Change log for samba package in Ubuntu

Published in bionic-release on 2017-12-07
Deleted in bionic-proposed (Reason: moved to release)
samba (2:4.7.3+dfsg-1ubuntu1) bionic; urgency=medium

  * Merge with Debian; remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - d/source_samba.py: use the new recommended findmnt(8) tool to list
      mountpoints and correctly filter by the cifs filesystem type.

Published in trusty-updates on 2017-11-21
Published in trusty-security on 2017-11-21
samba (2:4.3.11+dfsg-0ubuntu0.14.04.13) trusty-security; urgency=medium

  * SECURITY UPDATE: Use-after-free vulnerability
    - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
      source3/smbd/process.c, source3/smbd/reply.c.
    - CVE-2017-14746
  * SECURITY UPDATE: Server heap memory information leak
    - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
      source3/smbd/srvstr.c.
    - CVE-2017-15275

 -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:41:27 -0500
Published in zesty-updates on 2017-11-21
Published in zesty-security on 2017-11-21
samba (2:4.5.8+dfsg-0ubuntu0.17.04.8) zesty-security; urgency=medium

  * SECURITY UPDATE: Use-after-free vulnerability
    - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
      source3/smbd/process.c, source3/smbd/reply.c.
    - CVE-2017-14746
  * SECURITY UPDATE: Server heap memory information leak
    - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
      source3/smbd/srvstr.c.
    - CVE-2017-15275

 -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:39:57 -0500
Published in xenial-updates on 2017-11-21
Published in xenial-security on 2017-11-21
samba (2:4.3.11+dfsg-0ubuntu0.16.04.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Use-after-free vulnerability
    - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
      source3/smbd/process.c, source3/smbd/reply.c.
    - CVE-2017-14746
  * SECURITY UPDATE: Server heap memory information leak
    - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
      source3/smbd/srvstr.c.
    - CVE-2017-15275

 -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:40:44 -0500
Published in artful-updates on 2017-11-21
Published in artful-security on 2017-11-21
samba (2:4.6.7+dfsg-1ubuntu3.1) artful-security; urgency=medium

  * SECURITY UPDATE: Use-after-free vulnerability
    - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
      source3/smbd/process.c, source3/smbd/reply.c.
    - CVE-2017-14746
  * SECURITY UPDATE: Server heap memory information leak
    - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
      source3/smbd/srvstr.c.
    - CVE-2017-15275

 -- Marc Deslauriers <email address hidden>  Wed, 15 Nov 2017 15:36:05 -0500
Superseded in bionic-release on 2017-12-07
Deleted in bionic-proposed on 2017-12-08 (Reason: moved to release)
samba (2:4.7.1+dfsg-1ubuntu1) bionic; urgency=medium

  * Merge with Debian; remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - d/source_samba.py: use the new recommended findmnt(8) tool to list
      mountpoints and correctly filter by the cifs filesystem type.

Superseded in bionic-release on 2017-11-22
Published in artful-release on 2017-09-21
Deleted in artful-proposed (Reason: moved to release)
samba (2:4.6.7+dfsg-1ubuntu3) artful; urgency=medium

  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
    they should
    - debian/patches/CVE-2017-12150-1.patch: don't turn a guessed username
      into a specified one in source3/include/auth_info.h,
      source3/lib/popt_common.c, source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
      source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
      source3/libsmb/pylibsmb.c.
    - debian/patches/CVE-2017-12150-4.patch: add SMB_SIGNING_REQUIRED to
      libgpo/gpo_fetch.c.
    - debian/patches/CVE-2017-12150-5.patch: add check for
      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
    - debian/patches/CVE-2017-12150-6.patch: add
      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
    - debian/patches/CVE-2017-12150-7.patch: only fall back to anonymous if
      authentication was not requested in source3/libsmb/clidfs.c.
    - CVE-2017-12150
  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
    redirects
    - debian/patches/CVE-2017-12151-1.patch: add
      cli_state_is_encryption_on() helper function to
      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
    - debian/patches/CVE-2017-12151-2.patch: make use of
      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
      source3/libsmb/libsmb_context.c.
    - CVE-2017-12151
  * SECURITY UPDATE: Server memory information leak over SMB1
    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
      from writing server memory to file in source3/smbd/reply.c.
    - CVE-2017-12163

 -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 08:10:03 -0400
Superseded in xenial-updates on 2017-11-21
Superseded in xenial-security on 2017-11-21
samba (2:4.3.11+dfsg-0ubuntu0.16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
    they should
    - debian/patches/CVE-2017-12150-1.patch: add SMB_SIGNING_REQUIRED to
      source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
      source3/libsmb/pylibsmb.c.
    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
      libgpo/gpo_fetch.c.
    - debian/patches/CVE-2017-12150-4.patch: add check for
      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
    - debian/patches/CVE-2017-12150-5.patch: add
      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
    - debian/patches/CVE-2017-12150-6.patch: only fall back to anonymous if
      authentication was not requested in source3/libsmb/clidfs.c.
    - CVE-2017-12150
  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
    redirects
    - debian/patches/CVE-2017-12151-1.patch: add
      cli_state_is_encryption_on() helper function to
      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
    - debian/patches/CVE-2017-12151-2.patch: make use of
      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
      source3/libsmb/libsmb_context.c.
    - CVE-2017-12151
  * SECURITY UPDATE: Server memory information leak over SMB1
    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
      from writing server memory to file in source3/smbd/reply.c.
    - CVE-2017-12163

 -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 08:02:02 -0400
Superseded in trusty-updates on 2017-11-21
Superseded in trusty-security on 2017-11-21
samba (2:4.3.11+dfsg-0ubuntu0.14.04.12) trusty-security; urgency=medium

  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
    they should
    - debian/patches/CVE-2017-12150-1.patch: add SMB_SIGNING_REQUIRED to
      source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
      source3/libsmb/pylibsmb.c.
    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
      libgpo/gpo_fetch.c.
    - debian/patches/CVE-2017-12150-4.patch: add check for
      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
    - debian/patches/CVE-2017-12150-5.patch: add
      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
    - debian/patches/CVE-2017-12150-6.patch: only fall back to anonymous if
      authentication was not requested in source3/libsmb/clidfs.c.
    - CVE-2017-12150
  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
    redirects
    - debian/patches/CVE-2017-12151-1.patch: add
      cli_state_is_encryption_on() helper function to
      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
    - debian/patches/CVE-2017-12151-2.patch: make use of
      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
      source3/libsmb/libsmb_context.c.
    - CVE-2017-12151
  * SECURITY UPDATE: Server memory information leak over SMB1
    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
      from writing server memory to file in source3/smbd/reply.c.
    - CVE-2017-12163

 -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 08:05:11 -0400
Superseded in zesty-updates on 2017-11-21
Superseded in zesty-security on 2017-11-21
samba (2:4.5.8+dfsg-0ubuntu0.17.04.7) zesty-security; urgency=medium

  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
    they should
    - debian/patches/CVE-2017-12150-1.patch: add SMB_SIGNING_REQUIRED to
      source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
      source3/libsmb/pylibsmb.c.
    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
      libgpo/gpo_fetch.c.
    - debian/patches/CVE-2017-12150-4.patch: add check for
      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
    - debian/patches/CVE-2017-12150-5.patch: add
      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
    - debian/patches/CVE-2017-12150-6.patch: only fall back to anonymous if
      authentication was not requested in source3/libsmb/clidfs.c.
    - CVE-2017-12150
  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
    redirects
    - debian/patches/CVE-2017-12151-1.patch: add
      cli_state_is_encryption_on() helper function to
      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
    - debian/patches/CVE-2017-12151-2.patch: make use of
      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
      source3/libsmb/libsmb_context.c.
    - CVE-2017-12151
  * SECURITY UPDATE: Server memory information leak over SMB1
    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
      from writing server memory to file in source3/smbd/reply.c.
    - CVE-2017-12163

 -- Marc Deslauriers <email address hidden>  Thu, 21 Sep 2017 07:52:29 -0400
Superseded in artful-release on 2017-09-21
Deleted in artful-proposed on 2017-09-22 (Reason: moved to release)
samba (2:4.6.7+dfsg-1ubuntu2) artful; urgency=medium

  * d/source_samba.py: use the new recommended findmnt(8) tool to list
    mountpoints and correctly filter by the cifs filesystem type.
    (LP: #1703604)

 -- Andreas Hasenack <email address hidden>  Fri, 01 Sep 2017 09:47:58 -0300
Superseded in trusty-updates on 2017-09-21
Deleted in trusty-proposed on 2017-09-23 (Reason: moved to -updates)
samba (2:4.3.11+dfsg-0ubuntu0.14.04.11) trusty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden>  Wed, 23 Aug 2017 11:36:59 +0200
Superseded in xenial-updates on 2017-09-21
Deleted in xenial-proposed on 2017-09-23 (Reason: moved to -updates)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.10) xenial; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden>  Wed, 23 Aug 2017 11:43:46 +0200
Superseded in zesty-updates on 2017-09-21
Deleted in zesty-proposed on 2017-09-23 (Reason: moved to -updates)
samba (2:4.5.8+dfsg-0ubuntu0.17.04.6) zesty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden>  Wed, 23 Aug 2017 11:50:15 +0200
Superseded in artful-release on 2017-09-07
Deleted in artful-proposed on 2017-09-08 (Reason: moved to release)
samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1710281).
    - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
      symlinks to directories (LP: #1701073)
  * Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247

 -- Andreas Hasenack <email address hidden>  Mon, 21 Aug 2017 17:27:08 -0300
Superseded in artful-release on 2017-08-22
Deleted in artful-proposed on 2017-08-24 (Reason: moved to release)
samba (2:4.6.5+dfsg-8ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1700644). Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
  * Drop:
    - d/rules: Compile winbindd/winbindd statically. (LP: #1700527)
      [This hunk was missed in 2:4.5.8+dfsg-2ubuntu2 when patch
      fix-1584485.patch was dropped there.]
    - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure
      [Replaced by d/p/s3-gse_krb5-fix-a-possible-crash-in-fill_mem_keytab.patch
      in 2:4.6.5+dfsg-3 that closed Debian's bug #739768]
    - debian/patches/winbind_trusted_domains.patch: make sure domain
      members can talk to trusted domains DCs.
      [Upstream committed a different fix, see updated patch attached to
      https://bugzilla.samba.org/show_bug.cgi?id=11830]
    - d/control: add libcephfs-dev as b-d to build vfs_ceph
      [Adopted by Debian in 2:4.6.5+dfsg-1]
    - debian/patches/CVE-2017-11103.patch: use encrypted service
      name rather than unencrypted (and therefore spoofable) version
      in heimdal
      [Adopted by Debian as
      d/p/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch]
    - Cherrypick upstream patch to fix FTBFS with new ceph lib.
      [Merged upstream in 4.6.0rc1]
  * Disable glusterfs support because it's not in main.
    MIR bug is https://launchpad.net/bugs/1274247

 -- Andreas Hasenack <email address hidden>  Thu, 10 Aug 2017 22:20:22 -0300
Superseded in artful-release on 2017-08-17
Deleted in artful-proposed on 2017-08-18 (Reason: moved to release)
samba (2:4.5.8+dfsg-2ubuntu5) artful; urgency=medium

  * Cherrypick upstream patch to fix FTBFS with new ceph lib.

Superseded in zesty-updates on 2017-08-31
Deleted in zesty-proposed on 2017-09-02 (Reason: moved to -updates)
samba (2:4.5.8+dfsg-0ubuntu0.17.04.5) zesty; urgency=medium

  * Remove the fix for LP #1584485 as it builds a broken pam_winbind
    module. There is a revised version of that patch attached to
    #1584485 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)
    - d/p/fix-1584485.patch: drop
    - d/rules: remove winbind static build option

 -- Andreas Hasenack <email address hidden>  Thu, 13 Jul 2017 14:44:16 -0300
Superseded in artful-proposed on 2017-07-26
samba (2:4.5.8+dfsg-2ubuntu4) artful; urgency=medium

  * SECURITY UPDATE: KDC-REP service name impersonation
    - debian/patches/CVE-2017-11103.patch: use encrypted service
      name rather than unencrypted (and therefore spoofable) version
      in heimdal
    - CVE-2017-11103

 -- Steve Beattie <email address hidden>  Mon, 17 Jul 2017 16:22:28 -0700
Superseded in xenial-updates on 2017-08-31
Superseded in xenial-security on 2017-09-21
samba (2:4.3.11+dfsg-0ubuntu0.16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: KDC-REP service name impersonation
    - debian/patches/CVE-2017-11103.patch: use encrypted service
      name rather than unencrypted (and therefore spoofable) version
      in heimdal
    - CVE-2017-11103

 -- Steve Beattie <email address hidden>  Thu, 13 Jul 2017 14:03:40 -0700
Superseded in trusty-updates on 2017-08-31
Superseded in trusty-security on 2017-09-21
samba (2:4.3.11+dfsg-0ubuntu0.14.04.10) trusty-security; urgency=medium

  * SECURITY UPDATE: KDC-REP service name impersonation
    - debian/patches/CVE-2017-11103.patch: use encrypted service
      name rather than unencrypted (and therefore spoofable) version
      in heimdal
    - CVE-2017-11103

 -- Steve Beattie <email address hidden>  Thu, 13 Jul 2017 14:06:03 -0700
Published in yakkety-updates on 2017-07-14
Published in yakkety-security on 2017-07-14
samba (2:4.4.5+dfsg-2ubuntu5.8) yakkety-security; urgency=medium

  * SECURITY UPDATE: KDC-REP service name impersonation
    - debian/patches/CVE-2017-11103: use encrypted service name rather
      than unencrypted (and therefore spoofable) version in heimdal
    - CVE-2017-11103

 -- Steve Beattie <email address hidden>  Thu, 13 Jul 2017 13:27:39 -0700
Superseded in zesty-updates on 2017-08-14
Superseded in zesty-security on 2017-09-21
samba (2:4.5.8+dfsg-0ubuntu0.17.04.4) zesty-security; urgency=medium

  * SECURITY UPDATE: KDC-REP service name impersonation
    - debian/patches/CVE-2017-11103: use encrypted service name rather
      than unencrypted (and therefore spoofable) version in heimdal
    - CVE-2017-11103

 -- Steve Beattie <email address hidden>  Thu, 13 Jul 2017 13:21:50 -0700
Superseded in xenial-updates on 2017-07-14
Superseded in xenial-security on 2017-07-14
samba (2:4.3.11+dfsg-0ubuntu0.16.04.8) xenial-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jul 2017 07:56:30 -0400
Superseded in trusty-updates on 2017-07-14
Superseded in trusty-security on 2017-07-14
samba (2:4.3.11+dfsg-0ubuntu0.14.04.9) trusty-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jul 2017 08:01:55 -0400
Superseded in yakkety-updates on 2017-07-14
Superseded in yakkety-security on 2017-07-14
samba (2:4.4.5+dfsg-2ubuntu5.7) yakkety-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden>  Fri, 30 Jun 2017 17:02:20 -0300
Superseded in zesty-updates on 2017-07-14
Superseded in zesty-security on 2017-07-14
samba (2:4.5.8+dfsg-0ubuntu0.17.04.3) zesty-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden>  Fri, 30 Jun 2017 17:02:20 -0300
Superseded in artful-release on 2017-07-26
Deleted in artful-proposed on 2017-07-28 (Reason: moved to release)
samba (2:4.5.8+dfsg-2ubuntu3) artful; urgency=medium

  * No-change rebuild against libldb 1.1.29

 -- Steve Langasek <email address hidden>  Sun, 25 Jun 2017 16:09:33 -0700
Superseded in artful-release on 2017-06-26
Deleted in artful-proposed on 2017-06-27 (Reason: moved to release)
samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium

  * Add extra DEP8 tests to samba (LP: #1696823):
    - d/t/control: enable the new DEP8 tests
    - d/t/smbclient-anonymous-share-list: list available shares anonymously
    - d/t/smbclient-authenticated-share-list: list available shares using
      an authenticated connection
    - d/t/smbclient-share-access: create a share and download a file from it
    - d/t/cifs-share-access: access a file in a share using cifs
  * Ask the user if we can run testparm against the config file. If yes,
    include its stderr and exit status in the bug report. Otherwise, only
    include the exit status. (LP: #1694334)
  * If systemctl is available, use it to query the status of the smbd
    service before trying to reload it. Otherwise, keep the same check
    as before and reload the service based on the existence of the
    initscript. (LP: #1579597)
  * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
    module. There is a fixed version of that patch attached to
    #1677329 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)

 -- Andreas Hasenack <email address hidden>  Mon, 19 Jun 2017 10:49:29 -0700
Superseded in artful-release on 2017-06-20
Deleted in artful-proposed on 2017-06-21 (Reason: moved to release)
samba (2:4.5.8+dfsg-2ubuntu1) artful; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure
    - debian/patches/winbind_trusted_domains.patch: make sure domain
      members can talk to trusted domains DCs.
    - d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
      to be statically linked
    - d/rules: Compile winbindd/winbindd statically.
    - d/control: add libcephfs-dev as b-d to build vfs_ceph

Superseded in artful-release on 2017-06-19
Deleted in artful-proposed on 2017-06-21 (Reason: moved to release)
samba (2:4.5.8+dfsg-0ubuntu1) artful; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

 -- Marc Deslauriers <email address hidden>  Wed, 24 May 2017 07:39:13 -0400
Superseded in trusty-updates on 2017-07-05
Superseded in trusty-security on 2017-07-05
samba (2:4.3.11+dfsg-0ubuntu0.14.04.8) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

 -- Marc Deslauriers <email address hidden>  Fri, 19 May 2017 14:18:37 -0400
Superseded in xenial-updates on 2017-07-05
Superseded in xenial-security on 2017-07-05
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

 -- Marc Deslauriers <email address hidden>  Fri, 19 May 2017 14:18:13 -0400
Superseded in yakkety-updates on 2017-07-05
Superseded in yakkety-security on 2017-07-05
samba (2:4.4.5+dfsg-2ubuntu5.6) yakkety-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

 -- Marc Deslauriers <email address hidden>  Fri, 19 May 2017 14:17:51 -0400
Superseded in zesty-updates on 2017-07-05
Superseded in zesty-security on 2017-07-05
samba (2:4.5.8+dfsg-0ubuntu0.17.04.2) zesty-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

 -- Marc Deslauriers <email address hidden>  Fri, 19 May 2017 14:16:09 -0400
Superseded in artful-release on 2017-05-25
Superseded in zesty-updates on 2017-05-24
Deleted in artful-proposed on 2017-05-26 (Reason: moved to release)
Superseded in zesty-security on 2017-05-24
samba (2:4.5.8+dfsg-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - Updated to new upstream release 4.5.8.
    - CVE-2017-2619

 -- Marc Deslauriers <email address hidden>  Fri, 21 Apr 2017 07:33:25 -0400
Superseded in trusty-updates on 2017-05-24
Superseded in trusty-security on 2017-05-24
samba (2:4.3.11+dfsg-0ubuntu0.14.04.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Mar 2017 09:28:06 -0400
Published in precise-updates on 2017-03-30
Published in precise-security on 2017-03-30
samba (2:3.6.25-0ubuntu0.12.04.10) precise-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/bug12721-*.patch: add backported fixes from Samba bug
      #12721.
  * debian/patches/*: fix CVE number in patch filenames.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Mar 2017 09:43:30 -0400
Superseded in yakkety-updates on 2017-05-24
Superseded in yakkety-security on 2017-05-24
samba (2:4.4.5+dfsg-2ubuntu5.5) yakkety-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Mar 2017 07:31:03 -0400
Superseded in xenial-updates on 2017-05-24
Superseded in xenial-security on 2017-05-24
samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent
      files and wildcards in source3/modules/vfs_shadow_copy2.c.

 -- Marc Deslauriers <email address hidden>  Tue, 28 Mar 2017 08:31:57 -0400
Superseded in precise-updates on 2017-03-30
Superseded in precise-security on 2017-03-30
samba (2:3.6.25-0ubuntu0.12.04.9) precise-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - debian/patches/CVE-2017-2619-*.patch: security fix and prerequisite
      patches from upstream.
    - CVE-2017-2619

 -- Marc Deslauriers <email address hidden>  Tue, 21 Mar 2017 08:06:46 -0400
Superseded in xenial-updates on 2017-03-30
Superseded in xenial-security on 2017-03-30
samba (2:4.3.11+dfsg-0ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - debian/patches/CVE-2017-2619/*.patch: backport security fix and
      prerequisite patches from upstream.
    - CVE-2017-2619

 -- Marc Deslauriers <email address hidden>  Mon, 20 Mar 2017 10:50:12 -0400
Superseded in trusty-updates on 2017-03-30
Superseded in trusty-security on 2017-03-30
samba (2:4.3.11+dfsg-0ubuntu0.14.04.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - debian/patches/CVE-2017-2619/*.patch: backport security fix and
      prerequisite patches from upstream.
    - CVE-2017-2619

 -- Marc Deslauriers <email address hidden>  Mon, 20 Mar 2017 10:50:12 -0400
Superseded in yakkety-updates on 2017-03-30
Superseded in yakkety-security on 2017-03-30
samba (2:4.4.5+dfsg-2ubuntu5.4) yakkety-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - debian/patches/CVE-2017-2619/*.patch: backport security fix and
      prerequisite patches from upstream.
    - CVE-2017-2619

 -- Marc Deslauriers <email address hidden>  Mon, 20 Mar 2017 10:47:39 -0400
Superseded in artful-release on 2017-04-25
Published in zesty-release on 2017-03-16
Deleted in zesty-proposed (Reason: moved to release)
samba (2:4.5.4+dfsg-1ubuntu2) zesty; urgency=medium

  * d/control: add libcephfs-dev as b-d to build vfs_ceph
    (LP: #1668940).

 -- Nishanth Aravamudan <email address hidden>  Mon, 06 Mar 2017 11:13:41 -0800
Superseded in zesty-release on 2017-03-16
Deleted in zesty-proposed on 2017-03-18 (Reason: moved to release)
samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1659707, LP: #1639962). Remaining
    changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf;
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debian/samba-common-bin.install: install hook.
    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
    + debian/patches/winbind_trusted_domains.patch: make sure domain members
      can talk to trusted domains DCs.
      [ update patch based upon upstream discussion ]
    + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
      to be statically linked fixes LP #1584485.
    + d/rules: Compile winbindd/winbindd statically.
  * Drop:
    - Delete debian/.gitignore
    [ Previously undocumented ]
    - debian/patches/git_smbclient_cpu.patch:
      + backport upstream patch to fix smbclient users hanging/eating cpu on
        trying to contact a machine which is not there (lp #1572260)
    [ Fixed upstream ]
    - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
      + debian/patches/CVE-2016-2123.patch: check lengths in
        librpc/ndr/ndr_dnsp.c.
      + CVE-2016-2123
    [ Fixed in Debian ]
    - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
      + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
        source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
        source4/auth/gensec/gensec_gssapi.c.
      + CVE-2016-2125
    [ Fixed in Debian ]
    - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
      + debian/patches/CVE-2016-2126.patch: only allow known checksum types
        in auth/kerberos/kerberos_pac.c.
      + CVE-2016-2126
    [ Fixed in Debian ]

 -- Nishanth Aravamudan <email address hidden>  Thu, 26 Jan 2017 17:20:15 -0800
Superseded in zesty-release on 2017-02-09
Deleted in zesty-proposed on 2017-02-10 (Reason: moved to release)
samba (2:4.4.5+dfsg-2ubuntu7) zesty; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126

 -- Marc Deslauriers <email address hidden>  Fri, 20 Jan 2017 12:32:25 -0500
Superseded in precise-updates on 2017-03-23
Superseded in precise-security on 2017-03-23
samba (2:3.6.25-0ubuntu0.12.04.5) precise-security; urgency=medium

  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125-v3.6.patch: don't use GSS_C_DELEG_FLAG in
      source3/librpc/crypto/gse.c and source3/libsmb/clifsinfo.c.
    - CVE-2016-2125

 -- Steve Beattie <email address hidden>  Tue, 13 Dec 2016 11:00:51 -0800
Superseded in trusty-updates on 2017-03-23
Superseded in trusty-security on 2017-03-23
samba (2:4.3.11+dfsg-0ubuntu0.14.04.4) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126

 -- Marc Deslauriers <email address hidden>  Mon, 12 Dec 2016 08:40:01 -0500
Superseded in xenial-updates on 2017-03-23
Superseded in xenial-security on 2017-03-23
samba (2:4.3.11+dfsg-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126
  * This package does _not_ contain the changes from
    2:4.3.11+dfsg-0ubuntu0.16.04.2 in xenial-proposed.

 -- Marc Deslauriers <email address hidden>  Mon, 12 Dec 2016 08:37:28 -0500
Superseded in yakkety-updates on 2017-03-23
Superseded in yakkety-security on 2017-03-23
samba (2:4.4.5+dfsg-2ubuntu5.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126
  * This package does _not_ contain the changes from
    2:4.4.5+dfsg-2ubuntu5.1 in yakkety-proposed.

 -- Marc Deslauriers <email address hidden>  Mon, 12 Dec 2016 08:12:03 -0500
Superseded in trusty-updates on 2016-12-19
Deleted in trusty-proposed on 2016-12-20 (Reason: moved to -updates)
samba (2:4.3.11+dfsg-0ubuntu0.14.04.3) trusty; urgency=high

  * Revert to version prior to the 2:4.3.11+dfsg-0ubuntu0.14.04.2
    which is causing regression with statically linked libpam_winbind.
    Removes d/p/fix-1584485.patch. LP: #1644428

 -- Louis Bouchard <email address hidden>  Thu, 24 Nov 2016 15:40:40 +0100
Deleted in yakkety-proposed on 2016-12-21 (Reason: moved to -updates)
samba (2:4.4.5+dfsg-2ubuntu5.1) yakkety; urgency=high

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
    to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden>  Wed, 09 Nov 2016 16:00:31 +0100
Deleted in xenial-proposed on 2016-12-09 (Reason: SRU failed verification)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.2) xenial; urgency=high

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
   to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden>  Wed, 09 Nov 2016 15:25:33 +0100
Superseded in trusty-updates on 2016-11-25
Superseded in trusty-proposed on 2016-11-24
samba (2:4.3.11+dfsg-0ubuntu0.14.04.2) trusty; urgency=medium

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
   to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden>  Wed, 09 Nov 2016 15:09:11 +0100
Superseded in zesty-release on 2017-01-20
Deleted in zesty-proposed on 2017-01-22 (Reason: moved to release)
samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
    to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden>  Wed, 02 Nov 2016 13:59:10 +0100
Superseded in trusty-updates on 2016-11-23
Superseded in trusty-security on 2016-12-19
samba (2:4.3.11+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: client-signing protection mechanism bypass
    - Updated to upstream 4.3.11
    - CVE-2016-2119
  * Removed patches included in new version
    - debian/patches/samba-bug11912.patch
    - debian/patches/samba-bug11914.patch
  * debian/patches/git_smbclient_cpu.patch:
    - backport upstream patch to fix smbclient users hanging/eating cpu on
      trying to contact a machine which is not there.

 -- Marc Deslauriers <email address hidden>  Fri, 23 Sep 2016 14:14:05 -0400
Superseded in xenial-updates on 2016-12-19
Superseded in xenial-security on 2016-12-19
samba (2:4.3.11+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: client-signing protection mechanism bypass
    - Updated to upstream 4.3.11
    - CVE-2016-2119
  * Removed patches included in new version
    - debian/patches/samba-bug11912.patch
    - debian/patches/samba-bug11914.patch

 -- Marc Deslauriers <email address hidden>  Fri, 23 Sep 2016 14:00:16 -0400
Superseded in zesty-release on 2016-11-05
Published in yakkety-release on 2016-09-28
Deleted in yakkety-proposed (Reason: moved to release)
samba (2:4.4.5+dfsg-2ubuntu5) yakkety; urgency=medium

  * No-change rebuild for readline soname change.

 -- Matthias Klose <email address hidden>  Sun, 18 Sep 2016 10:26:52 +0000
Superseded in yakkety-proposed on 2016-09-18
samba (2:4.4.5+dfsg-2ubuntu4) yakkety; urgency=medium

  * No-change rebuild for readline soname change.

 -- Matthias Klose <email address hidden>  Sat, 17 Sep 2016 12:09:21 +0000
Superseded in xenial-updates on 2016-09-28
Deleted in xenial-proposed on 2016-09-30 (Reason: moved to -updates)
samba (2:4.3.9+dfsg-0ubuntu0.16.04.3) xenial; urgency=medium

  * debian/patches/git_smbclient_cpu.patch:
    - backport upstream patch to fix smbclient users hanging/eating cpu on
      trying to contact a machine which is not there (lp: #1572260)

 -- Sebastien Bacher <email address hidden>  Thu, 11 Aug 2016 10:39:10 +0200
Superseded in yakkety-release on 2016-09-28
Deleted in yakkety-proposed on 2016-09-29 (Reason: moved to release)
samba (2:4.4.5+dfsg-2ubuntu3) yakkety; urgency=medium

  * debian/patches/git_smbclient_cpu.patch:
    - backport upstream patch to fix smbclient users hanging/eating cpu on
      trying to contact a machine which is not there (lp: #1572260)

 -- Sebastien Bacher <email address hidden>  Fri, 05 Aug 2016 17:32:43 +0200
Superseded in yakkety-proposed on 2016-08-05
samba (2:4.4.5+dfsg-2ubuntu1) yakkety; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf;
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debian/samba-common-bin.install: install hook.
    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
    + debian/patches/winbind_trusted_domains.patch: make sure domain members
      can talk to trusted domains DCs.
  * Dropped changes:
    - build-depends on libgnutls-dev instead of libgnutls28-dev: rename was
      never done in Debian, revert.
    - ufw integration: included in Debian.

Superseded in yakkety-release on 2016-08-06
Deleted in yakkety-proposed on 2016-08-07 (Reason: moved to release)
samba (2:4.3.9+dfsg-0ubuntu1) yakkety; urgency=medium

  * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
    the previous security updates. (LP: #1577739)
    - debian/control: bump tevent Build-Depends to 0.9.28.
  * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
    - debian/patches/samba-bug11912.patch: let msrpc_parse() return
      talloc'ed empty strings in libcli/auth/msrpc_parse.c.
    - debian/patches/samba-bug11914.patch: make
      ntlm_auth_generate_session_info() more complete in
      source3/utils/ntlm_auth.c.

 -- Marc Deslauriers <email address hidden>  Wed, 25 May 2016 09:29:15 -0400
Superseded in trusty-updates on 2016-09-28
Superseded in trusty-security on 2016-09-28
samba (2:4.3.9+dfsg-0ubuntu0.14.04.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
    - debian/patches/samba-bug11912.patch: let msrpc_parse() return
      talloc'ed empty strings in libcli/auth/msrpc_parse.c.
    - debian/patches/samba-bug11914.patch: make
      ntlm_auth_generate_session_info() more complete in
      source3/utils/ntlm_auth.c.
  * debian/rules: work around amd64 build failure (LP: #1585174)

 -- Marc Deslauriers <email address hidden>  Tue, 24 May 2016 07:47:59 -0400
Published in wily-updates on 2016-05-25
Published in wily-security on 2016-05-25
samba (2:4.3.9+dfsg-0ubuntu0.15.10.2) wily-security; urgency=medium

  * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
    - debian/patches/samba-bug11912.patch: let msrpc_parse() return
      talloc'ed empty strings in libcli/auth/msrpc_parse.c.
    - debian/patches/samba-bug11914.patch: make
      ntlm_auth_generate_session_info() more complete in
      source3/utils/ntlm_auth.c.

 -- Marc Deslauriers <email address hidden>  Fri, 20 May 2016 08:09:44 -0400
Superseded in xenial-updates on 2016-09-22
Superseded in xenial-security on 2016-09-28
samba (2:4.3.9+dfsg-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
    - debian/patches/samba-bug11912.patch: let msrpc_parse() return
      talloc'ed empty strings in libcli/auth/msrpc_parse.c.
    - debian/patches/samba-bug11914.patch: make
      ntlm_auth_generate_session_info() more complete in
      source3/utils/ntlm_auth.c.

 -- Marc Deslauriers <email address hidden>  Fri, 20 May 2016 07:31:37 -0400
Superseded in precise-updates on 2016-12-19
Superseded in precise-security on 2016-12-19
samba (2:3.6.25-0ubuntu0.12.04.4) precise-security; urgency=medium

  * SECURITY REGRESSION: compatibility with NetAPP SAN (LP: #1576109)
    - debian/patches/fix_netapp.patch: don't require NTLMSSP_SIGN for smb
      connections in source3/libsmb/ntlmssp.c.
  * SECURITY REGRESSION: compatibility with 3.6 servers (LP: #1574403)
    - debian/patches/relax_client_ipc_signing.patch: relax the
      "client ipc signing" parameter to "auto" so a 3.6 client can still
      connect to a 3.6 server. Administrators in environments that
      exclusively connect to more recent servers might want to manually
      configure this back to "mandatory".

 -- Marc Deslauriers <email address hidden>  Thu, 12 May 2016 11:51:56 -0400
Superseded in precise-updates on 2016-05-18
Superseded in precise-security on 2016-05-18
samba (2:3.6.25-0ubuntu0.12.04.3) precise-security; urgency=medium

  * SECURITY REGRESSION: Add additional backported commits to fix
    regressions in the previous security updates. (LP: #1577739)
    - debian/patches/security_trailer_regression.patch: fix a regression
      verifying the security trailer in source3/rpc_server/srv_pipe.c.
    - debian/patches/bug9669_regression.patch: fix a crash when running
      net rpc join against an older Samba PDC in
      source3/rpc_client/cli_pipe.c.
    - debian/patches/netlogon_credentials_regression.patch: fix updating
      netlogon credentials in source3/rpc_client/cli_pipe.c.
    - Thanks to Andreas Schneider for the additional backports to
      Samba 3.6!

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 12:51:09 -0400
Superseded in wily-updates on 2016-05-25
Superseded in wily-security on 2016-05-25
samba (2:4.3.9+dfsg-0ubuntu0.15.10.1) wily-security; urgency=medium

  * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
    the previous security updates. (LP: #1577739)
    - debian/control: bump tevent Build-Depends to 0.9.28.

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 09:55:17 -0400
Superseded in trusty-updates on 2016-05-25
Superseded in trusty-security on 2016-05-25
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
    the previous security updates. (LP: #1577739)
    - debian/control: bump tevent Build-Depends to 0.9.28.

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 09:58:20 -0400
Superseded in xenial-updates on 2016-05-25
Superseded in xenial-security on 2016-05-25
samba (2:4.3.9+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
    the previous security updates. (LP: #1577739)
    - debian/control: bump tevent Build-Depends to 0.9.28.

 -- Marc Deslauriers <email address hidden>  Tue, 03 May 2016 07:48:23 -0400
Superseded in yakkety-release on 2016-05-27
Published in xenial-release on 2016-04-13
Deleted in xenial-proposed (Reason: moved to release)
samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
    - CVE-2015-5370: Multiple errors in DCE-RPC code
    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
    - CVE-2016-2112: The LDAP client and server don't enforce integrity
      protection
    - CVE-2016-2113: Missing TLS certificate validation allows man in the
      middle attacks
    - CVE-2016-2114: "server signing = mandatory" not enforced
    - CVE-2016-2115: SMB client connections for IPC traffic are not
      integrity protected
    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
    can talk to trusted domains DCs.

 -- Marc Deslauriers <email address hidden>  Tue, 12 Apr 2016 07:26:29 -0400
Superseded in trusty-updates on 2016-05-04
Superseded in trusty-security on 2016-05-04
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
    - CVE-2015-5370: Multiple errors in DCE-RPC code
    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
    - CVE-2016-2112: The LDAP client and server don't enforce integrity
      protection
    - CVE-2016-2113: Missing TLS certificate validation allows man in the
      middle attacks
    - CVE-2016-2114: "server signing = mandatory" not enforced
    - CVE-2016-2115: SMB client connections for IPC traffic are not
      integrity protected
    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * Backported most packaging changes from (2:4.3.6+dfsg-1ubuntu1) in
    Ubuntu 16.04 LTS, except for the following:
    - Don't remove samba-doc package
    - Don't remove libpam-smbpass package
    - Don't remove libsmbsharemodes0 and libsmbsharemodes-dev packages
    - Don't build with dh-systemd
    - Don't build ctdb and cluster support
    - Restore recommends for the separate libnss-winbind and libpam-winbind
    - Use correct epoch for ldb
    - Don't remove samba init script in postinst
  * debian/patches/fix_pam_smbpass.patch: fix double free in pam_smbpass.
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
    can talk to trusted domains DCs.

 -- Marc Deslauriers <email address hidden>  Tue, 12 Apr 2016 07:27:15 -0400
Superseded in wily-updates on 2016-05-04
Superseded in wily-security on 2016-05-04
samba (2:4.3.8+dfsg-0ubuntu0.15.10.2) wily-security; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
    - CVE-2015-5370: Multiple errors in DCE-RPC code
    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
    - CVE-2016-2112: The LDAP client and server don't enforce integrity
      protection
    - CVE-2016-2113: Missing TLS certificate validation allows man in the
      middle attacks
    - CVE-2016-2114: "server signing = mandatory" not enforced
    - CVE-2016-2115: SMB client connections for IPC traffic are not
      integrity protected
    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * Backported most packaging changes from (2:4.3.6+dfsg-1ubuntu1) in
    Ubuntu 16.04 LTS, except for the following:
    - Don't remove samba-doc package
    - Don't remove libpam-smbpass package
    - Don't remove libsmbsharemodes0 and libsmbsharemodes-dev packages
    - Don't build with dh-systemd
    - Don't build ctdb and cluster support
  * debian/patches/fix_pam_smbpass.patch: fix double free in pam_smbpass.
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
    can talk to trusted domains DCs.

 -- Marc Deslauriers <email address hidden>  Tue, 12 Apr 2016 07:23:27 -0400