Change logs for samba source package in Xenial

  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.34) xenial-security; urgency=medium
    
      * SECURITY UPDATE: wrong group entries via negative idmap cache entries
        - debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
          source3/passdb/lookup_sid.c.
        - CVE-2021-20254
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Apr 2021 08:53:58 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.32) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Missing handle permissions check in ChangeNotify
        - debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
          get set unless the directory handle is open for SEC_DIR_LIST in
          source4/torture/smb2/notify.c, source3/smbd/notify.c.
        - CVE-2020-14318
      * SECURITY UPDATE: Unprivileged user can crash winbind
        - debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
          source3/winbindd/winbindd_lookupsids.c,
          source4/torture/winbind/struct_based.c.
        - CVE-2020-14323
      * SECURITY UPDATE: DNS server crash via invalid records
        - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
          with NULL and do not crash when additional data not found in
          source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
        - CVE-2020-14383
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Oct 2020 06:52:47 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.31) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Unauthenticated domain controller compromise by
        subverting Netlogon cryptography (ZeroLogon)
        - debian/patches/zerologon-*.patch: backport upstream patches:
          + For compatibility reasons, allow specifying an insecure netlogon
            configuration per machine. See the following link for examples:
            https://www.samba.org/samba/security/CVE-2020-1472.html
          + Add additional server checks for the protocol attack in the
            client-specified challenge to provide some protection when
            'server schannel = no/auto' and avoid the false-positive results
            when running the proof-of-concept exploit.
        - CVE-2020-1472
    
     -- Marc Deslauriers <email address hidden>  Thu, 24 Sep 2020 19:25:08 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.30) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Unauthenticated domain controller compromise by
        subverting Netlogon cryptography
        - debian/patches/CVE-2020-1472-1.patch: switch "client schannel"
          default to "yes" instead of "auto".
        - debian/patches/CVE-2020-1472-2.patch: switch "server schannel"
          default to "yes" instead of "auto".
        - CVE-2020-1472
    
     -- Marc Deslauriers <email address hidden>  Wed, 16 Sep 2020 09:11:44 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.29) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Empty UDP packet DoS in Samba AD DC nbtd
        - debian/patches/CVE-2020-14303.patch: fix busy loop on empty UDP
          packet in libcli/nbt/nbtsocket.c.
        - CVE-2020-14303
    
     -- Marc Deslauriers <email address hidden>  Fri, 07 Aug 2020 13:39:56 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.28) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Parsing and packing of NBT and DNS packets can consume
        excessive CPU
        - debian/patches/CVE-2020-10745-*.patch: multiple upstream patches to
          fix the issue.
        - CVE-2020-10745
    
     -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2020 09:04:51 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.27) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: new LDAP options not recognized (LP: #1875798)
        - debian/patches/CVE-2020-10704-3.patch: move options to appropriate
          location in lib/param/loadparm.c.
        - debian/patches/CVE-2020-10704-5.patch: move option to appropriate
          location in lib/param/loadparm.c.
        - debian/patches/CVE-2020-10704-7.patch: add new options to param_table
          in lib/param/param_table.c.
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2020 07:50:47 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.26) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Stack overflow in AD DC LDAP server
        - debian/patches/CVE-2020-10704-1.patch: add ASN.1 max tree depth in
          auth/gensec/gensec_util.c, lib/util/asn1.c, lib/util/asn1.h,
          lib/util/tests/asn1_tests.c, libcli/auth/spnego_parse.c,
          libcli/cldap/cldap.c, libcli/ldap/ldap_message.c,
          source3/lib/tldap.c, source3/lib/tldap_util.c,
          source3/libsmb/clispnego.c, source4/auth/gensec/gensec_krb5.c,
          source4/ldap_server/ldap_server.c, source4/libcli/ldap/ldap_client.c,
          source4/libcli/ldap/ldap_controls.c.
        - debian/patches/CVE-2020-10704-2.patch: check parse tree depth in
          lib/util/asn1.c.
        - debian/patches/CVE-2020-10704-3.patch: add max ldap request sizes in
          docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml,
          docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml,
          lib/param/loadparm.c, source3/param/loadparm.c.
        - debian/patches/CVE-2020-10704-4.patch: limit request sizes in
          source4/ldap_server/ldap_server.c.
        - debian/patches/CVE-2020-10704-5.patch: add search size limits to
          ldap_decode in docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml,
          lib/param/loadparm.c, libcli/cldap/cldap.c,
          libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
          source3/param/loadparm.c, source4/ldap_server/ldap_server.c,
          source4/libcli/ldap/ldap_client.c.
        - debian/patches/CVE-2020-10704-6.patch: check search request lengths
          in lib/util/asn1.c, lib/util/asn1.h, libcli/ldap/ldap_message.c.
        - CVE-2020-10704
    
     -- Marc Deslauriers <email address hidden>  Wed, 22 Apr 2020 11:52:53 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.25) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Crash after failed character conversion at log level 3
        or above
        - debian/patches/CVE-2019-14907-1.patch: fix Value stored to 'reason'
          is never read warning.
        - debian/patches/CVE-2019-14907-2.patch: do not print the failed to
          convert string into the logs.
        - CVE-2019-14907
    
     -- Marc Deslauriers <email address hidden>  Fri, 17 Jan 2020 08:16:49 -0500
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.24) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Samba AD DC zone-named record Denial of Service in DNS
        management server
        - debian/patches/CVE-2019-14861-1.patch: confirm sort behaviour in
          dcesrv_DnssrvEnumRecords.
        - debian/patches/CVE-2019-14861-2.patch: remove special case for @ in
          dns_build_tree().
        - debian/patches/CVE-2019-14861-3.patch: avoid crash in ldb_qsort() via
          dcesrv_DnssrvEnumRecords.
        - debian/patches/CVE-2019-14861-4.patch: test to demonstrate the bug.
        - CVE-2019-14861
      * SECURITY UPDATE: DelegationNotAllowed not being enforced in protocol
        transition on Samba AD DC
        - debian/patches/CVE-2019-14870-1.patch: add user-sensitive command to
          set not-delegated flag.
        - debian/patches/CVE-2019-14870-2.patch: heimdal: add S4U test for
          delegation_not_allowed.
        - debian/patches/CVE-2019-14870-3.patch: heimdal: enforce
          delegation_not_allowed in S4U2Self.
        - debian/patches/CVE-2019-14870-4.patch: mit-kdc: enforce
          delegation_not_allowed flag.
        - CVE-2019-14870
    
     -- Marc Deslauriers <email address hidden>  Fri, 29 Nov 2019 11:22:44 -0500
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.23) xenial-security; urgency=medium
    
      * SECURITY UPDATE: client code can return filenames containing path
        separators
        - debian/patches/CVE-2019-10218-1.patch: protect SMB1 client code
          from evil server returned names in source3/libsmb/clilist.c,
          source3/libsmb/proto.h.
        - debian/patches/CVE-2019-10218-2.patch: Protect SMB2 client code
          from evil server returned names in source3/libsmb/cli_smb2_fnum.c.
        - CVE-2019-10218
      * SECURITY UPDATE: User with "get changes" permission can crash AD DC
        LDAP server via dirsync
        - debian/patches/CVE-2019-14847-1.patch: ensure attrs exist in
          source4/dsdb/samdb/ldb_modules/dirsync.c.
        - debian/patches/CVE-2019-14847-2.patch: demonstrate the correct
          interaction of ranged_results style attributes and dirsync in
          source4/dsdb/tests/python/dirsync.py.
        - debian/patches/CVE-2019-14847-3.patch: correct behaviour of
          ranged_results when combined with dirsync in
          source4/dsdb/samdb/ldb_modules/dirsync.c,
          source4/dsdb/samdb/ldb_modules/ranged_results.c.
        - CVE-2019-14847
    
     -- Marc Deslauriers <email address hidden>  Mon, 21 Oct 2019 08:53:51 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.21) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: panics following recent update (LP: #1827924)
        - debian/patches/bug13315.patch: do not crash if we fail to init the
          session table in source3/smbd/negprot.c.
    
     -- Marc Deslauriers <email address hidden>  Thu, 23 May 2019 08:08:58 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.20) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
        - debian/patches/CVE-2018-16860.patch: reject PA-S4U2Self with unkeyed
          checksum in source4/heimdal/kdc/krb5tgs.c.
        - CVE-2018-16860
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 May 2019 09:44:23 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.19) xenial-security; urgency=medium
    
      * SECURITY UPDATE: save registry file outside share as unprivileged user
        - debian/patches/CVE-2019-3880.patch: remove implementations of
          SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
        - CVE-2019-3880
    
     -- Marc Deslauriers <email address hidden>  Mon, 01 Apr 2019 10:09:39 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.18) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
        Internal DNS server
        - debian/patches/CVE-2018-14629.patch: add CNAME loop prevention using
          counter in source4/dns_server/dns_query.c.
        - CVE-2018-14629
      * SECURITY UPDATE: Double-free in Samba AD DC KDC with PKINIT
        - debian/patches/CVE-2018-16841.patch: fix segfault on PKINIT with
          mis-matching principal in source4/kdc/db-glue.c.
        - CVE-2018-16841
      * SECURITY UPDATE: NULL pointer de-reference in Samba AD DC LDAP server
        - debian/patches/CVE-2018-16851.patch: check ret before manipulating
          blob in source4/ldap_server/ldap_server.c.
        - CVE-2018-16851
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Nov 2018 08:43:34 -0500
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.17) xenial; urgency=medium
    
      * d/samba.nmbd.init, d/samba.samba-ad-dc.init, d/samba.smbd.init, d/winbind.init
        avoid issues due to init scripts misdetecting services (LP: #1792400)
        - use --pidfile on --start to not block on same binaries running in
          containers
        - use --exec on --stop to not cause unintended processes to be acted on,
          if the old process terminated without being able to remove the pid-file.
    
     -- Christian Ehrhardt <email address hidden>  Mon, 24 Sep 2018 12:08:45 +0200
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.16) xenial; urgency=medium
    
      * d/p/bug_1583324_include_with_macro.patch: don't fail parsing the
        config file if it has macros in include directives (LP: #1583324)
    
     -- Andreas Hasenack <email address hidden>  Thu, 02 Aug 2018 18:30:26 -0300
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.15) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient input validation on client directory
        listing in libsmbclient
        - debian/patches/CVE-2018-10858-*.patch: don't overwrite passed in
          buffer in source3/libsmb/libsmb_path.c, add checks to
          source3/libsmb/libsmb_dir.c, source3/libsmb/libsmb_path.c.
        - CVE-2018-10858
      * SECURITY UPDATE: Confidential attribute disclosure AD LDAP server
        - debian/patches/CVE-2018-10919-*.patch: fix access checks.
        - CVE-2018-10919
    
     -- Marc Deslauriers <email address hidden>  Mon, 06 Aug 2018 07:40:17 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.13) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service Attack on external print server
        - debian/patches/CVE-2018-1050.patch: protect against null pointer
          derefs in source3/rpc_server/spoolss/srv_spoolss_nt.c.
        - CVE-2018-1050
      * SECURITY UPDATE: Authenticated users can change other users password
        - debian/patches/CVE-2018-1057-*.patch: fix password changing logic.
        - CVE-2018-1057
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Mar 2018 16:49:12 +0100
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.12) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Use-after-free vulnerability
        - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
          source3/smbd/process.c, source3/smbd/reply.c.
        - CVE-2017-14746
      * SECURITY UPDATE: Server heap memory information leak
        - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
          source3/smbd/srvstr.c.
        - CVE-2017-15275
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:40:44 -0500
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.11) xenial-security; urgency=medium
    
      * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
        they should
        - debian/patches/CVE-2017-12150-1.patch: add SMB_SIGNING_REQUIRED to
          source3/lib/util_cmdline.c.
        - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
          source3/libsmb/pylibsmb.c.
        - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
          libgpo/gpo_fetch.c.
        - debian/patches/CVE-2017-12150-4.patch: add check for
          NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
        - debian/patches/CVE-2017-12150-5.patch: add
          smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
        - debian/patches/CVE-2017-12150-6.patch: only fallback to anonymous if
          authentication was not requested in source3/libsmb/clidfs.c.
        - CVE-2017-12150
      * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
        redirects
        - debian/patches/CVE-2017-12151-1.patch: add
          cli_state_is_encryption_on() helper function to
          source3/libsmb/clientgen.c, source3/libsmb/proto.h.
        - debian/patches/CVE-2017-12151-2.patch: make use of
          cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
          source3/libsmb/libsmb_context.c.
        - CVE-2017-12151
      * SECURITY UPDATE: Server memory information leak over SMB1
        - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
          from writing server memory to file in source3/smbd/reply.c.
        - CVE-2017-12163
    
     -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 08:02:02 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.10) xenial; urgency=medium
    
      * d/p/bug_1702529_EACCESS_with_rootshare.patch:
        Handle corner case for / shares. (LP: #1702529)
    
     -- Dariusz Gadomski <email address hidden>  Wed, 23 Aug 2017 11:43:46 +0200
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.9) xenial-security; urgency=medium
    
      * SECURITY UPDATE: KDC-REP service name impersonation
        - debian/patches/CVE-2017-11103.patch: use encrypted service
          name rather than unencrypted (and therefore spoofable) version
          in heimdal
        - CVE-2017-11103
    
     -- Steve Beattie <email address hidden>  Thu, 13 Jul 2017 14:03:40 -0700
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.8) xenial-security; urgency=medium
    
      [ Andreas Hasenack ]
      * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
        regression which breaks symlinks to directories on certain systems
        (LP: #1701073)
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: DoS via bad symlink resolution
        - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
          in source3/smbd/open.c.
        - CVE-2017-9461
    
     -- Marc Deslauriers <email address hidden>  Tue, 04 Jul 2017 07:56:30 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: remote code execution from a writable share
        - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
          slash inside in source3/rpc_server/srv_pipe.c.
        - CVE-2017-7494
    
     -- Marc Deslauriers <email address hidden>  Fri, 19 May 2017 14:18:13 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
        - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
          bug #12721.
      * Add missing prerequisite for previous update
        - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent
          files and wildcards in source3/modules/vfs_shadow_copy2.c.
    
     -- Marc Deslauriers <email address hidden>  Tue, 28 Mar 2017 08:31:57 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Symlink race allows access outside share definition
        - debian/patches/CVE-2017-2619/*.patch: backport security fix and
          prerequisite patches from upstream.
        - CVE-2017-2619
    
     -- Marc Deslauriers <email address hidden>  Mon, 20 Mar 2017 10:50:12 -0400
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
        - debian/patches/CVE-2016-2123.patch: check lengths in
          librpc/ndr/ndr_dnsp.c.
        - CVE-2016-2123
      * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
        - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
          source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
          source4/auth/gensec/gensec_gssapi.c.
        - CVE-2016-2125
      * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
        - debian/patches/CVE-2016-2126.patch: only allow known checksum types
          in auth/kerberos/kerberos_pac.c.
        - CVE-2016-2126
      * This package does _not_ contain the changes from
        2:4.3.11+dfsg-0ubuntu0.16.04.2 in xenial-proposed.
    
     -- Marc Deslauriers <email address hidden>  Mon, 12 Dec 2016 08:37:28 -0500
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.2) xenial; urgency=high
    
      * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
       to be statically linked fixes LP: #1584485.
    
      * d/rules: Compile winbindd/winbindd statically.
    
     -- Jorge Niedbalski <email address hidden>  Wed, 09 Nov 2016 15:25:33 +0100
  • samba (2:4.3.11+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: client-signing protection mechanism bypass
        - Updated to upstream 4.3.11
        - CVE-2016-2119
      * Removed patches included in new version
        - debian/patches/samba-bug11912.patch
        - debian/patches/samba-bug11914.patch
    
     -- Marc Deslauriers <email address hidden>  Fri, 23 Sep 2016 14:00:16 -0400
  • samba (2:4.3.9+dfsg-0ubuntu0.16.04.3) xenial; urgency=medium
    
      * debian/patches/git_smbclient_cpu.patch:
        - backport upstream patch to fix smbclient users hanging/eating cpu on
          trying to contact a machine which is not there (lp: #1572260)
    
     -- Sebastien Bacher <email address hidden>  Thu, 11 Aug 2016 10:39:10 +0200
  • samba (2:4.3.9+dfsg-0ubuntu0.16.04.2) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
        - debian/patches/samba-bug11912.patch: let msrpc_parse() return
          talloc'ed empty strings in libcli/auth/msrpc_parse.c.
        - debian/patches/samba-bug11914.patch: make
          ntlm_auth_generate_session_info() more complete in
          source3/utils/ntlm_auth.c.
    
     -- Marc Deslauriers <email address hidden>  Fri, 20 May 2016 07:31:37 -0400
  • samba (2:4.3.9+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
        the previous security updates. (LP: #1577739)
        - debian/control: bump tevent Build-Depends to 0.9.28.
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 07:48:23 -0400
  • samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium
    
      * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
        - CVE-2015-5370: Multiple errors in DCE-RPC code
        - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
        - CVE-2016-2111: NETLOGON Spoofing Vulnerability
        - CVE-2016-2112: The LDAP client and server don't enforce integrity
          protection
        - CVE-2016-2113: Missing TLS certificate validation allows man in the
          middle attacks
        - CVE-2016-2114: "server signing = mandatory" not enforced
        - CVE-2016-2115: SMB client connections for IPC traffic are not
          integrity protected
        - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
      * debian/patches/winbind_trusted_domains.patch: make sure domain members
        can talk to trusted domains DCs.
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Apr 2016 07:26:29 -0400
  • samba (2:4.3.6+dfsg-1ubuntu1) xenial; urgency=medium
    
      * Merge with Debian; remaining changes:
        + debian/VERSION.patch: Update vendor string to "Ubuntu".
        + debian/smb.conf;
          - Add "(Samba, Ubuntu)" to server string.
          - Comment out the default [homes] share, and add a comment about "valid users = %s"
             to show users how to restrict access to \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
        + debian/control:
          - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
        + Add ufw integration:
          - Created debian/samba.ufw.profile:
          - debian/rules, debian/samba.install: install profile
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debia/samb-common-bin.install: install hook.
        + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
    
    samba (2:4.3.6+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
       + Fixes:
        - CVE-2015-7560: Incorrect ACL get/set allowed on symlink path.
        - CVE-2016-0771: Out-of-bounds read in internal DNS server.
    
    samba (2:4.3.5+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
      * Fixed usershare.patch to apply against new version.
      * Loosen dependencies on ldb to ldb >= 1.1.21, per upstream.
      * Drop patch sockets-with-htons.patch: applied upstream.
      * Bump standards version to 3.9.7 (no changes).
    
    samba (2:4.3.3+dfsg-2) unstable; urgency=medium
    
      [ Jelmer Vernooij ]
      * Add dependency on libtevent-dev in samba-dev.
    
      [ Mathieu Parent ]
      * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)
    
     -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2016 08:49:12 -0500
  • samba (2:4.3.3+dfsg-1ubuntu3) xenial; urgency=medium
    
      * No-change rebuild for gnutls transition.
    
     -- Matthias Klose <email address hidden>  Wed, 17 Feb 2016 22:41:43 +0000
  • samba (2:4.3.3+dfsg-1ubuntu2) xenial; urgency=medium
    
      * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
        (LP: #1545750)
    
     -- Dariusz Gadomski <email address hidden>  Mon, 15 Feb 2016 16:05:12 +0100
  • samba (2:4.3.3+dfsg-1ubuntu1) xenial; urgency=medium
    
      * Merge with Debian; remaining changes:
        + debian/VERSION.patch: Update vendor string to "Ubuntu".
        + debian/smb.conf;
          - Add "(Samba, Ubuntu)" to server string.
          - Comment out the default [homes] share, and add a comment about "valid users = %s"
             to show users how to restrict access to \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
        + debian/control:
          - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
        + Add ufw integration:
          - Created debian/samba.ufw.profile:
          - debian/rules, debian/samba.install: install profile
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debia/samb-common-bin.install: install hook.
        + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
    
    samba (2:4.3.3+dfsg-1) unstable; urgency=medium
    
      * New upstream release. Closes: #808133.
       + Drop subunit dependency, no longer used.
       + Drop ntdb dependencies, no longer used.
       + Fixes:
        - CVE-2015-5252: Insufficient symlink verification in smbd
        - CVE-2015-5296: Samba client requesting encryption vulnerable
                         to downgrade attack
        - CVE-2015-5299: Missing access control check in shadow copy code
        - CVE-2015-7540: Remote DoS in Samba (AD) LDAP server
        - CVE-2015-8467: Denial of service attack against Windows Active Directory
                         server
        - CVE-2015-3223: Denial of service in Samba Active Directory server
        - CVE-2015-5330: Remote memory read in Samba LDAP server
      * Remove libpam-smbpasswd, which is broken and slated for removal
        upstream. Closes: #799840
      * Remove lib/zlib/contrib/dotzlib/DotZLib.chm from excluded files in
        copyright; no longer shipped upstream.
      * Remove wins2dns.awk example script.
      * Remove the samba-doc package, and move examples files from it to
        relevant other packages. Closes: #769385
      * Move samba-dsdb-modules back from Depends to Recommends, as using
        Samba as a standalone server doesn't require the dsdb modules.
    
    samba (2:4.3.0+dfsg-2) experimental; urgency=medium
    
      * Re-enable cluster support.
       + Build samba-cluster-support as built-in library, since its dependencies
         are broken.
    
    samba (2:4.3.0+dfsg-1) experimental; urgency=medium
    
      * Fix watch file.
      * New upstream release.
      * Drop no_wrapper patch: applied upstream.
      * Drop patch ctdb_sockpath.patch: applied upstream.
      * Drop Fix-CTDB-build-with-PMDA patch: applied upstream.
    
    samba (2:4.2.1+dfsg-1) experimental; urgency=medium
    
      [ Jelmer Vernooij ]
      * New upstream release.
       + Drop patch do-not-install-smbclient4-and-nmbclient4: applied upstream.
       + Drop patch
         bug_598313_upstream_7499-nss_wins-dont-clobber-daemons-logs.patch:
         present upstream.
       + Refresh patch 26_heimdal_compat.26_heimdal_compat.
       + Add build-dependency on libarchive-dev.
      * Drop samba_bug_11077_torturetest.patch: applied upstream.
      * Drop dependency on ctdb - now bundled with Samba.
      * Use bundled Heimdal as the system Heimdal doesn't contain the
        changes required for Samba.
      * Add patch heimdal-rfc3454.txt: patch in truncated rfc3454.txt for
        building bundled heimdal.
      * Drop patches 25_heimdal_api_changes and 26_heimdal_compat.
      * Disable cluster support; it breaks the build.
      * Add patch no_wrapper: avoid dependencies on
        {nss,uid,socket}_wrapper.
      * Move some libraries around.
      * Move ownership of var/lib/samba and var/lib/samba/private to samba-
        common, remove obsolete samba4.dirs. Closes: #793866
      * Remove ctdb-tests and ctdb-pcp-pmda packages as they contain problems
        and unclear what they are useful for, now ctdb no longer provides
        an external API.
    
      [ Mathieu Parent ]
      * Merge ctdb source package
        - initial merge
        - libctdb-dev has been dropped
        - ctdb-dbg renamed to ctdb-tests, debug files moved to samba-dbg
        - ctdb-tests depends on python
      * Fix CTDB socketpath parsing
      * Fix CTDB build with PMDA
      * ctdb: Fix privacy breach on google.com (from documentation)
    
     -- Marc Deslauriers <email address hidden>  Wed, 06 Jan 2016 07:41:39 -0500
  • samba (2:4.1.20+dfsg-1ubuntu5) xenial; urgency=medium
    
      * Resolve small merge error in the rules
    
     -- Sebastien Bacher <email address hidden>  Wed, 16 Dec 2015 12:02:12 +0100
  • samba (2:4.1.20+dfsg-1ubuntu4) xenial; urgency=medium
    
      * Backport Debian change to remove libpam-smbpasswd, it segfaults
        leading to non working session (lp: #1515207)
    
     -- Sebastien Bacher <email address hidden>  Wed, 16 Dec 2015 11:47:44 +0100
  • samba (2:4.1.20+dfsg-1ubuntu3) xenial; urgency=medium
    
      * Build with the new ldb
    
     -- Sebastien Bacher <email address hidden>  Wed, 18 Nov 2015 11:45:32 +0100
  • samba (2:4.1.20+dfsg-1ubuntu2) xenial; urgency=medium
    
      * debian/samba.logrotate:
        - revert to Debian version of the logrotate reload command, fix an
          invalid syntax introduced in the upstart->systemd transition
          (lp: #1385868)
    
     -- Sebastien Bacher <email address hidden>  Tue, 10 Nov 2015 19:01:06 +0100
  • samba (2:4.1.20+dfsg-1ubuntu1) xenial; urgency=medium
    
      * Merge with Debian; remaining changes:
        + debian/VERSION.patch: Update vendor string to "Ubuntu".
        + debian/smb.conf;
          - Add "(Samba, Ubuntu)" to server string.
          - Comment out the default [homes] share, and add a comment about "valid users = %s"
             to show users how to restrict access to \\server\username to only username.
        + debian/samba-common.config:
          - Do not change priority to high if dhclient3 is installed.
        + debian/control:
          - Don't build against or suggest ctdb and tdb.
          - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
        + debian/rules:
          - Drop explicit configuration options for ctdb and tdb.
        + Add ufw integration:
          - Created debian/samba.ufw.profile:
          - debian/rules, debian/samba.install: install profile
        + Add apport hook:
          - Created debian/source_samba.py.
          - debian/rules, debia/samb-common-bin.install: install hook.
        + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
          processes such that it works under both upstart and systemd.
        + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
        + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
          pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
    
    samba (2:4.1.20+dfsg-1) unstable; urgency=medium
    
      * New upstream release (last compatible with current OpenChange).
      * samba_bug_11077_torturetest.patch: refresh.
    
    samba (2:4.1.17+dfsg-5) unstable; urgency=medium
    
      * Rebuild against new ldb. Closes: #799569
    
     -- Matthias Klose <email address hidden>  Sat, 24 Oct 2015 14:57:47 +0200
  • samba (2:4.1.17+dfsg-4ubuntu2) wily; urgency=medium
    
      * debian/control:
        - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
    
     -- Robert Ancell <email address hidden>  Tue, 11 Aug 2015 11:34:50 +1200