Please merge with Debian unstable 2:4.5.4+dfsg-1

Bug #1659707 reported by Nish Aravamudan
Affects: samba (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Nish Aravamudan

Bug Description

samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #, LP: #). Remaining changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf:
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debian/samba-common-bin.install: install hook.
    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
    + debian/patches/winbind_trusted_domains.patch: make sure domain members
      can talk to trusted domains DCs.
      [ update patch based upon upstream discussion ]
    + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
      to be statically linked fixes LP #1584485.
    + d/rules: Compile winbindd/winbindd statically.
  * Drop:
    - Delete debian/.gitignore
    [ Previously undocumented ]
    - debian/patches/git_smbclient_cpu.patch:
      + backport upstream patch to fix smbclient users hanging/eating cpu on
        trying to contact a machine which is not there (lp #1572260)
    [ Fixed upstream ]
    - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
      + debian/patches/CVE-2016-2123.patch: check lengths in
        librpc/ndr/ndr_dnsp.c.
      + CVE-2016-2123
    [ Fixed in Debian ]
    - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
      + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
        source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
        source4/auth/gensec/gensec_gssapi.c.
      + CVE-2016-2125
    [ Fixed in Debian ]
    - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
      + debian/patches/CVE-2016-2126.patch: only allow known checksum types
        in auth/kerberos/kerberos_pac.c.
      + CVE-2016-2126
    [ Fixed in Debian ]

 -- Nishanth Aravamudan <email address hidden> Thu, 26 Jan 2017 17:20:15 -0800

Nish Aravamudan (nacc)
Changed in samba (Ubuntu):
importance: Undecided → High
assignee: nobody → Nish Aravamudan (nacc)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.4+dfsg-1ubuntu1

---------------
samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1659707, LP: #1639962). Remaining
    changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf:
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debian/samba-common-bin.install: install hook.
    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
    + debian/patches/winbind_trusted_domains.patch: make sure domain members
      can talk to trusted domains DCs.
      [ update patch based upon upstream discussion ]
    + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
      to be statically linked fixes LP #1584485.
    + d/rules: Compile winbindd/winbindd statically.
  * Drop:
    - Delete debian/.gitignore
    [ Previously undocumented ]
    - debian/patches/git_smbclient_cpu.patch:
      + backport upstream patch to fix smbclient users hanging/eating cpu on
        trying to contact a machine which is not there (lp #1572260)
    [ Fixed upstream ]
    - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
      + debian/patches/CVE-2016-2123.patch: check lengths in
        librpc/ndr/ndr_dnsp.c.
      + CVE-2016-2123
    [ Fixed in Debian ]
    - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
      + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
        source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
        source4/auth/gensec/gensec_gssapi.c.
      + CVE-2016-2125
    [ Fixed in Debian ]
    - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
      + debian/patches/CVE-2016-2126.patch: only allow known checksum types
        in auth/kerberos/kerberos_pac.c.
      + CVE-2016-2126
    [ Fixed in Debian ]

 -- Nishanth Aravamudan <email address hidden> Thu, 26 Jan 2017 17:20:15 -0800

Changed in samba (Ubuntu):
status: In Progress → Fix Released