Re: [SECURITY] samba-4.3.8 for 5.9
Stuart Henderson writes:

> On 2016/04/17 15:27, Jeremie Courreges-Anglas wrote:
>>
>> Note that 5.9 is still using samba-4.1.22, affected by:
>
> It's not what we would normally do for -stable, but I don't think we
> really have another choice. OK sthen.

Thanks, committed.

Note that the patch included the removal of SHARED_ONLY lines. I have
kept them as is in the commit.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: [SECURITY] samba-4.3.8 for 5.9
On 2016/04/17 15:27, Jeremie Courreges-Anglas wrote:
>
> Note that 5.9 is still using samba-4.1.22, affected by:

It's not what we would normally do for -stable, but I don't think we
really have another choice. OK sthen.
Re: [SECURITY] samba-4.3.8 for 5.9
Note that 5.9 is still using samba-4.1.22, affected by:

Fixed in 4.1.23+:
  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
  CVE-2016-0771 (Out-of-bounds read in internal DNS server)

Fixed in 4.2.11, 4.3.8 and 4.4.2:
  CVE-2015-5370 (Multiple errors in DCE-RPC code)
  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
  CVE-2016-2112 (LDAP client and server don't enforce integrity)
  CVE-2016-2113 (Missing TLS certificate validation)
  CVE-2016-2114 ("server signing = mandatory" not enforced)
  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

For the last security releases, upstream published patches only for 4.2,
4.3 and 4.4. As I said, I don't volunteer backporting 4.2 patches to
4.1. Upstream's patch is around 1.5MB.

Here's an update to 4.3.8 for -stable. This involves some libraries
removal/renaming and a major bump for libwbclient; only x11/gvfs and
kde/base3 are affected. databases/tdb and devel/libtalloc must be
updated, they only get minor lib bumps.

Yes, that's a big jump but I didn't spot/hear about any regression. Also
it brings us in line with upstream. There will probably be other
security updates during the 5.9 cycle, being on the 4.3.x release means
easy updates instead of no updates.

Thoughts?

tdb/talloc/samba diff below tested on -current, kde/base3 and gnome/gvfs
parts were mechanically backported from -current.

Index: databases/tdb/Makefile === RCS file: /cvs/ports/databases/tdb/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- databases/tdb/Makefile 12 Aug 2015 11:24:05 - 1.15 +++ databases/tdb/Makefile 12 Apr 2016 17:38:15 - 
@@ -1,14 +1,11 @@ -# $OpenBSD: Makefile,v 1.15 2015/08/12 11:24:05 jca Exp $ - -SHARED_ONLY= Yes +# $OpenBSD: Makefile,v 1.18 2016/04/12 17:38:15 jca Exp $ COMMENT= trivial database library # Keep in sync with the version bundled in net/samba4 -DISTNAME= tdb-1.2.12 -REVISION= 1 +DISTNAME= tdb-1.3.7 -SHARED_LIBS+= tdb 4.0 +SHARED_LIBS+= tdb 4.1 CATEGORIES=databases @@ -39,6 +36,7 @@ MAKE_ENV += LIB${_l:S/-/_/g} .endfor CONFIGURE_STYLE= simple -CONFIGURE_ARGS= --mandir="${PREFIX}/man" +CONFIGURE_ARGS= --mandir="${PREFIX}/man" \ + --disable-rpath .include Index: databases/tdb/distinfo === RCS file: /cvs/ports/databases/tdb/distinfo,v retrieving revision 1.5 diff -u -p -r1.5 distinfo --- databases/tdb/distinfo 18 Jul 2015 02:11:13 - 1.5 +++ databases/tdb/distinfo 12 Apr 2016 17:38:15 - @@ -1,2 +1,2 @@ -SHA256 (tdb-1.2.12.tar.gz) = KC09scxWrDARrl85Iv0MW7IX7LAyCDbCO2/mfyFjpx8= -SIZE (tdb-1.2.12.tar.gz) = 462590 +SHA256 (tdb-1.3.7.tar.gz) = pk2VygzAaij+0kxulSrtdmDK4EmDEIc11rwwuSUTZBI= +SIZE (tdb-1.3.7.tar.gz) = 493847 Index: databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py === RCS file: databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py diff -N databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py --- databases/tdb/patches/patch-buildtools_wafadmin_Tools_ccroot_py 18 Jul 2015 02:11:13 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - 
@@ -1,18 +0,0 @@ -$OpenBSD: patch-buildtools_wafadmin_Tools_ccroot_py,v 1.1 2015/07/18 02:11:13 jca Exp $ - -- at build time, encode the full library name + version in the SONAME - buildtools/wafadmin/Tools/ccroot.py.orig Sun Jan 27 04:51:43 2013 -+++ buildtools/wafadmin/Tools/ccroot.pyThu Jul 16 12:55:30 2015 -@@ -588,7 +588,10 @@ def apply_vnum(self): - name2 = libname + '.' + nums[0] - - if self.env.SONAME_ST: -- v = self.env.SONAME_ST % name2 -+ if sys.platform.startswith('openbsd'): -+ v = self.env.SONAME_ST % name3 -+ else: -+ v = self.env.SONAME_ST % name2 - self.env.append_value('LINKFLAGS', v.split()) - - bld = self.bld Index: databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py === RCS file: /cvs/ports/databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py,v retrieving revision 1.1 diff -u -p -r1.1 patch-buildtools_wafsamba_samba_install_py --- databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py18 Jul 2015 02:11:13 - 1.1 +++ databases/tdb/patches/patch-buildtools_wafsamba_samba_install_py12 Apr 2016 17:38:15 - @@ -1,25 +1,32 @@ -$OpenBSD: patch-buildtools_wafsamba_samba_install_py,v 1.1 2015/07/18 02:11:13 jca Exp $ +$OpenBSD: patch-buildtools_wafsamba_samba_install_py,v 1.2 2016/04/12 17:38:15 jca Exp $ -- install_link is used so encode the
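Review bot: The first databases/tdb/Makefile hunk (@@ -1,14 +1,11 @@) drops `SHARED_ONLY= Yes` along with the version bump; that removal is a -current cleanup unrelated to the tdb 1.3.7 update, and a -stable tree still carries SHARED_ONLY, so keep that line and take only the DISTNAME, REVISION and SHARED_LIBS changes. The `$OpenBSD: Makefile,v 1.18 ...$` line copied from -current is likewise noise in a diff against revision 1.15; leave the keyword for CVS to expand on commit.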
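Review bot: Deleting patch-buildtools_wafadmin_Tools_ccroot_py removes the OpenBSD-specific SONAME handling (the `name3` branch that encodes the full library name and version), and the companion update to patch-buildtools_wafsamba_samba_install_py that presumably takes it over is cut off after "-- install_link is used so encode the", so the diff as posted does not show where that logic now lives. Please post the complete samba_install_py hunk, and state in the commit message whether the installed SONAME scheme is unchanged (if it is not, the SHARED_LIBS bump to tdb 4.1 needs re-checking).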
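An inventory check encoding the fix table quoted in the mail above, added here as an example that is not code from the thread, the OpenBSD ports tree or Samba: given an installed Samba version, or an OpenBSD package name of the form seen in the pkg_add output later in this thread, it returns the CVEs from the list that the version still lacks. It assumes the mail's "4.1.23+" means any release numerically at or above 4.1.23, and treats branches the mail does not cover (newer than 4.4) as fixed.

```python
import re

# Fix table as stated in the mail (constructed from the thread, not taken
# from any Samba or OpenBSD source).  Assumption: "Fixed in 4.1.23+" is read
# as any release numerically at or above 4.1.23.
FIXED_FROM_4_1_23 = ["CVE-2015-7560", "CVE-2016-0771"]

# April 2016 batch.  The mail lists the branch releases it recommends
# (4.2.11, 4.3.8, 4.4.2) and says upstream shipped no patches for 4.1.
APRIL_2016_CVES = [
    "CVE-2015-5370", "CVE-2016-2110", "CVE-2016-2111", "CVE-2016-2112",
    "CVE-2016-2113", "CVE-2016-2114", "CVE-2016-2115", "CVE-2016-2118",
]
APRIL_2016_FIRST_FIXED = {(4, 2): 11, (4, 3): 8, (4, 4): 2}


def parse_version(text):
    """Extract (major, minor, patch) from '4.3.8', 'samba-4.3.8' or an
    OpenBSD package name such as 'samba-4.3.8p1' (the pN suffix is ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def unfixed_cves(text):
    """Return the CVEs from the mail's list that this Samba version still
    lacks, in the order the mail gives them; an empty list means fixed.
    Assumption: branches newer than 4.4 are not in the mail and are treated
    as fixed."""
    ver = parse_version(text)
    branch = ver[:2]
    pending = []
    if ver < (4, 1, 23):
        pending.extend(FIXED_FROM_4_1_23)
    if branch < (4, 2):
        # 4.1 and older: no upstream patches, so the whole batch stays open.
        pending.extend(APRIL_2016_CVES)
    else:
        first_fixed = APRIL_2016_FIRST_FIXED.get(branch)
        if first_fixed is not None and ver[2] < first_fixed:
            pending.extend(APRIL_2016_CVES)
    return pending


def report(names):
    """Map each version or package name to its list of unfixed CVEs."""
    return {name: unfixed_cves(name) for name in names}


if __name__ == "__main__":
    # 5.9's samba-4.1.22, the 4.3.6 being replaced, and the 4.3.8 update.
    for name, cves in report(["samba-4.1.22", "4.3.6", "samba-4.3.8p0"]).items():
        print("%-16s %s" % (name, ", ".join(cves) or "all listed CVEs fixed"))
```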
Re: [SECURITY] samba-4.3.8
Ian McWilliam writes:

> On 13 April 2016 at 04:41, Jeremie Courreges-Anglas wrote:
>
>>
>> I've just committed an update to 4.3.6. Here's another diff for the
>> security releases published today.
>>
>> Release notes excerpt and diff below.
>>
>>
>
> Apart from the extra libs in the checks that I haven't investigated
> yet

I've been ignoring those for some time already. Now that we're not at
the back of the pack anymore this kind of minor issue can be dealt with.
If not done already, I'll do it during p2k16 at the end of the month.

> and
> one error installing gdbm that I need to look at everything else appears ok.

I think I've already seen that but failed to track it down.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: [SECURITY] samba-4.3.8
Quoting Amit Kulkarni:

>> I was able to build it on 4.9 without any issues and provision an AD DC in
>> a test network. I plan to test Windows 10/8/7/XP clients running Office
>> 2016 applications over the weekend.
>
> 4.9? You really meant 5.9, right? :)

Yes, meant to say 5.9 -- I blame autocorrect :)

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
Re: [SECURITY] samba-4.3.8
>
> I was able to build it on 4.9 without any issues and provision an AD DC in
> a test network. I plan to test Windows 10/8/7/XP clients running Office
> 2016 applications over the weekend.
>

4.9? You really meant 5.9, right? :)
Re: [SECURITY] samba-4.3.8
Quoting Ian McWilliam:

> On 13 April 2016 at 04:41, Jeremie Courreges-Anglas wrote:
>>
>> I've just committed an update to 4.3.6. Here's another diff for the
>> security releases published today.
>>
>> Release notes excerpt and diff below.
>>
>
> Apart from the extra libs in the checks that I haven't investigated yet and
> one error installing gdbm that I need to look at everything else appears ok.
>
> make lib-depends-check
> samba-4.3.8(net/samba,-main):
> Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12
> ldb-1.1.21(net/samba,-ldb):
> Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12
> tevent-0.9.25(net/samba,-tevent):
> Extra:  m.9 replace.0 util-setid.0 util.12
> samba-util-4.3.8(net/samba,-util):
> Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12
> Scanning: ok
>
> ---
>
> make port-lib-depends-check
> samba-4.3.8(net/samba,-main):
> Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12
> ldb-1.1.21(net/samba,-ldb):
> Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12
> tevent-0.9.25(net/samba,-tevent):
> Extra:  m.9 replace.0 util-setid.0 util.12
> samba-util-4.3.8(net/samba,-util):
> Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12
>
> -
>
> ianm-openbsd:all {107} pkg_add samba-4.3.8.tgz
> UNSIGNED PACKAGE file:./openpam-20141014.tgz: install anyway ? [y/N/a] a
> samba-4.3.8:openpam-20141014: ok
> samba-4.3.8:popt-1.16p1: ok
> samba-4.3.8:python-2.7.11p0: ok
> samba-4.3.8:libtalloc-2.1.3: ok
> samba-4.3.8:samba-util-4.3.8: ok
> samba-4.3.8:tevent-0.9.25: ok
> samba-4.3.8:tdb-1.3.7: ok
> samba-4.3.8:ldb-1.1.21: ok
> samba-4.3.8:e2fsprogs-1.42.12p3: ok
> samba-4.3.8:libexecinfo-0.3v0: ok
> samba-4.3.8:py-dnspython-1.12.0p0: ok
> samba-4.3.8:cyrus-sasl-2.1.26p16: ok
> samba-4.3.8:openldap-client-2.4.44: ok
> samba-4.3.8:libgpg-error-1.21p0: ok
> samba-4.3.8:libgcrypt-1.6.5p0: ok
> samba-4.3.8:dbus-1.10.8v0: ok
> samba-4.3.8:dbus-daemon-launch-helper-1.10.8: ok
> samba-4.3.8:pcre-8.38p0: ok
> samba-4.3.8:libelf-0.8.13p3: ok
> samba-4.3.8:glib2-2.46.2p0: ok
> install-info: menu item `gdbm_load' already exists, for file `(none)'
> system(/usr/bin/install-info, --info-dir=/usr/local/info, --, /usr/local/info/gdbm.info) failed: exit(1)
> samba-4.3.8:gdbm-1.11p1: ok
> samba-4.3.8:libdaemon-0.14p1: ok
> samba-4.3.8:avahi-0.6.31p24: ok
> samba-4.3.8:libtasn1-4.7: ok
> samba-4.3.8:p11-kit-0.23.2p0: ok
> samba-4.3.8:gmp-5.0.2p3: ok
> samba-4.3.8:libnettle-3.2: ok
> samba-4.3.8:libidn-1.32p0: ok
> samba-4.3.8:gnutls-3.4.10p0: ok
> samba-4.3.8:cups-libs-2.1.3p0: ok
> samba-4.3.8:iniparser-3.1p1: ok
> samba-4.3.8:gamin-0.1.10p21: ok
> samba-4.3.8: ok
> The following new rcscripts were installed: /etc/rc.d/avahi_daemon /etc/rc.d/avahi_dnsconfd /etc/rc.d/messagebus /etc/rc.d/nmbd /etc/rc.d/samba /etc/rc.d/samba_ad_dc /etc/rc.d/saslauthd /etc/rc.d/smbd /etc/rc.d/winbindd
> See rcctl(8) for details.
> Look in /usr/local/share/doc/pkg-readmes for extra documentation.
> --- +python-2.7.11p0 ---
> If you want to use this package as your default system python, as root
> create symbolic links like so (overwriting any previous default):
>   ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
>   ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
>   ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
>   ln -sf /usr/local/bin/pydoc2.7 /usr/local/bin/pydoc
> UNSIGNED PACKAGES: libelf-0.8.13p3, iniparser-3.1p1, dbus-1.10.8v0, tdb-1.3.7, libnettle-3.2, tevent-0.9.25, gamin-0.1.10p21, libtalloc-2.1.3, avahi-0.6.31p24, gmp-5.0.2p3, py-dnspython-1.12.0p0, libgpg-error-1.21p0, p11-kit-0.23.2p0, libdaemon-0.14p1, popt-1.16p1, cyrus-sasl-2.1.26p16, pcre-8.38p0, libtasn1-4.7, samba-util-4.3.8, glib2-2.46.2p0, ldb-1.1.21, cups-libs-2.1.3p0, libgcrypt-1.6.5p0, dbus-daemon-launch-helper-1.10.8, gnutls-3.4.10p0, python-2.7.11p0, libidn-1.32p0, samba-4.3.8, openpam-20141014, openldap-client-2.4.44, e2fsprogs-1.42.12p3, libexecinfo-0.3v0, gdbm-1.11p1
>
> -Ian McWilliam

This is great! Many thanks to JCA and yourself for the 4.3.8 port.

I was able to build it on 4.9 without any issues and provision an AD DC in
a test network. I plan to test Windows 10/8/7/XP clients running Office
2016 applications over the weekend.

vm3.vmlab.foretell.ca# sysctl kern.version
kern.version=OpenBSD 5.9 (GENERIC) #2: Thu Mar 31 12:27:22 CDT 2016
    r...@n59.lab.foretell.ca:/usr/src/sys/arch/amd64/compile/GENERIC

vm3.vmlab.foretell.ca# samba-tool domain provision --use-rfc2307 --interactive
Realm [VMLAB.FORETELL.CA]:
Domain [VMLAB]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.72.3.10]:
Administrator password:
Retype password:
You are not root or your system do not support xattr, using tdb backend for attributes. not using extended attributes to store ACLs and other metadata.
If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
Looking up IPv4 addresses
Looking up
Re: [SECURITY] samba-4.3.8
On 13 April 2016 at 04:41, Jeremie Courreges-Anglas wrote:
>
> I've just committed an update to 4.3.6. Here's another diff for the
> security releases published today.
>
> Release notes excerpt and diff below.
>

Apart from the extra libs in the checks that I haven't investigated yet and
one error installing gdbm that I need to look at everything else appears ok.

make lib-depends-check
samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12
ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12
tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12
samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12
Scanning: ok

---

make port-lib-depends-check
samba-4.3.8(net/samba,-main):
Extra:  gcrypt.19 iniparser.0 m.9 ncurses.14 sasl2.3 util.12
ldb-1.1.21(net/samba,-ldb):
Extra:  m.9 replace.0 tdb.4 util-setid.0 util.12
tevent-0.9.25(net/samba,-tevent):
Extra:  m.9 replace.0 util-setid.0 util.12
samba-util-4.3.8(net/samba,-util):
Extra:  m.9 pytalloc-util.0 python2.7.0 talloc.1 util.12

-

ianm-openbsd:all {107} pkg_add samba-4.3.8.tgz
UNSIGNED PACKAGE file:./openpam-20141014.tgz: install anyway ? [y/N/a] a
samba-4.3.8:openpam-20141014: ok
samba-4.3.8:popt-1.16p1: ok
samba-4.3.8:python-2.7.11p0: ok
samba-4.3.8:libtalloc-2.1.3: ok
samba-4.3.8:samba-util-4.3.8: ok
samba-4.3.8:tevent-0.9.25: ok
samba-4.3.8:tdb-1.3.7: ok
samba-4.3.8:ldb-1.1.21: ok
samba-4.3.8:e2fsprogs-1.42.12p3: ok
samba-4.3.8:libexecinfo-0.3v0: ok
samba-4.3.8:py-dnspython-1.12.0p0: ok
samba-4.3.8:cyrus-sasl-2.1.26p16: ok
samba-4.3.8:openldap-client-2.4.44: ok
samba-4.3.8:libgpg-error-1.21p0: ok
samba-4.3.8:libgcrypt-1.6.5p0: ok
samba-4.3.8:dbus-1.10.8v0: ok
samba-4.3.8:dbus-daemon-launch-helper-1.10.8: ok
samba-4.3.8:pcre-8.38p0: ok
samba-4.3.8:libelf-0.8.13p3: ok
samba-4.3.8:glib2-2.46.2p0: ok
install-info: menu item `gdbm_load' already exists, for file `(none)'
system(/usr/bin/install-info, --info-dir=/usr/local/info, --, /usr/local/info/gdbm.info) failed: exit(1)
samba-4.3.8:gdbm-1.11p1: ok
samba-4.3.8:libdaemon-0.14p1: ok
samba-4.3.8:avahi-0.6.31p24: ok
samba-4.3.8:libtasn1-4.7: ok
samba-4.3.8:p11-kit-0.23.2p0: ok
samba-4.3.8:gmp-5.0.2p3: ok
samba-4.3.8:libnettle-3.2: ok
samba-4.3.8:libidn-1.32p0: ok
samba-4.3.8:gnutls-3.4.10p0: ok
samba-4.3.8:cups-libs-2.1.3p0: ok
samba-4.3.8:iniparser-3.1p1: ok
samba-4.3.8:gamin-0.1.10p21: ok
samba-4.3.8: ok
The following new rcscripts were installed: /etc/rc.d/avahi_daemon /etc/rc.d/avahi_dnsconfd /etc/rc.d/messagebus /etc/rc.d/nmbd /etc/rc.d/samba /etc/rc.d/samba_ad_dc /etc/rc.d/saslauthd /etc/rc.d/smbd /etc/rc.d/winbindd
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
--- +python-2.7.11p0 ---
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
  ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
  ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
  ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
  ln -sf /usr/local/bin/pydoc2.7 /usr/local/bin/pydoc
UNSIGNED PACKAGES: libelf-0.8.13p3, iniparser-3.1p1, dbus-1.10.8v0, tdb-1.3.7, libnettle-3.2, tevent-0.9.25, gamin-0.1.10p21, libtalloc-2.1.3, avahi-0.6.31p24, gmp-5.0.2p3, py-dnspython-1.12.0p0, libgpg-error-1.21p0, p11-kit-0.23.2p0, libdaemon-0.14p1, popt-1.16p1, cyrus-sasl-2.1.26p16, pcre-8.38p0, libtasn1-4.7, samba-util-4.3.8, glib2-2.46.2p0, ldb-1.1.21, cups-libs-2.1.3p0, libgcrypt-1.6.5p0, dbus-daemon-launch-helper-1.10.8, gnutls-3.4.10p0, python-2.7.11p0, libidn-1.32p0, samba-4.3.8, openpam-20141014, openldap-client-2.4.44, e2fsprogs-1.42.12p3, libexecinfo-0.3v0, gdbm-1.11p1

- Ian McWilliam
[SECURITY] samba-4.3.8
I've just committed an update to 4.3.6. Here's another diff for the
security releases published today.

Release notes excerpt and diff below.

--8<--
                   ==============================
                   Release Notes for Samba 4.3.8
                           April 12, 2016
                   ==============================

This is a security release containing one additional regression fix for
the security release 4.3.7.

This fixes a regression that prevents things like 'net ads join' from
working against a Windows 2003 domain.

Changes since 4.3.7:
--------------------

o   Stefan Metzmacher
    * Bug 11804 - prerequisite backports for the security release on
      April 12th, 2016

Release notes for the original 4.3.7 release follows:
------------------------------------------------------

                   ==============================
                   Release Notes for Samba 4.3.7
                           April 12, 2016
                   ==============================

This is a security release in order to address the following CVEs:

o  CVE-2015-5370 (Multiple errors in DCE-RPC code)
o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
o  CVE-2016-2112 (LDAP client and server don't enforce integrity)
o  CVE-2016-2113 (Missing TLS certificate validation)
o  CVE-2016-2114 ("server signing = mandatory" not enforced)
o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

[...]
-->8--

No packaging differences, but some behavior changes, eg simple LDAP
binds aren't allowed by default anymore. No regression observed at $WORK
for the 4.3.6->4.3.8 transition (on Linux).

ok?

Index: Makefile === RCS file: /cvs/ports/net/samba/Makefile,v retrieving revision 1.219 diff -u -p -r1.219 Makefile --- Makefile12 Apr 2016 17:42:09 - 1.219 +++ Makefile12 Apr 2016 18:36:22 - @@ -1,6 +1,6 @@ # $OpenBSD: Makefile,v 1.219 2016/04/12 17:42:09 jca Exp $ -VERSION = 4.3.6 +VERSION = 4.3.8 DISTNAME = samba-${VERSION} COMMENT-main = SMB and CIFS client and server for UNIX Index: distinfo === RCS file: /cvs/ports/net/samba/distinfo,v retrieving revision 1.48 diff -u -p -r1.48 distinfo --- distinfo12 Apr 2016 17:42:09 - 1.48 +++ distinfo12 Apr 2016 18:36:22 - 
@@ -1,2 +1,2 @@ -SHA256 (samba-4.3.6.tar.gz) = MlHspbGWhU55l49KktX9K1W9ewolKmUTGpvgK+Z1SSQ= -SIZE (samba-4.3.6.tar.gz) = 20445038 +SHA256 (samba-4.3.8.tar.gz) = N53GbDoKSDv1vtN75uXRgpNNt8QQKyGSmmxGArMrKxA= +SIZE (samba-4.3.8.tar.gz) = 20568773

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
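Review bot: The Makefile hunk changes only VERSION (4.3.6 to 4.3.8), yet the mail itself notes a default behaviour change in this release (simple LDAP binds are no longer allowed by default), so users updating the package get a functional change with no packaging signal; please document it in the port's pkg-readme, or at least in the commit message, so LDAP clients that start failing after the update can be traced to it.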