Re: [SECURITY] samba-4.3.8 for 5.9

[Jeremie Courreges-Anglas]

Stuart Henderson  writes:

> On 2016/04/17 15:27, Jeremie Courreges-Anglas wrote:
>> 
>> Note that 5.9 is still using samba-4.1.22, affected by:
>
> It's not what we would normally do for -stable, but I don't think we
> really have another choice. OK sthen.

Thanks, committed.  Note that the patch included the removal of
SHARED_ONLY lines.  I have kept them as is in the commit.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: [SECURITY] samba-4.3.8 for 5.9

[Stuart Henderson]

On 2016/04/17 15:27, Jeremie Courreges-Anglas wrote:
> 
> Note that 5.9 is still using samba-4.1.22, affected by:

It's not what we would normally do for -stable, but I don't think we
really have another choice. OK sthen.

Re: [SECURITY] samba-4.3.8 for 5.9

[Jeremie Courreges-Anglas]

Note that 5.9 is still using samba-4.1.22, affected by:

Fixed in 4.1.23+:
CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
CVE-2016-0771 (Out-of-bounds read in internal DNS server)

Fixed in 4.2.11, 4.3.8 and 4.4.2:
CVE-2015-5370 (Multiple errors in DCE-RPC code)
CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
CVE-2016-2112 (LDAP client and server don't enforce integrity)
CVE-2016-2113 (Missing TLS certificate validation)
CVE-2016-2114 ("server signing = mandatory" not enforced)
CVE-2016-2115 (SMB IPC traffic is not integrity protected)
CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

For the last security releases, upstream published patches only for 4.2,
4.3 and 4.4.  As I said, I don't volunteer backporting 4.2 patches to
4.1. Upstream's patch is around 1.5MB.

Here's an update to 4.3.8 for -stable.  This involves some libraries
removal/renaming and a major bump for libwbclient; only x11/gvfs and
kde/base3 are affected.  databases/tdb and devel/libtalloc must be
updated, they only get minor lib bumps.

Yes, that's a big jump but I didn't spot/hear about any regression.
Also it brings us in line with upstream.  There will probably be other
security updates during the 5.9 cycle, being on the 4.3.x release means
easy updates instead of no updates.

Thoughts?

tdb/talloc/samba diff below tested on -current, kde/base3 and gnome/gvfs
parts were mechanically backported from -current.


Index: databases/tdb/Makefile
===
RCS file: /cvs/ports/databases/tdb/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- databases/tdb/Makefile  12 Aug 2015 11:24:05 -  1.15
+++ databases/tdb/Makefile  12 Apr 2016 17:38:15 -
@@ -1,14 +1,11 @@
-# $OpenBSD: Makefile,v 1.15 2015/08/12 11:24:05 jca Exp $
-
-SHARED_ONLY=   Yes
+# $OpenBSD: Makefile,v 1.18 2016/04/12 17:38:15 jca Exp $
 
 COMMENT=   trivial database library
 
 # Keep in sync with the version bundled in net/samba4
-DISTNAME=  tdb-1.2.12
-REVISION=  1
+DISTNAME=  tdb-1.3.7
 
-SHARED_LIBS+=  tdb 4.0
+SHARED_LIBS+=  tdb 4.1
 
 CATEGORIES=databases
 
@@ -39,6 +36,7 @@ MAKE_ENV += LIB${_l:S/-/_/g}
 .endfor
 
 CONFIGURE_STYLE= simple
-CONFIGURE_ARGS= --mandir="${PREFIX}/man"
+CONFIGURE_ARGS= --mandir="${PREFIX}/man" \
+   --disable-rpath
 
 .include 
Index: databases/tdb/distinfo
===
RCS file: /cvs/ports/databases/tdb/distinfo,v
retrieving revision 1.5
diff -u -p -r1.5 distinfo
--- databases/tdb/distinfo  18 Jul 2015 02:11:13 -  1.5
+++ databases/tdb/distinfo  12 Apr 2016 17:38:15 -
@@ -1,2 +1,2 @@
-SHA256 (tdb-1.2.12.tar.gz) = KC09scxWrDARrl85Iv0MW7IX7LAyCDbCO2/mfyFjpx8=
-SIZE (tdb-1.2.12.tar.gz) = 462590
+SHA256 (tdb-1.3.7.tar.gz) = pk2VygzAaij+0kxulSrtdmDK4EmDEIc11rwwuSUTZBI=
+SIZE (tdb-1.3.7.tar.gz) = 493847
Index: databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py
===
RCS file: databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py
diff -N databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py
--- databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py 18 Jul 
2015 02:11:13 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,18 +0,0 @@
-$OpenBSD: patch-buildtools_wafadmin_Tools_ccroot_py,v 1.1 2015/07/18 02:11:13 
jca Exp $
-
-- at build time, encode the full library name + version in the SONAME
-
 buildtools/wafadmin/Tools/ccroot.py.orig   Sun Jan 27 04:51:43 2013
-+++ buildtools/wafadmin/Tools/ccroot.pyThu Jul 16 12:55:30 2015
-@@ -588,7 +588,10 @@ def apply_vnum(self):
-   name2 = libname + '.' + nums[0]
- 
-   if self.env.SONAME_ST:
--  v = self.env.SONAME_ST % name2
-+  if sys.platform.startswith('openbsd'):
-+  v = self.env.SONAME_ST % name3
-+  else:
-+  v = self.env.SONAME_ST % name2
-   self.env.append_value('LINKFLAGS', v.split())
- 
-   bld = self.bld
Index: databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py
===
RCS file: 
/cvs/ports/databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py,v
retrieving revision 1.1
diff -u -p -r1.1 patch-buildtools_wafsamba_samba_install_py
--- databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py18 Jul 
2015 02:11:13 -  1.1
+++ databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py12 Apr 
2016 17:38:15 -
@@ -1,25 +1,32 @@
-$OpenBSD: patch-buildtools_wafsamba_samba_install_py,v 1.1 2015/07/18 02:11:13 
jca Exp $
+$OpenBSD: patch-buildtools_wafsamba_samba_install_py,v 1.2 2016/04/12 17:38:15 
jca Exp $
 
-- install_link is used so encode the 

Re: [SECURITY] samba-4.3.8

[Jeremie Courreges-Anglas]

Ian McWilliam  writes:

> On 13 April 2016 at 04:41, Jeremie Courreges-Anglas  wrote:
>
>>
>> I've just committed an update to 4.3.6.  Here's another diff for the
>> security releases published today.
>>
>> Release notes excerpt and diff below.
>>
>>
>
> Apart from the extra libs in the checks that I haven't investigated
> yet

I've been ignoring those since some time already.  Now that we're not at
the back of the pack anymore this kind of minor issue can be dealt with.
If not done already, I'll do it during p2k16 at the end of the month.

> and
> one error installing gdbm that I need to look at everything else appears ok.

I think I've already seen that but failed to track it down.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: [SECURITY] samba-4.3.8

[Vijay Sankar]

 Quoting Amit Kulkarni :


I was able to build it on 4.9 without any issues and provision an AD DC
in
a test network. I plan to test Windows 10/8/7/XP clients running Office
2016 applications over the weekend.



 

4.9? You really meant 5.9, right? :)


Yes, meant to say 5.9 -- I blame autocorrect :)
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca

Re: [SECURITY] samba-4.3.8

[Amit Kulkarni]

>
>
> I was able to build it on 4.9 without any issues and provision an AD DC in
> a test network. I plan to test Windows 10/8/7/XP clients running Office
> 2016 applications over the weekend.
>


4.9? You really meant 5.9, right? :)

Re: [SECURITY] samba-4.3.8

[Vijay Sankar]

 Quoting Ian McWilliam :


On 13 April 2016 at 04:41, Jeremie Courreges-Anglas 
wrote:


I've just committed an update to 4.3.6.  Here's another diff for the
security releases published today.

Release notes excerpt and diff below.
 


Apart from the extra libs in the checks that I haven't investigated yet
and
one error installing gdbm that I need to look at everything else appears
ok.

make lib-depends-check

samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12

ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12

tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12

samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12
Scanning: ok

---

make port-lib-depends-check

samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12

ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12

tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12

samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12

-

ianm-openbsd:all {107} pkg_add samba-4.3.8.tgz
UNSIGNED PACKAGE file:./openpam-20141014.tgz: install anyway ? [y/N/a] a
samba-4.3.8:openpam-20141014: ok
samba-4.3.8:popt-1.16p1: ok
samba-4.3.8:python-2.7.11p0: ok
samba-4.3.8:libtalloc-2.1.3: ok
samba-4.3.8:samba-util-4.3.8: ok
samba-4.3.8:tevent-0.9.25: ok
samba-4.3.8:tdb-1.3.7: ok
samba-4.3.8:ldb-1.1.21: ok
samba-4.3.8:e2fsprogs-1.42.12p3: ok
samba-4.3.8:libexecinfo-0.3v0: ok
samba-4.3.8:py-dnspython-1.12.0p0: ok
samba-4.3.8:cyrus-sasl-2.1.26p16: ok
samba-4.3.8:openldap-client-2.4.44: ok
samba-4.3.8:libgpg-error-1.21p0: ok
samba-4.3.8:libgcrypt-1.6.5p0: ok
samba-4.3.8:dbus-1.10.8v0: ok
samba-4.3.8:dbus-daemon-launch-helper-1.10.8: ok
samba-4.3.8:pcre-8.38p0: ok
samba-4.3.8:libelf-0.8.13p3: ok
samba-4.3.8:glib2-2.46.2p0: ok
install-info: menu item `gdbm_load' already exists, for file `(none)'
system(/usr/bin/install-info, --info-dir=/usr/local/info, --,
/usr/local/info/gdbm.info) failed: exit(1)
samba-4.3.8:gdbm-1.11p1: ok
samba-4.3.8:libdaemon-0.14p1: ok
samba-4.3.8:avahi-0.6.31p24: ok
samba-4.3.8:libtasn1-4.7: ok
samba-4.3.8:p11-kit-0.23.2p0: ok
samba-4.3.8:gmp-5.0.2p3: ok
samba-4.3.8:libnettle-3.2: ok
samba-4.3.8:libidn-1.32p0: ok
samba-4.3.8:gnutls-3.4.10p0: ok
samba-4.3.8:cups-libs-2.1.3p0: ok
samba-4.3.8:iniparser-3.1p1: ok
samba-4.3.8:gamin-0.1.10p21: ok
samba-4.3.8: ok
The following new rcscripts were installed: /etc/rc.d/avahi_daemon
/etc/rc.d/avahi_dnsconfd /etc/rc.d/messagebus /etc/rc.d/nmbd
/etc/rc.d/samba /etc/rc.d/samba_ad_dc /etc/rc.d/saslauthd /etc/rc.d/smbd
/etc/rc.d/winbindd
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
--- +python-2.7.11p0 ---
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
ln -sf /usr/local/bin/pydoc2.7  /usr/local/bin/pydoc
UNSIGNED PACKAGES: libelf-0.8.13p3, iniparser-3.1p1, dbus-1.10.8v0,
tdb-1.3.7, libnettle-3.2, tevent-0.9.25, gamin-0.1.10p21,

libtalloc-2.1.3,

avahi-0.6.31p24, gmp-5.0.2p3, py-dnspython-1.12.0p0, libgpg-error-1.21p0,
p11-kit-0.23.2p0, libdaemon-0.14p1, popt-1.16p1, cyrus-sasl-2.1.26p16,
pcre-8.38p0, libtasn1-4.7, samba-util-4.3.8, glib2-2.46.2p0, ldb-1.1.21,
cups-libs-2.1.3p0, libgcrypt-1.6.5p0, dbus-daemon-launch-helper-1.10.8,
gnutls-3.4.10p0, python-2.7.11p0, libidn-1.32p0, samba-4.3.8,
openpam-20141014, openldap-client-2.4.44, e2fsprogs-1.42.12p3,
libexecinfo-0.3v0, gdbm-1.11p1

-Ian McWilliam


This is great! Many thanks to JCA and yourself for the 4.3.8 port.

I was able to build it on 4.9 without any issues and provision an AD DC in
a test network. I plan to test Windows 10/8/7/XP clients running Office
2016 applications over the weekend.

vm3.vmlab.foretell.ca# sysctl kern.version
kern.version=OpenBSD 5.9 (GENERIC) #2: Thu Mar 31 12:27:22 CDT 2016
    r...@n59.lab.foretell.ca:/usr/src/sys/arch/amd64/compile/GENERIC

vm3.vmlab.foretell.ca# samba-tool domain provision --use-rfc2307
--interactive
Realm [VMLAB.FORETELL.CA]:
 Domain [VMLAB]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding)
[10.72.3.10]:
Administrator password:
Retype password:
You are not root or your system do not support xattr, using tdb backend for
attributes.
not using extended attributes to store ACLs and other metadata. If you
intend to use this provision in production, rerun the script as root on a
system supporting xattrs.
Looking up IPv4 addresses
Looking up 

Re: [SECURITY] samba-4.3.8

[Ian McWilliam]

On 13 April 2016 at 04:41, Jeremie Courreges-Anglas  wrote:

>
> I've just committed an update to 4.3.6.  Here's another diff for the
> security releases published today.
>
> Release notes excerpt and diff below.
>
>

Apart from the extra libs in the checks that I haven't investigated yet and
one error installing gdbm that I need to look at everything else appears ok.

make lib-depends-check

samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12

ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12

tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12

samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12
Scanning: ok

---

make port-lib-depends-check

samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12

ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12

tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12

samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12

-

ianm-openbsd:all {107} pkg_add samba-4.3.8.tgz
UNSIGNED PACKAGE file:./openpam-20141014.tgz: install anyway ? [y/N/a] a
samba-4.3.8:openpam-20141014: ok
samba-4.3.8:popt-1.16p1: ok
samba-4.3.8:python-2.7.11p0: ok
samba-4.3.8:libtalloc-2.1.3: ok
samba-4.3.8:samba-util-4.3.8: ok
samba-4.3.8:tevent-0.9.25: ok
samba-4.3.8:tdb-1.3.7: ok
samba-4.3.8:ldb-1.1.21: ok
samba-4.3.8:e2fsprogs-1.42.12p3: ok
samba-4.3.8:libexecinfo-0.3v0: ok
samba-4.3.8:py-dnspython-1.12.0p0: ok
samba-4.3.8:cyrus-sasl-2.1.26p16: ok
samba-4.3.8:openldap-client-2.4.44: ok
samba-4.3.8:libgpg-error-1.21p0: ok
samba-4.3.8:libgcrypt-1.6.5p0: ok
samba-4.3.8:dbus-1.10.8v0: ok
samba-4.3.8:dbus-daemon-launch-helper-1.10.8: ok
samba-4.3.8:pcre-8.38p0: ok
samba-4.3.8:libelf-0.8.13p3: ok
samba-4.3.8:glib2-2.46.2p0: ok
install-info: menu item `gdbm_load' already exists, for file `(none)'
system(/usr/bin/install-info, --info-dir=/usr/local/info, --,
/usr/local/info/gdbm.info) failed: exit(1)
samba-4.3.8:gdbm-1.11p1: ok
samba-4.3.8:libdaemon-0.14p1: ok
samba-4.3.8:avahi-0.6.31p24: ok
samba-4.3.8:libtasn1-4.7: ok
samba-4.3.8:p11-kit-0.23.2p0: ok
samba-4.3.8:gmp-5.0.2p3: ok
samba-4.3.8:libnettle-3.2: ok
samba-4.3.8:libidn-1.32p0: ok
samba-4.3.8:gnutls-3.4.10p0: ok
samba-4.3.8:cups-libs-2.1.3p0: ok
samba-4.3.8:iniparser-3.1p1: ok
samba-4.3.8:gamin-0.1.10p21: ok
samba-4.3.8: ok
The following new rcscripts were installed: /etc/rc.d/avahi_daemon
/etc/rc.d/avahi_dnsconfd /etc/rc.d/messagebus /etc/rc.d/nmbd
/etc/rc.d/samba /etc/rc.d/samba_ad_dc /etc/rc.d/saslauthd /etc/rc.d/smbd
/etc/rc.d/winbindd
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
--- +python-2.7.11p0 ---
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
 ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
 ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
 ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
 ln -sf /usr/local/bin/pydoc2.7  /usr/local/bin/pydoc
UNSIGNED PACKAGES: libelf-0.8.13p3, iniparser-3.1p1, dbus-1.10.8v0,
tdb-1.3.7, libnettle-3.2, tevent-0.9.25, gamin-0.1.10p21, libtalloc-2.1.3,
avahi-0.6.31p24, gmp-5.0.2p3, py-dnspython-1.12.0p0, libgpg-error-1.21p0,
p11-kit-0.23.2p0, libdaemon-0.14p1, popt-1.16p1, cyrus-sasl-2.1.26p16,
pcre-8.38p0, libtasn1-4.7, samba-util-4.3.8, glib2-2.46.2p0, ldb-1.1.21,
cups-libs-2.1.3p0, libgcrypt-1.6.5p0, dbus-daemon-launch-helper-1.10.8,
gnutls-3.4.10p0, python-2.7.11p0, libidn-1.32p0, samba-4.3.8,
openpam-20141014, openldap-client-2.4.44, e2fsprogs-1.42.12p3,
libexecinfo-0.3v0, gdbm-1.11p1


-
Ian McWilliam

[SECURITY] samba-4.3.8

[Jeremie Courreges-Anglas]

I've just committed an update to 4.3.6.  Here's another diff for the
security releases published today.

Release notes excerpt and diff below.

--8<--
   =
   Release Notes for Samba 4.3.8
   April 12, 2016
   =

This is a security release containing one additional
regression fix for the security release 4.3.7.

This fixes a regression that prevents things like 'net ads join'
from working against a Windows 2003 domain.

Changes since 4.3.7:


o  Stefan Metzmacher 
   * Bug 11804 - prerequisite backports for the security release on
 April 12th, 2016

Release notes for the original 4.3.7 release follows:
-

   =
   Release Notes for Samba 4.3.7
   April 12, 2016
   =


This is a security release in order to address the following CVEs:

o  CVE-2015-5370 (Multiple errors in DCE-RPC code)

o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)

o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)

o  CVE-2016-2112 (LDAP client and server don't enforce integrity)

o  CVE-2016-2113 (Missing TLS certificate validation)

o  CVE-2016-2114 ("server signing = mandatory" not enforced)

o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)

o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
[...]
-->8--

No packaging differences, but some behavior changes, eg simple LDAP
binds aren't allowed by default anymore.  No regression observed at
$WORK for the 4.3.6->4.3.8 transition (on Linux).

ok?

Index: Makefile
===
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.219
diff -u -p -r1.219 Makefile
--- Makefile12 Apr 2016 17:42:09 -  1.219
+++ Makefile12 Apr 2016 18:36:22 -
@@ -1,6 +1,6 @@
 # $OpenBSD: Makefile,v 1.219 2016/04/12 17:42:09 jca Exp $
 
-VERSION =  4.3.6
+VERSION =  4.3.8
 DISTNAME = samba-${VERSION}
 
 COMMENT-main = SMB and CIFS client and server for UNIX
Index: distinfo
===
RCS file: /cvs/ports/net/samba/distinfo,v
retrieving revision 1.48
diff -u -p -r1.48 distinfo
--- distinfo12 Apr 2016 17:42:09 -  1.48
+++ distinfo12 Apr 2016 18:36:22 -
@@ -1,2 +1,2 @@
-SHA256 (samba-4.3.6.tar.gz) = MlHspbGWhU55l49KktX9K1W9ewolKmUTGpvgK+Z1SSQ=
-SIZE (samba-4.3.6.tar.gz) = 20445038
+SHA256 (samba-4.3.8.tar.gz) = N53GbDoKSDv1vtN75uXRgpNNt8QQKyGSmmxGArMrKxA=
+SIZE (samba-4.3.8.tar.gz) = 20568773


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE