Change logs for samba source package in Wily

  • samba (2:4.3.9+dfsg-0ubuntu0.15.10.2) wily-security; urgency=medium
    
      * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
        - debian/patches/samba-bug11912.patch: let msrpc_parse() return
          talloc'ed empty strings in libcli/auth/msrpc_parse.c.
        - debian/patches/samba-bug11914.patch: make
          ntlm_auth_generate_session_info() more complete in
          source3/utils/ntlm_auth.c.
    
     -- Marc Deslauriers <email address hidden>  Fri, 20 May 2016 08:09:44 -0400
  • samba (2:4.3.9+dfsg-0ubuntu0.15.10.1) wily-security; urgency=medium
    
      * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
        the previous security updates. (LP: #1577739)
        - debian/control: bump tevent Build-Depends to 0.9.28.
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 09:55:17 -0400
  • samba (2:4.3.8+dfsg-0ubuntu0.15.10.2) wily-security; urgency=medium
    
      * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
        - CVE-2015-5370: Multiple errors in DCE-RPC code
        - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
        - CVE-2016-2111: NETLOGON Spoofing Vulnerability
        - CVE-2016-2112: The LDAP client and server don't enforce integrity
          protection
        - CVE-2016-2113: Missing TLS certificate validation allows man in the
          middle attacks
        - CVE-2016-2114: "server signing = mandatory" not enforced
        - CVE-2016-2115: SMB client connections for IPC traffic are not
          integrity protected
        - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
      * Backported most packaging changes from (2:4.3.6+dfsg-1ubuntu1) in
        Ubuntu 16.04 LTS, except for the following:
        - Don't remove samba-doc package
        - Don't remove libpam-smbpass package
        - Don't remove libsmbsharemodes0 and libsmbsharemodes-dev packages
        - Don't build with dh-systemd
        - Don't build ctdb and cluster support
      * debian/patches/fix_pam_smbpass.patch: fix double free in pam_smbpass.
      * debian/patches/winbind_trusted_domains.patch: make sure domain members
        can talk to trusted domains DCs.
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Apr 2016 07:23:27 -0400
  • samba (2:4.1.17+dfsg-4ubuntu3.3) wily-security; urgency=medium
    
      * SECURITY UPDATE: incorrect ACL get/set allowed on symlink path
        - debian/patches/CVE-2015-7560-pre1.patch: add vfs_stat_smb_basename()
          to source3/smbd/proto.h, source3/smbd/vfs.c.
        - debian/patches/CVE-2015-7560.patch: properly handle symlinks in
          source3/client/client.c, source3/libsmb/clifile.c,
          source3/libsmb/proto.h, source3/smbd/nttrans.c,
          source3/smbd/trans2.c, added tests to selftest/knownfail,
          source3/selftest/tests.py, source3/torture/torture.c.
        - CVE-2015-7560
      * SECURITY UPDATE: out-of-bounds read in internal DNS server
        - debian/patches/CVE-2016-0771.patch: fix dns handling in
          librpc/idl/dns.idl, librpc/idl/dnsp.idl, librpc/idl/dnsserver.idl,
          librpc/ndr/ndr_dns.c, librpc/ndr/ndr_dnsp.c, librpc/ndr/ndr_dnsp.h,
          librpc/wscript_build, source4/dns_server/dns_query.c,
          source4/dns_server/dns_update.c, source4/librpc/wscript_build,
          added tests to python/samba/tests/dns.py,
          python/samba/tests/get_opt.py, selftest/tests.py,
          source4/selftest/tests.py.
        - CVE-2016-0771
    
     -- Marc Deslauriers <email address hidden>  Thu, 03 Mar 2016 09:41:49 -0500
  • samba (2:4.1.17+dfsg-4ubuntu3.2) wily-security; urgency=medium
    
      * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
        (LP: #1545750)
    
     -- Dariusz Gadomski <email address hidden>  Mon, 15 Feb 2016 16:10:40 +0100
  • samba (2:4.1.17+dfsg-4ubuntu3.1) wily-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in ldb_wildcard_compare function
        - debian/patches/CVE-2015-3223.patch: handle empty strings and
          embedded zeros in lib/ldb/common/ldb_match.c.
        - CVE-2015-3223
      * SECURITY UPDATE: file-access restrictions bypass via symlink
        - debian/patches/CVE-2015-5252.patch: validate matching component in
          source3/smbd/vfs.c.
        - CVE-2015-5252
      * SECURITY UPDATE: man-in-the-middle attack via encrypted-to-unencrypted
        downgrade
        - debian/patches/CVE-2015-5296.patch: force signing in
          libcli/smb/smbXcli_base.c, source3/libsmb/clidfs.c,
          source3/libsmb/libsmb_server.c.
        - CVE-2015-5296
      * SECURITY UPDATE: snapshot access via shadow copy directory
        - debian/patches/CVE-2015-5299.patch: fix missing access checks in
          source3/modules/vfs_shadow_copy2.c.
        - CVE-2015-5299
      * SECURITY UPDATE: information leak via incorrect string length handling
        - debian/patches/CVE-2015-5330.patch: fix string length handling in
          lib/ldb/common/ldb_dn.c, lib/util/charset/charset.h,
          lib/util/charset/codepoints.c, lib/util/charset/util_str.c,
          lib/util/charset/util_unistr.c.
        - CVE-2015-5330
      * SECURITY UPDATE: LDAP server denial of service
        - debian/patches/CVE-2015-7540.patch: check returns in lib/util/asn1.c,
          libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
          source4/libcli/ldap/ldap_controls.c.
        - CVE-2015-7540
      * SECURITY UPDATE: access restrictions bypass in machine account creation
        - debian/patches/CVE-2015-8467.patch: restrict swapping between account
          types in source4/dsdb/samdb/ldb_modules/samldb.c.
        - CVE-2015-8467
      * debian/control: bump libldb-dev Build-Depends to security update
        version.
    
     -- Marc Deslauriers <email address hidden>  Mon, 04 Jan 2016 09:30:56 -0500
  • samba (2:4.1.17+dfsg-4ubuntu3) wily; urgency=medium
    
      * debian/samba.logrotate:
        - revert to Debian version of the logrotate reload command, fix an
          invalid syntax introduced in the upstart->systemd transition
          (lp: #1385868)
    
     -- Sebastien Bacher <email address hidden>  Tue, 10 Nov 2015 19:04:30 +0100
  • samba (2:4.1.17+dfsg-4ubuntu2) wily; urgency=medium
    
      * debian/control:
        - Switch build depends from transitional libgnutls28-dev to libgnutls-dev
    
     -- Robert Ancell <email address hidden>  Tue, 11 Aug 2015 11:34:50 +1200
  • samba (2:4.1.17+dfsg-4ubuntu1) wily; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:
        + debian/VERSION.patch: Update vendor string to "Ubuntu".
        + debian/smb.conf:
          - Add "(Samba, Ubuntu)" to server string.
          - Comment out the default [homes] share, and add a comment about "valid users = %s"
            to show users how to restrict access to \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
        + debian/control:
          - Don't build against or suggest ctdb and tdb.
        + debian/rules:
          - Drop explicit configuration options for ctdb and tdb.
        + Add ufw integration:
          - Created debian/samba.ufw.profile:
          - debian/rules, debian/samba.install: install profile
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debian/samba-common-bin.install: install hook.
        + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
          processes such that it works under both upstart and systemd.
        + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
        + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
        + debian/patches/git_timeout_client_error.patch:
          - don't let smb mounts time out, which leads to errors when trying to
            reuse a mount after idling for a while in e.g. nautilus (lp: #310932)
    
    samba (2:4.1.17+dfsg-4) unstable; urgency=medium
    
      * Add pidl_reproducible.patch: Make pidl output reproducible.
    
    samba (2:4.1.17+dfsg-3) unstable; urgency=medium
    
      * Rebuild against new ldb. Closes: #783424
    
    samba (2:4.1.17+dfsg-2) unstable; urgency=medium
    
      [ Andreas Beckmann ]
      * Add samba.preinst to temporarily deactivate the old qtsmbstatusd
        initscript which has dependencies incompatible with the new samba
        initscript. This will ensure a clean upgrade path for samba if the
        qtsmbstatus-server package was installed previously.  (Closes: #779666)
    
    samba (2:4.1.17+dfsg-1) unstable; urgency=high
    
      * New upstream release. Fixes:
      - CVE-2014-8143: Elevation of privilege to Active Directory Domain
                       Controller. Closes: #776993
      - CVE-2015-0240: Unexpected code execution in smbd. Closes: #779033
      * Refresh patch add-so-version-to-private-libraries.
      * Add new smbtorture test rpc.schannel_anon_setpw to detect the conditions
        leading to CVE-2015-0240.
      * Add breaks on qtsmbstatus-server (<< 2.2.1-3~). Closes: #775041
      * Build-depend on reverted ldb version (with increased epoch).
    
     -- Martin Pitt <email address hidden>  Fri, 08 May 2015 10:49:12 +0200
  • samba (2:4.1.13+dfsg-4ubuntu4) wily; urgency=medium
    
      * No-change rebuild against current libldb1. This makes the package
        installable again.
    
     -- Martin Pitt <email address hidden>  Fri, 08 May 2015 06:09:32 +0200
  • samba (2:4.1.13+dfsg-4ubuntu3) vivid; urgency=medium
    
      * debian/patches/git_timeout_client_error.patch:
        - don't let smb mounts time out, which leads to errors when trying to
          reuse a mount after idling for a while in e.g. nautilus (lp: #310932)
    
     -- Sebastien Bacher <email address hidden>  Fri, 03 Apr 2015 17:20:06 +0200