-
samba (3.0.26a-1ubuntu2.5) gutsy-security; urgency=low
* RELIABILITY UPDATE: the patch for CVE-2008-1105 introduced a regression
with certain client and server interactions with large file sizes.
* debian/patches/security-CVE-2008-1105_pt2.patch: adjust cli_negprot()
to properly calculate buffer sizes
* References
LP: #241448
https://bugzilla.samba.org/show_bug.cgi?id=5517
-- Jamie Strandboge <email address hidden> Sat, 28 Jun 2008 09:42:59 -0400
-
samba (3.0.26a-1ubuntu2.4) gutsy-security; urgency=low
* SECURITY UPDATE: heap overflow when processing crafted SMB responses
* debian/patches/security-CVE-2008-1105.patch: update util_sock.c to require
specifying the buffer size and update client.c, smbctool.c, smbfilter.c,
and process.c for these changes
* SECURITY UPDATE: buffer overrun in nmbd when processing crafted GETDC
mailslot requests
* debian/patches/security_CVE-2007-4572.patch: check return values and
sizeof strings in charcnv.c, ntlmssp_parse.c, nmbd_processlogon.c.
Backport regression fixes from upstream.
* References:
CVE-2008-1105
CVE-2007-4572
LP: #235912
-- Jamie Strandboge <email address hidden> Tue, 03 Jun 2008 16:29:05 -0400
-
samba (3.0.26a-1ubuntu2.3) gutsy-security; urgency=low
* SECURITY UPDATE: remote code execution via GETDC mailslot request.
* Add security-CVE-2007-6015.patch: thanks to Steve Langasek.
* References
CVE-2007-6015
-- Kees Cook <email address hidden> Fri, 14 Dec 2007 17:30:50 -0800
-
samba (3.0.26a-1ubuntu2.2) gutsy-security; urgency=low
* removed debian/patches/security_CVE-2007-4572.patch as it
caused regressions. This is believed to be a non-exploitable
DoS, but will provide updated packages when a suitable fix
is found.
* References:
LP #163042
LP #163116
https://bugzilla.samba.org/show_bug.cgi?id=5087
-- Jamie Strandboge <email address hidden> Fri, 16 Nov 2007 18:41:44 +0000
-
samba (3.0.26a-1ubuntu2.1) gutsy-security; urgency=low
* SECURITY UPDATE: buffer overrun in nmbd when processing crafted GETDC
mailslot requests
* debian/patches/security_CVE-2007-4572.patch: check return values and
sizeof strings in charcnv.c, ntlmssp_parse.c, nmbd_processlogon.c
* SECURITY UPDATE: arbitrary code execution in nmbd when configured as
a WINS server when processing name registration and name query requests
* debian/patches/security_CVE-2007-5398.patch: properly check len in
nmbd_packets.c
* References
CVE-2007-4572
CVE-2007-5398
-- Jamie Strandboge <email address hidden> Wed, 14 Nov 2007 19:55:14 +0000
-
samba (3.0.26a-1ubuntu2) gutsy; urgency=low
* debian/patches/chgpasswd.patch:
- Also set the locale to 'C' when using PAM for password changes,
since the PAM conversation is equally affected by PAM l10n support
(LP: #139265).
-- Steve Langasek <email address hidden> Tue, 02 Oct 2007 13:54:23 -0700
-
samba (3.0.26a-1ubuntu1) gutsy; urgency=low
* debian/patches/chgpasswd.patch:
- Set locale to 'C' while calling the passwd change program
* Merge from debian unstable, remaining changes:
* debian/patches/VERSION.patch:
- set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
* debian/control:
- Remove typehandling (not used in Ubuntu)
* debian/samba-common.templates:
- Set default workgroup to MSHOME
* debian/rules:
- Remove type-handling.
* debian/samba.init:
- Make sure $PIDDIR exists (/var/run is a tmpfs)
- Ubuntu's log_progress_msg is a no-op, so to avoid confusion, don't
say specifically which daemons we're handling. (LP #25803)
* debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Change the (commented-out) "printer admin" example to use "@lpadmin"
instead of "@ntadmin", since the lpadmin group is used for spool admin.
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (LP #27608). Also, add a
comment about "valid users = %S" to show users how to restrict access
to \\server\username to only username.
* debian/panic-action:
- Bail out if there's no "mail" command.
- Alter the panic-action script to link to the samba bug reporting page
on Launchpad.
* debian/samba-common.config:
- do not change priority to HIGH if dhclient3 is installed
samba (3.0.26a-1) unstable; urgency=low
* New upstream release.
* Remove the samba-common/unsupported-passdb debconf template and
the associated code in samba-common.postinst, that deals with pre-etch
versions transition
* Remove the samba/tdbsam template and the remaining line referencing
it (for no need) in samba.postinst. That code was removed in 3.0.23c-2
and was dealing with pre-3.0 transitions.
samba (3.0.26-1) unstable; urgency=high
* New upstream release: security update for CVE-2007-4138:
incorrect primary group assignment for domain users using the rfc2307 or
sfu winbind nss info plugin.
samba (3.0.25c-1) unstable; urgency=low
[ Noèl Köthe ]
* new upstream released from 2007-08-20
- added smbfs deprecation information to help and manpage
Closes: #360384
- fixed winbind leaking file descriptors
Closes: #410663
- fixed smbpasswd fails with errorcode SUCCESS as normal user
Closes: #155345
[ Christian Perrier ]
* Drop the (upstream unmaintained) python bindings (python-samba package)
* swat: turn the dependency on samba-doc to a Recommends:
Thanks to Peter Eisentraut for dealing with that issue and bringing it
back. Closes: #391742
samba (3.0.25b-2) unstable; urgency=low
[ Steve Langasek ]
* Don't start nmbd if 'disable netbios' is set in the config.
Closes: #429429.
* missing_userspace_bugzilla999.patch: always use opt_gid and opt_uid,
set to those of the invoking user, when called as non-root.
Closes: #431661.
* Fix up fhs.patch for some new FHS regressions:
- make sure all references to winbindd_idmap.tdb look in /var/lib/samba
- make sure all references to winbindd_cache.tdb look in /var/cache/samba
- share_info.tdb belongs in /var/lib/samba; this is a regression
introduced in 3.0.23-1, so fix up this path on samba upgrade
- move the ADS "gpo" cache directory to /var/cache/samba
- move idmap_cache.tdb to /var/cache/samba, and fix up the path on
winbind upgrade
* linux-cifs-user-perms.patch: also support setting a default uid and gid
value when mount.cifs is called as non-root
* cifs-umount-trailing-slashes.patch: canonicalize mount point names when
umount.cifs is called, to avoid unnecessarily leaving entries behind in
/etc/mtab if invoked with a trailing slash in the mount point name
* cifs-umount-same-user.patch: the CIFS_IOC_CHECKMOUNT ioctl check
in umount.cifs assumed that errors would return a value > 0, when in fact
the return value on failure is -1. Correct this assumption, which was
allowing any user to unmount shares mounted by other users.
* smbpasswd-syslog.patch: Fix pam_smbpass to no longer call openlog()
and closelog(), since this will interfere with syslogging behavior
of the calling application. Closes: #434372.
* swat should depend only on inet-superserver, not update-inetd, per
Marco d'Itri.
[ Christian Perrier ]
* debian/panic-action: bail out if there's no "mail" command
Patch from the Ubuntu samba packagers.
* debian/smb.conf: use the comment from Ubuntu package for the "valid users"
setting of [homes] as a basis for ours. Ubuntu's wording is better.
[ Peter Eisentraut ]
* Don't ignore errors from make distclean, as per lintian check
[ Debconf translations ]
* Gujarati updated. Closes: #436215
-- Andrew Mitchell <email address hidden> Mon, 17 Sep 2007 15:58:10 +1200
-
samba (3.0.25b-1ubuntu4) gutsy; urgency=low
* debian/rules:
- add error-handler=true to samba dh_installinit. Fixes LP: #85194.
-- Mathias Gug <email address hidden> Fri, 17 Aug 2007 12:11:45 -0400
-
samba (3.0.25b-1ubuntu3) gutsy; urgency=low
* Build depend on libacl1-dev on lpia.
-- Matthias Klose <email address hidden> Tue, 14 Aug 2007 10:26:58 +0000
-
samba (3.0.25b-1ubuntu2) gutsy; urgency=low
* debian/smb.conf:
- Fix 'valid users =' option in smb.conf. LP: #131419.
-- Mathias Gug <email address hidden> Thu, 09 Aug 2007 21:39:54 -0400
-
samba (3.0.25b-1ubuntu1) gutsy; urgency=low
* Dropped patches:
+ debian/patches/ubuntu-auxsrc.patch:
- ntlm_auth_proto.h, smbadduser, gen-8bit-gap.sh are all autogenerated at
build time.
* Merge from debian unstable, remaining changes:
* debian/patches/VERSION.patch:
- set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
* debian/control:
- Remove typehandling (not used in Ubuntu)
- Added Conflicts/Replaces on python2.4-samba.
* debian/samba-common.templates:
- Set default workgroup to MSHOME
* debian/rules:
- Remove type-handling.
* debian/samba.init:
- Make sure $PIDDIR exists (/var/run is a tmpfs)
- Ubuntu's log_progress_msg is a no-op, so to avoid confusion, don't
say specifically which daemons we're handling. (LP #25803)
* debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Change the (commented-out) "printer admin" example to use "@lpadmin"
instead of "@ntadmin", since the lpadmin group is used for spool admin.
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (LP #27608). Also, add a
comment about "valid users = %S" to show users how to restrict access
to \\server\username to only username.
* debian/panic-action:
- Bail out if there's no "mail" command.
- Alter the panic-action script to link to the samba bug reporting page
on Launchpad.
* debian/samba-common.config:
- do not change priority to HIGH if dhclient3 is installed
samba (3.0.25b-1) unstable; urgency=low
* New upstream version
* Bugs fixed upstream:
- correct default mentioned for "store dos attribute" in smb.conf(5)
Closes: #367379
- fix typo in pdbedit.c. Closes: #421758
- fixed crashes in idmap_rid. Closes: #428411
- misleading documentation in smb.conf(5). Closes: #218477
- don't crash when no eventlog names are defined in smb.conf
Closes: #424683
- typography errors in manpages. Closes: #427865, #418811
- fix compilation and linking of pam_smbpass.so. Closes: #430755
* Drop patches that have been applied upstream:
- nmbd-signalling.patch
samba (3.0.25a-2) unstable; urgency=low
[ Debconf translations ]
* Danish updated. Closes: #426773
[ Christian Perrier ]
* Clean out some remaining cruft that is not deleted
by "make clean". Taken from Ubuntu patches.
* Add missing userspace patches to properly pass uid and gid with 2.6
kernels. See #408033 and upstream's #999 for rationale
* Drop smbmount-unix-caps.patch as workaround for #310982 as the issue
is fixed in 2.4 and 2.6 kernels (2.6 kernels need
missing_userspace_bugzilla999.patch, though)
Closes: #408033
* Add the samba-common and winbind packages to samba-dbg to get
debugging symbols for winbindd, net, etc.
* Replace all occurrences of ${Source:Version} by ${$binary:Version} in
dependencies. All these were Arch:any depending on Arch:any (the only
Arch:any depending on Arch:all already used ${source:Version})
[ Steve Langasek ]
* Update samba.config to not override user preference on passdb.tdb
creation after initial configuration. Closes: #350926.
* Drop the last vestiges of the unified samba.patch; this reverts the
change for bug #112195 which it's been determined has no actual security
benefits, and drops the fix for bug #106976 which is superseded
upstream.
[ Debconf translations ]
* Vietnamese updated. Closes: #426979.
samba (3.0.25a-1) unstable; urgency=low
[ Christian Perrier ]
* New upstream version
* Bugs fixed upstream:
- password expiration loog on samba domain controllers. Closes: #425083
- no more login on samba servers that are members of samba domains
Closes: #425680, #426002
- users no longer have access according to their secondary groups
on shares with "force group". Closes: #424629
* Debian packaging fixes:
- Enforce building with "--with-ads" and therefore fail
when the build can't be done with kerberos support.
Closes: #424637
- debian/control: wrap long lines in packages' descriptions
- uncomment out use of type-handling in the clean target, because
type-handling has been fixed to support the new /usr/share/dpkg/ostable
- avoid installing extra COPYING files in /usr/share/doc/* (one was
installed along with the pcap2nbench example)
* Merge Ubuntu changes:
- use of PIDDIR instead of hardcoding it in samba.init and winbind.init
* Patches to upstream source:
- patches/fhs.patch: recreate winbindd_cache.tdb in the cache directory
instead of the lock directory. Thanks to C. K. Jester-Young for the
patch. Closes: #425640
[ Steve Langasek ]
* swat and samba depend on update-inetd instead of on netbase; swat also
depends on "openbsd-inetd | inet-superserver", for samba this is only a
Suggests.
-- Soren Hansen <email address hidden> Mon, 16 Jul 2007 10:58:21 +0200
-
samba (3.0.25-1ubuntu1) gutsy; urgency=low
* Merge from debian unstable, remaining changes:
* debian/smb.conf:
- Do not show the version number by default
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (closes: launchpad.net/27608)
- Add a "valid users = %S" stanza to the commented-out [homes] section,
to show users how to restrict access to \\server\username to only
username.
- Change the (commented-out) "printer admin" example to use "@lpadmin"
instead of "@ntadmin", since the lpadmin group is used for spool admin.
* debian/panic-action:
- Alter the panic-action script to encourage users to report their
bugs in Ubuntu packages to Ubuntu, rather than reporting to Debian.
Modify text to more closely match the Debian script
* debian/samba-common.templates:
- Set default workgroup to MSHOME
* debian/control:
- remove typehandling
- add update-inetd to Depends
* debian/patches/VERSION.patch:
- set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
* debian/samba-common.config:
- do not change priority to HIGH if dhclient3 is installed
* debian/samba.init:
- use of PIDDIR instead of hardcoding it
- Munge our init script to deal with the fact that our implementation
(or lack thereof) of log_daemon_msg and log_progress_msg differs
from Debian's implementation of the same (Ubuntu #19691)
* debian/rules:
- remove type-handling
- properly clean on make clean
- do not install mount.cifs and umount.cifs as suid
* debian/patches/ubuntu-auxsrc.patch:
- some auxiliary sources (undocumented in previous changelogs)
samba (3.0.25-1) unstable; urgency=high
* New upstream version including security fixes
* Bugs fixed upstream:
- nmbd no longer segfaults on bad interface line
Closes: #265577, #386922, #359155, #366800
- documentation issues about displaycharset. Closes: #350790
- documentation makes it clear that case options such as
"default case" can only be set on a per-share basis.
Closes: #231229
- all occurrences of "encypt" fixed in smb.conf(5)
Closes: #408507
- two typos on "account" fixed in source/passdb/pdb_ldap.c and
source/utils/pdbedit.c. Closes: #402392
- no longer panic when using the (deprecated) "only user" option
in user level security. Closes: #388282
- CVE-2007-2444 (User privilege elevation because of a local SID/Name
translation bug)
- CVE-2007-2446 (Multiple heap overflows allow remote code execution)
- CVE-2007-2447 (Unescaped user input parameters are passed as
arguments to /bin/sh allowing for remote command
execution)
[ Debconf translations ]
* Marathi added. Closes: #416802
* Esperanto added. Closes: #417795.
* Basque updated. Closes: #418196.
* Wolof updated. Closes: #421636
[ Christian Perrier ]
* /etc/dhcp3/dhclient-enter-hooks.d/samba tests for /etc/init.d/samba
before running invoke-rc.d. Closes: #414841
[ Steve Langasek ]
* Comment out use of type-handling in the clean target, because
type-handling is currently broken in unstable and clean shouldn't be
editing debian/control anyway.
-- Andrew Mitchell <email address hidden> Sun, 20 May 2007 21:43:26 +1200
-
samba (3.0.24-6ubuntu1) gutsy; urgency=low
* Merge from debian unstable, remaining changes:
* debian/smb.conf:
- Do not show the version number by default
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (closes: launchpad.net/27608)
- Add a "valid users = %S" stanza to the commented-out [homes] section,
to show users how to restrict access to \\server\username to only
username.
- Change the (commented-out) "printer admin" example to use "@lpadmin"
instead of "@ntadmin", since the lpadmin group is used for spool admin.
* debian/panic-action:
- Alter the panic-action script to encourage users to report their
bugs in Ubuntu packages to Ubuntu, rather than reporting to Debian.
Modify text to more closely match the Debian script
* debian/samba-common.templates:
- Set default workgroup to MSHOME
* debian/control:
- remove typehandling
- add update-inetd to Depends
* debian/patches/VERSION.patch:
- set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
* debian/samba-common.config:
- do not change priority to HIGH if dhclient3 is installed
* debian/samba.init:
- use of PIDDIR instead of hardcoding it
- Munge our init script to deal with the fact that our implementation
(or lack thereof) of log_daemon_msg and log_progress_msg differs
from Debian's implementation of the same (Ubuntu #19691)
* debian/rules:
- remove type-handling
- properly clean on make clean
- do not install mount.cifs and umount.cifs as suid
* debian/patches/ubuntu-auxsrc.patch:
- some auxiliary sources (undocumented in previous changelogs)
samba (3.0.24-6) unstable; urgency=high
* Arrrgh, cut'n'paste error in the regexp in the last upload, so the bug
is still present :/ Fix a missing ] in the regexp for passdb backend
checking, really-closes: #415725.
samba (3.0.24-5) unstable; urgency=high
* The "see what you get for trusting the quality of my packages,
release team? Release team, please unblock this package" release.
* High-urgency brown-paper-upload for etch-targeted fix for
regression introduced in the last version
[ Steve Langasek ]
* Fixed the regexp used for matching broken passdb backend settings,
since we were getting false positives on *all* values. :/ The
correct match should be: one or more non-space, non-comma
characters, followed by a space or a comma, followed by zero or more
spaces, followed by one or more non-space characters. Closes: #415725.
[ Debconf translations ]
* Nepali
* Korean; closes: #414883.
* Russian
* Arabic
* Portuguese
* Greek. Closes: #415122
* Norwegian Nynorsk added.
samba (3.0.24-4) unstable; urgency=medium
[ Steve Langasek ]
* Documentation fix for a problem affecting upgrades from sarge: if
passdb backend is still a comma- or space-separated list after any
attempts at automatic fix-ups, throw a debconf error notifying the
user that they'll need to fix this manually. Closes: #408981.
[ Debconf translations ]
* French
* Spanish
* Galician; closes: #414605.
* Swedish; closes: #414610.
* Brazilian Portuguese; closes: #414603.
* German; closes: #414630.
* Norwegian Bokmål; closes: #414619.
* Bulgarian; closes: #414624.
* Romanian; closes: #414629.
* Tagalog; closes: #414637.
* Khmer; closes: #381833.
* Thai; closes: #414664.
* Slovak; closes: #414665.
* Slovenian
* Simplified Chinese; closes: #414671.
* Japanese; closes: #414673.
* Hungarian; closes: #414677.
* Dzongkha; closes: #414680.
* Estonian; closes: #414679.
* Catalan
* Malayalam; closes: #414728
* Traditional Chinese; closes: #414730
* Turkish
* Italian; closes: #414708
* Finnish; closes: #414736
* Dutch; closes: #414741
* Albanian; closes: #414778.
* Czech; closes: #414793.
samba (3.0.24-3) unstable; urgency=low
[ Christian Perrier ]
* Merge some Ubuntu changes:
- do not expose the Samba version anymore
- default workgroup set to WORKGROUP (default workgroup of
Windows workstations)
* Fix FTBFS on GNU/kFreeBSD. Thanks to Petr Salinger for the patch
Closes: #394830
* Add commented "winbind enum*" settings in smb.conf
This will point users to these important settings which changed
their default behaviour between sarge and etch. Closes: #368251
[ Steve Langasek ]
* samba-common.dhcp: support creating /etc/samba/dhcp.conf the first
time the script is called if the dhcp client was already running at
the time of install, and manually reload samba to get the updated
config files read. Thanks to Bas Zoetekouw for the patch.
Closes: #407408.
* While we're at it, use atomic replace for /etc/samba/dhcp.conf just
in case someone else reloads samba while the script is running. Low
impact, low-risk change.
-- Kees Cook <email address hidden> Tue, 08 May 2007 05:18:16 -0700
-
samba (3.0.24-2ubuntu1) feisty; urgency=low
* Merge from debian unstable, remaining changes:
* debian/smb.conf:
- Do not show the version number by default
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (closes: launchpad.net/27608)
- Add a "valid users = %S" stanza to the commented-out [homes] section,
to show users how to restrict access to \\server\username to only
username.
- Change the (commented-out) "printer admin" example to use "@lpadmin"
instead of "@ntadmin", since the lpadmin group is used for spool admin.
* debian/panic-action:
- Alter the panic-action script to encourage users to report their
bugs in Ubuntu packages to Ubuntu, rather than reporting to Debian.
Modify text to more closely match the Debian script
* debian/samba-common.templates:
- Set default workgroup to MSHOME
* debian/control:
- remove typehandling
- add update-inetd to Depends
* debian/patches/VERSION.patch:
- set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
* debian/samba-common.config:
- do not change priority to HIGH if dhclient3 is installed
* debian/samba.init:
- use of PIDDIR instead of hardcoding it
- Munge our init script to deal with the fact that our implementation
(or lack thereof) of log_daemon_msg and log_progress_msg differs
from Debian's implementation of the same (Ubuntu #19691)
* debian/rules:
- remove type-handling
- properly clean on make clean
- do not install mount.cifs and umount.cifs as suid
* debian/patches/ubuntu-auxsrc.patch:
- some auxiliary sources (undocumented in previous changelogs)
* Really drop debian/patches/ubuntu-fix-ldap.patch:
- Fixed upstream, see Debian #274155
samba (3.0.24-2) unstable; urgency=low
* Re-upload with a proper .orig.tar.gz.
samba (3.0.24-1) unstable; urgency=high
* New upstream release, security update
* Fixes for the following security advisories:
- Directly affecting Debian:
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- Not affecting Debian:
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
* Correct paths for the documentation pointers in the default smb.conf
file. Thanks to Ted Percival for his care reporting this. Closes: #408898
samba (3.0.23d-4) unstable; urgency=low
* Debconf translation updates:
- Slovenian added.
samba (3.0.23d-3) unstable; urgency=low
* Debconf translation updates:
- Malayalam added. Closes: #403107
- Tamil added. Closes: #403353
-- Kees Cook <email address hidden> Tue, 6 Feb 2007 20:58:01 -0800