.conf manpage
       via  0007102d2b5 docs-xml: Fix spelling in manpages
       via  409ede2d1f1 ctdb:doc: Fix code spelling
       via  e081fa4cc9e bootstrap: Fix spelling in README.md
       via  856f584107a Fix spelling in README.Coding.md
      from  38d2ca0a670 smbd: Indicate posix pathnames if SMB311 POSX cc requested

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 925b026a2351bead78b622d026429a45809475a3
Author: Andreas Schneider
Date:   Mon Apr 3 10:21:21 2023 +0200

    lib:ldb:tests: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Tue Apr 4 08:30:28 UTC 2023 on atb-devel-224

commit a8c571e98319f6e96dd08cd530146bd08954c3f3
Author: Andreas Schneider
Date:   Mon Apr 3 10:17:14 2023 +0200

    lib:ldb:nssldb: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 73d04200bc0d19ec3c0649237d2be8af0757e3bd
Author: Andreas Schneider
Date:   Mon Apr 3 10:16:26 2023 +0200

    lib:ldb:ldb_sqlite3: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 4eac2614b3d98c12578b1050cee5aa16377082e1
Author: Andreas Schneider
Date:   Mon Apr 3 10:15:08 2023 +0200

    lib:ldb:ldb_map: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 594d6ef444fddde6d3b451df5671bdcd148a644b
Author: Andreas Schneider
Date:   Mon Apr 3 10:13:18 2023 +0200

    lib:ldb:ldb_key_value: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit f75adc4871bdd5230fda97642a5929f4610b508b
Author: Andreas Schneider
Date:   Mon Apr 3 10:10:17 2023 +0200

    lib:ldb:include: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit fc28daa6c7269cb94d0f7c52b4293dc0d3f10acc
Author: Andreas Schneider
Date:   Mon Apr 3 10:07:39 2023 +0200

    lib:ldb:common: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 1bb75c5471d729177071d95d3286616ed50a9184
Author: Andreas Schneider
Date:   Mon Apr 3 10:00:27 2023 +0200

    docs-xml: Fix spelling in Samba-Developers-Guide

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit a9d4915cd62ccd263f68143f82aa1aea28bb50c3
Author: Andreas Schneider
Date:   Mon Apr 3 09:58:47 2023 +0200

    docs-xml: Fix spelling in smb.conf manpage

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 0007102d2b56b4f870a89989ec9e7fb31b514edc
Author: Andreas Schneider
Date:   Mon Apr 3 09:56:46 2023 +0200

    docs-xml: Fix spelling in manpages

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 409ede2d1f15cebc3f8cb57e5074d5997da587fa
Author: Andreas Schneider
Date:   Mon Apr 3 09:48:38 2023 +0200

    ctdb:doc: Fix code spelling

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit e081fa4cc9e02e230e0e9704b873be17030ed53e
Author: Andreas Schneider
Date:   Mon Apr 3 09:45:42 2023 +0200

    bootstrap: Fix spelling in README.md

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 856f584107af60364ae58137f26d89a90ee3f4a0
Author: Andreas Schneider
Date:   Mon Apr 3 09:44:45 2023 +0200

    Fix spelling in README.Coding.md

    Best reviewed with: `git show --word-diff`.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

---

Summary of changes: README.Coding.md
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 38d2ca0a670 smbd: Indicate posix pathnames if SMB311 POSX cc requested from 4b1d2051383 lib:krb5_wrap: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 38d2ca0a67087c202c380dd56422889fd0fc3c48 Author: Volker Lendecke Date: Sun Feb 12 12:35:28 2023 +0100 smbd: Indicate posix pathnames if SMB311 POSX cc requested Avoid making smb311 posix extensions a global thing. Posix clients could request non-posix behaviour on individual create calls. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Apr 4 07:04:13 UTC 2023 on atb-devel-224 --- Summary of changes: source3/smbd/smb2_create.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 93c345f5809..c8f5bbbe471 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -747,7 +747,7 @@ static NTSTATUS smbd_smb2_create_fetch_create_ctx( * ucf_flags_from_smb_request() to * return UCF_POSIX_PATHNAMES in ucf_flags. */ - state->smb1req->posix_pathnames = true; + state->smb1req->posix_pathnames = (state->posx != NULL); } return NT_STATUS_OK; -- Samba Shared Repository
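Review bot: No test accompanies the behaviour change at the posix_pathnames assignment in smbd_smb2_create_fetch_create_ctx(): the summary lists only source3/smbd/smb2_create.c, so nothing checks that a create call without the POSX context now leaves posix_pathnames false. Please add a test for that per-create case. The comment kept as context above the assignment still reads as if the flag is always set so that ucf_flags_from_smb_request() returns UCF_POSIX_PATHNAMES; it should say the value now follows state->posx != NULL, and that the assignment writes false when the context is absent rather than leaving the previous value in place.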