The annotated tag, samba-4.17.1 has been created
        at  41ad24dad0c7d4d0eebe0be6634ee6f033ec0749 (tag)
   tagging  ed12d43518f06b05f69a93ba9b20d768c64124bc (commit)
  replaces  samba-4.17.0
 tagged by  Jule Anger
        on  Wed Oct 19 14:21:55 2022 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.17.1

Andreas Schneider (1):
      s3:auth: Flush the GETPWSID in memory cache for NTLM auth

Andrew Bartlett (13):
      CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
      CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
      CVE-2021-20251 s4 auth: make bad password count increment atomic
      CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
      CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
      CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
      CVE-2021-20251 auth4: Avoid reading the database twice by precaculating some variables
      selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
      selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
      s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
      selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
      s4-libnet: Add messages to object count mismatch failures
      python-drs: Add client-side debug and fallback for GET_ANC

Anoop C S (1):
      vfs_glusterfs: Remove special handling of O_CREAT flag

Douglas Bagnall (7):
      pytest: add file removal helpers for TestCaseInTempDir
      pytest/downgradedatabase: use TestCaseInTempDir.rm_files
      pytest/samdb_api: use TestCaseInTempDir.rm_files
      pytest/join: use TestCaseInTempDir.rm_files/dirs
      pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
      pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
      pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs

Gary Lockyer (4):
      CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out
      CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
      CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
      CVE-2021-20251 auth4: Return only the result message and free the surrounding result

Jeremy Allison (6):
      CVE-2021-20251 s3: ensure bad password count atomic updates
      s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
      s4: smbtorture: Add fsync_resource_fork test to fruit tests.
      s3: VFS: fruit. Implement fsync_send()/fsync_recv().
      s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
      s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.

Joseph Sutton (28):
      s3:rpc_server: Fix typo in error message
      lib:crypto: Zero auth_tag array in encryption test
      s4:torture: Zero samr_UserInfo union in password set test
      lib:crypto: Check for overflow before filling pauth_tag array
      lib:crypto: Use constant time memory comparison to check HMAC
      CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data with DES
      CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4
      CVE-2021-20251 lib:crypto: Add Python functions for AES SAMR password change
      CVE-2021-20251 tests/krb5: Add tests for password lockout race
      CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
      CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
      CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
      CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
      CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
      CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
      CVE-2021-20251 s4:kdc: Check badPwdCount update return status
      CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
      CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
      CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change
      lib:util: Check memset_s() error code in talloc_keep_secret_destructor()
      libcli:auth: Keep passwords from convert_string_talloc() secret
      s3:rpc_server: Use BURN_STR() to zero password
      CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
      CVE-2021-20251 s4-rpc_server: Use user privileges for SAMR password change
      CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
      CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
      CVE-2021-20251 s3:rpc_server: Split change_oem_password() call out of samr_set_password_aes()
      CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR AES password change

Jule Anger (3):
      VERSION: Bump version up to Samba 4.17.1...
      WHATSNEW: Add release notes for Samba 4.17.1.
      VERSION: Disable GIT_SNAPSHOT for the 4.17.1 release.

Noel Power (9):
      s3/rpcclient: Duplicate string returned from poptGetArg
      s3/param: Fix use after free with popt-1.19
      s3/utils: Add missing poptFreeContext
      s3/utils: Fix use after free with popt 1.19
      s3/utils: Fix use after free with popt 1.19
      s4/lib/registry: Fix use after free with popt 1.19
      s3/param: Check return of talloc_strdup
      s3/utils: Check return of talloc_strdup
      s3/utils: check result of talloc_strdup

Pavel Filipenský (1):
      lib:replace: Add macro BURN_STR() to zero memory of a string

Ralph Boehme (1):
      vfs_fruit: add missing calls to tevent_req_received()

Stefan Metzmacher (8):
      smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed
      smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()
      smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
      smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed
      smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
      s4:messaging: add imessaging_init_discard_incoming()
      s3:auth_samba4: make use of imessaging_init_discard_incoming()
      s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()

Volker Lendecke (3):
      vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
      lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
      vfs_gpfs: Protect against timestamps before the Unix epoch

-----------------------------------------------------------------------

-- 
Samba Shared Repository