[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 18df99b VERSION: Disable GIT_SNAPSHOT for the 4.6.16 release. via cd2839a WHATSNEW: Add release notes for Samba 4.6.16. via 9f166c0 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case via 246e79f CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches via 9605ecc CVE-2018-10919 acl_read: Flip the logic in the dirsync check via 533106a CVE-2018-10919 acl_read: Small refactor to aclread_callback() via fa7bcea CVE-2018-10919 acl_read: Split access_mask logic out into helper function via f6cbad5 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights via 873ccd0 CVE-2018-10919 tests: test ldap searches for non-existent attributes. via 924f87c CVE-2018-10919 tests: Add test case for object visibility with limited rights via 3388706 CVE-2018-10919 tests: Add tests for guessing confidential attributes via 010d1f1 CVE-2018-10919 security: Add more comments to the object-specific access checks via 2878c22 CVE-2018-10919 security: Move object-specific access checks into separate function via 2711b66 CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers. via 6936d3e CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer. via 30428f3 VERSION: Bump version up to 4.6.16... from c4d44b9 VERSION: Disable GIT_SNAPSHOT for the 4.6.15 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -

commit 18df99ba0bfc466b877d5875bef3ab1279b0e7dc
Author: Karolin Seeger
Date: Mon Aug 13 09:25:13 2018 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.6.16 release.

o CVE-2018-10858 (Insufficient input validation on client directory listing in libsmbclient.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP server.)
Signed-off-by: Karolin Seeger

commit cd2839a1012c29bd72ad5f85884c93d5ac37442e
Author: Karolin Seeger
Date: Mon Aug 13 09:24:08 2018 +0200

WHATSNEW: Add release notes for Samba 4.6.16.

o CVE-2018-10858 (Insufficient input validation on client directory listing in libsmbclient.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP server.)

Signed-off-by: Karolin Seeger

commit 9f166c0222315393fef9b456f246dfae5a12439c
Author: Tim Beale
Date: Wed Aug 1 13:51:42 2018 +1200

CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case

The acl_read.c code contains a special case to allow dirsync to work-around having insufficient access rights. We had a concern that the dirsync module could leak sensitive information for deleted objects. This patch adds a test-case to prove whether or not this is happening.

The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it hangs around for deleted objects. Because the attributes now persist across test case runs, I've used a different attribute to normal. (Technically, the dirsync search expressions are now specific enough that the regular attribute could be used, but it would make things quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are now more complicated. Currently dirsync adds an extra-filter to the '!' searches to exclude deleted objects, i.e. samaccountname matches the test-objects AND the object is not deleted. We now extend this to include deleted objects with lastKnownParent equal to the test OU. The search expression matches either case so that we can use the same expression throughout the test (regardless of whether the object is deleted yet or not).

This test proves that the dirsync corner-case does not actually leak sensitive information on Samba.
This is due to a bug in the dirsync code - when the buggy line is removed, this new test promptly fails. Test also passes against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale
Reviewed-by: Andrew Bartlett
Reviewed-by: Gary Lockyer

commit 246e79f6ed34e6585eb22bb68aa558b85e0a6522
Author: Tim Beale
Date: Fri Jul 20 15:42:36 2018 +1200

CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches

A user that doesn't have access to view an attribute can still guess the attribute's value via repeated LDAP searches. This affects confidential attributes, as well as ACLs applied to an object/attribute to deny access. Currently the code will
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via c4d44b9 VERSION: Disable GIT_SNAPSHOT for the 4.6.15 release. via 46be020 WHATSNEW: Add release notes for Samba 4.6.15. via c90accf torture: Test compound request request counters via fb602bd s3:smb2_server: correctly maintain request counters for compound requests via e1c58ec s3: smbd: Unix extensions attempts to change wrong field in fchown call. via b11b0e0 s3:smbd: map nterror on smb2_flush errorpath via 24354b0 vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async via 94d91c9 s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir() via 8f4202e s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here. via 0afb85c tests/bind.py: Add a bind test with NTLMSSP with no domain via 96d9297 s3:cliconnect.c: remove useless ';' via bb14cec s3:libsmb: allow -U"\administrator" to work via d71e1a2 Merge tag 'samba-4.6.14' into v4-6-test via 2d2fb95 VERSION: Bump version up to 4.6.15... via 85fc0d5 build: fix libceph-common detection via 903 VERSION: Disable GIT_SNAPSHOT for the 4.6.14 release. via 5cabac8 WHATSNEW: Add release notes for Samba 4.6.14. 
via 58c2418 CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control via 03b1513 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID via 96261a0 CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control via 9e03a09 CVE-2018-1057: s4:dsdb/acl: run password checking only once via 43863fc CVE-2018-1057: s4/dsdb: correctly detect password resets via 0c2ef5f CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights() via 2cce162 CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control via a0e418a CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks via 4a8b22c CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights() via ed471f3 CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights() via a976076 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values via 4b93237 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE via 1610632 CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete via 5365141 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. via ae55cfe s3:smbd: Do not crash if we fail to init the session table via 8fe0589 libsmb: Use smb2 tcon if conn_protocol >= SMB2_02 via 3dadbb3 torture: Add test for channel sequence number handling via 597aba1 smbXcli: Add "force_channel_sequence" via 082c08e smbd: Fix channel sequence number checks for long-running requests via c3bce29 smbd: Remove a "!" 
from an if-condition for easier readability via 65992c6 torture4: Fix typos via dc5dbc6 smbd: Fix a typo via b726719 s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions via 7118165 s3:smbd: return the correct error for cancelled SMB2 notifies on expired sessions via f0e7a7c s4:torture: add smb2.session.expire2 test via d0c6802 Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData" via c190c37 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()" via e1a5f80 Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key" via 542382a Revert "s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob" via fb65808 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key" via 4afb9bd Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function" via cb60d1c Revert "s4:kdc: use the strongest possible tgs session key" via 0cd6906 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers" via 89f27fa Revert "TODO s4:kdc: indicate support for new encryption types by adding empty keys" via 3a54a04 Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets" via 56a40ab samba: Only use async signal-safe functions in signal handler via 670af37 subnet: Avoid a segfault when renaming subnet objects via f2e21e6 HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets via ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys via 075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via d64e68a VERSION: Disable GIT_SNAPSHOT for the 4.6.14 release. via 7d6f329 WHATSNEW: Add release notes for Samba 4.6.14. via 8300e8e CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control via c1de637 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID via 06032bf CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control via aee3832 CVE-2018-1057: s4:dsdb/acl: run password checking only once via c8aa8ff CVE-2018-1057: s4/dsdb: correctly detect password resets via 7f4fef0 CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights() via 39aa58a CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control via ddf8122 CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks via 67ad3bf CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights() via a529401 CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights() via 09eed84 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values via 116c4e3 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE via 429a17f CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete via 189d129 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. via 24df683b VERSION: Bump version up to 4.6.14... from fd09a02 VERSION: Disable GIT_SNAPSHOT for the 4.6.13 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -

commit d64e68abdb0c468467b6ea480dd2ede8c0315374
Author: Karolin Seeger
Date: Mon Mar 12 10:10:53 2018 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.6.14 release.

CVE-2018-1050 (Denial of Service Attack on external print server.)
CVE-2018-1057 (Authenticated users can change other users' password.)
Signed-off-by: Karolin Seeger

commit 7d6f3297eb5695b32074e05d904e5bc2927d8324
Author: Karolin Seeger
Date: Mon Mar 12 10:10:07 2018 +0100

WHATSNEW: Add release notes for Samba 4.6.14.

Signed-off-by: Karolin Seeger

commit 8300e8e8c5f94fd1873cd856bdd83f89cb771de1
Author: Ralph Boehme
Date: Thu Feb 15 23:11:38 2018 +0100

CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control

This is not strictly needed to fix bug 13272, but it makes sense to also fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit c1de637a37121d0e28d502d8b2ef507e7e8dd57f
Author: Ralph Boehme
Date: Fri Feb 16 15:38:19 2018 +0100

CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID

This is used to pass information about which password change operation (change or reset) the acl module validated, down to the password_hash module. It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit 06032bffca2352e3e7757214563f6e97d4f162df
Author: Ralph Boehme
Date: Fri Feb 16 15:30:13 2018 +0100

CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the ACL to the password_hash module, ensuring both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit aee383268a4252d23e12518c973ca0048de56b35
Author: Ralph Boehme
Date: Wed Feb 14 19:15:49 2018 +0100

CVE-2018-1057: s4:dsdb/acl: run password checking only once

This is needed, because a later commit will let the acl module add a control to the change request msg and we must ensure that this is only done once.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit c8aa8ffa40cf2cfb3ed2f295e55778b96418eebd
Author: Ralph Boehme
Date: Thu Feb 22 10:54:37 2018 +0100

CVE-2018-1057: s4/dsdb: correctly detect password resets

This change ensures we correctly treat the following LDIF dn:
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via fd09a02 VERSION: Disable GIT_SNAPSHOT for the 4.6.13 release. via 38e71ba WHATSNEW: Add release notes for Samba 4.6.13. via 666c680 build: fix ceph_statx check when configured with libcephfs_dir via 3015558 vfs_fruit: set delete-on-close for empty finderinfo via 9e47e9e vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close via c1e0396 vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream() via d95b278 s4/torture/fruit: enhance zero AFP_AfpInfo stream test via 26da45b s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized via 21d0446 vfs_default: use VFS statvfs macro in fs_capabilities via a6b780c vfs_ceph: add fs_capabilities hook to avoid local statvfs via 579b6a4 s3: smbd: Use identical logic to test for kernel oplocks on a share. via 6ba6125 smbd: Fix coredump on failing chdir during logoff via 60eb51d selftest: Add test for failing chdir call in smbd via e6ec5ae selftest: Make location of log file available in tests via 90d87d4 selftest: Add share for error injection testing via 919d16e vfs_error_inject: Add new module via d932fcf ctdb-recovery-helper: Deregister message handler in error paths via a3dc640 sysacls: change datatypes to 32 bits via e64528a pysmbd: fix use of sysacl API via f502340 HEIMDAL:kdc: fix dh->q allocation check in get_dh_param() via c6dfb4e HEIMDAL: don't bother seeing q if not sent via 03c69a5 HEIMDAL: allow optional q in DH DomainParameters via f69814f g_lock: fix cleanup of stale entries in g_lock_trylock() via e39dcec s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE via 51fb772 VERSION: Bump version up to 4.6.13... from 1377b56 VERSION: Disable GIT_SNAPSHOT for the 4.6.12 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 74 +- ctdb/server/ctdb_recovery_helper.c | 16 ++- selftest/selftest.pl| 1 + selftest/target/Samba3.pm | 4 + source3/include/smb_acls.h | 10 +- source3/lib/g_lock.c| 6 +- source3/modules/vfs_ceph.c | 15 +++ source3/modules/vfs_default.c | 14 +-- source3/modules/vfs_error_inject.c | 99 ++ source3/modules/vfs_fruit.c | 172 source3/modules/wscript_build | 7 ++ source3/script/tests/test_smbd_error.sh | 56 +++ source3/selftest/tests.py | 3 + source3/smbd/oplock.c | 25 +++-- source3/smbd/pysmbd.c | 43 +++- source3/smbd/server_exit.c | 4 - source3/wscript | 10 +- source4/heimdal/kdc/pkinit.c| 11 +- source4/heimdal/lib/asn1/rfc2459.asn1 | 2 +- source4/heimdal/lib/krb5/pkinit.c | 7 +- source4/kdc/hdb-samba4.c| 24 +++-- source4/torture/vfs/fruit.c | 89 - 23 files changed, 604 insertions(+), 90 deletions(-) create mode 100644 source3/modules/vfs_error_inject.c create mode 100755 source3/script/tests/test_smbd_error.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 0c4ca38..8a613d1 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a759fa9..992007d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,74 @@ == + Release Notes for Samba 4.6.13 + February 14, 2017 + = + + +This is the latest stable release of the Samba 4.6 release series. + + +Changes since 4.6.12: +- + +o Jeremy Allison+ * BUG 13193: s3: smbd: Use identical logic to test for kernel oplocks on a + share. + +o Love Hornquist Astrand + * BUG 12986: Kerberos: PKINIT: Can't decode algorithm parameters in + clientPublicValue. + +o Ralph Boehme + * BUG 13181: vfs_fruit: Fail to copy file with empty FinderInfo from Windows + client to Samba share with fruit. + +o David Disseldorp + * BUG 13208: vfs_default: Use VFS statvfs macro in
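Review bot: The release-notes header added at the top of WHATSNEW.txt dates Samba 4.6.13 "February 14, 2017", but the 4.6.11 notes in this same file are dated November 21, 2017, so the year on this line cannot be right for a later release in the series. Please check the date before tagging, since downstream packagers and advisory trackers read this header to order releases and to decide which fixes a given build contains.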
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 1377b56 VERSION: Disable GIT_SNAPSHOT for the 4.6.12 release. via d665971 WHATSNEW: Add release notes for Samba 4.6.12. via d9aaf8d messaging: Always register the unique id via 1a8c27f pthreadpool: Add a test for the race condition fixed in the last commit via b181b26 pthreadpool: Fix starvation after fork via 7dcc119 winbindd: idmap_rid: error code for failing id-to-sid mapping request via d85e691 winbindd: idmap_rid: don't rely on the static domain list via 96cc7e0 winbindd: pass domain SID to wbint_UnixIDs2Sids via e16ef9f winbindd: add domain SID to idmap mapping domains via 822b5da s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient. via c441234 s3: client: Rename to in cmd_symlink() and cli_posix_symlink(). via 3fc3531 pthreadpool: Undo put_job when returning error via b51a271 pthreadpool: Move creating of thread to new function via 82f6111 ctdb-daemon: Send STARTUP control after startup event via 0d42cfc ctdb-takeover: Send tcp tickles immediately on STARTUP control via 7d173bf ctdb-takeover: Refactor code to send tickle lists for all public IPs via 730c8f9 vfs_zfsacl: fix compilation error via 9cc7d3d s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(). 
via 8a37c85 testprogs: Fix a typo in the net ads test via fb542aa testprogs: Test net ads keytab list via 19c9997 s3:libads: net ads keytab list fails with "Key table name malformed" via 3679be1 vfs_fruit: proper VFS-stackable conversion of FinderInfo via 0282d52 vfs_fruit: add AfpInfo prototypes via b7f5e69 s4/torture: fruit: in test_adouble_conversion() also check stream list and AFPINFO_STREAM via 775ec5e s4/torture: fruit: remove use of localdir from test_adouble_conversion test via dba33c9 selftest: add "fruit:veto_appledouble = no" to fruit shares via de13adb s4/torture: let write_stream() deal with stream=NULL via 90ed82b selftest: run AppleDouble sidecar-file conversion test runs against all fruit shares via 79b3ea5 s4/torture: use torture_assert_goto in a vfs.fruit test via 51e21a3 s4/torture: rework stream names tests usage of local xattr call via e266163 selftest: add localdir option to fruit subtests via 2354d2b selftest: reorder arguments for fruit tests via 1b9a0ca s3/loadparm: don't mark IPC$ as autoloaded via e0a08bd s3/loadparm: ensure default service options are not changed via 37e816e s3/loadparm: allocate a fresh sDefault object per lp_ctx via b728d17 Add vfs_zfsacl manpage to the list of manpages if we have this module enabled. via d484d1b Fix typo in the "wide links" description for the getwd cache. via 3af01bd libnet_join: fix "net rpc oldjoin" via b9d0fce s3:selftest: add samba3.blackbox.net_rpc_oldjoin test via eea9b63 ctdb-common: Call missing tevent_wakeup_recv() in sock_daemon via c54477d ctdb-daemon: Allocate deferred calls off calling context via 7e41c94 winbind: Remove winbind_messaging_context via 65bbf31 winbind: winbind_messaging_context -> server_messaging_context via 88a92ba winbind: Remove winbind_event_context via d0b4331 winbind: Replace winbind_event_context with server_event_context via 598cc46 s3: smbclient: tests: Test "volume" command over SMB1 and SMB2+. via 3490bbd s3: smbclient: Implement "volume" command over SMB2. 
via a7de852 VERSION: Bump version up to 4.6.12... via 3a06a4f Merge tag 'samba-4.6.11' into v4-6-test via d4217c0 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls. via a6db21e libsmbclient: Allow server (NetApp) to return STATUS_INVALID_PARAMETER from an echo. via b196d0e VERSION: Bump version up to 4.6.11... from 4878a25 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 99 - ctdb/common/sock_daemon.c | 8 + ctdb/server/ctdb_call.c| 14 +- ctdb/server/ctdb_daemon.c | 6 - ctdb/server/ctdb_monitor.c | 6 + ctdb/server/ctdb_takeover.c| 59 +++--- docs-xml/smbdotconf/tuning/getwdcache.xml | 2 +- docs-xml/wscript_build | 3 + librpc/idl/winbind.idl | 1 +
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 4878a25 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release via a3a3053 WHATSNEW: Add release notes for Samba 4.6.11. via 3a6b1ba s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via 3ef34e9 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 via 8d7602d VERSION: Re-enable GIT_SNAPSHOT. via 1cd9157 VERSION: Bump version up to 4.6.11... from a56f9ed VERSION: Disable GIT_SNAPSHOT for the 4.6.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -

commit 4878a25aea72c0bbd43344ab68d72f88406aacb4
Author: Karolin Seeger
Date: Mon Nov 20 11:13:55 2017 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release

Signed-off-by: Karolin Seeger

commit a3a30536fb31c2f48be448cd5b59f7a740855b5d
Author: Karolin Seeger
Date: Mon Nov 20 11:10:36 2017 +0100

WHATSNEW: Add release notes for Samba 4.6.11.

Signed-off-by: Karolin Seeger

commit 3a6b1baeb84ada35745109a11dacab328a1d6a5b
Author: Jeremy Allison
Date: Wed Sep 20 11:04:50 2017 -0700

s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

Ensure we zero out unused grown area.

CVE-2017-15275

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison

commit 3ef34e983d79746d47c5a894d5325e1a8618dc7a
Author: Jeremy Allison
Date: Tue Sep 19 16:11:33 2017 -0700

s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746

When setting up the chain, always use 'next->' variables not the 'req->' one.

Bug discovered by 连一汉

CVE-2017-14746

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison

commit 8d7602dd0defb30dce6b0c4ac5adc67ba936b84b
Author: Karolin Seeger
Date: Mon Nov 20 11:09:57 2017 +0100

VERSION: Re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger

commit 1cd91577aed6c9952cd2d88905ba1173e679df05
Author: Karolin Seeger
Date: Tue Nov 14 13:01:58 2017 +0100

VERSION: Bump version up to 4.6.11... and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger (cherry picked from commit b196d0efcfaad6ea42ed0873b430ff3d416dd731) --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 -- source3/smbd/process.c | 7 +++-- source3/smbd/reply.c | 5 source3/smbd/srvstr.c | 14 ++ 5 files changed, 97 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 4ccbdb5..c0e85a2 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 375d340..8199d91 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,75 @@ == + Release Notes for Samba 4.6.11 + November 21, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +=== +Details +=== + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.6.10:
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via a56f9ed VERSION: Disable GIT_SNAPSHOT for the 4.6.10 release. via ee75be8 WHATSNEW: Add release notes for Samba 4.6.10. via c5d7a7d s4: torture: kernel oplocks. Add smb2.kernel-oplocks.kernel_oplocks8 via c64f58e s3: smbd: kernel oplocks. Replace retry_open() with setup_kernel_oplock_poll_open(). via 8e338d8 selftest: Also run smbtorture smb2.compound with aio enabled via 8212d13 torture: Add testcase for compound CREATE-WRITE-CLOSE request via d005547 smbd/aio: Do not go async for SMB2 compound requests via 13da33f smbd: Move check for SMB2 compound request to new function via 13e0f78 python: use communicate to fix Popen deadlock via 2514616 blackbox tests: method to check specific exit codes via 339f19a tevent: version 0.9.34 via 5cb686d tevent: Fix a race condition via 148ab67 lib: tevent: Remove select backend. via 61819d6 tevent: version 0.9.33 via bd4ced8 tevent: handle passing req = NULL to tevent_req_print() via 4cc205c tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print() via 3bafcb5 tevent: version 0.9.32 via c2159d1 tevent: include the finish location in tevent_req_default_print() via 82572f0 tevent: Simplify create_immediate via 9abf13e tevent_threads: Fix a rundown race introduced with 1828011317b via dd516b9 tevent: Fix a race condition in tevent context rundown via 5a6d5c4 tevent: Fix a memleak on FreeBSD via 1375ed8 tevent: Add tevent_re_initialise to threaded test via 83c8bb7 tevent: Re-init threading in tevent_re_initialise via 1ea66fb tevent: Factor out context initialization via 03b43ed tevent: Fix a typo via d4f07b4 Revert "tevent: Fix a race condition" via 6a43b1b tevent: Fix a race condition via df214a3 s4: torture: Add smb2 FIND_and_set_DOC test case. via b3ac865 s3: smbd: Fix delete-on-close after smb2_find via 38f0d93 s4: torture: kernel_oplocks. Create a regression test case for bug #13058. 
via 32ee9d1 Revert "s3/smbd: fix deferred open with streams and kernel oplocks" via 003eefb Revert "s3: smbclient: Test we can rename with a name containing." via 5b414d9 s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd() via 35b1523 s4:pyparam: Fix resource leaks on error via 0d04dba s3:passdb: Make sure the salt is fully initialized before passing via 733aa17 s3:secrets: Do not leak memory of pw and old_pw via 781e5a6 ctdb-tests: Process-exists unit tests should wait until PID is registered via 5038300 ctdb-tests: Wait for fake_ctdbd to start, fail if it doesn't via 2340354 ctdb-tests: Skip starting fake_ctdbd when current node is disconnected via b1f422e ctdb-tests: Wait for ctdb_eventd to start, fail if it doesn't via ec36025 ctdb-tests: Allow wait_until() to be used in unit tests via 08100fc s3: smbclient: Test we can rename with a name containing. via f01aac9 s3: smbclient: Ensure we call client_clean_name() before all operations on remote pathnames. via f36e99e s3: client: Add new utility function client_clean_name(). via 992d7dc vfs_glusterfs: Fix exporting subdirs with shadow_copy2 via 6ef07b5 vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR via c1d6a04 VERSION: Bump version up to 4.6.10... from b77f419 VERSION: Disable GIT_SNAPSHOTS for the 4.6.9 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 - ctdb/tests/eventd/scripts/local.sh | 7 +- ctdb/tests/scripts/common.sh | 44 +++ ctdb/tests/scripts/integration.bash| 44 --- ctdb/tests/tool/ctdb.getcapabilities.003.sh| 13 +- ctdb/tests/tool/ctdb.lvs.008.sh| 13 +- ctdb/tests/tool/ctdb.process-exists.001.sh | 2 + ctdb/tests/tool/scripts/local.sh | 6 +- .../ABI/{tevent-0.9.31.sigs => tevent-0.9.32.sigs} | 0 .../ABI/{tevent-0.9.31.sigs => tevent-0.9.33.sigs} | 0 .../ABI/{tevent-0.9.31.sigs => tevent-0.9.34.sigs} | 0 lib/tevent/testsuite.c | 8 + lib/tevent/tevent.c| 78 ++--- lib/tevent/tevent.h| 2 +- lib/tevent/tevent_internal.h | 1 - lib/tevent/tevent_req.c| 11 +- lib/tevent/tevent_select.c | 280 lib/tevent/tevent_threads.c
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via b77f419 VERSION: Disable GIT_SNAPSHOTS for the 4.6.9 release. via b101fa1 WHATSNEW: Add release notes for Samba 4.6.9. via f8da4ab vfs_catia: Fix a potential memleak via bd4d3fb vfs_catia: Fix a memory leak via ff9c618 krb5_wrap: ADDRTYPE_INET6 is available in all supported MIT versions via 60f0e49 krb5_wrap: KRB5_ADDRESS_INET6 is not a define in Heimdal via c7726ee s4/torture: vfs_fruit: test xattr unpacking via d61101b s4/torture: vfs_fruit: replace AppleDouble data blob with xattr data via cbddb21 vfs_fruit: on-access conversion of AppleDouble xattr data via 5fb403f vfs_fruit: static string fruit_catia_maps via 8e95870 vfs_fruit: pass path to ad_convert via f42c878 vfs_fruit: unpack AppleDouble xattr header if present via 8d03598 vfs_fruit: allocate ad_data buffer up to AD_XATTR_MAX_HDR_SIZE bytes via 1e4051b vfs_fruit: add AppleDouble xattr structure definitions via e414f60 vfs_fruit: fix ftruncating resource fork via b866626 vfs_catia: factor out mapping functions via afecdce ctdb-common: Ignore event scripts with multiple '.'s via 595f108 s3: VFS: Protect errno if sys_getwd() fails across free() call. via 42b064a s3: VFS: Ensure sys_getwd() doesn't leak memory on error on really old systems. via 9209c35 net: groupmap cleanup should not delete BUILTIN mappings via c9fa0e9 ctdb-common: Do not queue a packet if queue does not have valid fd via 65af3ee ctdb-tests: Send broadcast to connected nodes, not configured nodes via 9de6540 ctdb-daemon: Send broadcast to connected nodes, not configured nodes via eb47cdd lib: gpo: Put enforced GPOs at the end of the list. via 07c6394 lib: gpo: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE. via 322add1 lib: gpo: Changes order to match GPO application order. 
       via  3cd186f s3/smbd: use correct access in get_file_handle_for_metadata
       via  096a3f8 s3/smbd: fix access checks in set_ea_dos_attribute()
       via  88dfaf1 s3/smbd: README.Coding fixes in set_ea_dos_attribute
       via  18122f0 s3: spoolss: Fix GUID string format on GetPrinter info
       via  a68f0bc s3/mdssvc: missing assignment in sl_pack_float
       via  f5b02e3 s4/torture: add a test for rename change notification with inotify enabled
       via  b5b77ba selftest: run smb2.notify-inotify testsuite against fileserver
       via  d052058 selftest: enable kernel change notifications in the fileserver environment
       via  1dd367a messaging: Remove messaging_handler_send
       via  389f2b7 notifyd: Remove notifyd_handler_done
       via  bb6011f notifyd: Use messaging_register for MSG_SMB_NOTIFY_DB
       via  ab6743d notifyd: Use messaging_register for MSG_SMB_NOTIFY_GET_DB
       via  e4dd339 notifyd: Use messaging_register for MSG_SMB_NOTIFY_TRIGGER
       via  340cde8 notifyd: Use messaging_register for MSG_SMB_NOTIFY_REC_CHANGE
       via  0f63069 messaging: make messaging_rec_create public
       via  5549320 notifyd: Avoid an if-expression
       via  7cf36b2 notifyd: Consolidate two #ifdef CLUSTER into one
       via  ab91b0d notifyd: Only ask for messaging_ctdb_conn when clustering
       via  cbb4750 selftest: prevent interpretation of escape sequences in test_give_owner.sh
       via  8c79020 selftest: add some debugging to test_give_owner.sh
       via  f4c3b87 vfs_fake_acls: deny give-ownership
       via  ec87dad vfs_acl_common: fix take ownership vs give ownership
       via  52de163 vfs_acl_common: factor out a variable declaration
       via  da807fe s3/smbd/posix_acls: return correct status in try_chown
       via  839830f selftest: tests for change ownership on a file
       via  49e080c selftest: fix samba3.blackbox.inherit_owner.default test script test_inherit_owner.sh
       via  3044852 selftest: fix acl_xattr test script test_acl_xattr.sh
       via  bc55590 selftest: fix acl_xattr test: sn-devel unreliable gid
       via  7b72c6f selftest: fix acl_xattr test: group, not user
       via  f9f9687 selftest: fix acl_xattr test: changing owner
       via  da10d811 vfs/nfs4_acls: move special handling of SMB_ACE4_SYNCHRONIZE to vfs_zfsacl
       via  38c3352 s3/vfs: move ACE4_ADD_FILE/ACE4_DELETE_CHILD mapping from NFSv4 framework to vfs_zfsacl
       via  bda469e vfs_zfsacl: ensure zfs_get_nt_acl_common() has access to stat info
       via  7657bb6 vfs_zfsacl: pass smb_fname to zfs_get_nt_acl_common
       via  96a8f4c torture/ioctl: test set_compression(format_none)
       via  bb54467 VERSION: Bump version up to 4.6.9...
       via  adbe2eb Merge tag 'samba-4.6.8' into v4-6-test
       via  c66a4d9 smbd/ioctl: match WS2016 ReFS set compression behaviour
       via  a86c837 ctdb-client: Initialize ctdb_ltdb_header completely for empty record
       via  bb709c1 ctdb-daemon: Free up record data if a call
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  be2ffca VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release.
       via  a308007 WHATSNEW: Add release notes for Samba 4.6.8.
       via  34dea82 selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping
       via  c848b10 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
       via  105cc43 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
       via  3157cce CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
       via  2850666 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
       via  28f4a8d CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
       via  d8c6ace CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
       via  f42ffde CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
       via  b760a46 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
       via  97a7ddf CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
       via  9fb5283 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one
       via  0effa0f VERSION: Bump version up to 4.6.8...
      from  a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
commit be2ffca00a983bc3e599e0eb84ab35c517e9d07c
Author: Karolin Seeger
Date: Wed Sep 13 11:12:20 2017 -0700

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release.

    Signed-off-by: Karolin Seeger

commit a308007fd615dcad94bc419d30d689c6f3b6cb32
Author: Karolin Seeger
Date: Wed Sep 13 11:07:28 2017 -0700

    WHATSNEW: Add release notes for Samba 4.6.8.

    Signed-off-by: Karolin Seeger

commit 34dea826bbfd8ac06230f41b4c7050286c21a966
Author: Stefan Metzmacher
Date: Tue Sep 12 05:21:35 2017 +0200

    selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping

    This is fixed in master and 4.7. For the backports we can just ignore failures.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914

    Signed-off-by: Stefan Metzmacher

commit c848b104aa2293f55c14722d99cf788dafc442cb
Author: Jeremy Allison
Date: Fri Sep 8 10:13:14 2017 -0700

    CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

    Signed-off-by: Jeremy Allison
    Signed-off-by: Stefan Metzmacher

commit 105cc438c6cb3dc741e861855e3fa5a94a156ff0
Author: Stefan Metzmacher
Date: Sat Dec 17 10:36:49 2016 +0100

    CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

    This will keep enforced encryption across dfs referrals.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

    Signed-off-by: Stefan Metzmacher

commit 3157ccef61bd0698207054daf060cf2986d1d110
Author: Stefan Metzmacher
Date: Mon Aug 14 12:13:18 2017 +0200

    CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

    This allows to check if the current cli_state uses encryption (either via unix extensions or via SMB3).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

    Signed-off-by: Stefan Metzmacher

commit 28506663282a1457708c38c58437e9eb9c0002bf
Author: Stefan Metzmacher
Date: Mon Dec 12 06:07:56 2016 +0100

    CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

    With forced encryption or required signing we should also not fall back.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

    Signed-off-by: Stefan Metzmacher

commit 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a
Author: Stefan Metzmacher
Date: Tue Aug 29 15:35:49 2017 +0200

    CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

    Signed-off-by: Stefan Metzmacher

commit d8c6aceb94ab72991eb538ab5dc388686a177052
Author: Stefan Metzmacher
Date: Tue Aug 29 15:24:14 2017 +0200

    CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

    Signed-off-by: Stefan Metzmacher

commit f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd
Author: Stefan Metzmacher
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.
       via  7f7e329 WHATSNEW: Add release notes for Samba 4.6.7.
       via  f2a0600 s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
       via  0ee93fe s4-dsdb/netlogon: allow missing ntver in cldap ping
       via  38d8f3c s4:torture/ldap: Test netlogon without NtVer
       via  3a5cf43 s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
       via  fd96410 vfs_ceph: fix cephwrap_chdir()
       via  a81b8f2 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
       via  6155eba s3: libsmb: Fix use-after-free when accessing pointer *p.
       via  378886b smbd: Fix a connection run-down race condition
       via  c1e5a22 s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
       via  8c0f377 ctdb-common: Set close-on-exec when creating PID file
       via  791b217 vfs_fruit: don't use MS NFS ACEs with Windows clients
       via  6af5fcc s3:client: The smbspool krb5 wrapper needs negotiate for authentication
       via  1714d0c vfs_fruit: add fruit:model = parametric option
       via  1ec8c4a idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
       via  73550d1 selftest: Do not force run of kcc at start of selftest
       via  9251372 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
       via  dd573c0 s3:secrets: remove unused secrets_store_[prev_]machine_password()
       via  d71aa30 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
       via  15a7a36 net: make use of secrets_*_password_change() for "net changesecretpw"
       via  13a2325 s3:trusts_util: make use the workstation password change more robust
       via  de1faa7 s3:libnet: make use of secrets_store_JoinCtx()
       via  56403c7 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
       via  835cc12 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
       via  cc67ccb secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
       via  d80ef0b netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
       via  59e23da netlogon.idl: make netr_TrustFlags [public]
       via  b7e7ac3 lsa.idl: make lsa_DnsDomainInfo [public]
       via  fc98574 s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
       via  f7c05a3 libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
       via  5d56612 libcli/auth: add const to set_pw_in_buffer()
       via  29fa179 libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
       via  d41f361 s3:trusts_util: pass dcname to trust_pw_change()
       via  324af75 s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
       via  7481722 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
       via  36ae6bc s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
       via  fc8506d s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
       via  bce615d s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
       via  c54cf09 s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
       via  dd0f49a s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
       via  4e649f7 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
       via  45ed7f3 s3:secrets: rename secrets_delete() to secrets_delete_entry()
       via  e67bc70 s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
       via  f8dc7f3 s3:secrets: add some const to secrets_store_domain_guid()
       via  f297455 s3:secrets: split out a domain_guid_keystr() function
       via  3341df2 s3:secrets: rework des_salt_key() to take the realm as argument
       via  cfba2c4 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
       via  f68f8f6 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
       via  0ce8cd8 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
       via  bf90563 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
       via  14add2c s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
       via  6e1f7e2 s3:libads: provide a simpler kerberos_fetch_salt_princ() function
       via  bfccba4 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
       via  beb5f2b s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
       via  4e5c9b5 s3:libnet_join: move
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103
       via  64a40b5 WHATSNEW: Add release notes for Samba 4.6.6.
       via  9b0972c CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
       via  553433a VERSION: Bump version up to 4.6.6...
      from  1d13a64 VERSION: Disable GIT_SNAPSHOTS for the 4.6.5 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
commit 55d71509595075a17eb2baf0d89c4801ba2f03f3
Author: Andrew Bartlett
Date: Wed Jul 12 15:07:52 2017 +1200

    VERSION: Release Samba 4.6.6 for CVE-2017-11103

    Signed-off-by: Andrew Bartlett
    Signed-off-by: Stefan Metzmacher

commit 64a40b5f64a849c754cfd3ef9d3d59b9ccf67013
Author: Andrew Bartlett
Date: Wed Jul 12 15:06:31 2017 +1200

    WHATSNEW: Add release notes for Samba 4.6.6.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit 9b0972c8e429fee8e15f23ab508a9f0729a4e0b6
Author: Jeffrey Altman
Date: Wed Apr 12 15:40:42 2017 -0400

    CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

    In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks.

    Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

    Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
    (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Garming Sam
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 57 +--
 source4/heimdal/lib/krb5/ticket.c | 4 +--
 3 files changed, 58 insertions(+), 5 deletions(-)

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index 8ed646d..8fc1d16 100644 --- a/VERSION +++ b/VERSION
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ab2182c..75d90b7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ = + Release Notes for Samba 4.6.6 +July 12, 2017 + = + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.6.5: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.6.5 June 6, 2017 = @@ -78,8 +131,8 @@ database (https://bugzilla.samba.org/).
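Review bot: In the WHATSNEW.txt hunk, the Details entry for CVE-2017-11103 says that builds using embedded Heimdal are vulnerable and builds against MIT Kerberos are not, but it gives an administrator no way to tell which of the two an installed binary uses and no pointer to the advisory; one line on how to check, or a reference to the advisory text, would make that statement actionable. The same hunk describes the defect as a "mutual authentication validation bypass" in the summary line and as "KDC-REP service name validation" in the changelog entry; using one description in both places would make the release note easier to search and cross-reference against BUG 12894.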
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  1d13a64 VERSION: Disable GIT_SNAPSHOTS for the 4.6.5 release.
       via  c9ad5ad WHATSNEW: Add release notes for Samba 4.6.5.
       via  66529e1 ctdb-common: Fix crash in logging initialisation
       via  620aac7 s3:smbd: Set up local and remote address for fake connection
       via  b925818 s3:smbd: Pass down remote and local address to get_referred_path()
       via  4fc1e91 s4/torture: test for bug 12798
       via  29196ec s3/smbd: fix exclusive lease optimisation
       via  44ca450 s3/locking: make find_share_mode_entry public
       via  06e8eec s3: VFS: Catia: Ensure path name is also converted.
       via  c9b3e8f ctdb-tests: Add some extra tests for "ctdb nodestatus"
       via  0089a4c ctdb-tools: "ctdb nodestatus" should only display header for "all"
       via  3c596dc ctdb-tools: Stop "ctdb nodestatus" from always showing all nodes
       via  5906140 ctdb-readonly: Avoid a tight loop waiting for revoke to complete
       via  049484b Revert "ctdb-readonly: Avoid a tight loop waiting for revoke to complete"
       via  96b8f72 VERSION: Bump version up to 4.6.5.
       via  e3f2d7f Merge tag 'samba-4.6.4' into v4-6-test
       via  4de3ddc s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry.
       via  f71feca ctdb-tests: Use tighter pattern for matching expected output
       via  4a33726 ctdb-tests: Explicitly search for the specific log entry
       via  3e50a50 ctdb-logging: Initialize DEBUGLEVEL before changing the value
       via  10b04d7 s3:smbcacls add prompt for password
       via  db9553e idmap_rfc2307: Test unix-ids-to-sids with 35 groups
       via  ea5dd00 selftest: Avoid idmap caching when testing idmap_rfc2307
       via  e0060df idmap_rfc2307: "ldap_next_entry" needs the previous entry, not the start
       via  0160f27 idmap_rfc2307: Don't stop after 30 entries
       via  c66a8b0 test_idmap_rfc2307: Test wbinfo -r for 35 supplementary group memberships
       via  cbf96d9 test_idmap_rfc2307: Do a recursive delete in ou=idmap
       via  bdea676 test_idmap_rfc2307: Correct usage
       via  301abae test_idmap_rfc2307: Avoid a tmpfile
       via  c2d7a72 test_idmap_rfc2307: Remove the correct file
       via  c73b49e idmap_rfc2307: "ldap_next_entry" needs the previous entry, not the start
       via  117547d idmap_rfc2307: Don't stop after 30 entries
       via  c7bead7 samba-tool: let 'samba-tool user syncpasswords' report deletions immediately
       via  ade0e8f4 s3/smbd: update exclusive oplock optimisation to the lease area
       via  6b3ebfb s3/smbd: update exclusive oplock optimisation to the lease area
       via  11a866e s3/locking: helper functions for lease types
       via  c82072f s3/locking: add const to fsp_lease_type
       via  82317ad systemd: fix detection of libsystemd
       via  17d5052 s3: smbd: inotify_map_mask_to_filter incorrectly indexes an array.
       via  0636b93 s3-tests: assignement in shell shall have no spaces around equal sign
       via  249607c _netr_ServerPasswordSet2: use info level 26 to set plain text machine password
       via  30586d3 vfs_fruit: lp_case_sensitive() does not return a bool
       via  6ffea89 winbindd: only use the domain name from lookup sids if the domain matches
       via  37e26bf winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
       via  73e1f00 vfs_acl_xattr|tdb: ensure create mask is at least 0666 if ignore_system_acls is set
       via  6915ad5 notify: Fix ordering of events in notifyd
       via  9602cd0 VERSION: Bump version up to 4.6.4...
      from  b0b0bf1 VERSION: Disable GIT_SNAPSHOTS for the 4.6.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 87 +-
 ctdb/common/logging.c | 3 +
 ctdb/server/ctdb_call.c | 93 +--
 ctdb/tests/eventd/eventd_051.sh | 2 +-
 ctdb/tests/eventd/scripts/local.sh | 2 +-
 ...db.nodestatus.001.sh => ctdb.nodestatus.003.sh} | 12 +-
 ...db.nodestatus.001.sh => ctdb.nodestatus.004.sh} | 13 +--
 ctdb/tests/tool/ctdb.nodestatus.005.sh | 28 +
 ctdb/tests/tool/ctdb.nodestatus.006.sh | 40 +++
 ctdb/tools/ctdb.c | 29 ++---
 lib/util/wscript_configure | 15 +--
 nsswitch/tests/test_idmap_rfc2307.sh | 130 -
 python/samba/netcmd/user.py | 2 +-
 selftest/target/Samba3.pm | 2 +
 source3/librpc/idl/open_files.idl | 2 +-
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  b0b0bf1 VERSION: Disable GIT_SNAPSHOTS for the 4.6.4 release.
       via  85d8992 WHATSNEW: Add release notes for Samba 4.6.4.
       via  04a3ba4 CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
       via  3bb4485 VERSION: Bump version up to 4.6.4...
      from  bbdd585 VERSION: Disable GIT_SNAPSHOTS for the 4.6.3 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
commit b0b0bf168a4d38dc78e1f5f6d9da0569d0e268ea
Author: Karolin Seeger
Date: Fri May 19 12:13:57 2017 +0200

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.4 release.

    Signed-off-by: Karolin Seeger

commit 85d89922befd56adca722f67cedac75f790a05c5
Author: Karolin Seeger
Date: Fri May 19 12:13:03 2017 +0200

    WHATSNEW: Add release notes for Samba 4.6.4.

    Signed-off-by: Karolin Seeger

commit 04a3ba4dbcc4be0ffc706ccc0b586d151d360015
Author: Volker Lendecke
Date: Mon May 8 21:40:40 2017 +0200

    CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison
    Reviewed-by: Stefan Metzmacher

commit 3bb44854911e0a8b311560a3dbf450f5c2701ae4
Author: Karolin Seeger
Date: Fri Apr 21 11:13:49 2017 +0200

    VERSION: Bump version up to 4.6.4...

    and re-enable GIT_SNAPSHOTS.

    Signed-off-by: Karolin Seeger
    (cherry picked from commit 9602cd0b5373aacc22c262b04b828b93cadf6df5)

---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 56 +--
 source3/rpc_server/srv_pipe.c | 5
 3 files changed, 60 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index ce5b2b8..b70a49f 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9a16862..fb533f3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt
@@ -1,4 +1,56 @@ = + Release Notes for Samba 4.6.4 +May 24, 2017 + = + + +This is a security release in order to address the following defect: + +o CVE-2017-7494 (Remote code execution from a writable share) + +=== +Details +=== + +o CVE-2017-7494: + All versions of Samba from 3.5.0 onwards are vulnerable to a remote + code execution vulnerability, allowing a malicious client to upload a + shared library to a writable share, and then cause the server to load + and execute it. + + +Changes since 4.6.3: +- + +o Volker Lendecke + * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable + share. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.6.3 April 25, 2017 = @@ -104,8 +156,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- + = Release Notes for Samba 4.6.2 diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index
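Review bot: In the first WHATSNEW.txt hunk, the Details entry for CVE-2017-7494 describes the impact (a client uploads a shared library to a writable share and causes the server to load and execute it) but offers nothing for sites that cannot upgrade at once; a workaround line, or a reference to the security advisory that carries one, belongs next to the affected-version statement. The second WHATSNEW.txt hunk (@@ -104,8 +156,8 @@) also removes the "Release notes for older releases follow:" line from the 4.6.3 section, which the commit subject "WHATSNEW: Add release notes for Samba 4.6.4." does not mention; a short note in the commit message would save the next reader from wondering whether that removal was intended.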
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  bbdd585 VERSION: Disable GIT_SNAPSHOTS for the 4.6.3 release.
       via  dcff483 WHATSNEW: Add release notes for Samba 4.6.3.
       via  c13244a cleanupdb: Fix a memory read error
       via  b8c11db s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
       via  0a84f16 s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
       via  222aa4a s3:vfs:shadow_copy2: fix quoting in debug messages
       via  312fb3b pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
       via  12c24f3 s3:smbd: Fix incorrect use of sys_getgroups()
       via  ee420c1 s3:lib: Fix incorrect logic in sys_broken_getgroups()
       via  72d1724 lib: debug: Avoid negative array access.
       via  71abf1a vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
       via  ec39296 vfs_acl_xattr: factor out fetching of an extended attribute
       via  fb375e3 vfs_xattr_tdb: handle case of zero size.
       via  70a2e2e selftest: test fetching a large ACL from vfs_acl_xattr
       via  7a806d7 ctdb-docs: Fix documentation of -n option to ctdb tool
       via  c9a5199 rpcclient: allow -U'OTHERDOMAIN\user' again
       via  8719babb winbindd: trigger possible passdb_dsdb initialisation
       via  d0d8663 winbindd: error handling in rpc_lookup_sids()
       via  a323631 s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
       via  9afba47 s3/rpc_client: use NT_STATUS_LOOKUP_ERR
       via  6526a27 s3/include: add NT_STATUS_LOOKUP_ERR
       via  b6ea6f7 selftest: fix for wbinfo -s tests for wellknown SIDs
       via  5083579 winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
       via  1a6802e selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
       via  1d66d33 selftest: wbinfo -s tests for wellknown SIDs
       via  fd6ec35 winbindd: use passdb backend for well-known SIDs
       via  50583a6 selftest: tests idmap mapping with idmap_rid
       via  d0643c5 selftest: new environment "ad_member_idmap_rid"
       via  ff5865a winbindd: remove unused single_domains array
       via  b86a793 winbindd: use correct domain name for failed lookupsids
       via  4c5f50c autobuild: Stop waf uninstall from removing test_tmpdir
       via  dce116d script/autobuild.py: ignore missing test_tmpdir
       via  da065cd script/autobuild.py: try to make TMPDIR handling more verbose
       via  286a9fd script/autobuild.py: add a do_print() wrapper function that flushes after each message
       via  5d964e1 script/autobuild.py: export PYTHONUNBUFFERED=1
       via  a727300 script/autobuild.py: cleanup the task subdirs when they're done.
       via  3cd5d41 s4/torture: vfs_fruit: test for bug 12565
       via  fe3fe4f vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
       via  981e667 wafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED
       via  122e46f selftest: Test for bug 12558
       via  ef48aa4 smbd: Fix smb1 findfirst with DFS
       via  6f05903 winbindd: Fix password policy for pam authentication
       via  f37537b ctdb-tools: Avoid deferencing argv[0] if argc == 0
       via  208dc58 selftest: Define template homedir for 'ad_member' env
       via  2cad042 s3:tests: Add a subsitution test for %D %u %g
       via  bc93a47 s3:winbind: Use the correct talloc context for user information
       via  925aa47 VERSION: Bump version up to 4.6.3.
       via  dd75f39 Merge tag 'samba-4.6.2' into v4-6-test
       via  cf02564 s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
       via  30aa17d s3: smbd: Fix "follow symlink = no" regression part 2.
       via  3f52654 s3: smbd: Fix "follow symlink = no" regression part 2.
       via  178 s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
       via  35f100d s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
       via  c6199c2 s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
       via  07437b0 selftest: tests for vfs_fruite file-id behavior
       via  6b3cc69 torture: add torture_assert_mem_not_equal_goto()
       via  cdf3f57 vfs_fruit: document added zero_file_id parameter
       via  9e7cfc4 vfs_fruit: enable zero file id
       via  2732b0c smbd: add zero_file_id flag
       via  2e9450a nsswtich: Add negative tests for authentication with wbinfo
       via  4a6c2da s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
       via  705149d s3: locking: Update oplock optimization for the leases era !
       via  a619054 s3: locking: Move two leases functions into a new file.
       via  32f7ba9 Changes to make the Solaris C compiler happy.
       via  36a2ee2 lib/crypto: implement samba.crypto Python module for RC4
       via  137b26f Fix for Solaris C compiler.
       via  e418059 s3:libsmb: Only print error message if kerberos use is forced
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  36d0070 VERSION: Disable GIT_SNAPSHOTS for the 4.6.2 release.
       via  8f35980 WHATSNEW: Add release notes for 4.6.2.
       via  2b9a812 s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
       via  9e81c83 s3: smbd: Fix "follow symlink = no" regression part 2.
       via  9e2ce69 s3: smbd: Fix "follow symlink = no" regression part 2.
       via  076f01e s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
       via  5a573c2 s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
       via  faea234 s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
       via  7b7f6a0 VERSION: Re-enable GIT_SNAPSHOTS.
       via  6cd0b59 VERSION: Bump version up to 4.6.2.
      from  1a8f3cf VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
commit 36d0070a6a7b021804a81fe5313cf6678769c7ae
Author: Karolin Seeger
Date: Fri Mar 31 08:34:16 2017 +0200

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.2 release.

    Signed-off-by: Karolin Seeger

commit 8f359809bbd21a8e63bee10139db51104819820d
Author: Karolin Seeger
Date: Fri Mar 31 08:33:25 2017 +0200

    WHATSNEW: Add release notes for 4.6.2.

    Signed-off-by: Karolin Seeger

commit 2b9a812c14f4a9599ba71c99fc28fa94e8f63fcf
Author: Jeremy Allison
Date: Mon Mar 27 22:10:29 2017 -0700

    s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2

    Add tests for regular access.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme

    Autobuild-User(master): Ralph Böhme
    Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144

    (cherry picked from commit 4e734fcd1bf82c08aa303ce44e9735acccffcf06)

commit 9e81c832f9c90d63569d614edfe655182522abdb
Author: Jeremy Allison
Date: Mon Mar 27 17:09:38 2017 -0700

    s3: smbd: Fix "follow symlink = no" regression part 2.

    Use the cwd_name parameter to reconstruct the original client name for symlink testing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme
    (cherry picked from commit e182a4d39e86c9694e255efdf6ee2ea3ccb9af4a)

commit 9e2ce6939861e51e5e626426aaf2b7b1075b31bf
Author: Jeremy Allison
Date: Mon Mar 27 17:04:58 2017 -0700

    s3: smbd: Fix "follow symlink = no" regression part 2.

    Add an extra parameter to cwd_name to check_reduced_name().

    If cwd_name == NULL then fname is a client given path relative to the root path of the share.

    If cwd_name != NULL then fname is a client given path relative to cwd_name. cwd_name is relative to the root path of the share.

    Not yet used, logic added in the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme
    (cherry picked from commit 83e30cb48859b412b76572b6a3ba84d8fde167af)

commit 076f01e55a1d5ad77f975dc397b50c9f620e6959
Author: Jeremy Allison
Date: Mon Mar 27 22:07:50 2017 -0700

    s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"

    Use correct bash operators (not string operators). Add missing "return".

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme
    (cherry picked from commit 037297a1c50e90a0092e3b94f472623f41ccc015)

commit 5a573c2285e42777282ace19b9b83f27858a4c55
Author: Jeremy Allison
Date: Mon Mar 27 11:48:25 2017 -0700

    s3: Test for CVE-2017-2619 regression with "follow symlinks = no".

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

    Back-ported from commit 782172a9bef0040981d20e49519b13dd744df6a0

commit faea23484be55dad2c0e6eafbcb8ba7d05692e6c
Author: Jeremy Allison
Date: Mon Mar 27 10:46:47 2017 -0700

    s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).

    In a UNIX filesystem, the names "." and ".." by definition can *never* be symlinks - they are already reserved names.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni
    (cherry picked from commit
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated
       via  1a8f3cf VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.
       via  2d44083 WHATSNEW: Add release notes for Samba 4.6.1.
       via  d9475c9 CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
       via  22a8d4e CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
       via  86b913f CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
       via  49edefe CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
       via  7a61eb2 CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
       via  16de606 CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.
       via  e558347 CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
       via  a98b3a1 CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
       via  556f7dd CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
       via  a028e01 CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
       via  0eae801 CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
       via  7609944 CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
       via  d7644e3 CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
       via  1325da1 VERSION: Bump version up to 4.6.1...
      from  f17816a VERSION: Disable GIT_SNAPSHOTS for the 4.6.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -
commit 1a8f3cfb4ebc21a0889c7692591ae41a46d7dfb2
Author: Karolin Seeger
Date: Fri Mar 17 11:54:34 2017 +0100

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.

    CVE-2017-2619: Symlink race allows access outside share definition.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Karolin Seeger

commit 2d44083d28daccdf10934d6badb7a1ef55a90f4b
Author: Karolin Seeger
Date: Fri Mar 17 11:51:42 2017 +0100

    WHATSNEW: Add release notes for Samba 4.6.1.

    CVE-2017-2619: Symlink race allows access outside share definition.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Karolin Seeger

commit d9475c95d2eb452f2527f351c1b825dfe45e0fae
Author: Jeremy Allison
Date: Thu Dec 15 13:06:31 2016 -0800

    CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit 22a8d4e802b50a73a78c39d12c33397808debbcd
Author: Jeremy Allison
Date: Thu Dec 15 13:04:46 2016 -0800

    CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit 86b913f59198d1a397f9136c221f74da0ee7f415
Author: Jeremy Allison
Date: Thu Dec 15 12:56:08 2016 -0800

    CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit 49edefe2ebd9c43e90d4ff295a3fee65c375607a
Author: Jeremy Allison
Date: Thu Dec 15 12:52:13 2016 -0800

    CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit 7a61eb2f964b2930dad423bf23c9697ce2503914
Author: Jeremy Allison
Date: Mon Dec 19 12:35:32 2016 -0800

    CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit 16de60625cdc678c5d14020a6557cbac3d3bf13d
Author: Jeremy Allison
Date: Mon Dec 19 12:32:07 2016 -0800

    CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison
    Reviewed-by: Uri Simchoni

commit e558347120df675fcf65bd9ddba706405d8af3e9
Author: Jeremy Allison
Date: Mon Dec 19 12:15:59 2016 -0800
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via f17816a VERSION: Disable GIT_SNAPSHOTS for the 4.6.0 release. via 93e804a WHATSNEW: Update release notes for Samba 4.6.0. via 5fe0984 Re-enable token groups fallback via 501d5d9 winbindd: find the domain based on the sid within wb_lookupusergroups_send() via d08929e Revert "winbind: Remove wb_lookupusergroups" via 86c025f Revert "winbind: Remove wbint_LookupUserGroups" via 0c68d73 Revert "winbind: Remove wb_cache_lookup_usergroups" via 06f5398 Revert "winbind: Remove wcache_lookup_usergroups" via 3e6f1d5 Revert "winbind: Remove validate_ug" via f4d5d16 Revert "winbind: Remove "lookup_usergroups" winbind method" via d7b5e92 Revert "winbind: Remove rpc_lookup_usergroups" via 76e643c WHATSNEW: Add release notes for Samba 4.6.0. via 53b73f1 s4:ldap_server: match windows in the error messages of failing LDAP Bind requests via 00e45e9 ldb-samba: remember the error string of a failing bind in ildb_connect() via 632c6b5 s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained. 
via 525752e0 s3:winbindd: fix endless forest trust scan via 605e069 vfs_fruit: enabling AAPL extensions must be a global switch via f9755bf ctdb-logging: CID 1396883 Dereference null return value (NULL_RETURNS) via 888f433 WHATSNEW: Add idmap_hash deprecation warning via 824faf6 idmap_hash: Add a deprecation message via fdb1522 docs: Improve the idmap_hash manpage via 145e98c s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly via f43ff04 gensec:spnego: Add debug message for the failed principal via 83628b4 vfs_fruit: only veto AppleDouble files with fruit:resource=file via f355f68 s4/torture: vfs_fruit: add stream with illegal ntfs characters to copyile test via 9b9e88b vfs_fruit: use stat info from base_fsp via d35e6f6 s4/torture: vfs_fruit: test invalid AFPINFO_STREAM_NAME via 05d0b6d vfs_fruit: ignore or delete invalid AFP_AfpInfo streams via aad3ccc selftest: add shares without vfs_fruit for the vfs_fruit tests via 0631c0e s4/torture: change shares in used torture_suite_add_2ns_smb2_test() via 8478500 docs/vfs_fruit: document known limitations with fruit:encoding=native via 5f1284e s4/torture: add test for AAPL find with name with illegal NTFS characters via 7f3c130 lib/torture: add torture_assert_mem_equal_goto via 72031de s4/torture: add a vfs_fruit renaming test with open rsrc fork via 81c8fd4 s4/torture: vfs_fruit: test deleting a file with resource fork via 3d5674d s4/torture: vfs_fruit: add test_null_afpinfo test via 64feccf selftest: add description to vfs_fruit testsuites via 82b2bb2 selftest: also run vfs_fruit tests with streams_depot via d6197d6 selftest: run vfs_fruit tests against share with fruit:metadata=stream via b98e7ac selftest: move vfs_fruit tests that require "fruit:metadata=netatalk" to vfs.fruit_netatalk via 7fb2f57 selftest: reenable vfs_fruit tests via 31f7562 vfs_fruit: refactor fruit_ftruncate and use new adouble API via 94616d1 vfs_fruit: use fio in fruit_fallocate via 3e1a5bb vfs_fruit: refactor fruit_fstat and use 
new adouble API via 408d21f vfs_fruit: refactor fruit_pread and fruit_pwrite and use new adouble API via 96b51a4 vfs_fruit: refactor fruit_open and use new adouble API via a55528b vfs_fruit: rework struct adouble API via db79f89 selftest: disable vfs_fruit tests via a6a0583 vfs_fruit: fix fruit_check_access() via abf4ab6 vfs_fruit: remove base_fsp name translation via d8d8360 vfs_fruit: use SMB_VFS_NEXT_OPEN in two places via 3c7331a vfs_fruit: refactor readdir_attr_macmeta() resource fork size via 9870810 vfs_fruit: refactor fruit_ftruncate() and fix stream case via 744a042 vfs_fruit: fix fruit_ntimes() for the fruit:metadata!=netatalk case via 41407c6 vfs_fruit: refactor fruit_streaminfo() via ad59cbc vfs_fruit: add fruit_stat_rsrc_xattr() implementation via 39c321f vfs_fruit: add fruit_stat_rsrc_stream() implementation via 2a76f87 vfs_fruit: refactor fruit_stat_rsrc() via 70842a8 vfs_fruit: refactor fruit_open_rsrc() via 5a54bed vfs_fruit: in fruit_rmdir() check ._ files before deleting them via a3c2db7 vfs_fruit: fix fruit_rmdir() for the fruit:resource!=file case via e59e603 vfs_fruit: fix fruit_chown() for the fruit:resource!=file case via 66c0572 vfs_fruit: fix fruit_chmod() for the fruit:resource!=file case via 0ee7ebd vfs_fruit: refactor fruit_unlink() via 6f43b66 vfs_fruit: fix fruit_rename() for the fruit:resource!=file case via a72ad4f vfs_fruit: correct
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 7600d32 VERSION: Disable git snapshots for the 4.6.0rc4 release. via 351ff91 WHATSNEW: Add release notes for Samba 4.6.0rc4. via 8d0e014 ctdb-build: Fix RPM build via be23d38 ctdb-build: Add WAFLOCK magic to manpages target via e10c2a4 dbchecker: Stop ignoring linked cases where both objects are alive via 9a40cea tests/dbcheck: Add a test for two live objects, with a dangling forward link via ea70487 tests/dbcheck: Add a test for two live objects, with a dangling backlink via e598a66 pidl:Python: use of pytalloc_GenericObject_reference*() for pyrpc_{ex,im}port_union() wrapping via b93c412 pidl:Python: replace pytalloc_CObject_FromTallocPtr() with pytalloc_GenericObject_reference_ex() via 1f144b9 pidl:Python: make sure print HASH references for STRUCT types via 10aebdc py_net: make use of pytalloc_GenericObject_steal() via 9fd7e54 talloc: version 2.1.9 via 3655e7c pytalloc: add pytalloc_GenericObject_{steal,reference}[_ex]() via b359915 talloc: fix TALLOC_VERSION_* mismatch detection via d5f579e talloc/wscript: avoid passing pointless enabled=True to SAMBA_PYTHON() via d96ce9c lib: talloc: Make it clear that talloc_get_size(NULL) returns 0. via ac59b3a s3:idmap_ad: make use of pdb_get_trust_credentials() to get the machine account creds via 3569a97 s3:winbindd: allow a fallback to NTLMSSP for LDAP connections via 94c58e6 s3:libads: add more debugging to ads_sasl_spnego_bind() via e90dead s3:winbindd: rely on the kerberos_state from pdb_get_trust_credentials() via b7e0a56 s3:winbindd: add more debugging to cm_prepare_connection() via 7a96e98 s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials() via 5779c43 s3:winbindd: fix the valid usage anonymous smb authentication via 9e4be46 auth/credentials: try to use kerberos with the machine account unless we're in an AD domain via e084c42 s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains. 
via 45abd7b Revert "s3-winbind: Fix schannel connections against trusted domain DCs" via 1e6322c s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect via 39582f3 vfs_streams_xattr: use fsp, not base_fsp via 0c9bc50 libcli/auth: use the correct creds value against servers without LogonSamLogonEx via 8ee5fe5 librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping via 8cb9f77 build: Fix generation of CTDB manpages while creating tarball via a39218d ctdb-build: Add make target for generating manpages via 706141a ctdb-build: Split dist() target to generate manpages separately via a2c013b krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key via dfb3795 s4:scripting: use generate_random_machine_password() for machine passwords via 6153b15 samba-tool:provision: use generate_random_machine_password() for machine passwords via f5df4eb samba-tool:domain: use generate_random_machine_password() for machine passwords via f6dc073 samba-tool:domain: use generate_random_machine_password() for trusted domains via 40366fd pyglue: add generate_random_machine_password() wrapper via 705686e python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords via 00d3c8e python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords via c5a4e47 s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets. 
via 7c75976 s4:libnet: make use of generate_random_machine_password() via 53ef65b s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH via e0119dd s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH via aa79c0d s3:net_rpc_trust: make use of trust_pw_new_value() via 2e125de s3:libnet_join: make use of trust_pw_new_value() via fd09929 s3:libads: use trust_pw_new_value() for krb5 machine passwords via c01b2c2 s3:libsmb: use trust_pw_new_value() in trust_pw_change() via ae300c7 s3:libsmb: add trust_pw_new_value() helper function via 38cfd61 s3:libsmb: let trust_pw_change() verify the new password at the end. via 60d48a8 s3:libsmb: let trust_pw_change() debug more verbose information via 39ebdf7 lib/util: add generate_random_machine_password() function via 7132f093 libcli/auth: add netlogon_creds_cli_debug_string() via bcfa544 libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send() via 7567c0e WHATSNEW: Fix spelling of Messages via e049016 WHATSNEW: Clarify and extend the the AD DC performance improvement text via 632a38e Modify
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via a7d9079 VERSION: Disable git snapshots for the 4.6.0rc3 release. via 2b256a7 WHATSNEW: Add release notes for Samba 4.6.0rc3. via 96f439d waf: Do not install the unit test binary for krb5samba via 6e6cf90 s4:tests/sec_descriptor: use more unique oid values via b641595 ctdb-build: Install CTDB tests correctly from toplevel via 612a3be s3: VFS: Don't allow symlink, link or rename on already converted paths. via a52e728 s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error. via d5b1ef7 s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function. via 5caa093 s3: VFS: shadow_copy2: Fix module to work with variable current working directory. via bc44e33 s3: VFS: Add utility function check_for_converted_path(). via fc6845f s3: VFS: Ensure shadow:format cannot contain a / path separator. via 805a7e3 s3: VFS: Allow shadow_copy2_connectpath() to return the cached path derived from $cwd. via 2caa219 s3: VFS: shadow_copy2: Fix chdir to store off the needed private variables. via d45ee17 s3: VFS: shadow_copy2: Add two currently unused functions to make pathnames absolute or relative to $cwd. via 7ed2e5c s3: VFS: shadow_copy2: Change a parameter name. via fa24756 s3: VFS: shadow_copy2: Add a wrapper function to call the original shadow_copy2_strip_snapshot(). via 5f0ded3 s3: VFS: shadow_copy2: Add two new variables to the private data. Not yet used. via 5377a0b s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep a length. via 28bd3b7 s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly relative and terminated. via ba1091c s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped variables. via 8d5bb11 s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path(). via d3446cd s3: smbtorture: Add new local test LOCAL-CANONICALIZE-PATH via 0cb108f s3: lib: Fix two old, old bugs in set_conn_connectpath(), now in canonicalize_absolute_path(). 
via 747da44 s3: lib: Add canonicalize_absolute_path(). via 10e63a1 s3: smbd: Correctly canonicalize any incoming shadow copy path. via 3ebe6e4 waf: backport finding of pkg-config via c290e63 torture/drs: expand test for DRSUAPI_DRS_GET_ANC via f0f6c6e getncchanges: implement DRSUAPI_DRS_GET_ANC more correctly via 616767e getncchanges: calculate getnc_state->min_usn calculation based on the uptodateness vector via 5983215 getncchanges: improve get_nc_changes_add_links() by checking uSNChanged via be30185 getncchanges: improve get_nc_changes_build_object() by checking uSNChanged via 8bf05d4 getncchanges: fix highest_usn off by one calculation in get_nc_changes_add_links() via e958fcc getncchanges: remove unused c++ comments/code in getncchanges_collect_objects() via 8d65efb getncchanges: do not replicate links for non critical objects if DRSUAPI_DRS_CRITICAL_ONLY is set via bf69e32 getncchanges: don't process DRSUAPI_DRS_CRITICAL_ONLY for EXOPs via 1f3a081 getncchanges: remember the ncRoot_guid on the getncchanges state via 200b298 getncchanges: pass struct ldb_message as const via b7deef9 getncchanges: only set nc_{object,linked_attributes}_count with DRSUAPI_DRS_GET_NC_SIZE via 8b38bec torture/drs: remove pointless nc_object_count replication checks in test_link_utdv_hwm() via 7016056 python/join: use DRSUAPI_DRS_GET_NC_SIZE for the initial replication via e8d8720 python/join: set common replica_flags in dc_join.__init__() via 58b8958 drsuapi.idl: make drsuapi_DsGetNCChangesRequest10 [public] via 8cb905d drsuapi.idl: add drsuapi_DrsMoreOptions with DRSUAPI_DRS_GET_TGT via 8bcb35a s4:libnet: s/highestCommitedUSN/highestCommittedUSN via cad7d1c s4:dsdb/repl: s/highestCommitedUsn/highestCommittedUSN via 87d6207 dbcheck-links: Test that dbcheck against one-way links does not error via 7890e42 dbcheck: Do not regard old one-way-links as errors via c56b9b8 samba_dsdb: Use and maintain compatibleFeatures and requiredFeatures in @SAMBA_DSDB via d3c8b54 samba-tool: Correct 
handling of default value for use_ntvfs and use_xattrs via b162acb ctdb-tests: Use replace headers instead of system headers via eb90262 ctdb-tests: Do not build mutex test if robust mutexes are not supported via cb1a9e7 ctdb-common: ioctl(.. FIONREAD ..) returns an int value via 6d83ec9 s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck(). via 2a0c2b6 smbd: Fix "map acl inherit" = yes via 64a14a3 s3: vfs: dirsort doesn't handle opendir of "." correctly. via de82686 docs:
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 54b08f2 VERSION: Disable git snapshots for the 4.2.0rc2 release. via 0270762 WHATSNEW: Add release notes for Samba 4.6.0rc2. via 4817385 script/release.sh: fix off by 1 error in announce.${tagname}.mail.txt creation via d5eebe5 winbind: Don't add duplicate IDs in wbinfo -r via 4773e25 winbind: Fix a typo via 1166de1 s3/winbindd: fix invalid free via 6a87647 winbind: Fix CID 1398534 Dereference before null check via 8c49f54 winbind: Fix CID 1398530 Resource leak via bfd0fb3 winbind: Fix CID 1398530 Resource leak via f629f59 winbind: Fix CID 1398531 Resource leak via ff102c9 winbind: Fix CID 1398533 Resource leak via bd82056 winbind: Fix CID 1398533 Resource leak via 1a234f5 WHATSNEW: document winbind changes via 56e9090 vfs_default: unlock the right file in copy chunk via 479fd27 ctdb-tests: Add "13.per_ip_routing shutdown" test via bcdf945 ctdb-scripts: Fix regression when cleaning up routing table IDs via 5319e50 ctdb-daemon: Remove stale eventd socket via e3c4968 ctdb-scripts: Fix remaining uses of "ctdb gratiousarp" via 77a80b7 ctdb-tests: Add takeover helper tests with banned/disconnected nodes via e733776 ctdb-takeover: Handle case where there are no RELEASE_IPs to send via 11841d3 ctdb-takeover: Known and available IP lists should be the same size as nodemap via c331736 ctdb-common: Add wait_send/wait_recv to sock_daemon_funcs via a13e48f ctdb-common: Avoid any processing after finishing tevent_req via 2930832 ctdb-common: Pass tevent_req to the computation sub-functions via 6b67083 ctdb-common: Use consistent naming for sock_daemon_run computation functions via bc79bda ctdb-common: Correct name of sock_daemon_run_send/recv state structure via bc8e36a ctdb-tests: Add robust mutex test via f1c8b35 ctdb-locking: Explicitly unlock record/db in lock helper via cb31b71 ctdb-locking: Remove support for locking multiple databases via 28ed3cd python/schema: fix tests flapping due to oid collision via 63b9e1c messaging: Fix 
dead but not cleaned-up-yet destination sockets via 65313eb s3:winbindd: talloc_steal the extra_data in winbindd_list_users_recv() via bbe371e ctdb-tests: Do not attempt to unregister the join handler multiple times via a01ba6c ctdb-tests: Add tests for generic socket I/O via 554d208 ctdb-common: Fix a bug in packet reading code for generic socket I/O via 6c9d136 ctdb-tests: Add another test for sock_daemon via 969faf5 ctdb-common: Simplify async computation for sock_socket_write_send/recv via 36562d5 VERSION: Bump version up to 4.6.0rc2... from b88d95e VERSION: Diable git snapshots for the 4.6.0rc1 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - ---
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 79 -
ctdb/common/sock_daemon.c | 188 +--
ctdb/common/sock_daemon.h | 14 +-
ctdb/common/sock_io.c | 28 +-
ctdb/config/events.d/10.interface | 4 +-
ctdb/config/events.d/13.per_ip_routing | 8 +-
ctdb/config/events.d/91.lvs | 2 +-
ctdb/doc/ctdb.1.xml | 4 +-
ctdb/server/ctdb_lock.c | 6 +-
ctdb/server/ctdb_lock_helper.c | 194 +--
ctdb/server/ctdb_takeover_helper.c | 23 +-
ctdb/server/eventscript.c | 9 +
ctdb/tests/cunit/sock_daemon_test_001.sh | 25 +-
ctdb/tests/cunit/sock_io_test_001.sh | 9 +
ctdb/tests/eventscripts/13.per_ip_routing.024.sh | 31 ++
ctdb/tests/eventscripts/stubs/ctdb | 2 +-
ctdb/tests/src/cluster_wait.c | 40 ++-
ctdb/tests/src/sock_daemon_test.c | 400 +--
ctdb/tests/src/sock_io_test.c | 283
ctdb/tests/src/test_mutex_raw.c | 261 +++
ctdb/tests/takeover_helper/{010.sh => 027.sh} | 10 +-
ctdb/tests/takeover_helper/{010.sh => 028.sh} | 10 +-
ctdb/wscript | 9 +-
script/release.sh | 5 +-
source3/lib/messages.c | 11 +
source3/modules/vfs_default.c | 2 +-
source3/winbindd/wb_gettoken.c | 81 +++--
source3/winbindd/wb_sids2xids.c | 2 +-
source3/winbindd/winbindd_ads.c