14409 lines
605 KiB
Plaintext
14409 lines
605 KiB
Plaintext
|
-------------------------------------------------------------------
|
|||
|
Tue Jan 7 10:22:16 UTC 2025 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.21.3
|
|||
|
* More possible replication loops against Azure AD;
|
|||
|
(bso#15701).
|
|||
|
* Compound rename from Mac clients can fail with
|
|||
|
NT_STATUS_INTERNAL_ERROR if the file has a lease;
|
|||
|
(bso#15697).
|
|||
|
* vfs crossrename seems not work correctly; (bso#15724).
|
|||
|
* After 'machine password timeout' /etc/krb5.keytab is not
|
|||
|
updated; (bso#6750).
|
|||
|
* Memory leak wbcCtxLookupSid; (bso#15771).
|
|||
|
* Fix heap-user-after-free with association groups;
|
|||
|
(bso#15765).
|
|||
|
* Segfault in vfs_btrfs; (bso#15758).
|
|||
|
* Avoid event failure race when disabling an event script;
|
|||
|
(bso#15755).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Dec 6 09:09:04 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update shipped /etc/samba/smb.conf to point to smb.conf
|
|||
|
man page;(bsc#1233880).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Nov 25 17:35:43 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.21.2
|
|||
|
* smbd fails to correctly check sharemode against OVERWRITE
|
|||
|
dispositions; (bso#15732).
|
|||
|
* Panic in close_directory; (bso#15754).
|
|||
|
* winexe no longer works with samba 4.21; (bso#15752).
|
|||
|
* protocol error - Unclear debug message "pad length mismatch"
|
|||
|
for invalid bind packet; (bso#14356).
|
|||
|
* NetrGetLogonCapabilities QueryLevel 2 needs to be
|
|||
|
implemented; (bso#15425).
|
|||
|
* gss_accept_sec_context() from Heimdal does not imply
|
|||
|
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
|
|||
|
* winbindd should call process_set_title() for locator child;
|
|||
|
(bso#15749).
|
|||
|
* Update CTDB to track all TCP connections to public IP
|
|||
|
addresses; (bso#15320).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Oct 31 13:20:25 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Add placeholder changelog for sle15-sp7; (jsc#PED-11210).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Oct 16 13:52:25 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Adjust spec to split out rpcd_* binaries into a separate
|
|||
|
sub package; (bsc#1231414).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Oct 15 13:23:26 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.21.1
|
|||
|
* DH reconnect error handling can lead to stale sharemode
|
|||
|
entries; (bso#15624).
|
|||
|
* "inherit permissions = yes" triggers assert() in vfs_default
|
|||
|
when creating a stream; (bso#15695).
|
|||
|
* Samba 4.21.0 broke FreeIPA domain member integration;
|
|||
|
(bso#15715).
|
|||
|
* Missing conversion for msDS-UserTGTLifetime, msDS-
|
|||
|
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
|
|||
|
tool domain auth policy modify"; (bso#15692).
|
|||
|
* irpc_destructor may crash during shutdown; (bso#15280).
|
|||
|
* Durable handle is not granted when a previous OPEN exists
|
|||
|
with NoOplock; (bso#15649).
|
|||
|
* Durable handle is granted but reconnect fails; (bso#15651).
|
|||
|
* Disconnected durable handles with RH lease should not be
|
|||
|
purged by a new non conflicting open; (bso#15708).
|
|||
|
* net ads testjoin and other commands use the wrong secrets.tdb
|
|||
|
in a cluster; (bso#15714).
|
|||
|
* 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
|
|||
|
rfc 8009 etypes are used; (bso#15726).
|
|||
|
* VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
|
|||
|
(bso#15730).
|
|||
|
* Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
|
|||
|
* Cannot build libldb lmdb backend on a build without AD DC;
|
|||
|
(bso#15721).
|
|||
|
* Consistent log level for sighup handler; (bso#15706).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Sep 25 14:52:10 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Support needed packaging changes required update to samba-4.21.0
|
|||
|
Update samba.spec, baselibs.conf to deliver libldb packages.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Sep 5 07:29:17 UTC 2024 - David Disseldorp <ddiss@suse.com>
|
|||
|
|
|||
|
- Package ceph_new VFS module.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Sep 5 07:13:01 UTC 2024 - David Disseldorp <ddiss@suse.com>
|
|||
|
|
|||
|
- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
|
|||
|
(bso#15699); (bsc#1229684).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Aug 28 17:31:35 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Bad variable definition for ParseTuple causing test failure for
|
|||
|
Smb3UnixTests.test_create_context_reparse; (bso#15702).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Aug 28 09:01:29 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.21.0
|
|||
|
* Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
|
|||
|
truncated; (bso#15699).
|
|||
|
* Bad variable definition for ParseTuple causing test failure
|
|||
|
for Smb3UnixTests.test_create_context_reparse; (bso#15702).
|
|||
|
* Add new vfs_ceph module (based on low level API);
|
|||
|
(bso#15686).
|
|||
|
* samba-tool can not load the default configuration file;
|
|||
|
(bso#15698).
|
|||
|
* Crash when readlinkat fails; (bso#15700).
|
|||
|
* Can't add/delete special keys to keytab for nfs, cifs, http
|
|||
|
etc; (bso#15689).
|
|||
|
* Compound SMB2 requests don't return
|
|||
|
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
|
|||
|
MacOSX clients; (bso#15696).
|
|||
|
* --version-* options are still not ergonomic, and they reject
|
|||
|
tilde characters; (bso#15673).
|
|||
|
* ldb_version.h is missing from ldb public library;
|
|||
|
(bso#15690).
|
|||
|
* Can not add/delete special keys to keytab for nfs, cifs, http
|
|||
|
etc; (bso#15689).
|
|||
|
* undefined reference to winbind_lookup_name_ex; (bso#15687).
|
|||
|
* per user veto and hide file syntax is to complex;
|
|||
|
(bso#15688).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Aug 7 09:47:14 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Fix a crash when joining offline and 'kerberos method' includes
|
|||
|
keytab; (bsc#1228732).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Aug 6 10:51:13 UTC 2024 - Noel Power <noel.power@suse.com>
|
|||
|
|
|||
|
- Update to 4.20.4
|
|||
|
* --version-* options are still not ergonomic, and they reject
|
|||
|
tilde characters; (bso#15673).
|
|||
|
|
|||
|
- Update to 4.20.3
|
|||
|
* Running samba-bgqd a a standalone systemd service does not
|
|||
|
work; (bso#15683).
|
|||
|
* When claims enabled with heimdal kerberos, unable to log on
|
|||
|
to a Windows computer when user account need to change their
|
|||
|
own password; (bso#15655).
|
|||
|
* Invalid client warning about command line passwords;
|
|||
|
(bso#15671).
|
|||
|
* Version string is truncated in manpages; (bso#15672).
|
|||
|
* cmdline_burn does not always burn secrets; (bso#15674).
|
|||
|
* Samba does not parse SDDL found in defaultSecurityDescriptor
|
|||
|
in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
|
|||
|
* The images don\'t build after the git security release and
|
|||
|
CentOS 8 Stream is EOL; (bso#15660).
|
|||
|
* Fix clock skew error message and memory cache clock skew
|
|||
|
recovery; (bso#15676).
|
|||
|
* Heimdal ignores _gsskrb5_decapsulate errors in
|
|||
|
init_sec_context/repl_mutual; (bso#15603).
|
|||
|
* s4:ldap_server: does not support tls channel bindings for
|
|||
|
sasl binds; (bso#15621).
|
|||
|
* CTDB socket output queues may suffer unbounded delays under
|
|||
|
some special conditions; (bso#15678).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Jul 17 11:18:52 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update samba-tool package to require python3-Markdown also in
|
|||
|
the Heimdal ADDC build.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jul 4 10:34:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Fix named crash when using samba's DLZ plugin; (bsc#1224003);
|
|||
|
(bso#15643);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jul 4 10:30:10 UTC 2024 - pgajdos@suse.com
|
|||
|
|
|||
|
- remove dependency on /usr/bin/python3 using
|
|||
|
%python3_fix_shebang macro, [bsc#1212476]
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Jun 19 15:02:44 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.20.2
|
|||
|
* vfs_widelinks with DFS shares breaks case insensitivity;
|
|||
|
(bso#15662); (bsc#1213607).
|
|||
|
* Samba build is not reproducible; (bso#13213).
|
|||
|
* ldb qsort might r/w out of bounds with an intransitive
|
|||
|
compare function; (bso#15569).
|
|||
|
* Many qsort() comparison functions are non-transitive, which
|
|||
|
can lead to out-of-bounds access in some circumstances;
|
|||
|
(bso#15625).
|
|||
|
* Need to change gitlab-ci.yml tags in all branches to avoid CI
|
|||
|
bill; (bso#15638).
|
|||
|
* We have added new options --vendor-name and --vendor-patch-
|
|||
|
revision arguments to ./configure to allow distributions and
|
|||
|
packagers to put their name in the Samba version string so
|
|||
|
that when debugging Samba the source of the binary is
|
|||
|
obvious; (bso#15654).
|
|||
|
* CTDB RADOS mutex helper misses namespace support;
|
|||
|
(bso#15665).
|
|||
|
* Dynamic DNS updates with the internal DNS are not working;
|
|||
|
(bso#13019).
|
|||
|
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
|
|||
|
SysvolReady=0; (bso#14981).
|
|||
|
* Anonymous smb3 signing/encryption should be allowed (similar
|
|||
|
to Windows Server 2022); (bso#15412).
|
|||
|
* Panic in dreplsrv_op_pull_source_apply_changes_trigger;
|
|||
|
(bso#15573).
|
|||
|
* s4:nbt_server: does not provide unexpected handling, so
|
|||
|
winbindd can't use nmb requests instead cldap; (bso#15620).
|
|||
|
* winbindd, net ads join and other things don't work on an ipv6
|
|||
|
only host; (bso#15642).
|
|||
|
* Segmentation fault when deleting files in vfs_recycle;
|
|||
|
(bso#15659).
|
|||
|
* Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664).
|
|||
|
* "client use kerberos" and --use-kerberos is ignored for the
|
|||
|
machine account; (bso#15666).
|
|||
|
* Regression DFS not working with widelinks = true;
|
|||
|
(bso#15435).
|
|||
|
* samba-gpupdate - Invalid NtVer in netlogon_samlogon_response;
|
|||
|
(bso#15633).
|
|||
|
* idmap_ad creates an incorrect local krb5.conf in case of
|
|||
|
trusted domain lookups; (bso#15653).
|
|||
|
* The images don't build after the git security release and
|
|||
|
CentOS 8 Stream is EOL; (bso#15660).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Jun 3 07:09:54 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Fix non deterministic builds; (bsc#1225754); (bso#13213);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu May 16 10:47:57 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.20.1
|
|||
|
* dns update debug message is too noisy; (bso#15630);
|
|||
|
* Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
|
|||
|
* Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
|
|||
|
* Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
|
|||
|
* http library doesn't support 'chunked transfer encoding'; (bso#15611);
|
|||
|
* Provide a systemd service file for the background queue daemon; (bso#15600);
|
|||
|
|
|||
|
- Update to 4.20.0
|
|||
|
New features:
|
|||
|
* samba-tool user getpassword / syncpasswords ;rounds= change
|
|||
|
* Group Managed service account client-side features
|
|||
|
* New Windows Search Protocol Client
|
|||
|
* Allow 'smbcacls' to save/restore DACLs to file
|
|||
|
* Samba-tool extensions for AD Claims, Authentication Policies and Silos
|
|||
|
* AD DC support for Authentication Silos and Authentication Policies
|
|||
|
* Conditional ACEs and Resource Attribute ACEs
|
|||
|
* Service Witness Protocol [MS-SWN]
|
|||
|
Removed features:
|
|||
|
* Get locally logged on users from utmp
|
|||
|
Fixed bugs:
|
|||
|
* Avoid null-dereference with bad claims; (bso#15606);
|
|||
|
* ndr_pull_security_ace can leave resource attribute ACE coda
|
|||
|
claim struct undefined; (bso#15613);
|
|||
|
* fd_handle_destructor() panics within an smbd_smb2_close() if
|
|||
|
vfs_stat_fsp() fails in fd_close(); (bso#15527);
|
|||
|
* set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
|
|||
|
openat() EACCES; (bso#15583);
|
|||
|
* libgpo: Segfault in python bindings; (bso#15599);
|
|||
|
* Samba AD is missing some authentication policy tests;
|
|||
|
(bso#15607);
|
|||
|
* samba-gpupdate: Correctly implement site support; (bso#15588);
|
|||
|
* Remove unsupported "Final" keyword missing from Python 3.6;
|
|||
|
(bso#15575);
|
|||
|
* Additional witness backports for 4.20.0; (bso#15577);
|
|||
|
* Error output with wspsearch; (bso#15579);
|
|||
|
* Packet marshalling push support missing for
|
|||
|
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
|
|||
|
CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580);
|
|||
|
* Performance regression for NDR parsing of security
|
|||
|
descriptors; (bso#15574);
|
|||
|
* Build and install man page for wspsearch client utility;
|
|||
|
(bso#15565);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Feb 20 09:58:03 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.19.5
|
|||
|
* Windows 2016 fails to restore previous version of a file from
|
|||
|
a shadow_copy2 snapshot; (bso#13688).
|
|||
|
* Symlinks on AIX are broken in 4.19 (and a few version before
|
|||
|
that); (bso#15549).
|
|||
|
* Fake directory create times has no effect; (bso#12421).
|
|||
|
* ctime mixed up with mtime by smbd; (bso#15550).
|
|||
|
* samba-gpupdate --rsop fails if machine is not in a site;
|
|||
|
(bso#15548).
|
|||
|
* gpupdate: The root cert import when NDES is not available is
|
|||
|
broken; (bso#15557).
|
|||
|
* samba-gpupdate should print a useful message if cepces-submit
|
|||
|
can't be found; (bso#15552).
|
|||
|
* samba-gpupdate logging doesn't work; (bso#15558).
|
|||
|
* smbpasswd reset permissions only if not 0600; (bso#15555).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Jan 10 12:01:49 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Remove -x from bash shebang update-apparmor-samba-profile;
|
|||
|
(bsc#1218431).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Jan 9 09:42:53 UTC 2024 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.19.4
|
|||
|
* net changesecretpw cannot set the machine account password if
|
|||
|
secrets.tdb is empty; (bso#13577).
|
|||
|
* For generating doc, take, if defined, env XML_CATALOG_FILES;
|
|||
|
(bso#15540).
|
|||
|
* Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541).
|
|||
|
* vfs_linux_xfs is incorrectly named; (bso#15542).
|
|||
|
* systemd stumbled over copyright-message at smbd startup;
|
|||
|
(bso#15377).
|
|||
|
* Following intermediate abolute share-local symlinks is
|
|||
|
broken; (bso#15505).
|
|||
|
* ctdb RELEASE_IP causes a crash in release_ip if a connection
|
|||
|
to a non-public address disconnects first; (bso#15523).
|
|||
|
* shadow_copy2 broken when current fileset's directories are
|
|||
|
removed; (bso#15544).
|
|||
|
* smbd does not detect ctdb public ipv6 addresses for
|
|||
|
multichannel exclusion; (bso#15534).
|
|||
|
* 'force user = localunixuser' doesn't work if 'allow trusted
|
|||
|
domains = no' is set; (bso#15469).
|
|||
|
* smbget debug logging doesn't work; (bso#15525).
|
|||
|
* smget: username in the smburl and interactive password entry
|
|||
|
doesn't work; (bso#15532).
|
|||
|
* smbget auth function doesn't set values for password prompt
|
|||
|
correctly; (bso#15538).
|
|||
|
* Unable to copy and write files from clients to Ceph cluster
|
|||
|
via SMB Linux gateway with Ceph VFS module; (bso#15440).
|
|||
|
* Multichannel refresh network information; (bso#15547).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Nov 27 12:43:02 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.19.3
|
|||
|
* sid_strings test broken by unix epoch > 1700000000;
|
|||
|
(bso#15520).
|
|||
|
* smbd crashes if asked to return full information on close of
|
|||
|
a stream handle with delete on close disposition set;
|
|||
|
(bso#15487).
|
|||
|
* smbd: fix close order of base_fsp and stream_fsp in
|
|||
|
smb_fname_fsp_destructor(); (bso#15521).
|
|||
|
* Improve logging for failover scenarios; (bso#15499).
|
|||
|
* Files without "read attributes" NFS4 ACL permission are not
|
|||
|
listed in directories; (bso#15093).
|
|||
|
* CVE-2018-14628 [SECURITY] Deleted Object tombstones visible
|
|||
|
in AD LDAP to normal users; (bso#13595).
|
|||
|
* Kerberos TGS-REQ with User2User does not work for normal
|
|||
|
accounts; (bso#15492).
|
|||
|
* vfs_gpfs stat calls fail due to file system permissions;
|
|||
|
(bso#15507).
|
|||
|
* Samba doesn't build with Python 3.12; (bso#15513).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Oct 23 18:59:15 UTC 2023 - David Mulder <dmulder@suse.com>
|
|||
|
|
|||
|
- packaging: samba-tool domain provision requires python3-Markdown;
|
|||
|
(bsc#1216519).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Oct 16 16:04:22 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.19.2
|
|||
|
* Use-after-free in aio_del_req_from_fsp during smbd shutdown
|
|||
|
after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423).
|
|||
|
* clidfs.c do_connect() missing a "return" after a
|
|||
|
cli_shutdown() call; (bso#15426).
|
|||
|
* macOS mdfind returns only 50 results; (bso#15463).
|
|||
|
* GETREALFILENAME_CACHE can modify incoming new filename with
|
|||
|
previous cache entry value; (bso#15481).
|
|||
|
* libnss_winbind causes memory corruption since samba-4.18,
|
|||
|
impacts sendmail, zabbix, potentially more; (bso#15464).
|
|||
|
* ctdbd: setproctitle not initialized messages flooding logs;
|
|||
|
(bso#15479).
|
|||
|
* CVE-2023-5568 Heap buffer overflow with freshness tokens in
|
|||
|
the Heimdal KDC in Samba 4.19; (bso#15491).
|
|||
|
* The heimdal KDC doesn't detect s4u2self correctly when fast
|
|||
|
is in use; (bso#15477).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Oct 12 11:33:44 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- packaging: Remove /etc/slp.reg.d from samba spec file;
|
|||
|
(bsc#1216160)
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Oct 12 11:04:26 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- use systemd-logind rather than utmp for y2038 safety;
|
|||
|
(bsc#1216159).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Oct 10 15:12:38 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- CVE-2023-4091: samba: Client can truncate file with read-only
|
|||
|
permissions; (bsc#1215904); (bso#15439).
|
|||
|
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
|
|||
|
allows blocking sleep on request; (bso#1215905); (bso#15474).
|
|||
|
- CVE-2023-42670: samba: The procedure number is out of range
|
|||
|
when starting Active Directory Users and Computers;
|
|||
|
(bsc#1215906); (bso#15473).
|
|||
|
- CVE-2023-3961: samba: Unsanitized client pipe name passed to
|
|||
|
local_np_connect(); (bsc#1215907); (bso#15422).
|
|||
|
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
|
|||
|
"GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
|
|||
|
(bsc#1215908); (bso#15424).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Sep 26 08:36:43 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.19.0
|
|||
|
* File doesn't show when user doesn't have permission if
|
|||
|
aio_pthread is loaded; (bso#15453).
|
|||
|
* ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
|
|||
|
1.9.1; (bso#15451).
|
|||
|
* Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can
|
|||
|
log to syslog; (bso#15460).
|
|||
|
* ‘samba-tool domain level raise’ fails unless given a URL;
|
|||
|
(bso#15458).
|
|||
|
* reply_sesssetup_and_X() can dereference uninitialized tmp
|
|||
|
pointer; (bso#15420).
|
|||
|
* missing return in reply_exit_done(); (bso#15430).
|
|||
|
* TREE_CONNECT without SETUP causes smbd to use uninitialized
|
|||
|
pointer; (bso#15432).
|
|||
|
* Avoid infinite loop in initial user sync with Azure AD
|
|||
|
Connect when synchronising a large Samba AD domain;
|
|||
|
(bso#15401).
|
|||
|
* Samba replication logs show (null) DN; (bso#15407).
|
|||
|
* 2-3min delays at reconnect with
|
|||
|
smb2_validate_sequence_number: bad message_id 2; (bso#15346).
|
|||
|
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed;
|
|||
|
(bso#15446).
|
|||
|
* CID 1539212 causes real issue when output contains only
|
|||
|
newlines; (bso#15438).
|
|||
|
* KDC encodes INT64 claims incorrectly; (bso#15452).
|
|||
|
* mdssvc: Do an early talloc_free() in _mdssvc_open();
|
|||
|
(bso#15449).
|
|||
|
* Windows client join fails if a second container CN=System
|
|||
|
exists somewhere; (bso#9959).
|
|||
|
* regression DFS not working with widelinks = true;
|
|||
|
(bso#15435).
|
|||
|
* Heimdal fails to build on 32-bit FreeBSD; (bso#15443).
|
|||
|
* samba-tool ntacl get segfault if aio_pthread appended;
|
|||
|
(bso#15441).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Aug 21 15:16:35 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.18.6
|
|||
|
* reply_sesssetup_and_X() can dereference uninitialized tmp pointer;
|
|||
|
(bso#15420);
|
|||
|
* Missing return in reply_exit_done(); (bso#15430);
|
|||
|
* post-exec password redaction for samba-tool is more reliable for fully
|
|||
|
random passwords as it no longer uses regular expressions containing the
|
|||
|
password value itself; (bso#15289);
|
|||
|
* Windows client join fails if a second container CN=System exists somewhere;
|
|||
|
(bso#9959);
|
|||
|
* Spotlight sometimes returns no results on latest macOS; (bso#15342);
|
|||
|
* Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to
|
|||
|
remove the destination; (bso#15417);
|
|||
|
* Spotlight results return wrong date in result list; (bso#15427);
|
|||
|
* "net offlinejoin provision" does not work as non-root user; (bso#15414);
|
|||
|
* rpcserver no longer accepts double backslash in dfs pathname; (bso#15400);
|
|||
|
* cm_prepare_connection() calls close(fd) for the second time; (bso#15433);
|
|||
|
* 2-3min delays at reconnect with smb2_validate_sequence_number: bad
|
|||
|
message_id 2; (bso#15346);
|
|||
|
* samba-tool ntacl get segfault if aio_pthread appended; (bso#15441);
|
|||
|
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446);
|
|||
|
* Python tarfile extraction needs change to avoid a warning (CVE-2007-4559
|
|||
|
mitigation); (bso#15390);
|
|||
|
* Regression DFS not working with widelinks = true; (bso#15435);
|
|||
|
* mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Aug 8 15:40:54 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Move libcluster-samba4.so from samba-libs to samba-client-libs;
|
|||
|
(bsc#1213940);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Jul 19 14:35:34 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.18.5
|
|||
|
* CVE-2022-2127: lm_resp_len not checked properly in
|
|||
|
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
|
|||
|
* CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
|
|||
|
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
|
|||
|
* CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
|
|||
|
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
|
|||
|
* CVE-2023-34968: Spotlight server-side Share Path Disclosure;
|
|||
|
(bso#15388); (bsc#1213171).
|
|||
|
* CVE-2023-3347: Samba doesn't require SMB2+ signing if
|
|||
|
`server signing = mandatory` is set; (bso#15397); (bsc#1213170).
|
|||
|
* secure channel faulty since Windows 10/11 update 07/2023;
|
|||
|
(bso#15418); (bsc#1213384).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jul 6 15:30:58 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.18.4
|
|||
|
* Backport --pidl-developer fixes; (bso#15404).
|
|||
|
* Named crashes on DLZ zone update; (bso#14030).
|
|||
|
* smbcacls and smbcquotas do not check // before the server;
|
|||
|
(bso#2312).
|
|||
|
* cli_list loops 100% CPU against pre-lanman2 servers;
|
|||
|
(bso#15382).
|
|||
|
* smbclient leaks fds with showacls; (bso#15391).
|
|||
|
* smbd returns NOT_FOUND when creating files on a r/o
|
|||
|
filesystem; (bso#15402).
|
|||
|
* NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
|
|||
|
and causes test timeouts; (bso#15355).
|
|||
|
* net ads lookup (with unspecified realm) fails; (bso#15384).
|
|||
|
* Register Samba processes with GPFS; (bso#15381).
|
|||
|
* Python tarfile extraction needs change to avoid a warning
|
|||
|
(CVE-2007-4559 mitigation); (bso#15390).
|
|||
|
* The winbind child segfaults when listing users with `winbind
|
|||
|
scan trusted domains = yes`; (bso#15398).
|
|||
|
* Remove comments about deprecated 'write cache size';
|
|||
|
(bso#15383).
|
|||
|
* smbget memory leak if failed to download files recursively;
|
|||
|
(bso#15403).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jun 1 08:48:25 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.18.3
|
|||
|
* Symlinks to files can have random DOS mode information in a
|
|||
|
directory listing; (bso#15375).
|
|||
|
* vfs_fruit might cause a failing open for delete; (bso#15378).
|
|||
|
* winbind recurses into itself via rpcd_lsad; (bso#15361).
|
|||
|
* wbinfo -u fails on ad dc with >1000 users; (bso#15366).
|
|||
|
* DS ACEs might be inherited to unrelated object classes;
|
|||
|
(bso#15338).
|
|||
|
* a lot of messages: get_static_share_mode_data:
|
|||
|
get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND;
|
|||
|
(bso#15362).
|
|||
|
* aes256 smb3 encryption algorithms are not allowed in
|
|||
|
smb3_sid_parse(); (bso#15374).
|
|||
|
* Setting veto files = /.*/ break listing directories;
|
|||
|
(bso#15360).
|
|||
|
* "samba-tool domain provision" does not run interactive mode
|
|||
|
if no arguments are given; (bso#15363).
|
|||
|
* dsgetdcname: assumes local system uses IPv4; (bso#15325).
|
|||
|
|
|||
|
- Update to 4.18.2
|
|||
|
* Log flood: smbd_calculate_access_mask_fsp: Access denied:
|
|||
|
message level should be lower; (bso#15302).
|
|||
|
* Floating point exception (FPE) via cli_pull_send at
|
|||
|
source3/libsmb/clireadwrite.c; (bso#15306).
|
|||
|
* test_tstream_more_tcp_user_timeout_spin fails intermittently
|
|||
|
on Rackspace GitLab runners; (bso#15328).
|
|||
|
* Reduce flapping of ridalloc test; (bso#15329).
|
|||
|
* large_ldap test is unreliable; (bso#15351).
|
|||
|
* New filename parser doesn't check veto files smb.conf
|
|||
|
parameter; (bso#15143).
|
|||
|
* mdssvc may crash when initializing; (bso#15354).
|
|||
|
* large directory optimization broken for non-lcomp path
|
|||
|
elements; (bso#15313).
|
|||
|
* streams_depot fails to create streams; (bso#15357).
|
|||
|
* shadow_copy2 and streams_depot don't play well together;
|
|||
|
(bso#15358).
|
|||
|
* Flapping tests in samba_tool_drs_show_repl.py; (bso#15316).
|
|||
|
* winbindd idmap child contacts the domain controller without a
|
|||
|
need; (bso#15317).
|
|||
|
* idmap_autorid may fail to map sids of trusted domains for the
|
|||
|
first time; (bso#15318).
|
|||
|
* idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings;
|
|||
|
(bso#15319).
|
|||
|
* net ads search -P doesn't work against servers in other
|
|||
|
domains; (bso#15323).
|
|||
|
* Temporary smbXsrv_tcon_global.tdb can't be parsed;
|
|||
|
(bso#15353).
|
|||
|
* Tests use depricated and removed methods like
|
|||
|
assertRegexpMatches; (bso#15343).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Mar 29 15:10:50 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.18.1
|
|||
|
* CVE-2023-0225: AD DC "dnsHostname" attribute can be
|
|||
|
deleted by unprivileged authenticated users.
|
|||
|
(bso#15276);(bsc#1209483).
|
|||
|
* CVE-2023-0614: Access controlled AD LDAP attributes can be
|
|||
|
discovered (bso#15270); (bsc#1209485).
|
|||
|
* CVE-2023-0922: Samba AD DC admin tool samba-tool sends
|
|||
|
passwords in cleartext(bso#15315);(bsc#1209481).
|
|||
|
* ldb wildcard matching makes excessive allocations;
|
|||
|
(bso#15331).
|
|||
|
* large_ldap test is inefficient; (bso#15332).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Mar 17 08:09:32 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.18.0
|
|||
|
* SMB server performance improvements
|
|||
|
* More succinct samba-tool error messages
|
|||
|
* Color output with samba-tool --color
|
|||
|
The NO_COLOR environment variable will disable colour output
|
|||
|
* New samba-tool dsacl subcommand for deleting ACEs
|
|||
|
* New wbinfo option --change-secret-at
|
|||
|
* Net option to change the NT ACL default location
|
|||
|
* Azure AD / Office365 synchronization improvements
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Feb 14 08:21:13 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.17.5
|
|||
|
* smbc_getxattr() return value is incorrect; (bso#14808);
|
|||
|
* Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
|
|||
|
correctly; (bso#15172);
|
|||
|
* synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
|
|||
|
* samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
|
|||
|
when there is only an AAAA record for the DC in DNS; (bso#15226);
|
|||
|
* smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
|
|||
|
* DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
|
|||
|
* vfs_virusfilter segfault on access, directory edgecase
|
|||
|
(accessing NULL value); (bso#15283);
|
|||
|
* CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
|
|||
|
SChannel on NETLOGON (additional changes); (bso#15240);
|
|||
|
* %U for include directive doesn't work for share listing
|
|||
|
(netshareenum); (bso#15243);
|
|||
|
* Shares missing from netshareenum response in samba 4.17.4;
|
|||
|
(bso#15266);
|
|||
|
* ctdb: use-after-free in run_proc; (bso#15269);
|
|||
|
* irpc_destructor may crash during shutdown; (bso#15280);
|
|||
|
* auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
|
|||
|
* smbclient segfaults with use after free on an optimized build;
|
|||
|
(bso#15268);
|
|||
|
* smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
|
|||
|
* Leak in wbcCtxPingDc2; (bso#15164);
|
|||
|
* Access based share enum does not work in Samba 4.16+; (bso#15265);
|
|||
|
* Crash during share enumeration; (bso#15267);
|
|||
|
* rep_listxattr on FreeBSD does not properly check for reads off
|
|||
|
end of returned buffer; (bso#15271);
|
|||
|
* Avoid relying on C89 features in a few places; (bso#15281);
|
|||
|
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
|
|||
|
- Drop libnsl build requirement; (bsc#1208220);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Jan 23 09:24:07 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- libdsdb-module-samba4 should be packaged as part of samba-libs and
|
|||
|
not samba-ad-dc-libs. Additionally no need for it to be
|
|||
|
removed conditionally.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jan 12 15:24:55 UTC 2023 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Clean up logic for PAM migration settings in spec file.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Jan 4 14:05:15 UTC 2023 - Stefan Schubert <schubi@suse.com>
|
|||
|
|
|||
|
- Migration of PAM settings to /usr/lib/pam.d.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Dec 21 12:17:58 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Change with_dc default to 0 (for non TW builds).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.17.4
|
|||
|
* CVE-2022-44640 Upstream Heimdal free of user-controlled
|
|||
|
pointer in FAST; (bsc#14929);
|
|||
|
* CVE-2021-20251 Bad password count not incremented atomically;
|
|||
|
(bsc#14611);
|
|||
|
* CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
|
|||
|
(bsc#15203);
|
|||
|
* CVE-2022-37966 rc4-hmac Kerberos session keys issued to
|
|||
|
modern servers; (bso#15237);
|
|||
|
* CVE-2022-37967 Kerberos constrained delegation ticket forgery
|
|||
|
possible against Samba AD DC; (bso#15231);
|
|||
|
* CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
|
|||
|
and should be avoided; (bso#15240);
|
|||
|
* pam_winbind uses time_t and pointers assuming they are of the
|
|||
|
same size; (bso#15224);
|
|||
|
* Heimdal session key selection in AS-REQ examines wrong entry;
|
|||
|
(bso#15219);
|
|||
|
* filter-subunit is inefficient with large numbers of
|
|||
|
knownfails; (bso#15258);
|
|||
|
* smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
|
|||
|
(bso#15252);
|
|||
|
* The KDC logic arround msDs-supportedEncryptionTypes differs
|
|||
|
from Windows; (bso#13135);
|
|||
|
* libnet: change_password() doesn't work with
|
|||
|
dcerpc_samr_ChangePasswordUser4(); (bso#15206);
|
|||
|
* Heimdal session key selection in AS-REQ examines wrong entry;
|
|||
|
(bso#15219);
|
|||
|
* Memory leak in snprintf replacement functions; (bso#15230);
|
|||
|
* RODC doesn't reset badPwdCount reliable via an RWDC
|
|||
|
(CVE-2021-20251 regression); (bso#15253);
|
|||
|
* Prevent EBADF errors with vfs_glusterfs; (bso#15198);
|
|||
|
* %U for include directive doesn't work for share listing
|
|||
|
(netshareenum); (bso#15243);
|
|||
|
* Stack smashing in net offlinejoin requestodj; (bso#15257);
|
|||
|
* Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
|
|||
|
(bso#15197);
|
|||
|
* Heimdal session key selection in AS-REQ examines wrong entry;
|
|||
|
(bso#15219);
|
|||
|
- Remove deprecated if-{down,up} scripts; (bsc#1206444);
|
|||
|
- Adjust the systemd drop-in file for named service; (bsc#1201689);
|
|||
|
* Paths are additive so do not repeat paths from named.service
|
|||
|
* Prefix the samba DLZ directory with "-" to ignore this path
|
|||
|
if it does not exists
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
|||
|
|
|||
|
- Migration PAM settings to /usr/etc: Saving user changed
|
|||
|
configuration files in /etc and restoring them while an RPM
|
|||
|
update.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
|
|||
|
|
|||
|
- Introduce without-smb1-server spec flag; (bsc#1205104);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.17.3
|
|||
|
* CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
|
|||
|
systems; (bsc#1205126); (bso#15203);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>
|
|||
|
|
|||
|
- Replace obsolete python-gpgme with python-gpg
|
|||
|
* Upstream replaced it in v4.9.5 -- bso#13728
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Oct 25 09:26:59 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.17.2
|
|||
|
* CVE-2022-3592 [SECURITY] samba: Wide links protection broken;
|
|||
|
(bso#15207); (bsc#1204499).
|
|||
|
* CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal
|
|||
|
unwrap_des3();(bso#15134); (bsc#1204254).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Oct 19 12:48:21 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.17.1
|
|||
|
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
|||
|
atomically; (bso#14611).
|
|||
|
* smbXsrv_connection_shutdown_send result leaked; (bso#15174).
|
|||
|
* Flush on a named stream never completes; (bso#15182).
|
|||
|
* Permission denied calling SMBC_getatr when file not exists;
|
|||
|
(bso#15195).
|
|||
|
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
|
|||
|
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
|
|||
|
(bso#15189).
|
|||
|
* pytest: add file removal helpers for TestCaseInTempDir;
|
|||
|
(bso#15191).
|
|||
|
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
|||
|
atomically; (bso#14611).
|
|||
|
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
|
|||
|
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
|
|||
|
(bso#15189).
|
|||
|
* Flush on a named stream never completes; (bso#15182).
|
|||
|
* vfs_gpfs silently garbles timestamps > year 2106;
|
|||
|
(bso#15151).
|
|||
|
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
|||
|
atomically; (bso#14611).
|
|||
|
* multi-channel socket passing may hit a race if one of the
|
|||
|
involved processes already existed; (bso#15200).
|
|||
|
* memory leak on temporary of struct imessaging_post_state and
|
|||
|
struct tevent_immediate on struct imessaging_context (in
|
|||
|
rpcd_spoolss and maybe others); (bso#15201).
|
|||
|
* Since popt1.19 various use after free errors using result of
|
|||
|
poptGetArg are now exposed; (bso#15205); (boo#1204279).
|
|||
|
* Remove special case for O_CREAT in SMB_VFS_OPENAT from
|
|||
|
vfs_glusterfs; (bso#15192).
|
|||
|
* GETPWSID in memory cache grows indefinetly with each NTLM
|
|||
|
auth; (bso#15169).
|
|||
|
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
|||
|
atomically; (bso#14611).
|
|||
|
- Install a systemd drop-in file for named service to allow
|
|||
|
read/write access to the DLZ directory; (bsc#1201689);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Oct 14 14:20:51 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Fix use after free errors resulting from using return of
|
|||
|
poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Sep 26 10:40:18 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- s3: smbd: Fix memory leak in
|
|||
|
smbd_server_connection_terminate_done(); (bso#15174).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Disable SMB1 for tumbleweed builds.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Sep 23 16:22:12 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.17.0
|
|||
|
* acl_xattr VFS module may unintentionally use filesystem
|
|||
|
permissions instead of ACL from xattr; (bso#15126).
|
|||
|
* Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
|
|||
|
(bso#15153).
|
|||
|
* assert failed: !is_named_stream(smb_fname)") at
|
|||
|
../../lib/util/fault.c:197; (bso#15161).
|
|||
|
* acl_xattr VFS module may unintentionally use filesystem
|
|||
|
permissions instead of ACL from xattr; (bso#15126).
|
|||
|
* assert failed: !is_named_stream(smb_fname)") at
|
|||
|
../../lib/util/fault.c:197; (bso#15161).
|
|||
|
* Cross-node multi-channel reconnects result in SMB2 Negotiate
|
|||
|
returning NT_STATUS_NOT_SUPPORTED; (bso#15159).
|
|||
|
* winbind at info level debug can coredump when processing
|
|||
|
wb_lookupusergroups; (bso#15160).
|
|||
|
* Make use of glfs_*at() API calls in vfs_glusterfs;
|
|||
|
(bso#15157).
|
|||
|
* Possible use after free of connection_struct when iterating
|
|||
|
smbd_server_connection->connections; (bso#15128).
|
|||
|
* `net usershare add` fails with flag works with --long but
|
|||
|
fails with -l; (bso#15145).
|
|||
|
* acl_xattr VFS module may unintentionally use filesystem
|
|||
|
permissions instead of ACL from xattr; (bso#15126).
|
|||
|
* Performance regression on contended path based operations;
|
|||
|
(bso#15125).
|
|||
|
* Missing READ_LEASE break could cause data corruption;
|
|||
|
(bso#15148).
|
|||
|
* libsamba-errors uses a wrong version number; (bso#15141).
|
|||
|
* SMB1 negotiation can fail to handle connection errors;
|
|||
|
(bso#15152).
|
|||
|
* New filename parser doesn't check veto files smb.conf
|
|||
|
parameter; (bso#15143).
|
|||
|
* 4.17.rc1 still uses symlink-race prone unix_convert();
|
|||
|
(bso#15144).
|
|||
|
* Backport fileserver related changed to 4.17.0rc2;
|
|||
|
(bso#15146).
|
|||
|
* Manpage for smbstatus json is missing; (bso#15147).
|
|||
|
* Backport fileserver related changed to 4.17.0rc2;
|
|||
|
(bso#15146).
|
|||
|
* Performance regression on contended path based operations;
|
|||
|
(bso#15125).
|
|||
|
* Backport fileserver related changed to 4.17.0rc2;
|
|||
|
(bso#15146).
|
|||
|
* Fix issues found by coverity in smbstatus json code;
|
|||
|
(bso#15140).
|
|||
|
* Backport fileserver related changed to 4.17.0rc2;
|
|||
|
(bso#15146).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Sep 1 06:07:15 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
|||
|
|
|||
|
- Migration to /usr/etc: Saving user changed configuration files
|
|||
|
in /etc and restoring them while an RPM update.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jul 28 11:56:31 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.16.4
|
|||
|
* CVE-2022-2031: Samba AD users can bypass certain restrictions
|
|||
|
associated with changing passwords; (bsc#1201495); (bso#15047);
|
|||
|
* CVE-2022-32744: Samba AD users can forge password change
|
|||
|
requests for any user; (bsc#1201493); (bso#15074);
|
|||
|
* CVE-2022-32745: Samba AD users can crash the server process
|
|||
|
with an LDAP add or modify request; (bsc#1201492); (bso#15008);
|
|||
|
* CVE-2022-32746: Samba AD users can induce a use-after-free in
|
|||
|
the server process with an LDAP add or modify request;
|
|||
|
(bsc#1201490); (bso#15009);
|
|||
|
* CVE-2022-32742: Server memory information leak via SMB1;
|
|||
|
(bsc#1201496); (bso#15085);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Jul 19 11:25:59 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.16.3
|
|||
|
* Using vfs_streams_xattr and deleting a file causes a panic;
|
|||
|
(bso#15099);
|
|||
|
* Add support for bind 9.18; (bso#14986);
|
|||
|
* logging dsdb audit to specific files does not work;
|
|||
|
(bso#15076);
|
|||
|
* Problem when winbind renews Kerberos; (bso#14979);
|
|||
|
(bsc#1196224);
|
|||
|
* Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
|
|||
|
developer mode; (bso#15095);
|
|||
|
* Crash in streams_xattr because fsp->base_fsp->fsp_name is
|
|||
|
NULL; (bso#15105);
|
|||
|
* Crash in rpcd_classic - NULL pointer deference in
|
|||
|
mangle_is_mangled(); (bso#15118);
|
|||
|
* smbclient commands del & deltree fail with
|
|||
|
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
|
|||
|
(bsc#1200556);
|
|||
|
* Fix check for chown when processing NFSv4 ACL; (bso#15120);
|
|||
|
* The pcap background queue process should not be stopped;
|
|||
|
(bso#15082);
|
|||
|
* testparm: Fix typo in idmap rangesize check; (bso#15097);
|
|||
|
* net ads info returns LDAP server and LDAP server name as
|
|||
|
null; (bso#15106);
|
|||
|
* ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
|
|||
|
(bso#15108);
|
|||
|
* CTDB child process logging does not work as expected;
|
|||
|
(bso#15090);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Jul 12 10:48:47 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update spec file to fix the optional Heimdal DC build
|
|||
|
- Fix external trusts with MIT Kerberos 1.20
|
|||
|
- Add missing samba-client requirement to samba-winbind package;
|
|||
|
(bsc#1198255);
|
|||
|
- Move pdb backends from package samba-libs to package
|
|||
|
samba-client-libs and remove samba-libs requirement from
|
|||
|
samba-winbind; (bsc#1200964); (bsc#1198255);
|
|||
|
- Add sysuser-shadow requirement for packages using
|
|||
|
systemd-sysusers
|
|||
|
- Use the canonical realm name to refresh the Kerberos tickets;
|
|||
|
(bsc#1196224); (bso#14979);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Jun 21 14:29:52 UTC 2022 - Stefan Schubert <schubi@suse.de>
|
|||
|
|
|||
|
- Moved logrotate files from user specific directory /etc/logrotate.d
|
|||
|
to vendor specific directory /usr/etc/logrotate.d.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Jun 13 13:32:24 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.16.2
|
|||
|
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
|
|||
|
(bso#15042);
|
|||
|
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
|
|||
|
file had been deleted; (bso#15069);
|
|||
|
* Reintroduce netgroups support; (bso#15087);
|
|||
|
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
|
|||
|
server; (bso#14674);
|
|||
|
* Update from 4.15 to 4.16 breaks discovery of [homes] on
|
|||
|
standalone server from Win and IOS; (bso#15062);
|
|||
|
* waf produces incorrect names for python extensions with Python
|
|||
|
3.11; (bso#15071);
|
|||
|
* smbclient -E doesn't work as advertised; (bso#15075);
|
|||
|
* The samba background daemon doesn't refresh the printcap cache
|
|||
|
on startup; (bso#15081);
|
|||
|
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
|
|||
|
- Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
|
|||
|
- Support building with MIT Kerberos 1.20
|
|||
|
- Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
|
|||
|
(CVE-2020-17049);
|
|||
|
- Resource Based Constrained Delegation (RBCD) for Samba AD DC
|
|||
|
- Support building with gcc 12.1
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed May 11 09:30:15 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Use requires_eq macro to require the libldb2 version available at
|
|||
|
samba-dsdb-modules build time; (bsc#1199362);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue May 3 07:38:02 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.16.1
|
|||
|
* Share and server swapped in smbget password prompt; (bso#14831);
|
|||
|
* Durable handles won't reconnect if the leased file is written to;
|
|||
|
(bso#15022);
|
|||
|
* rmdir silently fails if directory contains unreadable files and
|
|||
|
hide unreadable is yes; (bso#15023);
|
|||
|
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
|
|||
|
on renamed file handle; (bso#15038);
|
|||
|
* Need to describe --builtin-libraries= better (compare with
|
|||
|
--bundled-libraries); (bso#8731);
|
|||
|
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
|
|||
|
(bso#14957);
|
|||
|
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
|
|||
|
(bso#15035);
|
|||
|
* PAM Kerberos authentication incorrectly fails with a clock skew
|
|||
|
error; (bso#15046);
|
|||
|
* Username map - samba erroneously applies unix group memberships
|
|||
|
to user account entries; (bso#15041);
|
|||
|
* KVNO off by 100000; (bso#14951);
|
|||
|
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
|
|||
|
* vfs_gpfs recalls=no option prevents listing files; (bso#15055);
|
|||
|
* smbd doesn't handle UPNs for looking up names; (bso#15054);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Apr 20 09:00:49 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update update-apparmor-samba-profile script, replace
|
|||
|
non-printable delimiter with more human readable separator as
|
|||
|
sed can accept separators that can appear in the input data.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Apr 13 15:33:22 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Fix update-apparmor-samba-profile script, sed doesn't like
|
|||
|
multibyte separators; (bsc#1198309).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Mar 24 15:00:36 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.16.0
|
|||
|
* New samba-dcerpcd binary to provide DCERPC in the member server
|
|||
|
setup
|
|||
|
* Certificate Auto Enrollment
|
|||
|
* Ability to add ports to dns forwarder addresses in internal DNS
|
|||
|
backend
|
|||
|
* No longer using Linux mandatory locks for sharemodes
|
|||
|
* SMB1 protocol has been deprecated, particularly older dialects
|
|||
|
* SMB1 protocol SMBCopy command removed
|
|||
|
* SMB1 server-side wildcard expansion removed
|
|||
|
- Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
|
|||
|
- Use systemd-sysusers to create system users; (bsc#1182847);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Mar 15 17:54:57 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.15.6
|
|||
|
* Renaming file on DFS root fails with
|
|||
|
NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
|
|||
|
* Samba does not response STATUS_INVALID_PARAMETER when opening 2
|
|||
|
objects with same lease key; (bso#14737);
|
|||
|
* NT error code is not set when overwriting a file during rename
|
|||
|
in libsmbclient; (bso#14938);
|
|||
|
* Fix ldap simple bind with TLS auditing; (bso#14996);
|
|||
|
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
|
|||
|
server; (bso#14674);
|
|||
|
* Problem when winbind renews Kerberos; (bso#14979);
|
|||
|
(bsc#1196224);
|
|||
|
* pam_winbind will not allow gdm login if password about to
|
|||
|
expire; (bso#8691);
|
|||
|
* virusfilter_vfs_openat: Not scanned: Directory or special file;
|
|||
|
(bso#14971);
|
|||
|
* DFS fix for AIX broken; (bso#13631);
|
|||
|
* Solaris and AIX acl modules: wrong function arguments;
|
|||
|
(bso#14974);
|
|||
|
* Function aixacl_sys_acl_get_file not declared / coredump;
|
|||
|
(bso#7239);
|
|||
|
* Regression: Samba 4.15.2 on macOS segfaults intermittently
|
|||
|
during strcpy in tdbsam_getsampwnam; (bso#14900);
|
|||
|
* Fix a use-after-free in SMB1 server; (bso#14989);
|
|||
|
* smb2_signing_decrypt_pdu() may not decrypt with
|
|||
|
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
|
|||
|
(bso#14968);
|
|||
|
* Changing the machine password against an RODC likely destroys
|
|||
|
the domain join; (bso#14984);
|
|||
|
* authsam_make_user_info_dc() steals memory from its struct
|
|||
|
ldb_message *msg argument; (bso#14993);
|
|||
|
* Use Heimdal 8.0 (pre) rather than an earlier snapshot;
|
|||
|
(bso#14995);
|
|||
|
* Samba autorid fails to map AD users if id rangesize fits in the
|
|||
|
id range only once; (bso#14967);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Mar 07 16:05:42 UTC 2022 - David Mulder <dmulder@suse.com>
|
|||
|
|
|||
|
- Fix mismatched version of libldb2; (bsc#1196788).
|
|||
|
- Drop obsolete SuSEfirewall2 service files.
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Mar 4 20:25:41 UTC 2022 - David Disseldorp <ddiss@suse.com>
|
|||
|
|
|||
|
- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
|
|||
|
(bsc#1080338).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Feb 23 10:04:15 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Fix ntlm authentications with "winbind use default domain = yes";
|
|||
|
(bso#13126); (bsc#1173429); (bsc#1196308).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Feb 14 18:15:29 UTC 2022 - David Mulder <dmulder@suse.com>
|
|||
|
|
|||
|
- Fix samba-ad-dc status warning notification message by disabling
|
|||
|
systemd notifications in bgqd; (bsc#1195896); (bso#14947).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Feb 07 20:15:46 UTC 2022 - David Mulder <dmulder@suse.com>
|
|||
|
|
|||
|
- libldb version mismatch in Samba dsdb component; (bsc#1118508);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Mon Jan 31 14:23:44 UTC 2022 - Noel Power <nopower@suse.com>
|
|||
|
|
|||
|
- Update to 4.15.5
|
|||
|
* CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
|
|||
|
outside target of a symlink exists; (bso#14911);
|
|||
|
(bsc#1193690).
|
|||
|
* CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
|
|||
|
module; (bso#14914); (bsc#1194859).
|
|||
|
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN
|
|||
|
conflict checks; bso#14950); (bsc#1195048).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Wed Jan 26 12:00:35 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- CVE-2021-44141: Information leak via symlinks of existance of
|
|||
|
files or directories outside of the exported share; (bso#14911);
|
|||
|
(bsc#1193690);
|
|||
|
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
|
|||
|
in VFS module vfs_fruit allows code execution; (bso#14914);
|
|||
|
(bsc#1194859);
|
|||
|
- CVE-2022-0336: Samba AD users with permission to write to an
|
|||
|
account can impersonate arbitrary services; (bso#14950);
|
|||
|
(bsc#1195048);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Jan 21 12:37:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.15.4
|
|||
|
* Duplicate SMB file_ids leading to Windows client cache
|
|||
|
poisoning; (bso#14928);
|
|||
|
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
|
|||
|
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
|
|||
|
* kill_tcp_connections does not work; (bso#14934);
|
|||
|
* Can't connect to Windows shares not requiring authentication
|
|||
|
using KDE/Gnome; (bso#14935);
|
|||
|
* smbclient -L doesn't set "client max protocol" to NT1 before
|
|||
|
calling the "Reconnecting with SMB1 for workgroup listing"
|
|||
|
path; (bso#14939);
|
|||
|
* Cross device copy of the crossrename module always fails;
|
|||
|
(bso#14940);
|
|||
|
* symlinkat function from VFS cap module always fails with an
|
|||
|
error; (bso#14941);
|
|||
|
* Fix possible fsp pointer deference; (bso#14942);
|
|||
|
* Missing pop_sec_ctx() in error path inside close_directory();
|
|||
|
(bso#14944);
|
|||
|
* "smbd --build-options" no longer works without an smb.conf file;
|
|||
|
(bso#14945);
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Tue Jan 18 09:14:20 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
|
|||
|
|
|||
|
- Use pkgconfig(krb5) as dependency for the -devel package: allow
|
|||
|
OBS to pick the right flavor of krb5-devel (full vs mini).
|
|||
|
- Do not require the 'krb5' symbol by samba-client-libs: this
|
|||
|
package has an automatic dependency due to linkage on
|
|||
|
libgssapi_krb5.so.2. Automatic deps are always better.
|
|||
|
- Do not require the 'krb5' symbol from samba-libs: samba-libs
|
|||
|
requires samba-client-libs, which in turn requires krb5
|
|||
|
libraries. Samba-libs itself has no need for krb5 (but get it
|
|||
|
indirectly anyway).
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Thu Jan 13 19:39:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Reorganize libs packages. Split samba-libs into samba-client-libs,
|
|||
|
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
|
|||
|
public libraries depending on internal samba libraries into these
|
|||
|
packages as there were dependency problems everytime one of these
|
|||
|
public libraries changed its version (bsc#1192684). The devel
|
|||
|
packages are merged into samba-devel.
|
|||
|
- Rename package samba-core-devel to samba-devel
|
|||
|
- Add python-rpm-macros to build requirements
|
|||
|
- Update the symlink create by samba-dsdb-modules to private samba
|
|||
|
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
|
|||
|
/usr/lib64/ldb2/modules/ldb/samba
|
|||
|
|
|||
|
-------------------------------------------------------------------
|
|||
|
Fri Dec 10 17:13:28 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|||
|
|
|||
|
- Update to 4.15.3
|
|||
|
* Recursive directory delete with veto files is broken in 4.15.0;
|
|||
|
(bso#14878);
|
|||
|
* A directory containing dangling symlinks cannot be deleted by
|
|||
|
SMB2 alone when they are the only entry in the directory;
|
|||
|
(bso#14879);
|
|||
|
* SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
|
|||
|
uninitialized in rmdir_internals(); (bso#14892);
|
|||
|
* MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694);
|
|||
|