Change logs for samba source package in Artful

  • samba (2:4.6.7+dfsg-1ubuntu3.2) artful-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service Attack on external print server
        - debian/patches/CVE-2018-1050.patch: protect against null pointer
          derefs in source3/rpc_server/spoolss/srv_spoolss_nt.c.
        - CVE-2018-1050
      * SECURITY UPDATE: Authenticated users can change other users' passwords
        - debian/patches/CVE-2018-1057-*.patch: fix password changing logic.
        - CVE-2018-1057
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Mar 2018 16:43:27 +0100
  • samba (2:4.6.7+dfsg-1ubuntu3.1) artful-security; urgency=medium
    
      * SECURITY UPDATE: Use-after-free vulnerability
        - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
          source3/smbd/process.c, source3/smbd/reply.c.
        - CVE-2017-14746
      * SECURITY UPDATE: Server heap memory information leak
        - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
          source3/smbd/srvstr.c.
        - CVE-2017-15275
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:36:05 -0500
  • samba (2:4.6.7+dfsg-1ubuntu3) artful; urgency=medium
    
      * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
        they should
        - debian/patches/CVE-2017-12150-1.patch: don't turn a guessed username
          into a specified one in source3/include/auth_info.h,
          source3/lib/popt_common.c, source3/lib/util_cmdline.c.
        - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
          source3/lib/util_cmdline.c.
        - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
          source3/libsmb/pylibsmb.c.
        - debian/patches/CVE-2017-12150-4.patch: add SMB_SIGNING_REQUIRED to
          libgpo/gpo_fetch.c.
        - debian/patches/CVE-2017-12150-5.patch: add check for
          NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
        - debian/patches/CVE-2017-12150-6.patch: add
          smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
        - debian/patches/CVE-2017-12150-7.patch: only fallback to anonymous if
          authentication was not requested in source3/libsmb/clidfs.c.
        - CVE-2017-12150
      * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
        redirects
        - debian/patches/CVE-2017-12151-1.patch: add
          cli_state_is_encryption_on() helper function to
          source3/libsmb/clientgen.c, source3/libsmb/proto.h.
        - debian/patches/CVE-2017-12151-2.patch: make use of
          cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
          source3/libsmb/libsmb_context.c.
        - CVE-2017-12151
      * SECURITY UPDATE: Server memory information leak over SMB1
        - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
          from writing server memory to file in source3/smbd/reply.c.
        - CVE-2017-12163
    
     -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 08:10:03 -0400
  • samba (2:4.6.7+dfsg-1ubuntu2) artful; urgency=medium
    
      * d/source_samba.py: use the new recommended findmnt(8) tool to list
        mountpoints and correctly filter by the cifs filesystem type.
        (LP: #1703604)
    
     -- Andreas Hasenack <email address hidden>  Fri, 01 Sep 2017 09:47:58 -0300
  • samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium
    
      * Merge with Debian unstable (LP: #1710281).
        - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
          symlinks to directories (LP: #1701073)
      * Remaining changes:
        - debian/VERSION.patch: Update vendor string to "Ubuntu".
        - debian/smb.conf:
          + Add "(Samba, Ubuntu)" to server string.
          + Comment out the default [homes] share, and add a comment about
            "valid users = %s" to show users how to restrict access to
            \\server\username to only username.
        - debian/samba-common.config:
          + Do not change priority to high if dhclient3 is installed.
        - Add apport hook:
          + Created debian/source_samba.py.
          + debian/rules, debian/samba-common-bin.install: install hook.
        - Add extra DEP8 tests to samba (LP #1696823):
          + d/t/control: enable the new DEP8 tests
          + d/t/smbclient-anonymous-share-list: list available shares anonymously
          + d/t/smbclient-authenticated-share-list: list available shares using
            an authenticated connection
          + d/t/smbclient-share-access: create a share and download a file from it
          + d/t/cifs-share-access: access a file in a share using cifs
        - Ask the user if we can run testparm against the config file. If yes,
          include its stderr and exit status in the bug report. Otherwise, only
          include the exit status. (LP #1694334)
        - If systemctl is available, use it to query the status of the smbd
          service before trying to reload it. Otherwise, keep the same check
          as before and reload the service based on the existence of the
          initscript. (LP #1579597)
        - d/rules: Compile winbindd/winbindd statically.
        - Disable glusterfs support because it's not in main.
          MIR bug is https://launchpad.net/bugs/1274247
    
     -- Andreas Hasenack <email address hidden>  Mon, 21 Aug 2017 17:27:08 -0300
  • samba (2:4.6.5+dfsg-8ubuntu1) artful; urgency=medium
    
      * Merge with Debian unstable (LP: #1700644). Remaining changes:
        - debian/VERSION.patch: Update vendor string to "Ubuntu".
        - debian/smb.conf:
          + Add "(Samba, Ubuntu)" to server string.
          + Comment out the default [homes] share, and add a comment about
            "valid users = %s" to show users how to restrict access to
            \\server\username to only username.
        - debian/samba-common.config:
          + Do not change priority to high if dhclient3 is installed.
        - Add apport hook:
          + Created debian/source_samba.py.
          + debian/rules, debian/samba-common-bin.install: install hook.
        - Add extra DEP8 tests to samba (LP #1696823):
          + d/t/control: enable the new DEP8 tests
          + d/t/smbclient-anonymous-share-list: list available shares anonymously
          + d/t/smbclient-authenticated-share-list: list available shares using
            an authenticated connection
          + d/t/smbclient-share-access: create a share and download a file from it
          + d/t/cifs-share-access: access a file in a share using cifs
        - Ask the user if we can run testparm against the config file. If yes,
          include its stderr and exit status in the bug report. Otherwise, only
          include the exit status. (LP #1694334)
        - If systemctl is available, use it to query the status of the smbd
          service before trying to reload it. Otherwise, keep the same check
          as before and reload the service based on the existence of the
          initscript. (LP #1579597)
      * Drop:
        - d/rules: Compile winbindd/winbindd statically. (LP: #1700527)
          [This hunk was missed in 2:4.5.8+dfsg-2ubuntu2 when patch
          fix-1584485.patch was dropped there.]
        - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure
          [Replaced by d/p/s3-gse_krb5-fix-a-possible-crash-in-fill_mem_keytab.patch
          in 2:4.6.5+dfsg-3 that closed Debian's bug #739768]
        - debian/patches/winbind_trusted_domains.patch: make sure domain
          members can talk to trusted domains DCs.
          [Upstream committed a different fix, see updated patch attached to
          https://bugzilla.samba.org/show_bug.cgi?id=11830]
        - d/control: add libcephfs-dev as b-d to build vfs_ceph
          [Adopted by Debian in 2:4.6.5+dfsg-1]
        - debian/patches/CVE-2017-11103.patch: use encrypted service
          name rather than unencrypted (and therefore spoofable) version
          in heimdal
          [Adopted by Debian as
          d/p/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch]
        - Cherrypick upstream patch to fix FTBFS with new ceph lib.
          [Merged upstream in 4.6.0rc1]
      * Disable glusterfs support because it's not in main.
        MIR bug is https://launchpad.net/bugs/1274247
    
     -- Andreas Hasenack <email address hidden>  Thu, 10 Aug 2017 22:20:22 -0300
  • samba (2:4.5.8+dfsg-2ubuntu5) artful; urgency=medium
    
      * Cherrypick upstream patch to fix FTBFS with new ceph lib.
    
    samba (2:4.5.8+dfsg-2ubuntu4) artful; urgency=medium
    
      * SECURITY UPDATE: KDC-REP service name impersonation
        - debian/patches/CVE-2017-11103.patch: use encrypted service
          name rather than unencrypted (and therefore spoofable) version
          in heimdal
        - CVE-2017-11103
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 26 Jul 2017 08:34:24 +0100
  • samba (2:4.5.8+dfsg-2ubuntu4) artful; urgency=medium
    
      * SECURITY UPDATE: KDC-REP service name impersonation
        - debian/patches/CVE-2017-11103.patch: use encrypted service
          name rather than unencrypted (and therefore spoofable) version
          in heimdal
        - CVE-2017-11103
    
     -- Steve Beattie <email address hidden>  Mon, 17 Jul 2017 16:22:28 -0700
  • samba (2:4.5.8+dfsg-2ubuntu3) artful; urgency=medium
    
      * No-change rebuild against libldb 1.1.29
    
     -- Steve Langasek <email address hidden>  Sun, 25 Jun 2017 16:09:33 -0700
  • samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium
    
      * Add extra DEP8 tests to samba (LP: #1696823):
        - d/t/control: enable the new DEP8 tests
        - d/t/smbclient-anonymous-share-list: list available shares anonymously
        - d/t/smbclient-authenticated-share-list: list available shares using
          an authenticated connection
        - d/t/smbclient-share-access: create a share and download a file from it
        - d/t/cifs-share-access: access a file in a share using cifs
      * Ask the user if we can run testparm against the config file. If yes,
        include its stderr and exit status in the bug report. Otherwise, only
        include the exit status. (LP: #1694334)
      * If systemctl is available, use it to query the status of the smbd
        service before trying to reload it. Otherwise, keep the same check
        as before and reload the service based on the existence of the
        initscript. (LP: #1579597)
      * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
        module. There is a fixed version of that patch attached to
        #1677329 but it has not been vetted yet, so for now it's best
        to revert (again) so that pam_winbind can be used.
        (LP: #1677329, LP: #1644428)
    
     -- Andreas Hasenack <email address hidden>  Mon, 19 Jun 2017 10:49:29 -0700
  • samba (2:4.5.8+dfsg-2ubuntu1) artful; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - debian/VERSION.patch: Update vendor string to "Ubuntu".
        - debian/smb.conf:
          + Add "(Samba, Ubuntu)" to server string.
          + Comment out the default [homes] share, and add a comment about
            "valid users = %s" to show users how to restrict access to
            \\server\username to only username.
        - debian/samba-common.config:
          + Do not change priority to high if dhclient3 is installed.
        - Add apport hook:
          + Created debian/source_samba.py.
          + debian/rules, debian/samba-common-bin.install: install hook.
        - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure
        - debian/patches/winbind_trusted_domains.patch: make sure domain
          members can talk to trusted domains DCs.
        - d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
          to be statically linked
        - d/rules: Compile winbindd/winbindd statically.
        - d/control: add libcephfs-dev as b-d to build vfs_ceph
    
    samba (2:4.5.8+dfsg-2) unstable; urgency=high
    
      * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
    
    samba (2:4.5.8+dfsg-1) unstable; urgency=high
    
      * New upstream version
        - Drop CVE-2017-2619.patch: merged upstream
        - Fix CVE-2017-2619 regression with "follow symlink = no" (Closes: #858564)
    
     -- Marc Deslauriers <email address hidden>  Thu, 15 Jun 2017 14:17:43 -0400
  • samba (2:4.5.8+dfsg-0ubuntu1) artful; urgency=medium
    
      * SECURITY UPDATE: remote code execution from a writable share
        - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
          slash inside in source3/rpc_server/srv_pipe.c.
        - CVE-2017-7494
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 May 2017 07:39:13 -0400
  • samba (2:4.5.8+dfsg-0ubuntu0.17.04.1) zesty-security; urgency=medium
    
      * SECURITY UPDATE: Symlink race allows access outside share definition
        - Updated to new upstream release 4.5.8.
        - CVE-2017-2619
    
     -- Marc Deslauriers <email address hidden>  Fri, 21 Apr 2017 07:33:25 -0400
  • samba (2:4.5.4+dfsg-1ubuntu2) zesty; urgency=medium
    
      * d/control: add libcephfs-dev as b-d to build vfs_ceph
        (LP: #1668940).
    
     -- Nishanth Aravamudan <email address hidden>  Mon, 06 Mar 2017 11:13:41 -0800
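The entries above are, in effect, a table mapping each CVE to the first artful package version that carries its fix. The script below is an added example, not part of this Launchpad page or of the samba package: it transcribes that table into a dictionary and re-implements dpkg's version ordering (Debian Policy section 5.6.12, the same algorithm behind `dpkg --compare-versions`) so the check can run on a machine that is not the one being audited. The FIXED_IN table is taken from the changelog entries above; the function names and the `dpkg-query` call in the `__main__` block are this example's own choices.

```python
"""Check an Ubuntu artful samba package version against the CVE fixes listed
in this changelog.  Added example; not code from the samba package or from
Launchpad.  The version ordering is a Python port of dpkg's verrevcmp()."""
from typing import Dict, List, Tuple

# CVE -> first artful package version carrying the fix, transcribed from the
# changelog entries on this page.  The CVE-2017-2619 entry is the
# zesty-security upload listed there; every later artful version sorts above it.
FIXED_IN: Dict[str, str] = {
    "CVE-2018-1050": "2:4.6.7+dfsg-1ubuntu3.2",
    "CVE-2018-1057": "2:4.6.7+dfsg-1ubuntu3.2",
    "CVE-2017-14746": "2:4.6.7+dfsg-1ubuntu3.1",
    "CVE-2017-15275": "2:4.6.7+dfsg-1ubuntu3.1",
    "CVE-2017-12150": "2:4.6.7+dfsg-1ubuntu3",
    "CVE-2017-12151": "2:4.6.7+dfsg-1ubuntu3",
    "CVE-2017-12163": "2:4.6.7+dfsg-1ubuntu3",
    "CVE-2017-11103": "2:4.5.8+dfsg-2ubuntu4",
    "CVE-2017-7494": "2:4.5.8+dfsg-0ubuntu1",
    "CVE-2017-2619": "2:4.5.8+dfsg-0ubuntu0.17.04.1",
}


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"          # False for the empty string


def _order(c: str) -> int:
    """Sort weight dpkg assigns to a character inside a non-digit run:
    '~' sorts before everything (even end of string), letters before
    non-letters, and end of string (weight 0) between the two."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character with dpkg's weights.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; a missing revision counts as '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def _cve_key(cve: str) -> Tuple[int, int]:
    year, number = cve.split("-")[1:]
    return int(year), int(number)


def missing_fixes(installed: str) -> List[str]:
    """CVEs from FIXED_IN whose fixing version sorts above `installed`."""
    return sorted((cve for cve, fixed in FIXED_IN.items()
                   if compare_versions(installed, fixed) < 0), key=_cve_key)


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:
        installed = sys.argv[1]
    else:
        # dpkg is the authority for the full 'epoch:upstream-revision' string;
        # `smbd --version` prints only the upstream version plus vendor suffix.
        installed = subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Version}", "samba"], text=True).strip()
    missing = missing_fixes(installed)
    print(f"samba {installed}: "
          + (f"missing {', '.join(missing)}" if missing else "all listed CVEs fixed"))
```

Two caveats a practitioner should keep in mind. First, the comparison is only meaningful within one package lineage: the Debian upload 2:4.5.8+dfsg-1 sorts above Ubuntu's 2:4.5.8+dfsg-0ubuntu1 (revision "1" beats "0ubuntu1"), yet the changelog shows Debian shipped the CVE-2017-7494 fix only in 2:4.5.8+dfsg-2, so a Debian version string fed to this artful table would give a false "fixed". Second, the epoch matters: an epoch-less string such as the "4.6.7" reported by `smbd --version` compares below every "2:" version and would flag everything as missing, which is why the script reads the version from `dpkg-query` rather than from the daemon.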