samba (2:4.3.11+dfsg-0ubuntu0.16.04.12) xenial-security; urgency=medium
* SECURITY UPDATE: Use-after-free vulnerability
- debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
source3/smbd/process.c, source3/smbd/reply.c.
- CVE-2017-14746
* SECURITY UPDATE: Server heap memory information leak
- debian/patches/CVE-2017-15275.patch: zero out unused grown area in
source3/smbd/srvstr.c.
- CVE-2017-15275
-- Marc Deslauriers <email address hidden> Wed, 15 Nov 2017 15:40:44 -0500
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.11) xenial-security; urgency=medium
* SECURITY UPDATE: SMB1/2/3 connections may not require signing where
they should
- debian/patches/CVE-2017-12150-1.patch: add SMB_SIGNING_REQUIRED to
source3/lib/util_cmdline.c.
- debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
source3/libsmb/pylibsmb.c.
- debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
libgpo/gpo_fetch.c.
- debian/patches/CVE-2017-12150-4.patch: add check for
NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
- debian/patches/CVE-2017-12150-5.patch: add
smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
- debian/patches/CVE-2017-12150-6.patch: only fallback to anonymous if
authentication was not requested in source3/libsmb/clidfs.c.
- CVE-2017-12150
* SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
redirects
- debian/patches/CVE-2017-12151-1.patch: add
cli_state_is_encryption_on() helper function to
source3/libsmb/clientgen.c, source3/libsmb/proto.h.
- debian/patches/CVE-2017-12151-2.patch: make use of
cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
source3/libsmb/libsmb_context.c.
- CVE-2017-12151
* SECURITY UPDATE: Server memory information leak over SMB1
- debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
from writing server memory to file in source3/smbd/reply.c.
- CVE-2017-12163
-- Marc Deslauriers <email address hidden> Thu, 21 Sep 2017 08:02:02 -0400
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.10) xenial; urgency=medium
* d/p/bug_1702529_EACCESS_with_rootshare.patch:
Handle corner case for / shares. (LP: #1702529)
-- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:43:46 +0200
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.9) xenial-security; urgency=medium
* SECURITY UPDATE: KDC-REP service name impersonation
- debian/patches/CVE-2017-11103.patch: use encrypted service
name rather than unencrypted (and therefore spoofable) version
in heimdal
- CVE-2017-11103
-- Steve Beattie <email address hidden> Thu, 13 Jul 2017 14:03:40 -0700
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.8) xenial-security; urgency=medium
[ Andreas Hasenack ]
* d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
regression which breaks symlinks to directories on certain systems
(LP: #1701073)
[ Marc Deslauriers ]
* SECURITY UPDATE: DoS via bad symlink resolution
- debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
in source3/smbd/open.c.
- CVE-2017-9461
-- Marc Deslauriers <email address hidden> Tue, 04 Jul 2017 07:56:30 -0400
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium
* SECURITY UPDATE: remote code execution from a writable share
- debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
slash inside in source3/rpc_server/srv_pipe.c.
- CVE-2017-7494
-- Marc Deslauriers <email address hidden> Fri, 19 May 2017 14:18:13 -0400
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium
* SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
- debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
bug #12721.
* Add missing prerequisite for previous update
- debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent
files and wildcards in source3/modules/vfs_shadow_copy2.c.
-- Marc Deslauriers <email address hidden> Tue, 28 Mar 2017 08:31:57 -0400
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.5) xenial-security; urgency=medium
* SECURITY UPDATE: Symlink race allows access outside share definition
- debian/patches/CVE-2017-2619/*.patch: backport security fix and
prerequisite patches from upstream.
- CVE-2017-2619
-- Marc Deslauriers <email address hidden> Mon, 20 Mar 2017 10:50:12 -0400
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.3) xenial-security; urgency=medium
* SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
- debian/patches/CVE-2016-2123.patch: check lengths in
librpc/ndr/ndr_dnsp.c.
- CVE-2016-2123
* SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
- debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
source4/auth/gensec/gensec_gssapi.c.
- CVE-2016-2125
* SECURITY UPDATE: privilege elevation in Kerberos PAC validation
- debian/patches/CVE-2016-2126.patch: only allow known checksum types
in auth/kerberos/kerberos_pac.c.
- CVE-2016-2126
* This package does _not_ contain the changes from
2:4.3.11+dfsg-0ubuntu0.16.04.2 in xenial-proposed.
-- Marc Deslauriers <email address hidden> Mon, 12 Dec 2016 08:37:28 -0500
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.2) xenial; urgency=high
* d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
statically linked; fixes LP: #1584485.
* d/rules: Compile winbindd/winbindd statically.
-- Jorge Niedbalski <email address hidden> Wed, 09 Nov 2016 15:25:33 +0100
-
samba (2:4.3.11+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium
* SECURITY UPDATE: client-signing protection mechanism bypass
- Updated to upstream 4.3.11
- CVE-2016-2119
* Removed patches included in new version
- debian/patches/samba-bug11912.patch
- debian/patches/samba-bug11914.patch
-- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 14:00:16 -0400
-
samba (2:4.3.9+dfsg-0ubuntu0.16.04.3) xenial; urgency=medium
* debian/patches/git_smbclient_cpu.patch:
- backport upstream patch to fix smbclient users hanging/eating cpu on
trying to contact a machine which is not there (lp: #1572260)
-- Sebastien Bacher <email address hidden> Thu, 11 Aug 2016 10:39:10 +0200
-
samba (2:4.3.9+dfsg-0ubuntu0.16.04.2) xenial-security; urgency=medium
* SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
- debian/patches/samba-bug11912.patch: let msrpc_parse() return
talloc'ed empty strings in libcli/auth/msrpc_parse.c.
- debian/patches/samba-bug11914.patch: make
ntlm_auth_generate_session_info() more complete in
source3/utils/ntlm_auth.c.
-- Marc Deslauriers <email address hidden> Fri, 20 May 2016 07:31:37 -0400
-
samba (2:4.3.9+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium
* SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
the previous security updates. (LP: #1577739)
- debian/control: bump tevent Build-Depends to 0.9.28.
-- Marc Deslauriers <email address hidden> Tue, 03 May 2016 07:48:23 -0400
-
samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium
* SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
- CVE-2015-5370: Multiple errors in DCE-RPC code
- CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
- CVE-2016-2111: NETLOGON Spoofing Vulnerability
- CVE-2016-2112: The LDAP client and server don't enforce integrity
protection
- CVE-2016-2113: Missing TLS certificate validation allows man in the
middle attacks
- CVE-2016-2114: "server signing = mandatory" not enforced
- CVE-2016-2115: SMB client connections for IPC traffic are not
integrity protected
- CVE-2016-2118: SAMR and LSA man in the middle attacks possible
* debian/patches/winbind_trusted_domains.patch: make sure domain members
can talk to trusted domains DCs.
-- Marc Deslauriers <email address hidden> Tue, 12 Apr 2016 07:26:29 -0400
-
samba (2:4.3.6+dfsg-1ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
+ debian/VERSION.patch: Update vendor string to "Ubuntu".
+ debian/smb.conf;
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
+ debian/samba-common.config:
- Do not change priority to high if dhclient3 is installed.
+ debian/control:
- Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
+ Add ufw integration:
- Created debian/samba.ufw.profile:
- debian/rules, debian/samba.install: install profile
+ Add apport hook:
- Created debian/source_samba.py.
- debian/rules, debia/samb-common-bin.install: install hook.
+ d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
samba (2:4.3.6+dfsg-1) unstable; urgency=medium
* New upstream release.
+ Fixes:
- CVE-2015-7560: Incorrect ACL get/set allowed on symlink path.
- CVE-2016-0771: Out-of-bounds read in internal DNS server.
samba (2:4.3.5+dfsg-1) unstable; urgency=medium
* New upstream release.
* Fixed usershare.patch to apply against new version.
* Loosen dependencies on ldb to ldb >= 1.1.21, per upstream.
* Drop patch sockets-with-htons.patch: applied upstream.
* Bump standards version to 3.9.7 (no changes).
samba (2:4.3.3+dfsg-2) unstable; urgency=medium
[ Jelmer Vernooij ]
* Add dependency on libtevent-dev in samba-dev.
[ Mathieu Parent ]
* Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)
-- Marc Deslauriers <email address hidden> Wed, 09 Mar 2016 08:49:12 -0500
-
samba (2:4.3.3+dfsg-1ubuntu3) xenial; urgency=medium
* No-change rebuild for gnutls transition.
-- Matthias Klose <email address hidden> Wed, 17 Feb 2016 22:41:43 +0000
-
samba (2:4.3.3+dfsg-1ubuntu2) xenial; urgency=medium
* Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
(LP: #1545750)
-- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 16:05:12 +0100
-
samba (2:4.3.3+dfsg-1ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
+ debian/VERSION.patch: Update vendor string to "Ubuntu".
+ debian/smb.conf;
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
+ debian/samba-common.config:
- Do not change priority to high if dhclient3 is installed.
+ debian/control:
- Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
+ Add ufw integration:
- Created debian/samba.ufw.profile:
- debian/rules, debian/samba.install: install profile
+ Add apport hook:
- Created debian/source_samba.py.
- debian/rules, debia/samb-common-bin.install: install hook.
+ d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
samba (2:4.3.3+dfsg-1) unstable; urgency=medium
* New upstream release. Closes: #808133.
+ Drop subunit dependency, no longer used.
+ Drop ntdb dependencies, no longer used.
+ Fixes:
- CVE-2015-5252: Insufficient symlink verification in smbd
- CVE-2015-5296: Samba client requesting encryption vulnerable
to downgrade attack
- CVE-2015-5299: Missing access control check in shadow copy code
- CVE-2015-7540: Remote DoS in Samba (AD) LDAP server
- CVE-2015-8467: Denial of service attack against Windows Active Directory
server
- CVE-2015-3223: Denial of service in Samba Active Directory server
- CVE-2015-5330: Remote memory read in Samba LDAP server
* Remove libpam-smbpasswd, which is broken and slated for removal
upstream. Closes: #799840
* Remove lib/zlib/contrib/dotzlib/DotZLib.chm from excluded files in
copyright; no longer shipped upstream.
* Remove wins2dns.awk example script.
* Remove the samba-doc package, and move examples files from it to
relevant other packages. Closes: #769385
* Move samba-dsdb-modules back from Depends to Recommends, as using
Samba as a standalone server doesn't require the dsdb modules.
samba (2:4.3.0+dfsg-2) experimental; urgency=medium
* Re-enable cluster support.
+ Build samba-cluster-support as built-in library, since its dependencies
are broken.
samba (2:4.3.0+dfsg-1) experimental; urgency=medium
* Fix watch file.
* New upstream release.
* Drop no_wrapper patch: applied upstream.
* Drop patch ctdb_sockpath.patch: applied upstream.
* Drop Fix-CTDB-build-with-PMDA patch: applied upstream.
samba (2:4.2.1+dfsg-1) experimental; urgency=medium
[ Jelmer Vernooij ]
* New upstream release.
+ Drop patch do-not-install-smbclient4-and-nmbclient4: applied upstream.
+ Drop patch
bug_598313_upstream_7499-nss_wins-dont-clobber-daemons-logs.patch:
present upstream.
+ Refresh patch 26_heimdal_compat.26_heimdal_compat.
+ Add build-dependency on libarchive-dev.
* Drop samba_bug_11077_torturetest.patch: applied upstream.
* Drop dependency on ctdb - now bundled with Samba.
* Use bundled Heimdal as the system Heimdal doesn't contain the
changes required for Samba.
* Add patch heimdal-rfc3454.txt: patch in truncated rfc3454.txt for
building bundled heimdal.
* Drop patches 25_heimdal_api_changes and 26_heimdal_compat.
* Disable cluster support; it breaks the build.
* Add patch no_wrapper: avoid dependencies on
{nss,uid,socket}_wrapper.
* Move some libraries around.
* Move ownership of var/lib/samba and var/lib/samba/private to samba-
common, remove obsolete samba4.dirs. Closes: #793866
* Remove ctdb-tests and ctdb-pcp-pmda packages as they contain problems
and unclear what they are useful for, now ctdb no longer provides
an external API.
[ Mathieu Parent ]
* Merge ctdb source package
- initial merge
- libctdb-dev has been dropped
- ctdb-dbg renamed to ctdb-tests, debug files moved to samba-dbg
- ctdb-tests depends on python
* Fix CTDB socketpath parsing
* Fix CTDB build with PMDA
* ctdb: Fix privacy breach on google.com (from documentation)
-- Marc Deslauriers <email address hidden> Wed, 06 Jan 2016 07:41:39 -0500
-
samba (2:4.1.20+dfsg-1ubuntu5) xenial; urgency=medium
* Resolve small merge error in the rules
-- Sebastien Bacher <email address hidden> Wed, 16 Dec 2015 12:02:12 +0100
-
samba (2:4.1.20+dfsg-1ubuntu4) xenial; urgency=medium
* Backport Debian change to remove libpam-smbpasswd, it segfaults
leading to non working session (lp: #1515207)
-- Sebastien Bacher <email address hidden> Wed, 16 Dec 2015 11:47:44 +0100
-
samba (2:4.1.20+dfsg-1ubuntu3) xenial; urgency=medium
* Build with the new ldb
-- Sebastien Bacher <email address hidden> Wed, 18 Nov 2015 11:45:32 +0100
-
samba (2:4.1.20+dfsg-1ubuntu2) xenial; urgency=medium
* debian/samba.logrotate:
- revert to Debian version of the logrotate reload command, fix an
invalid syntax introduced in the upstart->systemd transition
(lp: #1385868)
-- Sebastien Bacher <email address hidden> Tue, 10 Nov 2015 19:01:06 +0100
-
samba (2:4.1.20+dfsg-1ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
+ debian/VERSION.patch: Update vendor string to "Ubuntu".
+ debian/smb.conf;
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
+ debian/samba-common.config:
- Do not change priority to high if dhclient3 is installed.
+ debian/control:
- Don't build against or suggest ctdb and tdb.
- Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
+ debian/rules:
- Drop explicit configuration options for ctdb and tdb.
+ Add ufw integration:
- Created debian/samba.ufw.profile:
- debian/rules, debian/samba.install: install profile
+ Add apport hook:
- Created debian/source_samba.py.
- debian/rules, debia/samb-common-bin.install: install hook.
+ debian/samba.logrotate: use service command to reload (send SIGHUP) the main
processes such that it works under both upstart and systemd.
+ debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
+ d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
samba (2:4.1.20+dfsg-1) unstable; urgency=medium
* New upstream release (last compatible with current OpenChange).
* samba_bug_11077_torturetest.patch: refresh.
samba (2:4.1.17+dfsg-5) unstable; urgency=medium
* Rebuild against new ldb. Closes: #799569
-- Matthias Klose <email address hidden> Sat, 24 Oct 2015 14:57:47 +0200
-
samba (2:4.1.17+dfsg-4ubuntu2) wily; urgency=medium
* debian/control:
- Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
-- Robert Ancell <email address hidden> Tue, 11 Aug 2015 11:34:50 +1200