pool/samba
SHA256
4
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
samba/samba.changes

14448 lines
607 KiB
Plaintext
Raw Normal View History

- Remove nscd build dependency and usage in RPM scriptlets; (bsc#1237296); - Update to 4.21.4 * Increasing slowness of sharesec performance with high number of registry shares; (bso#15780). * winbindd shows memleak in kerberos_decode_pac; (bso#15782). * Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later; (bso#15738). * Replace `crypt` module in python/samba/netcmd/user/readpasswords/common.py; (bso#15756). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * Spotlight search results don't show file size and creation date; (bso#15796). * General improvements for vfs_ceph_new module; (bso#15703). * net offlinejoin not working correctly; (bso#15777). * net ads create/join/winbind producing unix dysfunctional keytabs; (bso#15759). * Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing security tab; (bso#14213). * The values from hresult_errstr_const and hresult_errstr are reversed in 4.20 and 4.21; (bso#15769). * Kerberos referral tickets are generated for principals in our domain if we have a trust to a top level domain; (bso#15778). * NETLOGON_NTLMV2_ENABLED is missing in the SamLogon* user_flags field; (bso#15783). * Regression: stack-use-after-return in crypt_as_best_we_can(); (bso#15784). OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=701
2025-03-06 07:35:44 +00:00
-------------------------------------------------------------------
Tue Feb 19 10:42:17 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Remove nscd build dependency and usage in RPM scriptlets;
(bsc#1237296);
-------------------------------------------------------------------
Wed Feb 19 10:08:34 UTC 2025 - Noel Power <nopower@suse.com>
- Update to 4.21.4
* Increasing slowness of sharesec performance with high number
of registry shares; (bso#15780).
* winbindd shows memleak in kerberos_decode_pac; (bso#15782).
* Creation of GPOs applicable to more than one group is
impossible with Samba 4.20.0 and later; (bso#15738).
* Replace `crypt` module in
python/samba/netcmd/user/readpasswords/common.py;
(bso#15756).
* vfs_gpfs silently garbles timestamps > year 2106;
(bso#15151).
* Spotlight search results don't show file size and creation
date; (bso#15796).
* General improvements for vfs_ceph_new module; (bso#15703).
* net offlinejoin not working correctly; (bso#15777).
* net ads create/join/winbind producing unix dysfunctional
keytabs; (bso#15759).
* Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
security tab; (bso#14213).
* The values from hresult_errstr_const and hresult_errstr are
reversed in 4.20 and 4.21; (bso#15769).
* Kerberos referral tickets are generated for principals in our
domain if we have a trust to a top level domain; (bso#15778).
* NETLOGON_NTLMV2_ENABLED is missing in the SamLogon*
user_flags field; (bso#15783).
* Regression: stack-use-after-return in crypt_as_best_we_can();
(bso#15784).
* libreplace:readline: gcc 15 complains about incompatible
pointer types; (bso#15788).
-------------------------------------------------------------------
Tue Jan 7 10:22:16 UTC 2025 - Noel Power <nopower@suse.com>
- Update to 4.21.3
* More possible replication loops against Azure AD;
(bso#15701).
* Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease;
(bso#15697).
* vfs crossrename seems not work correctly; (bso#15724).
* After 'machine password timeout' /etc/krb5.keytab is not
updated; (bso#6750).
* Memory leak wbcCtxLookupSid; (bso#15771).
* Fix heap-user-after-free with association groups;
(bso#15765).
* Segfault in vfs_btrfs; (bso#15758).
* Avoid event failure race when disabling an event script;
(bso#15755).
-------------------------------------------------------------------
Fri Dec 6 09:09:04 UTC 2024 - Noel Power <nopower@suse.com>
- Update shipped /etc/samba/smb.conf to point to smb.conf
man page;(bsc#1233880).
-------------------------------------------------------------------
Mon Nov 25 17:35:43 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.2
* smbd fails to correctly check sharemode against OVERWRITE
dispositions; (bso#15732).
* Panic in close_directory; (bso#15754).
* winexe no longer works with samba 4.21; (bso#15752).
* protocol error - Unclear debug message "pad length mismatch"
for invalid bind packet; (bso#14356).
* NetrGetLogonCapabilities QueryLevel 2 needs to be
implemented; (bso#15425).
* gss_accept_sec_context() from Heimdal does not imply
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
* winbindd should call process_set_title() for locator child;
(bso#15749).
* Update CTDB to track all TCP connections to public IP
addresses; (bso#15320).
-------------------------------------------------------------------
Thu Oct 31 13:20:25 UTC 2024 - Noel Power <nopower@suse.com>
- Add placeholder changelog for sle15-sp7; (jsc#PED-11210).
-------------------------------------------------------------------
Wed Oct 16 13:52:25 UTC 2024 - Noel Power <nopower@suse.com>
- Adjust spec to split out rpcd_* binaries into a separate
sub package; (bsc#1231414).
-------------------------------------------------------------------
Tue Oct 15 13:23:26 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.1
* DH reconnect error handling can lead to stale sharemode
entries; (bso#15624).
* "inherit permissions = yes" triggers assert() in vfs_default
when creating a stream; (bso#15695).
* Samba 4.21.0 broke FreeIPA domain member integration;
(bso#15715).
* Missing conversion for msDS-UserTGTLifetime, msDS-
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
tool domain auth policy modify"; (bso#15692).
* irpc_destructor may crash during shutdown; (bso#15280).
* Durable handle is not granted when a previous OPEN exists
with NoOplock; (bso#15649).
* Durable handle is granted but reconnect fails; (bso#15651).
* Disconnected durable handles with RH lease should not be
purged by a new non conflicting open; (bso#15708).
* net ads testjoin and other commands use the wrong secrets.tdb
in a cluster; (bso#15714).
* 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
rfc 8009 etypes are used; (bso#15726).
* VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
(bso#15730).
* Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
* Cannot build libldb lmdb backend on a build without AD DC;
(bso#15721).
* Consistent log level for sighup handler; (bso#15706).
-------------------------------------------------------------------
Wed Sep 25 14:52:10 UTC 2024 - Noel Power <nopower@suse.com>
- Support needed packaging changes required update to samba-4.21.0
Update samba.spec, baselibs.conf to deliver libldb packages.
-------------------------------------------------------------------
Thu Sep 5 07:29:17 UTC 2024 - David Disseldorp <ddiss@suse.com>
- Package ceph_new VFS module.
-------------------------------------------------------------------
Thu Sep 5 07:13:01 UTC 2024 - David Disseldorp <ddiss@suse.com>
- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
(bso#15699); (bsc#1229684).
-------------------------------------------------------------------
Wed Aug 28 17:31:35 UTC 2024 - Noel Power <nopower@suse.com>
- Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse; (bso#15702).
-------------------------------------------------------------------
Wed Aug 28 09:01:29 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.0
* Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
truncated; (bso#15699).
* Bad variable definition for ParseTuple causing test failure
for Smb3UnixTests.test_create_context_reparse; (bso#15702).
* Add new vfs_ceph module (based on low level API);
(bso#15686).
* samba-tool can not load the default configuration file;
(bso#15698).
* Crash when readlinkat fails; (bso#15700).
* Can't add/delete special keys to keytab for nfs, cifs, http
etc; (bso#15689).
* Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients; (bso#15696).
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
* ldb_version.h is missing from ldb public library;
(bso#15690).
* Can not add/delete special keys to keytab for nfs, cifs, http
etc; (bso#15689).
* undefined reference to winbind_lookup_name_ex; (bso#15687).
* per user veto and hide file syntax is to complex;
(bso#15688).
-------------------------------------------------------------------
Wed Aug 7 09:47:14 UTC 2024 - Noel Power <nopower@suse.com>
- Fix a crash when joining offline and 'kerberos method' includes
keytab; (bsc#1228732).
-------------------------------------------------------------------
Tue Aug 6 10:51:13 UTC 2024 - Noel Power <noel.power@suse.com>
- Update to 4.20.4
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
- Update to 4.20.3
* Running samba-bgqd a a standalone systemd service does not
work; (bso#15683).
* When claims enabled with heimdal kerberos, unable to log on
to a Windows computer when user account need to change their
own password; (bso#15655).
* Invalid client warning about command line passwords;
(bso#15671).
* Version string is truncated in manpages; (bso#15672).
* cmdline_burn does not always burn secrets; (bso#15674).
* Samba does not parse SDDL found in defaultSecurityDescriptor
in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
* The images don\'t build after the git security release and
CentOS 8 Stream is EOL; (bso#15660).
* Fix clock skew error message and memory cache clock skew
recovery; (bso#15676).
* Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual; (bso#15603).
* s4:ldap_server: does not support tls channel bindings for
sasl binds; (bso#15621).
* CTDB socket output queues may suffer unbounded delays under
some special conditions; (bso#15678).
-------------------------------------------------------------------
Wed Jul 17 11:18:52 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Update samba-tool package to require python3-Markdown also in
the Heimdal ADDC build.
-------------------------------------------------------------------
Thu Jul 4 10:34:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix named crash when using samba's DLZ plugin; (bsc#1224003);
(bso#15643);
-------------------------------------------------------------------
Thu Jul 4 10:30:10 UTC 2024 - pgajdos@suse.com
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang macro, [bsc#1212476]
-------------------------------------------------------------------
Wed Jun 19 15:02:44 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.20.2
* vfs_widelinks with DFS shares breaks case insensitivity;
(bso#15662); (bsc#1213607).
* Samba build is not reproducible; (bso#13213).
* ldb qsort might r/w out of bounds with an intransitive
compare function; (bso#15569).
* Many qsort() comparison functions are non-transitive, which
can lead to out-of-bounds access in some circumstances;
(bso#15625).
* Need to change gitlab-ci.yml tags in all branches to avoid CI
bill; (bso#15638).
* We have added new options --vendor-name and --vendor-patch-
revision arguments to ./configure to allow distributions and
packagers to put their name in the Samba version string so
that when debugging Samba the source of the binary is
obvious; (bso#15654).
* CTDB RADOS mutex helper misses namespace support;
(bso#15665).
* Dynamic DNS updates with the internal DNS are not working;
(bso#13019).
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0; (bso#14981).
* Anonymous smb3 signing/encryption should be allowed (similar
to Windows Server 2022); (bso#15412).
* Panic in dreplsrv_op_pull_source_apply_changes_trigger;
(bso#15573).
* s4:nbt_server: does not provide unexpected handling, so
winbindd can't use nmb requests instead cldap; (bso#15620).
* winbindd, net ads join and other things don't work on an ipv6
only host; (bso#15642).
* Segmentation fault when deleting files in vfs_recycle;
(bso#15659).
* Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664).
* "client use kerberos" and --use-kerberos is ignored for the
machine account; (bso#15666).
* Regression DFS not working with widelinks = true;
(bso#15435).
* samba-gpupdate - Invalid NtVer in netlogon_samlogon_response;
(bso#15633).
* idmap_ad creates an incorrect local krb5.conf in case of
trusted domain lookups; (bso#15653).
* The images don't build after the git security release and
CentOS 8 Stream is EOL; (bso#15660).
-------------------------------------------------------------------
Mon Jun 3 07:09:54 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix non deterministic builds; (bsc#1225754); (bso#13213);
-------------------------------------------------------------------
Thu May 16 10:47:57 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.20.1
* dns update debug message is too noisy; (bso#15630);
* Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
* Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
* Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
* http library doesn't support 'chunked transfer encoding'; (bso#15611);
* Provide a systemd service file for the background queue daemon; (bso#15600);
- Update to 4.20.0
New features:
* samba-tool user getpassword / syncpasswords ;rounds= change
* Group Managed service account client-side features
* New Windows Search Protocol Client
* Allow 'smbcacls' to save/restore DACLs to file
* Samba-tool extensions for AD Claims, Authentication Policies and Silos
* AD DC support for Authentication Silos and Authentication Policies
* Conditional ACEs and Resource Attribute ACEs
* Service Witness Protocol [MS-SWN]
Removed features:
* Get locally logged on users from utmp
Fixed bugs:
* Avoid null-dereference with bad claims; (bso#15606);
* ndr_pull_security_ace can leave resource attribute ACE coda
claim struct undefined; (bso#15613);
* fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close(); (bso#15527);
* set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
openat() EACCES; (bso#15583);
* libgpo: Segfault in python bindings; (bso#15599);
* Samba AD is missing some authentication policy tests;
(bso#15607);
* samba-gpupdate: Correctly implement site support; (bso#15588);
* Remove unsupported "Final" keyword missing from Python 3.6;
(bso#15575);
* Additional witness backports for 4.20.0; (bso#15577);
* Error output with wspsearch; (bso#15579);
* Packet marshalling push support missing for
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580);
* Performance regression for NDR parsing of security
descriptors; (bso#15574);
* Build and install man page for wspsearch client utility;
(bso#15565);
-------------------------------------------------------------------
Tue Feb 20 09:58:03 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.19.5
* Windows 2016 fails to restore previous version of a file from
a shadow_copy2 snapshot; (bso#13688).
* Symlinks on AIX are broken in 4.19 (and a few version before
that); (bso#15549).
* Fake directory create times has no effect; (bso#12421).
* ctime mixed up with mtime by smbd; (bso#15550).
* samba-gpupdate --rsop fails if machine is not in a site;
(bso#15548).
* gpupdate: The root cert import when NDES is not available is
broken; (bso#15557).
* samba-gpupdate should print a useful message if cepces-submit
can't be found; (bso#15552).
* samba-gpupdate logging doesn't work; (bso#15558).
* smbpasswd reset permissions only if not 0600; (bso#15555).
-------------------------------------------------------------------
Fri Jan 10 12:01:49 UTC 2024 - Noel Power <nopower@suse.com>
- Remove -x from bash shebang update-apparmor-samba-profile;
(bsc#1218431).
-------------------------------------------------------------------
Tue Jan 9 09:42:53 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.19.4
* net changesecretpw cannot set the machine account password if
secrets.tdb is empty; (bso#13577).
* For generating doc, take, if defined, env XML_CATALOG_FILES;
(bso#15540).
* Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541).
* vfs_linux_xfs is incorrectly named; (bso#15542).
* systemd stumbled over copyright-message at smbd startup;
(bso#15377).
* Following intermediate abolute share-local symlinks is
broken; (bso#15505).
* ctdb RELEASE_IP causes a crash in release_ip if a connection
to a non-public address disconnects first; (bso#15523).
* shadow_copy2 broken when current fileset's directories are
removed; (bso#15544).
* smbd does not detect ctdb public ipv6 addresses for
multichannel exclusion; (bso#15534).
* 'force user = localunixuser' doesn't work if 'allow trusted
domains = no' is set; (bso#15469).
* smbget debug logging doesn't work; (bso#15525).
* smget: username in the smburl and interactive password entry
doesn't work; (bso#15532).
* smbget auth function doesn't set values for password prompt
correctly; (bso#15538).
* Unable to copy and write files from clients to Ceph cluster
via SMB Linux gateway with Ceph VFS module; (bso#15440).
* Multichannel refresh network information; (bso#15547).
-------------------------------------------------------------------
Mon Nov 27 12:43:02 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.3
* sid_strings test broken by unix epoch > 1700000000;
(bso#15520).
* smbd crashes if asked to return full information on close of
a stream handle with delete on close disposition set;
(bso#15487).
* smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor(); (bso#15521).
* Improve logging for failover scenarios; (bso#15499).
* Files without "read attributes" NFS4 ACL permission are not
listed in directories; (bso#15093).
* CVE-2018-14628 [SECURITY] Deleted Object tombstones visible
in AD LDAP to normal users; (bso#13595).
* Kerberos TGS-REQ with User2User does not work for normal
accounts; (bso#15492).
* vfs_gpfs stat calls fail due to file system permissions;
(bso#15507).
* Samba doesn't build with Python 3.12; (bso#15513).
-------------------------------------------------------------------
Mon Oct 23 18:59:15 UTC 2023 - David Mulder <dmulder@suse.com>
- packaging: samba-tool domain provision requires python3-Markdown;
(bsc#1216519).
-------------------------------------------------------------------
Mon Oct 16 16:04:22 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.2
* Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423).
* clidfs.c do_connect() missing a "return" after a
cli_shutdown() call; (bso#15426).
* macOS mdfind returns only 50 results; (bso#15463).
* GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value; (bso#15481).
* libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more; (bso#15464).
* ctdbd: setproctitle not initialized messages flooding logs;
(bso#15479).
* CVE-2023-5568 Heap buffer overflow with freshness tokens in
the Heimdal KDC in Samba 4.19; (bso#15491).
* The heimdal KDC doesn't detect s4u2self correctly when fast
is in use; (bso#15477).
-------------------------------------------------------------------
Thu Oct 12 11:33:44 UTC 2023 - Noel Power <nopower@suse.com>
- packaging: Remove /etc/slp.reg.d from samba spec file;
(bsc#1216160)
-------------------------------------------------------------------
Thu Oct 12 11:04:26 UTC 2023 - Noel Power <nopower@suse.com>
- use systemd-logind rather than utmp for y2038 safety;
(bsc#1216159).
-------------------------------------------------------------------
Tue Oct 10 15:12:38 UTC 2023 - Noel Power <nopower@suse.com>
- CVE-2023-4091: samba: Client can truncate file with read-only
permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-42670: samba: The procedure number is out of range
when starting Active Directory Users and Computers;
(bsc#1215906); (bso#15473).
- CVE-2023-3961: samba: Unsanitized client pipe name passed to
local_np_connect(); (bsc#1215907); (bso#15422).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
"GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
(bsc#1215908); (bso#15424).
-------------------------------------------------------------------
Tue Sep 26 08:36:43 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.0
* File doesn't show when user doesn't have permission if
aio_pthread is loaded; (bso#15453).
* ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
1.9.1; (bso#15451).
* Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can
log to syslog; (bso#15460).
* ‘samba-tool domain level raise’ fails unless given a URL;
(bso#15458).
* reply_sesssetup_and_X() can dereference uninitialized tmp
pointer; (bso#15420).
* missing return in reply_exit_done(); (bso#15430).
* TREE_CONNECT without SETUP causes smbd to use uninitialized
pointer; (bso#15432).
* Avoid infinite loop in initial user sync with Azure AD
Connect when synchronising a large Samba AD domain;
(bso#15401).
* Samba replication logs show (null) DN; (bso#15407).
* 2-3min delays at reconnect with
smb2_validate_sequence_number: bad message_id 2; (bso#15346).
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed;
(bso#15446).
* CID 1539212 causes real issue when output contains only
newlines; (bso#15438).
* KDC encodes INT64 claims incorrectly; (bso#15452).
* mdssvc: Do an early talloc_free() in _mdssvc_open();
(bso#15449).
* Windows client join fails if a second container CN=System
exists somewhere; (bso#9959).
* regression DFS not working with widelinks = true;
(bso#15435).
* Heimdal fails to build on 32-bit FreeBSD; (bso#15443).
* samba-tool ntacl get segfault if aio_pthread appended;
(bso#15441).
-------------------------------------------------------------------
Mon Aug 21 15:16:35 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.18.6
* reply_sesssetup_and_X() can dereference uninitialized tmp pointer;
(bso#15420);
* Missing return in reply_exit_done(); (bso#15430);
* post-exec password redaction for samba-tool is more reliable for fully
random passwords as it no longer uses regular expressions containing the
password value itself; (bso#15289);
* Windows client join fails if a second container CN=System exists somewhere;
(bso#9959);
* Spotlight sometimes returns no results on latest macOS; (bso#15342);
* Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to
remove the destination; (bso#15417);
* Spotlight results return wrong date in result list; (bso#15427);
* "net offlinejoin provision" does not work as non-root user; (bso#15414);
* rpcserver no longer accepts double backslash in dfs pathname; (bso#15400);
* cm_prepare_connection() calls close(fd) for the second time; (bso#15433);
* 2-3min delays at reconnect with smb2_validate_sequence_number: bad
message_id 2; (bso#15346);
* samba-tool ntacl get segfault if aio_pthread appended; (bso#15441);
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446);
* Python tarfile extraction needs change to avoid a warning (CVE-2007-4559
mitigation); (bso#15390);
* Regression DFS not working with widelinks = true; (bso#15435);
* mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449);
-------------------------------------------------------------------
Tue Aug 8 15:40:54 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Move libcluster-samba4.so from samba-libs to samba-client-libs;
(bsc#1213940);
-------------------------------------------------------------------
Wed Jul 19 14:35:34 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.5
* CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
* CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
* CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
* CVE-2023-34968: Spotlight server-side Share Path Disclosure;
(bso#15388); (bsc#1213171).
* CVE-2023-3347: Samba doesn't require SMB2+ signing if
`server signing = mandatory` is set; (bso#15397); (bsc#1213170).
* secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
-------------------------------------------------------------------
Thu Jul 6 15:30:58 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.4
* Backport --pidl-developer fixes; (bso#15404).
* Named crashes on DLZ zone update; (bso#14030).
* smbcacls and smbcquotas do not check // before the server;
(bso#2312).
* cli_list loops 100% CPU against pre-lanman2 servers;
(bso#15382).
* smbclient leaks fds with showacls; (bso#15391).
* smbd returns NOT_FOUND when creating files on a r/o
filesystem; (bso#15402).
* NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
and causes test timeouts; (bso#15355).
* net ads lookup (with unspecified realm) fails; (bso#15384).
* Register Samba processes with GPFS; (bso#15381).
* Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation); (bso#15390).
* The winbind child segfaults when listing users with `winbind
scan trusted domains = yes`; (bso#15398).
* Remove comments about deprecated 'write cache size';
(bso#15383).
* smbget memory leak if failed to download files recursively;
(bso#15403).
-------------------------------------------------------------------
Thu Jun 1 08:48:25 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.3
* Symlinks to files can have random DOS mode information in a
directory listing; (bso#15375).
* vfs_fruit might cause a failing open for delete; (bso#15378).
* winbind recurses into itself via rpcd_lsad; (bso#15361).
* wbinfo -u fails on ad dc with >1000 users; (bso#15366).
* DS ACEs might be inherited to unrelated object classes;
(bso#15338).
* a lot of messages: get_static_share_mode_data:
get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND;
(bso#15362).
* aes256 smb3 encryption algorithms are not allowed in
smb3_sid_parse(); (bso#15374).
* Setting veto files = /.*/ break listing directories;
(bso#15360).
* "samba-tool domain provision" does not run interactive mode
if no arguments are given; (bso#15363).
* dsgetdcname: assumes local system uses IPv4; (bso#15325).
- Update to 4.18.2
* Log flood: smbd_calculate_access_mask_fsp: Access denied:
message level should be lower; (bso#15302).
* Floating point exception (FPE) via cli_pull_send at
source3/libsmb/clireadwrite.c; (bso#15306).
* test_tstream_more_tcp_user_timeout_spin fails intermittently
on Rackspace GitLab runners; (bso#15328).
* Reduce flapping of ridalloc test; (bso#15329).
* large_ldap test is unreliable; (bso#15351).
* New filename parser doesn't check veto files smb.conf
parameter; (bso#15143).
* mdssvc may crash when initializing; (bso#15354).
* large directory optimization broken for non-lcomp path
elements; (bso#15313).
* streams_depot fails to create streams; (bso#15357).
* shadow_copy2 and streams_depot don't play well together;
(bso#15358).
* Flapping tests in samba_tool_drs_show_repl.py; (bso#15316).
* winbindd idmap child contacts the domain controller without a
need; (bso#15317).
* idmap_autorid may fail to map sids of trusted domains for the
first time; (bso#15318).
* idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings;
(bso#15319).
* net ads search -P doesn't work against servers in other
domains; (bso#15323).
* Temporary smbXsrv_tcon_global.tdb can't be parsed;
(bso#15353).
* Tests use depricated and removed methods like
assertRegexpMatches; (bso#15343).
-------------------------------------------------------------------
Wed Mar 29 15:10:50 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.1
* CVE-2023-0225: AD DC "dnsHostname" attribute can be
deleted by unprivileged authenticated users.
(bso#15276);(bsc#1209483).
* CVE-2023-0614: Access controlled AD LDAP attributes can be
discovered (bso#15270); (bsc#1209485).
* CVE-2023-0922: Samba AD DC admin tool samba-tool sends
passwords in cleartext(bso#15315);(bsc#1209481).
* ldb wildcard matching makes excessive allocations;
(bso#15331).
* large_ldap test is inefficient; (bso#15332).
-------------------------------------------------------------------
Fri Mar 17 08:09:32 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.18.0
* SMB server performance improvements
* More succinct samba-tool error messages
* Color output with samba-tool --color
The NO_COLOR environment variable will disable colour output
* New samba-tool dsacl subcommand for deleting ACEs
* New wbinfo option --change-secret-at
* Net option to change the NT ACL default location
* Azure AD / Office365 synchronization improvements
-------------------------------------------------------------------
Tue Feb 14 08:21:13 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.5
* smbc_getxattr() return value is incorrect; (bso#14808);
* Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
correctly; (bso#15172);
* synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
* samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
when there is only an AAAA record for the DC in DNS; (bso#15226);
* smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
* DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
* vfs_virusfilter segfault on access, directory edgecase
(accessing NULL value); (bso#15283);
* CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
SChannel on NETLOGON (additional changes); (bso#15240);
* %U for include directive doesn't work for share listing
(netshareenum); (bso#15243);
* Shares missing from netshareenum response in samba 4.17.4;
(bso#15266);
* ctdb: use-after-free in run_proc; (bso#15269);
* irpc_destructor may crash during shutdown; (bso#15280);
* auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
* smbclient segfaults with use after free on an optimized build;
(bso#15268);
* smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
* Leak in wbcCtxPingDc2; (bso#15164);
* Access based share enum does not work in Samba 4.16+; (bso#15265);
* Crash during share enumeration; (bso#15267);
* rep_listxattr on FreeBSD does not properly check for reads off
end of returned buffer; (bso#15271);
* Avoid relying on C89 features in a few places; (bso#15281);
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
- Drop libnsl build requirement; (bsc#1208220);
-------------------------------------------------------------------
Mon Jan 23 09:24:07 UTC 2023 - Noel Power <nopower@suse.com>
- libdsdb-module-samba4 should be packaged as part of samba-libs and
not samba-ad-dc-libs. Additionally no need for it to be
removed conditionally.
-------------------------------------------------------------------
Thu Jan 12 15:24:55 UTC 2023 - Noel Power <nopower@suse.com>
- Clean up logic for PAM migration settings in spec file.
-------------------------------------------------------------------
Wed Jan 4 14:05:15 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Wed Dec 21 12:17:58 UTC 2022 - Noel Power <nopower@suse.com>
- Change with_dc default to 0 (for non TW builds).
-------------------------------------------------------------------
Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.4
* CVE-2022-44640 Upstream Heimdal free of user-controlled
pointer in FAST; (bsc#14929);
* CVE-2021-20251 Bad password count not incremented atomically;
(bsc#14611);
* CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
(bsc#15203);
* CVE-2022-37966 rc4-hmac Kerberos session keys issued to
modern servers; (bso#15237);
* CVE-2022-37967 Kerberos constrained delegation ticket forgery
possible against Samba AD DC; (bso#15231);
* CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
and should be avoided; (bso#15240);
* pam_winbind uses time_t and pointers assuming they are of the
same size; (bso#15224);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* filter-subunit is inefficient with large numbers of
knownfails; (bso#15258);
* smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
(bso#15252);
* The KDC logic arround msDs-supportedEncryptionTypes differs
from Windows; (bso#13135);
* libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4(); (bso#15206);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* Memory leak in snprintf replacement functions; (bso#15230);
* RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression); (bso#15253);
* Prevent EBADF errors with vfs_glusterfs; (bso#15198);
* %U for include directive doesn't work for share listing
(netshareenum); (bso#15243);
* Stack smashing in net offlinejoin requestodj; (bso#15257);
* Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
(bso#15197);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
- Remove deprecated if-{down,up} scripts; (bsc#1206444);
- Adjust the systemd drop-in file for named service; (bsc#1201689);
* Paths are additive so do not repeat paths from named.service
* Prefix the samba DLZ directory with "-" to ignore this path
if it does not exists
-------------------------------------------------------------------
Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
- Migration PAM settings to /usr/etc: Saving user changed
configuration files in /etc and restoring them while an RPM
update.
-------------------------------------------------------------------
Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
- Introduce without-smb1-server spec flag; (bsc#1205104);
-------------------------------------------------------------------
Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.3
* CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
systems; (bsc#1205126); (bso#15203);
-------------------------------------------------------------------
Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>
- Replace obsolete python-gpgme with python-gpg
* Upstream replaced it in v4.9.5 -- bso#13728
-------------------------------------------------------------------
Tue Oct 25 09:26:59 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.2
* CVE-2022-3592 [SECURITY] samba: Wide links protection broken;
(bso#15207); (bsc#1204499).
* CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal
unwrap_des3();(bso#15134); (bsc#1204254).
-------------------------------------------------------------------
Wed Oct 19 12:48:21 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.1
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* smbXsrv_connection_shutdown_send result leaked; (bso#15174).
* Flush on a named stream never completes; (bso#15182).
* Permission denied calling SMBC_getatr when file not exists;
(bso#15195).
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
(bso#15189).
* pytest: add file removal helpers for TestCaseInTempDir;
(bso#15191).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
(bso#15189).
* Flush on a named stream never completes; (bso#15182).
* vfs_gpfs silently garbles timestamps > year 2106;
(bso#15151).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* multi-channel socket passing may hit a race if one of the
involved processes already existed; (bso#15200).
* memory leak on temporary of struct imessaging_post_state and
struct tevent_immediate on struct imessaging_context (in
rpcd_spoolss and maybe others); (bso#15201).
* Since popt1.19 various use after free errors using result of
poptGetArg are now exposed; (bso#15205); (boo#1204279).
* Remove special case for O_CREAT in SMB_VFS_OPENAT from
vfs_glusterfs; (bso#15192).
* GETPWSID in memory cache grows indefinetly with each NTLM
auth; (bso#15169).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
- Install a systemd drop-in file for named service to allow
read/write access to the DLZ directory; (bsc#1201689);
-------------------------------------------------------------------
Fri Oct 14 14:20:51 UTC 2022 - Noel Power <nopower@suse.com>
- Fix use after free errors resulting from using return of
poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205).
-------------------------------------------------------------------
Mon Sep 26 10:40:18 UTC 2022 - Noel Power <nopower@suse.com>
- s3: smbd: Fix memory leak in
smbd_server_connection_terminate_done(); (bso#15174).
-------------------------------------------------------------------
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
-------------------------------------------------------------------
Fri Sep 23 16:22:12 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.0
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
(bso#15153).
* assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197; (bso#15161).
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197; (bso#15161).
* Cross-node multi-channel reconnects result in SMB2 Negotiate
returning NT_STATUS_NOT_SUPPORTED; (bso#15159).
* winbind at info level debug can coredump when processing
wb_lookupusergroups; (bso#15160).
* Make use of glfs_*at() API calls in vfs_glusterfs;
(bso#15157).
* Possible use after free of connection_struct when iterating
smbd_server_connection->connections; (bso#15128).
* `net usershare add` fails with flag works with --long but
fails with -l; (bso#15145).
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* Performance regression on contended path based operations;
(bso#15125).
* Missing READ_LEASE break could cause data corruption;
(bso#15148).
* libsamba-errors uses a wrong version number; (bso#15141).
* SMB1 negotiation can fail to handle connection errors;
(bso#15152).
* New filename parser doesn't check veto files smb.conf
parameter; (bso#15143).
* 4.17.rc1 still uses symlink-race prone unix_convert();
(bso#15144).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Manpage for smbstatus json is missing; (bso#15147).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Performance regression on contended path based operations;
(bso#15125).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Fix issues found by coverity in smbstatus json code;
(bso#15140).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
-------------------------------------------------------------------
Thu Sep 1 06:07:15 UTC 2022 - Stefan Schubert <schubi@suse.com>
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
-------------------------------------------------------------------
Thu Jul 28 11:56:31 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.4
* CVE-2022-2031: Samba AD users can bypass certain restrictions
associated with changing passwords; (bsc#1201495); (bso#15047);
* CVE-2022-32744: Samba AD users can forge password change
requests for any user; (bsc#1201493); (bso#15074);
* CVE-2022-32745: Samba AD users can crash the server process
with an LDAP add or modify request; (bsc#1201492); (bso#15008);
* CVE-2022-32746: Samba AD users can induce a use-after-free in
the server process with an LDAP add or modify request;
(bsc#1201490); (bso#15009);
* CVE-2022-32742: Server memory information leak via SMB1;
(bsc#1201496); (bso#15085);
-------------------------------------------------------------------
Tue Jul 19 11:25:59 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.3
* Using vfs_streams_xattr and deleting a file causes a panic;
(bso#15099);
* Add support for bind 9.18; (bso#14986);
* logging dsdb audit to specific files does not work;
(bso#15076);
* Problem when winbind renews Kerberos; (bso#14979);
(bsc#1196224);
* Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
developer mode; (bso#15095);
* Crash in streams_xattr because fsp->base_fsp->fsp_name is
NULL; (bso#15105);
* Crash in rpcd_classic - NULL pointer deference in
mangle_is_mangled(); (bso#15118);
* smbclient commands del & deltree fail with
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
(bsc#1200556);
* Fix check for chown when processing NFSv4 ACL; (bso#15120);
* The pcap background queue process should not be stopped;
(bso#15082);
* testparm: Fix typo in idmap rangesize check; (bso#15097);
* net ads info returns LDAP server and LDAP server name as
null; (bso#15106);
* ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
(bso#15108);
* CTDB child process logging does not work as expected;
(bso#15090);
-------------------------------------------------------------------
Tue Jul 12 10:48:47 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update spec file to fix the optional Heimdal DC build
- Fix external trusts with MIT Kerberos 1.20
- Add missing samba-client requirement to samba-winbind package;
(bsc#1198255);
- Move pdb backends from package samba-libs to package
samba-client-libs and remove samba-libs requirement from
samba-winbind; (bsc#1200964); (bsc#1198255);
- Add sysuser-shadow requirement for packages using
systemd-sysusers
- Use the canonical realm name to refresh the Kerberos tickets;
(bsc#1196224); (bso#14979);
-------------------------------------------------------------------
Tue Jun 21 14:29:52 UTC 2022 - Stefan Schubert <schubi@suse.de>
- Moved logrotate files from user specific directory /etc/logrotate.d
to vendor specific directory /usr/etc/logrotate.d.
-------------------------------------------------------------------
Mon Jun 13 13:32:24 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.2
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
(bso#15042);
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
file had been deleted; (bso#15069);
* Reintroduce netgroups support; (bso#15087);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Update from 4.15 to 4.16 breaks discovery of [homes] on
standalone server from Win and IOS; (bso#15062);
* waf produces incorrect names for python extensions with Python
3.11; (bso#15071);
* smbclient -E doesn't work as advertised; (bso#15075);
* The samba background daemon doesn't refresh the printcap cache
on startup; (bso#15081);
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
- Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
- Support building with MIT Kerberos 1.20
- Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
(CVE-2020-17049);
- Resource Based Constrained Delegation (RBCD) for Samba AD DC
- Support building with gcc 12.1
-------------------------------------------------------------------
Wed May 11 09:30:15 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Use requires_eq macro to require the libldb2 version available at
samba-dsdb-modules build time; (bsc#1199362);
-------------------------------------------------------------------
Tue May 3 07:38:02 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.1
* Share and server swapped in smbget password prompt; (bso#14831);
* Durable handles won't reconnect if the leased file is written to;
(bso#15022);
* rmdir silently fails if directory contains unreadable files and
hide unreadable is yes; (bso#15023);
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
on renamed file handle; (bso#15038);
* Need to describe --builtin-libraries= better (compare with
--bundled-libraries); (bso#8731);
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
(bso#14957);
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
(bso#15035);
* PAM Kerberos authentication incorrectly fails with a clock skew
error; (bso#15046);
* Username map - samba erroneously applies unix group memberships
to user account entries; (bso#15041);
* KVNO off by 100000; (bso#14951);
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
* vfs_gpfs recalls=no option prevents listing files; (bso#15055);
* smbd doesn't handle UPNs for looking up names; (bso#15054);
-------------------------------------------------------------------
Wed Apr 20 09:00:49 UTC 2022 - Noel Power <nopower@suse.com>
- Update update-apparmor-samba-profile script, replace
non-printable delimiter with more human readable separator as
sed can accept separators that can appear in the input data.
-------------------------------------------------------------------
Wed Apr 13 15:33:22 UTC 2022 - Noel Power <nopower@suse.com>
- Fix update-apparmor-samba-profile script, sed doesn't like
multibyte separators; (bsc#1198309).
-------------------------------------------------------------------
Thu Mar 24 15:00:36 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.0
* New samba-dcerpcd binary to provide DCERPC in the member server
setup
* Certificate Auto Enrollment
* Ability to add ports to dns forwarder addresses in internal DNS
backend
* No longer using Linux mandatory locks for sharemodes
* SMB1 protocol has been deprecated, particularly older dialects
* SMB1 protocol SMBCopy command removed
* SMB1 server-side wildcard expansion removed
- Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
- Use systemd-sysusers to create system users; (bsc#1182847);
-------------------------------------------------------------------
Tue Mar 15 17:54:57 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.6
* Renaming file on DFS root fails with
NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
* Samba does not response STATUS_INVALID_PARAMETER when opening 2
objects with same lease key; (bso#14737);
* NT error code is not set when overwriting a file during rename
in libsmbclient; (bso#14938);
* Fix ldap simple bind with TLS auditing; (bso#14996);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Problem when winbind renews Kerberos; (bso#14979);
(bsc#1196224);
* pam_winbind will not allow gdm login if password about to
expire; (bso#8691);
* virusfilter_vfs_openat: Not scanned: Directory or special file;
(bso#14971);
* DFS fix for AIX broken; (bso#13631);
* Solaris and AIX acl modules: wrong function arguments;
(bso#14974);
* Function aixacl_sys_acl_get_file not declared / coredump;
(bso#7239);
* Regression: Samba 4.15.2 on macOS segfaults intermittently
during strcpy in tdbsam_getsampwnam; (bso#14900);
* Fix a use-after-free in SMB1 server; (bso#14989);
* smb2_signing_decrypt_pdu() may not decrypt with
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
(bso#14968);
* Changing the machine password against an RODC likely destroys
the domain join; (bso#14984);
* authsam_make_user_info_dc() steals memory from its struct
ldb_message *msg argument; (bso#14993);
* Use Heimdal 8.0 (pre) rather than an earlier snapshot;
(bso#14995);
* Samba autorid fails to map AD users if id rangesize fits in the
id range only once; (bso#14967);
-------------------------------------------------------------------
Mon Mar 07 16:05:42 UTC 2022 - David Mulder <dmulder@suse.com>
- Fix mismatched version of libldb2; (bsc#1196788).
- Drop obsolete SuSEfirewall2 service files.
-------------------------------------------------------------------
Fri Mar 4 20:25:41 UTC 2022 - David Disseldorp <ddiss@suse.com>
- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
(bsc#1080338).
-------------------------------------------------------------------
Wed Feb 23 10:04:15 UTC 2022 - Noel Power <nopower@suse.com>
- Fix ntlm authentications with "winbind use default domain = yes";
(bso#13126); (bsc#1173429); (bsc#1196308).
-------------------------------------------------------------------
Mon Feb 14 18:15:29 UTC 2022 - David Mulder <dmulder@suse.com>
- Fix samba-ad-dc status warning notification message by disabling
systemd notifications in bgqd; (bsc#1195896); (bso#14947).
-------------------------------------------------------------------
Mon Feb 07 20:15:46 UTC 2022 - David Mulder <dmulder@suse.com>
- libldb version mismatch in Samba dsdb component; (bsc#1118508);
-------------------------------------------------------------------
Mon Jan 31 14:23:44 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.15.5
* CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
outside target of a symlink exists; (bso#14911);
(bsc#1193690).
* CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bso#14914); (bsc#1194859).
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN
conflict checks; bso#14950); (bsc#1195048).
-------------------------------------------------------------------
Wed Jan 26 12:00:35 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- CVE-2021-44141: Information leak via symlinks of existance of
files or directories outside of the exported share; (bso#14911);
(bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution; (bso#14914);
(bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
account can impersonate arbitrary services; (bso#14950);
(bsc#1195048);
-------------------------------------------------------------------
Fri Jan 21 12:37:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.4
* Duplicate SMB file_ids leading to Windows client cache
poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set "client max protocol" to NT1 before
calling the "Reconnecting with SMB1 for workgroup listing"
path; (bso#14939);
* Cross device copy of the crossrename module always fails;
(bso#14940);
* symlinkat function from VFS cap module always fails with an
error; (bso#14941);
* Fix possible fsp pointer deference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
(bso#14944);
* "smbd --build-options" no longer works without an smb.conf file;
(bso#14945);
-------------------------------------------------------------------
Tue Jan 18 09:14:20 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Use pkgconfig(krb5) as dependency for the -devel package: allow
OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
package has an automatic dependency due to linkage on
libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
requires samba-client-libs, which in turn requires krb5
libraries. Samba-libs itself has no need for krb5 (but get it
indirectly anyway).
-------------------------------------------------------------------
Thu Jan 13 19:39:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Reorganize libs packages. Split samba-libs into samba-client-libs,
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
public libraries depending on internal samba libraries into these
packages as there were dependency problems everytime one of these
public libraries changed its version (bsc#1192684). The devel
packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
- Update the symlink create by samba-dsdb-modules to private samba
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
/usr/lib64/ldb2/modules/ldb/samba
-------------------------------------------------------------------
Fri Dec 10 17:13:28 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.3
* Recursive directory delete with veto files is broken in 4.15.0;
(bso#14878);
* A directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory;
(bso#14879);
* SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
uninitialized in rmdir_internals(); (bso#14892);
* MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694);
* The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token; (bso#14901); (bsc#1192849);
* User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable; (bso#14902);
* Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127);
* smbXsrv_client_global record validation leads to crash if existing
record points at non-existing process; (bso#14882);
* Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call;
(bso#14890);
* Samba process doesn't log to logfile; (bso#14897);
* set_ea_dos_attribute() fallback calling get_file_handle_for_metadata()
triggers locking.tdb assert; (bso#14907);
* Kerberos authentication on standalone server in MIT realm broken;
(bso#14922);
* Segmentation fault when joining the domain; (bso#14923);
* Support for ROLE_IPA_DC is incomplete; (bso#14903);
* rpcclient cannot connect to ncacn_ip_tcp services anymore;
(bso#14767);
* winexe crashes since 4.15.0 after popt parsing; (bso#14893);
* net ads status -P broken in a clustered environment; (bso#14908);
* Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
smbd_smb2_ioctl_send; (bso#14788);
* winbindd doesn't start when "allow trusted domains" is off;
(bso#14899);
* smbclient login without password using '-N' fails with
NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883);
* A schannel client incorrectly detects a downgrade connecting to
an AES only server; (bso#14912);
* Possible null pointer dereference in winbind; (bso#14921);
* Fix -k legacy option for client tools like smbclient, rpcclient,
net, etc.; (bso#14846);
* Add Debian 11 CI bootstrap support; (bso#14872);
* Crash in recycle_unlink_internal(); (bso#14888);
-------------------------------------------------------------------
Thu Nov 18 17:18:40 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Fix dependency problem upgrading from libndr0 to libndr2 and
from libsamba-credentials0 to libsamba-credentials1;
(bsc#1192684);
-------------------------------------------------------------------
Wed Nov 10 10:26:01 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Fix regression introduced by CVE-2020-25717 patches, winbindd
does not start when 'allow trusted domains' is off; (bso#14899);
- Update to 4.15.2
* CVE-2016-2124: SMB1 client connections can be downgraded to
plaintext authentication; (bso#12444); (bsc#1014440);
* CVE-2020-25717: A user on the domain can become root on domain
members; (bso#14556); (bsc#1192284);
* CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
tickets issued by an RODC; (bso#14558); (bsc#1192246);
* CVE-2020-25719: Samba AD DC did not always rely on the SID and
PAC in Kerberos tickets; (bso#14561); (bsc#1192247);
* CVE-2020-25721: Kerberos acceptors need easy access to stable
AD identifiers (eg objectSid); (bso#14557); (bsc#1192505);
* CVE-2020-25722: Samba AD DC did not do suffienct access and
conformance checking of data stored; (bso#14564);
(bsc#1192283);
* CVE-2021-3738: Use after free in Samba AD DC RPC server;
(bso#14468); (bsc#1192215);
* CVE-2021-23192: Subsequent DCE/RPC fragment injection
vulnerability; (bso#14875); (bsc#1192214);
- Update to 4.15.1
* vfs_shadow_copy2: core dump in make_relative_path; (bso#14682);
* Log clutter from filename_convert_internal; (bso#14685);
* MacOSX compilation fixes; (bso#14862);
* rodc_rwdc test flaps; (bso#14868);
* Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with
embedded Heimdal; (bso#14642);
* Python ldb.msg_diff() memory handling failure; (bso#14836);
* "in" operator on ldb.Message is case sensitive; (bso#14845);
* Release LDB 2.4.1 for Samba 4.15.1; (bso#14848);
* samldb_krbtgtnumber_available() looks for incorrect string;
(bso#14854);
* Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871);
* Allow special chars like "@" in samAccountName when generating
the salt; (bso#14874);
* Correctly ignore comments in CTDB public addresses file;
(bso#14826);
* Fix transit path validation; (bso#12998);
* Fix that child winbindd logs to log.winbindd instead of
log.wb-<DOMAIN>; (bso#14852);
* SMB3 cancel requests should only include the MID together with
AsyncID when AES-128-GMAC is used; (bso#14855);
* Prepare to operate with MIT krb5 >= 1.20; (bso#14870);
* Heimdal prefers RC4 over AES for machine accounts; (bso#14864);
-------------------------------------------------------------------
Wed Oct 13 17:07:47 UTC 2021 - David Mulder <dmulder@suse.com>
- Enable samba-tool without ad dc.
-------------------------------------------------------------------
Thu Sep 30 15:57:14 UTC 2021 - Noel Power <nopower@suse.com>
- Adjust spec to use pam macros; (bsc#1191046).
-------------------------------------------------------------------
Wed Sep 29 08:58:28 UTC 2021 - Noel Power <nopower@suse.com>
- Adjust spec for size
* allow some Recommends instead Requires to be configured
for cifs-utils, samba-libs-python3 & samba-gpupdate;
(bsc#1182847).
* remove fam, undocumented and unneeded.
-------------------------------------------------------------------
Thu Sep 23 11:41:44 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Add missing build dependency on bison when building with the
embedded Heimdal Kerberos
-------------------------------------------------------------------
Mon Sep 20 14:25:41 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.0
* Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10
* VFS layer modernized.
* Add the ability to set allow/deny lists for zone transfer clients
in Bind DLZ plugin
* Server multi-channel support no longer experimental
* Improved command line user experience, unifying the options in
different commands
* Winbindd no longer scans trusted domains on startup and will use
enterprise principals by default.
* The net utility is now able to support the offline domain join feature
* New options for 'samba-tool dns zoneoptions' for aging control
and to mark old records as static or dynamic
* DNS tombstones are now deleted as appropriate and use a consistent
timestamp format
* The 'samba-tool dns update' command validates and rejects now malformed
IPv4 and IPv6 addresses
* The 'samba-tool domain backup' command correctly takes out locks
against concurrent modification during backup when using the LMDB
backend
* TruACL support has been removed
* NIS support has been removed
-------------------------------------------------------------------
Thu Sep 16 07:55:35 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.7
* smbd panic on force-close share during offload write; (bso#14769);
* smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK;
(bso#12033);
* Fix returned attributes on fake quota file handle and avoid hitting
the VFS; (bso#14731);
* vfs_shadow_copy2 fix inodes not correctly updating inode numbers;
(bso#14756);
* Fix build on Solaris; (bso#14774);
* Make dos attributes available for unreadable files; (bso#14654);
* Work around special SMB2 READ response behavior of NetApp Ontap
7.3.7; (bso#14607);
* Start the SMB encryption as soon as possible; (bso#14793);
-------------------------------------------------------------------
Tue Aug 17 16:30:25 UTC 2021 - David Mulder <dmulder@suse.com>
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18457).
-------------------------------------------------------------------
Fri Jul 23 16:05:05 UTC 2021 - David Mulder <dmulder@suse.com>
- Update to 4.14.6
* s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722).
* smbd: Fix pathref unlinking in create_file_unixpath(); (bso#14732).
* s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown(); (bso#14734).
* s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path; (bso#14736).
* NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module; (bso#14730).
* s3/modules: fchmod: Fallback to path based chmod if pathref; (bso#14734).
* Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740).
* gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750).
* smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records;
(bso#14752).
* samba-tool domain backup offline doesn't work against bind DLZ
backend; (bso#14027).
* netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup; (bso#14669).
-------------------------------------------------------------------
Tue Jun 1 08:38:12 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.5
* s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success;
(bso#14696);
* s3: smbd: Ensure POSIX default ACL is mapped into returned Windows
ACL for directory handles; (bso#14708);
* s3: smbd: Fix uninitialized memory read in process_symlink_open()
when used with vfs_shadow_copy2(); (bso#14721);
* docs: Expand the "log level" docs on audit logging; (bso#14689);
* smbd: Correctly initialize close timestamp fields; (bso#14714);
* Fix gcc11 compiler issues; (bso#14699);
* docs-xml: Update smbcacls manpage; (bso#14718);
* docs: Update list of available commands in rpcclient; (bso#14719);
* ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
* s3:winbind: For 'security = ADS' require realm/workgroup to be set;
(bso#14695);
* lib:replace: Do not build strndup test with gcc 11 or newer;
(bso#14699);
-------------------------------------------------------------------
Thu Apr 29 08:34:02 UTC 2021 - Noel Power <nopower@suse.com>
- Update to 4.14.4
* CVE-2021-20254: Fix buffer overrun in sids_to_unixids();
(bso#14571); (bsc#1184677).
- Update to 4.14.3
* s3:modules:vfs_virusfilter: Recent New_VFS changes break
vfs_virusfilter_openat; (bso#14671).
* build: Notice if flex is missing at configure time; (bso#14586).
* Fix smbd panic when two clients open same file; (bso#14672).
* Fix memory leak in the RPC server; (bso#14675).
* s3: smbd: fix deferred renames; (bso#14679).
* s3-iremotewinspool: Set the per-request memory context;
(bso#14675)
* Fix memory leak in the RPC server; (bso#14675).
* third_party: Update socket_wrapper to version 1.3.2;
(bso#11899).
* third_party: Update socket_wrapper to version 1.3.3;
(bso#14640).
* samba-gpupdate: Test that sysvol paths download in
case-insensitive way; (bso#14665).
* smbd: Ensure errno is preserved across fsp destructor;
(bso#14662).
* idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
conflict; (bso#14663).
* build: Only add -Wl,--as-needed when supported; (bso#14288).
-------------------------------------------------------------------
Wed Mar 31 14:59:15 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.2
* Release with dependency on ldb version 2.3.0.
- Update to 4.14.1
* CVE-2021-20277: Fix out of bounds read in ldb_handler_fold; (bso#14655);
* CVE-2020-27840: Fix unauthenticated remote heap corruption via bad DNs;
(bso#14595);
- Update to 4.14.0
* VFS layer modernized.
* Printers publishing in AD improved.
* Client group policies support for sudoers configuration and
cron jobs.
* Improved consistency of samba-tool subcommands.
* CTDB now uses the terms leader and follower instead of master and
slave. Configuration options have changed accordingly.
* The ctdb isnotrecmaster command is removed.
* For details on all items see WHATSNEW.txt in samba-doc package.
-------------------------------------------------------------------
Mon Mar 1 12:09:56 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.
-------------------------------------------------------------------
Tue Jan 26 15:15:08 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.4
* Work around special SMB2 IOCTL response behavior of NetApp Ontap
7.3.7; (bso#14607);
* Temporary DFS share setup doesn't set case parameters in the same
way as a regular share definition does; (bso#14612);
* lib: Avoid declaring zero-length VLAs in various messaging functions;
(bso#14605);
* Do not create an empty DB when accessing a sam.ldb; (bso#14579);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Temporary DFS share setup doesn't set case parameters in the same way
as a regular share definition does; (bso#14612);
* vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7;
(bso#14607);
* The cache directory for the user gencache should be created recursively;
(bso#14601);
* Be more flexible with repository names in CentOS 8 test environments;
(bso#14594);
-------------------------------------------------------------------
Mon Dec 28 09:41:57 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Uninstalling samba-client: Failed to disable unit, cifs.service
does not exists; (bsc#1180388);
-------------------------------------------------------------------
Wed Dec 16 11:30:25 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.3
+ libcli: smb2: Never print length if smb2_signing_key_valid() fails for
crypto blob; (bso#14210);
+ s3: modules: gluster. Fix the error I made in preventing talloc leaks
from a function; (bso#14486);
+ s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL
via TALLOC_FREE(); (bso#14515);
+ s3: spoolss: Make parameters in call to user_ok_token() match all other
uses; (bso#14568);
+ s3: smbd: Quiet log messages from usershares for an unknown share;
(bso#14590);
+ samba process does not honor max log size; (bso#14248);
+ vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE;
(bso#14587);
+ s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
+ s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
+ smbclient: Fix recursive mget; (bso#14517);
+ clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
+ manpages/vfs_glusterfs: Mention silent skipping of write-behind
translator; (bso#14486);
+ vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
+ interface: Fix if_index is not parsed correctly; (bso#14514);
-------------------------------------------------------------------
Mon Nov 16 09:30:52 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.2
+ s3: modules: vfs_glusterfs: Fix leak of char **lines onto
mem_ctx on return; (bso#14486);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
+ smb.conf.5: Add clarification how configuration changes reflected
by Samba; (bso#14538);
+ daemons: Report status to systemd even when running in foreground;
(bso#14552);
+ DNS Resolver: Support both dnspython before and after 2.0.0;
(bso#14553);
+ s3-vfs_glusterfs: Refuse connection when write-behind xlator is
present; (bso#14486);
+ provision: Add support for BIND 9.16.x; (bso#14487);
+ ctdb-common: Avoid aliasing errors during code optimization;
(bso#14537);
+ libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
+ docs: Fix default value of spoolss:architecture; (bso#14522);
+ winbind: Fix a memleak; (bso#14388);
+ s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
+ docs-xml/manpages: Add warning about write-behind translator for
vfs_glusterfs; (bso#14486);
+ nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
+ vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
+ third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
+ examples:auth: Do not install example plugin; (bso#14550);
+ ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
-------------------------------------------------------------------
Thu Nov 5 12:23:49 UTC 2020 - Noel Power <nopower@suse.com>
- Adjust smbcacls '--propagate-inheritance' feature to align with
upstream; (bsc#1178469).
-------------------------------------------------------------------
Tue Oct 6 16:52:00 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.13.1
+ CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
easily crafted records; (bsc#1177613); (bso#14472);
+ CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994);
(bso#14436);
+ CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify;
(bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of
/var/run/samba; (bsc#1177355);
-------------------------------------------------------------------
Mon Oct 5 12:44:53 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)
-------------------------------------------------------------------
Thu Sep 24 16:01:26 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency
-------------------------------------------------------------------
Tue Sep 22 16:20:33 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Update to samba 4.13.0
+ Require Python 3.6
+ Move wide links functionality into VFS module
+ Deprecate NT4-like 'classic' Samba domain controllers
+ Deprecate SMBv1 only protocol options
+ Remove deprecated "ldap ssl ads" option
+ Unify asynchronous DCE-RPC server; (jsc#SES-645)
+ Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
+ Drop internal byteorder.h header from util-devel package
+ Remove final code for the AD DC LDAP backend
+ Add AD DC Group Policy Scripts
+ Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
+ Fix %U substitutions if it contains a domain name; (bso#14467)
+ Fix krb5.conf creation for 'net ads join'; (bso#14479)
+ Fix build problem if libbsd-dev is not installed; (bso#14482)
+ Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
+ Fix idmap_ad RFC4511 response handling; (bso#14465)
+ Fix panic in get_lease_type(); (bso#14428)
-------------------------------------------------------------------
Fri Sep 18 13:24:12 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.7
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579);
(bso#14497);
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
"server require schannel:WORKSTATION$ = no" about unsecure configurations;
(bsc#1176579); (bso#14497);
+ CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client
challenge; (bsc#1176579); (bso#14497);
+ CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in
netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no";
(bsc#1176579); (bso#14497);
- Update to samba 4.12.6
+ s3: libsmb: Fix SMB2 client rename bug to a Windows server;
(bso#14403).
+ dsdb: Allow "password hash userPassword schemes = CryptSHA256"
to work on RHEL7; (bso#14424).
+ dbcheck: Allow a dangling forward link outside our known NCs;
(bso#14450).
+ lib/debug: Set the correct default backend loglevel to
MAX_DEBUG_LEVEL; (bso#14426).
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
+ util: Fix build on AIX by fixing the order of replace.h include;
(bso#14422).
+ srvsvc_NetFileEnum asserts with open files; (bso#14355).
+ KDC breaks with DES keys still in the database and
msDS-SupportedEncryptionTypes 31 indicating support for it;
(bso#14354).
+ s3:smbd: Make sure vfs_ChDir() always sets
conn->cwd_fsp->fh->fd = AT_FDCWD; (bso#14427).
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
+ docs: Fix documentation for require_membership_of of
pam_winbind.conf; (bso#14358).
+ ctdb-scripts: Use nfsconf utility for variable values in CTDB
NFS scripts; (bso#14444).
+ s3:winbind:idmap_ad: Make failure to get attrnames for schema
mode fatal; (bso#14425).
-------------------------------------------------------------------
Tue Jul 28 13:25:09 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Don't install SuSEfirewall2 services, we don't have that package
anymore
-------------------------------------------------------------------
Thu Jul 2 15:18:42 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.5
+ Fix smbd panic on force-close share during async
io; (bso#14301).
+ Fix segfault when using SMBC_opendir_ctx() routine for
share folder that contains incorrect symbols in any
file name; (bso#14374)
+ Fix DFS links; (bso#14391).
+ Can't use DNS functionality after a Windows DC has been
in domain; (bso#14310).
+ ldapi search to FreeIPA crashes; (bso#14413).
+ Add net-ads-join dnshostname=fqdn option; (bso#14396)
+ Fix adding msDS-AdditionalDnsHostName to keytab with
Windows DC; (bso#14406).
+ docs-xml: Update list of posible VFS operations for
vfs_full_audit; (bso#14386).
+ winbindd: Fix a use-after-free when winbind clients exit;
(bso#14382).
+ Client tools are not able to read gencache anymore;
(bso#14370).
-------------------------------------------------------------------
Thu Jul 2 11:56:15 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.4
+ CVE-2020-10730: NULL de-reference in AD DC LDAP server when
ASQ and VLV combined; (bso#14364); (bsc#1173159)
+ CVE-2020-10745: invalid DNS or NBT queries containing dots use
several seconds of CPU each; (bso#14378); (bsc#1173160).
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP
server with paged_result or VLV; (bso#14402); (bsc#1173161)
+ CVE-2020-14303: Endless loop from empty UDP packet sent to
AD DC nbt_server; (bso#14417); (bsc#1173359).
-------------------------------------------------------------------
Sat May 30 15:42:34 UTC 2020 - Marcus Meissner <meissner@suse.com>
- add libnetapi-devel to baselibs conf, for wine usage (bsc#1172307)
-------------------------------------------------------------------
Thu May 28 10:56:26 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Add system-user-nobody to samba package requirements
-------------------------------------------------------------------
Wed May 20 15:56:03 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.3
+ Fix smbd panic on force-close share during async io; (bso#14301);
+ s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[] array;
(bso#14343);
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
+ Fix smbd crashes when MacOS Catalina connects if iconv initialization
fails; (bso#14372);
+ Exporting from macOS Adobe Illustrator creates multiple copies;
(bso#14150);
+ smbd does a chdir() twice per request; (bso#14256);
+ smbd mistakenly updates a file's write-time on close; (bso#14320);
+ vfs_shadow_copy2: implement case canonicalisation in
shadow_copy2_get_real_filename(); (bso#14350);
+ Fix Windows 7 clients problem after upgrading samba file server;
(bso#14375);
+ s3: Pass DCE RPC handle type to create_policy_hnd; (bso#14359);
+ Fix uxsuccess test with new MIT krb5 library 1.18; (bso#14155);
+ mit-kdc: Explicitly reject S4U requests; (bso#14342);
+ dbwrap_watch: Set rec->value_valid while returning nested
share_mode_do_locked(); (bso#14352);
+ lib:util: Fix smbclient -l basename dir; (bso#14345);
+ s3:libads: Fix ads_get_upn(); (bso#14336);
+ ctdb: Fix a memleak; (bso#14348);
+ Malicous SMB1 server can crash libsmbclient; (bso#14366);
+ ldb: Bump version to 2.1.3, LMDB databases can grow without bounds;
(bso#14330);
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
+ s3/librpc/crypto: Fix double free with unresolved credential cache;
(bso#14344);
+ docs-xml: Fix usernames in pam_winbind manpages; (bso#14358);
-------------------------------------------------------------------
Mon May 11 14:53:16 UTC 2020 - David Mulder <dmulder@dmulder.com>
- Installing: samba - samba-ad-dc.service does not exist and unit
not found; (bsc#1171437);
-------------------------------------------------------------------
Mon May 4 10:33:43 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- libsmb: Don't try to find posix stat info in SMBC_getatr();
(bso#14101); (bsc#1169242);
-------------------------------------------------------------------
Wed Apr 29 15:48:50 UTC 2020 - Noel Power <nopower@suse.com>
- Move libdcerpc-server-core.so to samba-libs package, this was
initially erroneously located in samba-ad-dc.
-------------------------------------------------------------------
Tue Apr 28 11:44:07 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.2
+ CVE-2020-10700: A client combining the 'ASQ' and
'Paged Results' LDAP controls can cause a use-after-free
in Samba's AD DC LDAP server;(bso#14331); (bsc#1169850)
+ CVE-2020-10704: A deeply nested filter in an un-authenticated
LDAP search can exhaust the LDAP server's stack memory causing
a SIGSEGV; (bso#14334); (bsc#1169851).
-------------------------------------------------------------------
Mon Apr 13 09:07:02 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.1
+ nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14295);
+ samba-tool group: Handle group names with special chars correctly;
(bso#14296);
+ Add missing check for DMAPI offline status in async DOS attributes;
(bso#14293);
+ Starting ctdb node that was powered off hard before results in recovery
loop; (bso#14295);
+ smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs;
(bso#14307);
+ vfs_recycle: Prevent flooding the log if we're called on non-existant
paths; (bso#14316);
+ librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313);
+ nsswitch: Fix use-after-free causing segfault in _pam_delete_cred;
(bso#14327);
+ fruit:time machine max size is broken on arm; (bso#13622);
+ CTDB recovery corner cases can cause record resurrection and node
banning; (bso#14294);
+ s3/utils: Fix double free error with smbtree; (bso#14332);
+ CTDB recovery corner cases can cause record resurrection and node
banning; (bso#14294);
+ Starting ctdb node that was powered off hard before results in recovery
loop; (bso#14295);
+ CTDB recovery daemon can crash due to dereference of NULL pointer;
(bso#14324);
-------------------------------------------------------------------
Wed Mar 25 12:52:55 UTC 2020 - Noel Power <nopower@suse.com>
- s3: libsmbclient.h: add missing time.h include to fix
ffmpeg build and make it compatible with -std=c99.
-------------------------------------------------------------------
Mon Mar 16 10:40:16 UTC 2020 - Noel Power <nopower@suse.com>
- ndrdump tests: Make the tests less fragile
- python/samba/gp_parse: Fix test errors with python3.8
-------------------------------------------------------------------
Fri Mar 13 14:19:30 UTC 2020 - Noel Power <nopower@suse.com>
- Starting ctdb node that was powered off hard before results
in recovery loop; (bso#14295); (bsc#1162680).
-------------------------------------------------------------------
Fri Mar 6 15:38:01 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.0
+ For details on all items see WHATSNEW.txt in samba-doc
package.
+ Samba 4.12 raises this minimum version to Python
3.5.
+ Samba now requires GnuTLS 3.4.7 to be installed.
+ New Spotlight backend for Elasticsearch.
+ Retiring DES encryption types in Kerberos. With this release,
support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause
Kerberos authentication to fail for that account (see
RFC-6649).
+ Samba-DC: DES keys no longer saved in DB.
+ The netatalk VFS module has been removed.
+ The BIND9_FLATFILE DNS backend is deprecated in this release
and will be removed in the future.
+ CTDB changes
+ The ctdb_mutex_fcntl_helper periodically re-checks the
lock file.
+ Bugs
+ Retire DES encryption types in Kerberos; (bso#14202);
bsc#(1165574).
+ dsdb: Correctly handle memory in objectclass_attrs;
(bso#14258).
+ s3: DFS: Don't allow link deletion on a read-only share;
(bso#14269).
+ pidl/wscript: configure should insist on Parse::Yapp::Driver;
(bso#14284).
+ smbd fails to handle EINTR from open(2) properly;
(bso#14285).
+ ldb: version 2.1.1; (bso#14270)).
+ vfs: Set getting and setting of MS-DFS redirects on the
filesystem to go through two new VFS functions
SMB_VFS_CREATE_DFS_PATHAT() and
SMB_VFS_READ_DFS_PATHAT(); (bso#14282).
+ bootstrap: Remove un-used dependency python3-crypto;
(bso#14255)
+ Fix CID 1458418 and 1458420; (bso#14247).
+ lib: Fix a shutdown crash with "clustering = yes";
(bso#14281).
+ Winbind member (source3) fails local SAM auth with empty
domain name; (bso#14247).
+ winbindd: Handle missing idmap in getgrgid(); (bso#14265).
+ Don't use forward declaration for GnuTLS typedefs; (bso#14271).
+ Add io_uring vfs module; (bso#14280).
+ libcli:smb: Improve check for
gnutls_aead_cipher_(en|de)cryptv2; (bso#14250).
+ s3: lib: nmblib. Clean up and harden nmb packet processing;
(bso#14239);
+ lib:util: Log mkdir error on correct debug levels; (bso#14253).
-------------------------------------------------------------------
Sun Feb 2 20:42:05 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Remove unused pwdutils buildrequires
-------------------------------------------------------------------
Thu Jan 30 09:04:04 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.11.6
+ pygpo: Use correct method flags; (bso#14209);
+ Avoiding bad call flags with python 3.8, using METH_NOARGS
instead of zero; (bso#14209);
+ source4/utils/oLschema2ldif: Include stdint.h before cmocka.h;
(bso#14218);
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc;
(bso#14122);
+ smbd: Fix the build with clang; (bso#14251);
+ upgradedns: Ensure lmdb lock files linked; (bso#14199);
+ s3: VFS: glusterfs: Reset nlinks for symlink entries during
readdir; (bso#14182);
+ smbc_stat() doesn't return the correct st_mode and also the
uid/gid is not filled (SMBv1) file; (bso#14101);
+ librpc: Fix string length checking in ndr_pull_charset_to_null();
(bso#14219);
+ ctdb-scripts: Strip square brackets when gathering connection info;
(bso#14227);
-------------------------------------------------------------------
Tue Jan 21 16:55:36 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Fix nmbstatus not reporting detailed information about workgroups;
(bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);
-------------------------------------------------------------------
Tue Jan 21 16:31:07 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samab 4.11.5
+ CVE-2019-14902: Replication of ACLs down subtree on
AD Directory is not automatic; (bso#12497); (bsc#1160850).
+ CVE-2019-19344: Fix server crash with
dns zone scavenging = yes; (bso#14050); (bsc#1160852).
+ CVE-2019-14907: server-side crash after charset conversion
failure (eg during NTLMSSP processing); (bso#14208);
(bsc#1160888).
- Update to samba 4.11.4
+ Ensure SMB1 cli_qpathinfo2() doesn't return an inode number;
(bso#14161).
+ Ensure we don't call cli_RNetShareEnum() on an SMB1
connection; (bso#14174).
+ NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
SMBC_opendir_ctx; (bso#14176).
+ SMB2 - Ensure we use the correct session_id if encrypting
an interim response; (bso#14189).
+ Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
+ printing: Fix %J substition; (bso#13745).
+ Remove now unneeded call to cmdline_messaging_context();
(bso#13925).
+ Fix incomplete conversion of former parametric options;
(bso#14069).
+ Fix sync dosmode fallback in async dosmode codepath;
(bso#14070).
+ vfs_fruit returns capped resource fork length; (bso#14171).
+ libnet_join: Add SPNs for additional-dns-hostnames entries;
(bso#14116).
+ smbd: Increase a debug level; (bso#14211).
+ Prevent azure ad connect from reporting discovery errors
reference-value-not-ldap-conformant; (bso#14153).
+ krb5_plugin: Fix developer build with newer heimdal system
library; (bso#14179).
+ replace: Only link libnsl and libsocket if required;
(bso#14168);
+ ctdb: Incoming queue can be orphaned causing communication;
breakdown; (bso#14175).
+ ldb: Release ldb 2.0.8. Cross-compile will not take
cross-answers or cross-execute; (bso#13846).
+ heimdal-build: Avoid hard-coded /usr/include/heimdal in
asn1_compile-generated code; (bso#13856).
-------------------------------------------------------------------
Fri Dec 20 17:59:01 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).
-------------------------------------------------------------------
Tue Dec 10 09:57:23 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba 4.11.3
+ CVE-2019-14861: DNSServer RPC server crash, an authenticated user
can crash the DCE/RPC DNS management server by creating records
with matching the zone name; (bso#14138); (bsc#1158108).
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the
DelegationNotAllowed Kerberos feature restriction was not being
applied when processing protocol transition requests (S4U2Self),
in the AD DC KDC; (bso#14187); (bsc#1158109).
-------------------------------------------------------------------
Tue Oct 29 17:22:30 UTC 2019 - Jim McDonough <jmcdonough@suse.com>
- Update to samba 4.11.2
+ CVE-2019-10218: Client code can return filenames containing
path separators; (bsc#1144902); (bso#14071).
+ CVE-2019-14833: Samba AD DC check password script does not
receive the full password; (bso#12438).
+ CVE-2019-14847: User with "get changes" permission can crash
AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
+ Overlinking libreplace against librt and pthread against every
binary or library causes issues; (bso#14140);
+ kpasswd fails when built with MIT Kerberos; (bso#14155);
+ Fix spnego fallback from kerberos to ntlmssp in smbd server;
(bso#14106);
+ Stale file handle error when using mkstemp on a share; (bso#14137);
+ non-AES schannel broken; (bso#14134);
+ Joining Active Directory should not use SAMR to set the password;
(bso#13884);
+ smbclient can blunder into the SMB1 specific cli_RNetShareEnum()
call on an SMB2 connection; (bso#14152);
+ Deleted records can be resurrected during recovery; (bso#14147);
+ getpwnam and getpwuid need to return data for ID_TYPE_BOTH group;
(bso#14141);
+ winbind does not list forest trusts with additional trust
attributes; (bso#14130);
+ fault report points to outdated documentation; (bso#14139);
+ pam_winbind with krb5_auth or wbinfo -K doesn't work for users of
trusted domains/forests; (bso#14124);
+ classicupgrade results in uncaught exception - a bytes-like object
is required, not 'str'; (bso#14136);
+ pod2man is not longer required, stop checking at build time;
(bso#14131);
+ Exit code of ctdb nodestatus should not be influenced by deleted
nodes; (bso#14129);
+ username/password authentication doesn't work with CUPS and
smbspool; (bso#14128);
+ smbc_readdirplus() is incompatible with smbc_telldir() and
smbc_lseekdir(); (bso#14094);
-------------------------------------------------------------------
Sat Oct 5 14:20:06 UTC 2019 - James McDonough <jmcdonough@suse.com>
- Update to samba 4.11.0
+ For details on all items see WHATSNEW.txt in samba-doc
package
+ Python2 runtime support removed; python 3.4 or later required
+ Security improvements:
- SMB1 disabled by default
- lanman and plaintext authentication deprecated
- winbind: PAM_AUTH and NTLM_AUTH events logged
- GnuTLS 3.2 required; system FIPS mode setting honored
+ CephFS Snapshot integration, exposed as previous file
versions
+ ctdb changes:
- onnode -o option removed
- ctdbd logs when using more than 90% of a CPU thread
- CTDB_MONITOR_SWAP_USAGE variable removed
+ AD Domain controller improvements:
- Upgrade AD databse format
- BIND9_FLATFILE deprecated
- default process model chagned to prefork
- bind9 dns operation duration logging
- Default schema updated to 2012_R2; function level is
unchanged
- many performance improvements
+ Configuration webserver support removed
-------------------------------------------------------------------
Tue Sep 3 09:18:38 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.10.8
+ CVE-2019-10197: user escape from share path definition;
(bso#14035); (bsc#1141267);
-------------------------------------------------------------------
Fri Aug 30 13:10:01 UTC 2019 - Noel Power <nopower@suse.com>
- Fix build on newer systems by modifying samba.spec to use
consistent non-relative paths for pammodules in configure line
and specification of pam_winbind.so library to package.
-------------------------------------------------------------------
Tue Aug 27 14:47:44 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba 4.10.7
+ Unable to create or rename file/directory inside shares
configured with vfs_glusterfs_fuse module; (bso#14010).
+ build: Allow build when '--disable-gnutls' is set; (bso#13844)
+ samba-tool: Add 'import samba.drs_utils' to fsmo.py;
(bso#13973).
+ Fix 'Error 32 determining PSOs in system' message on old DB
with FL upgrade; (bso#14008).
+ s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
+ join: Use a specific attribute order for the DsAddEntry
nTDSDSA object; (bso#14046).
+ vfs_catia: Pass stat info to synthetic_smb_fname();
(bso#14015).
+ lookup_name: Allow own domain lookup when flags == 0;
(bso#14091).
+ s4 librpc rpc pyrpc: Ensure tevent_context deleted last;
(bso#13932).
+ DEBUGC and DEBUGADDC doesn't print into a class specific log
file; (bso#13915).
+ Request to keep deprecated option "server schannel",
VMWare Quickprep requires "auto"; (bso#13949).
+ dbcheck: Fallback to the default tombstoneLifetime of 180 days;
(bso#13967).
+ dnsProperty fails to decode values from older Windows versions;
(bso#13969).
+ samba-tool: Use only one LDAP modify for dns partition fsmo
role transfer; (bso#13973).
+ third_party: Update waf to version 2.0.17; (bso#13960).
+ netcmd: Allow 'drs replicate --local' to create partitions;
(bso#14051).
+ ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).
-------------------------------------------------------------------
Wed Aug 7 13:03:55 UTC 2019 - npower <nopower@suse.com>
- Prepare for use future use of kernel keyrings, modify
/etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).
-------------------------------------------------------------------
Thu Aug 1 10:00:00 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
+ s3: winbind: Fix crash when invoking winbind idmap scripts;
(bso#13956).
+ smbd does not correctly parse arguments passed to dfree and quota
scripts; (bso#13964).
+ samba-tool dns: use bytes for inet_ntop; (bso#13965).
+ samba-tool domain provision: Fix --interactive module in python3;
(bso#13828).
+ ldb_kv: Skip @ records early in a search full scan; (bso#13893).
+ docs: Improve documentation of "lanman auth" and "ntlm auth"
connection; (bso#13981).
+ python/ntacls: Use correct "state directory" smb.conf option instead
of "state dir"; (bso#14002).
+ registry: Add a missing include; (bso#13840).
+ Fix SMB guest authentication; (bso#13944).
+ AppleDouble conversion breaks Resourceforks; (bso#13958).
+ vfs_fruit makes direct use of syscalls like mmap() and pread();
(bso#13968).
+ s3:mdssvc: Fix flex compilation error; (bso#13987).
+ s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
+ dsdb:samdb: schemainfo update with relax control; (bso#13799).
+ s3:util: Move static file_pload() function to lib/util; (bso#13964).
+ smbd: Fix a panic; (bso#13957).
+ ldap server: Generate correct referral schemes; (bso#12478).
+ s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value;
(bso#13941).
+ s4 dsdb: Fix use after free in samldb_rename_search_base_callback;
(bso#13942).
+ dsdb/repl: we need to replicate the whole schema before we can apply it;
(bso#12204).
+ ldb: Release ldb 1.5.5; (bso#12478).
+ Schema replication fails if link crosses chunk boundary backwards;
(bso#13713).
+ 'samba-tool domain schemaupgrade' uses relax control and skips the
schemaInfo update provision; (bso#13799).
+ dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)]
..."; (bso#13916).
+ python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to
get the ACL; (bso#13917).
+ s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary;
(bso#13947).
+ Using Kerberos credentials to print using spoolss doesn't work;
(bso#13939).
+ wafsamba: Use native waf timer; (bso#13998).
+ ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).
-------------------------------------------------------------------
Wed Jun 19 09:20:12 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
+ CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
in DnssrvOperation2; (bso#13922); (bsc#1137815).
+ CVE-2019-12436 dsdb/paged_results: Ignore successful results
without messages; (bso#13951); (bsc#1137816).
- Update to samba-4.10.4
+ s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
+ py/provision: Fix for Python 2.6; (bso#13882).
+ netcmd: Fix 'passwordsettings --max-pwd-age' command;
(bso#13873).
+ s3-libnet_join: 'net ads join' to child domain fails when
using "-U admin@forestroot"; (bso#13861).
+ vfs_ceph: Explicitly enable libcephfs POSIX ACL support;
(bso#13896); (bsc#1130245).
+ vfs_ceph: Fix cephwrap_flistxattr() debug message;
(bso#13940); (bsc#1134697).
+ ctdb-common: Avoid race between fd and signal events;
(bso#13895).
+ ctdb-common: Fix memory leak in run_proc; (bso#13943).
+ lib: Initialize getline() arguments; (bso#13892).
+ winbind: Fix overlapping id ranges; (bco#13903).
+ lib util debug: Increase format buffer to 4KiB; (bso#13902).
+ nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
+ s4 lib socket: Ensure address string owned by parent struct;
(bso#13929).
+ s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
+ s3:smbd: Handle IO_REPARSE_TAG_DFS in
SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
+ smb2_sesssetup: avoid STATUS_PENDING responses for session setup;
(bso#12845).
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
+ smb2_sesssetup: avoid STATUS_PENDING responses for session
setup; (bso#13796).
+ dbcheck: Fix the err_empty_attribute() check; (bso#13843).
+ vfs_snapper: Drop unneeded fstat handler; (bso#13858).
+ vfs_default: Fix vfswrap_offload_write_send()
NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
+ smb2_server: Grant all 8192 credits to clients; (bso#13863).
+ smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling;
(bso#13919).
+ s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
+ s3: modules: ceph: Use current working directory instead of
share path; (bso#13918); (bsc#1134452).
+ winbind: Use domain name from lsa query for sid_to_name cache
entry; (bso#13831).
+ memcache: Increase size of default memcache to 512k;
(bso#13865).
+ docs: Update smbclient manpage for "--max-protocol";
(bso#13857).
+ s3:utils: If share is NULL in smbcacls, don't print it;
(bso#13937).
+ s3:smbspool: Fix regression printing with Kerberos credentials;
(bso#13939).
+ ctdb-scripts: CTDB restarts failed NFS RPC services by hand,
which is incompatible with systemd; (bso#13860).
+ ctdb-daemon: Revert "We can not assume that just because we
could complete a TCP handshake"; (bso#13888).
+ ctdb-daemon: Never use 0 as a client ID; (bso#13930).
+ ctdb-common: Fix memory leak; (bso#13943).
+ s3:debug: Enable logging for early startup failures;
(bso#13904)
- Update to samba-4.10.3
+ CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
checksum; (bso#13685); (bsc#1134024).
-------------------------------------------------------------------
Tue May 14 14:22:11 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
- Add ceph_snapshots VFS module; (jsc#SES-183).
-------------------------------------------------------------------
Wed May 8 12:42:31 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).
-------------------------------------------------------------------
Wed Apr 17 11:20:32 UTC 2019 - npower <nopower@suse.com>
- Update to samba-4.10.2:
+ CVE-2019-3870 (World writable files in
Samba AD DC private/ dir); (bso#13834).
+ CVE-2019-3880 (Save registry file outside share as
unprivileged user); (bso#13851).
+ py/kcc_utils: py2.6 compatibility; (bso#13837).
+ libcli: permit larger values of DataLength in
SMB2_ENCRYPTION_CAPABILITIES of negotiate response;
(bso#13869).
+ regfio: Improve handling of malformed registry hive files;
(bso#13840).
+ ctdb-version: Simplify version string usage; (bso#13789).
+ lib: Make fd_load work for non-regular files; (bso#13859).
+ dbcheck: in the middle of the tombstone garbage collection
causes replication failures,
dbcheck: add --selftest-check-expired-tombstones cmdline
option; (bso#13816).
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
+ s4/messaging: Fix undefined reference in linking
libMESSAGING-samba4.so; (bso#13854).
+ acl_read: Fix regression for empty lists; (bso#13836).
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
+ s3:client: Fix printing via smbspool backend with kerberos
auth; (bso#13832).
+ s4:librpc: Fix installation of Samba; (bso#13847).
+ s3:lib: Fix the debug message for adding cache entries;
(bso#13848).
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username;
(bso#13793).
+ s3:lib: Fix the debug message for adding cache entries;
(bso#13848).
+ s3:waf: Fix the detection of makdev() macro on Linux;
(bso#13853).
* ctdb-build: Drop creation of .distversion in tarball;
(bso#13789).
* ctdb-packaging: Test package requires tcpdump, ctdb package
should not own system library directory; (bso#13838).
- Update to samba-4.10.1:
+ py/kcc_utils: py2.6 compatibility; (bso#13837);
+ libcli: permit larger values of DataLength in
SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
+ regfio: Improve handling of malformed registry hive files; (bso#13840);
+ ctdb-version: Simplify version string usage; (bso#13789);
+ lib: Make fd_load work for non-regular files; (bso#13859);
+ dbcheck in the middle of the tombstone garbage collection causes
replication failures, dbcheck: add --selftest-check-expired-tombstones
cmdline option; (bso#13816);
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
+ s4/messaging: Fix undefined reference in linking
libMESSAGING-samba4.so; (bso#13854);
+ acl_read: Fix regression for empty lists; (bso#13836);
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
+ s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
+ s4:librpc: Fix installation of Samba; (bso#13847);
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
+ s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
+ ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
+ ctdb-packaging: Test package requires tcpdump, ctdb package
should not own system library directory; (bso#13838);
- Update to samba-4.10.0:
+ s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
+ s4/scripting/bin: Open unicode files with utf8 encoding and write
+ unicode string.
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
files; (bso#13759);
+ Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813);
+ passdb: Update ABI to 0.27.2.
+ lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
+ lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);
-------------------------------------------------------------------
Sun Apr 14 22:31:32 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
-------------------------------------------------------------------
Tue Apr 2 08:38:28 UTC 2019 - npower <nopower@suse.com>
- CVE-2019-3880: Save registry file outside share as unprivileged
user; (bso#13851); (bsc#1131060 ).
-------------------------------------------------------------------
Wed Mar 27 18:47:07 UTC 2019 - David Mulder <dmulder@suse.com>
- Update to samba-4.9.5
+ audit_logging: Remove debug log header and JSON Authentication:
prefix; (bso#13714);
+ Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
+ s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso#
CID: 1433607; (bso#11495);
+ smbd: uid: Don't crash if 'force group' is added to an existing
share connection; (bso#13690);
+ s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility
code; (bso#13770);
+ s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
+ s3:utils/smbget fix recursive download with empty source
directories; (bso#13199);
+ samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
+ s3:libsmb: cli_smb2_list() can sometimes fail initially on a
connection; (bso#13736);
+ join: Throw CommandError instead of Exception for simple errors; (bso#13747);
+ ldb: Avoid inefficient one-level searches; (bso#13762);
+ s3: libsmb: use smb2cli_conn_max_trans_size() in
cli_smb2_list(); (bso#13736);
+ tldap: Avoid use after free errors; (bso#13776);
+ Fix idmap xid2sid cache churn; (bso#13802);
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
+ s3-smbd: Avoid assuming fsp is always intact after close_file
call; (bso#13720);
+ s3-vfs-fruit: Add close call; (bso#13725);
+ s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
+ s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
+ printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
+ vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS)
ftruncate and fallocate; (bso#13807);
+ lib/audit_logging: Actually create talloc; (bso#13737);
+ netcmd/user: python[3]-gpgme unsupported and replaced by
python[3]-gpg; (bso#13728);
+ dns: Changing onelevel search for wildcard to subtree; (bso#13738);
+ samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
files; (bso#13759);
+ ctdb: Print locks latency in machinereadable stats; (bso#13742);
+ messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
+ audit_logging: auth_json_audit required auth_json; (bso#13715);
+ man pages: Document prefork process model; (bso#13765);
+ CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
+ s3:auth: ignore create_builtin_guests() failing without a valid
idmap configuration; (bso#13697);
+ s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC
without trusts; (bso#13722);
+ s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd
is not available; (bso#13723);
+ s4:server: Add support for 'smbcontrol samba shutdown' and
'smbcontrol <pid> debug/debuglevel'; (bso#13752);
+ Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
+ vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
+ s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
+ notifyd: Fix SIGBUS on sparc; (bso#13704);
+ waf: Check for libnscd; (bso#13787);
+ s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
+ lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
+ Recovery lock bug fixes; (bso#13800);
+ s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
+ s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
+ vfs_fileid: Fix get_connectpath_ino; (bso#13741);
+ vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);
-------------------------------------------------------------------
Mon Mar 4 12:42:36 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).
-------------------------------------------------------------------
Fri Feb 22 11:58:53 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Fix update-apparmor-samba-profile script after apparmor switched
to using named profiles. The change is backwards compatible;
(bsc#1126377);
-------------------------------------------------------------------
Thu Feb 7 16:13:15 UTC 2019 - David Mulder <dmulder@suse.com>
- LoadParm().load_default() fails with "Unable to load default file";
(bsc#1089758);
-------------------------------------------------------------------
Thu Feb 7 00:27:42 UTC 2019 - ddiss@suse.com
- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);
-------------------------------------------------------------------
Mon Feb 4 12:38:55 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit();
(bso#13173); (bsc#1123755);
- s3:winbind: Fix regression introduced with bso #12851;
(bso#12851); (bsc#1123755);
-------------------------------------------------------------------
Tue Jan 8 11:38:40 UTC 2019 - nopower@suse.com
- Update to samba-4.9.4
+ libcli/smb: Don't overwrite status code; (bso#9175).
+ wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
+ Session setup reauth fails to sign response; (bso#13661).
+ vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
+ vfs_shadow_copy2: Nicely deal with attempts to open previous
version for writing; (bso#13688).
+ Restoring previous version of stream with vfs_shadow_copy2 fails
with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
+ CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
+ PEP8: fix E231: missing whitespace after ','.
+ winbindd: Fix crash when taking profiles;(bso#13629)
+ CVE-2018-14629 dns: Fix CNAME loop prevention using counter
regression; (bso#13600)
+ 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
+ CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
+ lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679)
+ ctdb-daemon: Exit with error if a database directory does not
exist; (bso#13696).
+ s3:libads: Add net ads leave keep-account option; (bso#13498).
-------------------------------------------------------------------
Thu Dec 20 15:15:54 UTC 2018 - David Mulder <dmulder@suse.com>
- s3:passdb: Do not return OK if we don't have pinfo set up;
(bsc#1099590); (bso#13376);
-------------------------------------------------------------------
Thu Dec 6 20:55:23 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Drop more %if..%endif guards which are idempotent.
- Drop requires on ldconfig which are already auto-discovered.
- Do not ignore errors from useradd/groupadd.
-------------------------------------------------------------------
Thu Nov 29 15:54:27 UTC 2018 - David Mulder <dmulder@suse.com>
- Remove python2 build dependency from samba-libs; (bsc#1116900);
-------------------------------------------------------------------
Wed Nov 28 09:35:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update update-apparmor-samba-profile script to ignore the shares's
paths containing substitution variables in any place, not only at the
beginning of the path.
-------------------------------------------------------------------
Mon Nov 19 12:28:56 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.3
+ CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD
Internal DNS server; (bso#13600); (bsc#1116319);
+ CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628);
(bsc#1116320);
+ CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server;
(bso#13674); (bsc#1116322);
+ CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers;
(bso#13669); (bsc#1116321);
+ CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported); (bso#13678); (bsc#1116324);
+ CVE-2018-16857: Bad password count in AD DC not always effective;
window; (bso#13683); (bsc#1116323);
-------------------------------------------------------------------
Thu Nov 8 17:53:14 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- s3: winbind: Remove fstring from wb_acct_info struct; (bsc#1114459);
- Use foreground execution mode for systemd samba daemons; (bsc#1112223);
-------------------------------------------------------------------
Thu Nov 8 15:06:37 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.2
+ dsdb: Add comments explaining the limitations of our current backlink
behaviour; (bso#13418);
+ Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
+ testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3;
(bso#13465);
+ Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
+ File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
+ Enabling vfs_fruit looses FinderInfo; (bso#13649);
+ Cancelling of SMB2 aio reads and writes returns wrong error
NT_STATUS_INTERNAL_ERROR; (bso#13667);
+ Fix CTDB recovery record resurrection from inactive nodes and simplify
vacuuming; (bso#13641);
+ examples: Fix the smb2mount build; (bso#13465);
+ libtevent: Fix build due to missing open_memstream on Illiumos;
(bso#13629);
+ winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
+ dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path;
(bso#13653);
+ Extended DN SID component missing for member after switching group
membership; (bso#13418);
+ Return STATUS_SESSION_EXPIRED error encrypted, if the request was
encrypted; (bso#13624);
+ python: Allow forced signing via smb.SMB(); (bso#13621);
+ lib:socket: If returning early, set ifaces; (bso#13665);
+ ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8
encoded unicode; (bso#13616);
+ smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute;
(bso#13673);
+ waf: Add -fstack-clash-protection; (bso#13601);
+ winbind: Fix segfault if an invalid passdb backend is configured;
(bso#13668);
+ Fix bugs in CTDB event handling; (bso#13659);
+ Misbehaving nodes are sometimes not banned; (bso#13670);
-------------------------------------------------------------------
Mon Oct 29 14:38:56 UTC 2018 - dmulder@suse.com
- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);
-------------------------------------------------------------------
Tue Oct 23 18:44:53 UTC 2018 - dmulder@suse.com
- winbind requires latest version of libtevent-util0 to start
-------------------------------------------------------------------
Fri Oct 12 14:58:08 UTC 2018 - dmulder@suse.com
- Backport latest gpo code from master
+ Read policy from local gpt cache
+ Offline policy application
+ Make group policy extensible via register/unregister gpext
+ gpext's run via a process_group_policy method
-------------------------------------------------------------------
Mon Oct 8 08:36:43 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.6.16; (bsc#1110943);
+ CVE-2018-10919: Fix unauthorized attribute access via searches;
(bso#13434);
-------------------------------------------------------------------
Wed Sep 26 22:45:40 UTC 2018 - jmcdonough@suse.com
- Enable profiling data collection
-------------------------------------------------------------------
Tue Sep 25 20:26:47 UTC 2018 - dmulder@suse.com
- Change samba-kdc package name to samba-ad-dc
- Move samba-ad-dc.service to the samba-ad-dc package
-------------------------------------------------------------------
Mon Sep 24 09:43:08 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.1
+ s3: nmbd: Stop nmbd network announce storm; (bso#13620);
+ s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds;
(bso#13597);
+ CTDB recovery lock has some race conditions; (bso#13617);
+ s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
+ ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);
-------------------------------------------------------------------
Thu Sep 13 19:19:34 UTC 2018 - dmulder@suse.com
- Tumbleweed doesn't define the sle_version macro, so we must
include a check for suse_version also. Otherwise python3 is
disabled on Tumbleweed.
-------------------------------------------------------------------
Thu Sep 13 13:28:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.0
+ samba_dnsupdate: Honor 'dns zone scavenging' option, only update if
needed; (bso#13605);
+ wafsamba: Fix 'make -j<jobs>'; (bso#13606);
-------------------------------------------------------------------
Mon Sep 10 20:46:20 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc5
+ s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only
returns absolute pathnames; (bso#13565);
+ s3: util: Do not take over stderr when there is no log file; (bso#13578);
+ Durable Reconnect fails because cookie.allow_reconnect is not
set; (bso#13549);
+ krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
+ vfs_fruit: Don't unlink the main file; (bso#13441);
+ smbd: Fix a memleak in async search ask sharemode; (bso#13602);
+ Fix Samba GPO issue when Trust is enabled; (bso#11517);
+ samba-tool: Add "virtualKerberosSalt" attribute to
'user getpassword/syncpasswords'; (bso#13539);
+ Fix CTDB configuration issues; (bso#13589);
+ ctdbd logs an error until it can successfully connect to
eventd; (bso#13592);
-------------------------------------------------------------------
Wed Aug 29 15:49:29 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc4
+ s3: smbd: Ensure get_real_filename() copes with empty
pathnames; (bso#13585);
+ samba domain backup online/rename commands force user to specify
password on CLI; (bso#13566);
+ wafsamba/samba_abi: Always hide ABI symbols which must be
local; (bso#13579);
+ Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
+ Fix memory and resource leaks; (bso#13567);
+ python: Fix print in dns_invalid.py; (bso#13580);
+ Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
+ Fix CTDB configuration issues; (bso#13589);
+ s3: vfs: time_audit: fix handling of token_blob in
smb_time_audit_offload_read_recv(); (bso#13568);
-------------------------------------------------------------------
Mon Aug 27 09:34:11 UTC 2018 - vcizek@suse.com
- Add missing zlib-devel dependency which was previously pulled in
by libopenssl-devel
-------------------------------------------------------------------
Tue Aug 21 13:39:49 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc3+git.22.3fff23ae36e
+ CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
returns from malicious servers; (bso#13453);
+ CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
+ CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
not servicePrincipalName is set on a user; (bso#13552);
+ CVE-2018-10919: acl_read: Fix unauthorized attribute access via
searches; (bso#13434);
+ ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
+ CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
is disabled via "ntlm auth"; (bso#13360);
+ s3-tldap: do not install test_tldap; (bso#13529);
+ ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
+ CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
ltdb_index_dn_attr(); (bso#13374);
+ ctdb-eventd: Fix CID 1438155; (bso#13554);
+ Fix CIDs 1438243, (Unchecked return value) 1438244
(Unsigned compared against 0), 1438245 (Dereference before null check) and
1438246 (Unchecked return value); (bso#13553);
+ ctdb: Fix a cut&paste error; (bso#13554);
+ systemd: Only start smb when network interfaces are up; (bso#13559);
+ Fix quotas don't work with SMB2; (bso#13553);
+ s3/smbd: Ensure quota code is only called when quota support
detected; (bso#13563);
+ s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
+ s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
+ Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);
-------------------------------------------------------------------
Mon Aug 20 21:25:27 UTC 2018 - ddiss@suse.com
- Update to 4.6.15
+ Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230);
+ Allow idmap_rid to have primary group other than "Domain Users";
(bsc#1087931).
-------------------------------------------------------------------
Mon Aug 20 15:03:01 MDT 2018 - dmulder@suse.com
- Update to samba-4.9.0rc2+git.21.a1069afb007
+ s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
+ s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check();
(bso#13535);
+ samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
+ s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
+ Fix portability issues on freebsd; (bso#13520);
+ DNS wildcard search does not handle multiple labels correctly; (bso#13536);
+ samba-tool domain trust: Fix trust compatibility to Windows
Server 1709 and FreeIPA; (bso#13308);
+ Fix portability issues on freebsd; (bso#13520);
+ ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
+ ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT
option; (bso#13546);
+ ctdb-doc: Provide an example script for migrating old
configuration; (bso#13550);
+ ctdb-event: Implement event tool "script list" command; (bso#13551);
-------------------------------------------------------------------
Tue Aug 14 13:06:03 UTC 2018 - nopower@suse.com
- Update to samba-4.8.4+git.37.a7a861d7982;
+ CVE-2018-1139: Weak authentication protocol allowed;
(bsc#1095048); (bsc#13360);
+ CVE-2018-1140: Denial of Service Attack on DNS and LDAP server;
(bsc#1095056); (bso#13466); (bso#13374);
+ CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient; (bsc#1103411); (bso#13453);
+ CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server;
(bsc#1103414); (bso#13552);
+ CVE-2018-10919: Confidential attribute disclosure from the AD
LDAP server; (bsc#1095057); (bso#13434);
+ s3:winbind: winbind normalize names' doesn't work for users;
(bso#12851);
+ winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
+ s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
+ samdb: Fix building Samba with gcc 8.1; (bso#13437);
+ s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
+ smbd: Flush dfree memcache on service reload; (bso#13446);
+ ldb: Save a copy of the index result before calling the
+ lib/util: No Backtrace given by Samba's AD DC by default;
(bso#13454).
+ s3: smbd: printing: Re-implement delete-on-close semantics for
print files missing since 3.5.x; (bso#13457).
+ python: Fix talloc frame use in make_simple_acl(); (bso#13474).
+ krb5_wrap: Fix keep_old_entries logic for older Kerberos
libraries;(bso#13478).
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos;
(bso#13480).
-------------------------------------------------------------------
Wed Aug 1 14:57:51 UTC 2018 - scabrero@suse.de
- CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient; (bso#13453); (bsc#1103411);
- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
(bso#12851);
- winbind: avoid using fstrcpy in _dual_init_connection;
(bso#13294); (bsc#1087303);
- Fix ntlm authentications with "winbind use default domain = yes";
(bso#13126); (bsc#1068059);
- net: fix net ads keytab handling; (bso#13166); (bsc#1067700);
- fix vfs_ceph flock stub; (bso#13506).
-------------------------------------------------------------------
Tue May 29 12:08:15 UTC 2018 - scabrero@suse.de
- Add missing package descriptions; (bsc#1093864);
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
- Call update-apparmor-samba-profile when running samba-ad-dc;
(bsc#1092099);
-------------------------------------------------------------------
Wed May 23 14:01:16 UTC 2018 - ddiss@suse.com
- Fix vfs_ceph with "aio read size" or "aio write size" > 0;
(bsc#1093664).
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
+ Fix memory leak in vfs_ceph; (bso#13424).
- Update to 4.6.14
+ winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection;
(bso#13294).
+ s3:smb2_server: correctly maintain request counters for compound
requests; (bso#13215).
+ s3: smbd: Unix extensions attempts to change wrong field in fchown
call; (bso#13375).
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338).
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
(bso#13297).
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270).
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we
don't own it here; (bso#13244).
+ s3:libsmb: allow -U"\\administrator" to work; (bso#13206).
+ CVE-2018-1057: s4:dsdb: fix unprivileged password changes;
(bso#13272); (bsc#1081024).
+ s3:smbd: Do not crash if we fail to init the session table;
(bso#13315).
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310).
+ smbXcli: Add "force_channel_sequence"; (bso#13215).
+ smbd: Fix channel sequence number checks for long-running requests;
(bso#13215).
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on
expired sessions; (bso#13197).
+ s3:smbd: return the correct error for cancelled SMB2 notifies on
expired sessions; (bso#13197).
+ samba: Only use async signal-safe functions in signal handler;
(bso#13240).
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031).
-------------------------------------------------------------------
Wed May 23 09:52:28 UTC 2018 - jmcdonough@suse.com
- Update to 4.8.2
+ After update to 4.8.0 DC failed with "Failed to find our own
NTDS Settings objectGUID" (bso#13335).
+ fix incorrect reporting of stream dos attributes on a
directory (bso#13380).
+ vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
+ vfs_ceph: Fix memory leak; (bso#13424).
+ libsmbclient: Fix hard-coded connection error return of
ETIMEDOUT; (bso#13419).
+ s4-lsa: Fix use-after-free in LSA server; (bso#13420).
+ winbindd: Do re-connect if the RPC call fails in the passdb
case; (bso#13430).
+ cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
+ cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd
unclean process shutdown; (bso#13414).
+ ctdb-client: Remove ununsed functions from old client code;
(bso#13411).
+ printing: Return the same error code as windows does on upload
failures; (bso#13395).
+ nsswitch: Fix memory leak in winbind_open_pipe_sock() when the
privileged pipe is not accessable; (bso#13400).
+ s4:lsa_lookup: remove TALLOC_FREE(state) after all
dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
+ rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).
-------------------------------------------------------------------
Fri Apr 27 13:57:14 UTC 2018 - scabrero@suse.de
- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is
required by some client libs; (bsc#1074135);
- Update to 4.8.1; (bsc#1091179);
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error,
we don't own it here; (bso#13244);
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270);
+ Round-tripping ACL get/set through vfs_fruit will increase the number of
ACE entries without limit; (bso#13319);
+ s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit
issues; (bso#13347);
+ s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without
delete access; (bso#13358);
+ s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
+ s3: smbd: Unix extensions attempts to change wrong field in fchown call;
(bso#13375);
+ ms_schema/samba-tool visualize: Fix python2.6 incompatibility;
(bso#13337);
+ Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
+ winbindd: Recover loss of netlogon secure channel in case the peer DC is
rebooted; (bso#13332);
+ s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
+ ctdb-client: Fix bugs in client code; (bso#13356);
+ ctdb-scripts: Drop "net serverid wipe" from 50.samba event script;
(bso#13359);
+ s3: lib: messages: Don't use the result of sec_init() before calling
sec_init(); (bso#13368);
+ libads: Fix the build '--without-ads'; (bso#13273);
+ winbind: Keep "force_reauth" in invalidate_cm_connection, add
'smbcontrol disconnect-dc'; (bso#13332);
+ vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
+ dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
+ rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
+ smbclient: Fix notify; (bso#13382);
+ Fix smbd panic if the client-supplied channel sequence number wraps;
(bso#13215);
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
+ lib/util: Remove unused '#include <sys/syscall.h>' from tests/tfork.c;
(bso#13342);
+ Fix build errors with cc from developerstudio 12.5 on Solaris;
(bso#13343);
+ Fix the picky-developer build on FreeBSD 11; (bso#13344);
+ s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
+ lib:replace: Fix linking when libtirpc-devel overwrites system headers;
(bso#13341);
+ winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid
query; (bso#13312);
+ s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
+ Allow AESNI to be used on all processor supporting AESNI; (bso#13302);
-------------------------------------------------------------------
Wed Apr 11 14:55:09 UTC 2018 - aaptel@suse.com
- Use new foreground execution flags for systemd samba daemons;
(bsc#1088574); (bsc#1071090); (bsc#1065551);
+ Add %post scriptlet to clear old sysconfig flags
- Update vendor-files to commit 880b3e7.
+ Set samba sysconfig template variables to ""
+ Add required daemon flags directly to systemd unit
-------------------------------------------------------------------
Mon Mar 26 22:37:15 UTC 2018 - jengelh@inai.de
- Specfile cleanup
+ Remove %if..%endif guards which don't affect the build
+ Remove redundant %clean section
+ Replace old $RPM_* shell vars with macros
-------------------------------------------------------------------
Thu Mar 22 16:28:02 UTC 2018 - dimstar@opensuse.org
- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in
place of systemd and systemd-devel: Allow OBS to optimize the
workload by allowing the usage of the 'build-optimized' systemd
packages.
-------------------------------------------------------------------
Thu Mar 22 14:20:44 UTC 2018 - dmulder@suse.com
- Enable building samba with python3, and create a samba-python3 package.
-------------------------------------------------------------------
Thu Mar 15 11:29:04 UTC 2018 - jmcdonough@suse.com
- Update to 4.8
+ New GUID Index mode in sam.ldb for the AD DC
+ GPO support for samba KDC
+ Time machine support with vfs_fruit
+ Encrypted secrets
+ AD Replication visualization
+ Improved trust support
- ability to not scan global trust list
- AD external trusts have limited support
- verbose trusted domain listing
+ VirusFilter VFS module
+ NT4-style replication removed
+ vfs_aio_linux removed
-------------------------------------------------------------------
Tue Mar 13 20:12:10 UTC 2018 - david.mulder@suse.com
- Disable samba-pidl package, due to the removal of dependency
perl-Parse-Yapp; (bsc#1085150);
-------------------------------------------------------------------
Tue Mar 13 09:49:44 UTC 2018 - jmcdonough@suse.com
- Update to 4.7.6;
+ CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
(bso#11343); (bsc#1081741);
+ CVE-2018-1057: Authenticated users can change other users' password;
(bso#13272); (bsc#1081024).
-------------------------------------------------------------------
Wed Mar 7 11:54:50 UTC 2018 - jmcdonough@suse.com
- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
(bso#11343); (bsc#1081741);
-------------------------------------------------------------------
Tue Mar 6 23:36:51 UTC 2018 - ddiss@suse.com
- Update to 4.6.13; (bsc#1084191)
+ ceph_statx configure time check doesn't work with a non-default
--with-libcephfs path; (bso#13250).
- follow up fix for libceph-common detection; (bso#13277).
+ Fail to copy file with empty FinderInfo from Windows client to Samba
share with fruit; (bso#13181).
+ vfs_ceph uses a local statvfs() call to determine FS capabilities;
(bso#13208).
+ smbd tries to release not leased oplock during oplock II downgrade;
(bso#13193).
+ smbd panic when chdir returns error during exit; (bso#13189).
+ ctdb_recovery_helper crashes if recovery process times out; (bso#13188).
+ POSIX ACL support is broken on hpux and possibly other big-endian OSs;
(bso#13176).
+ Kerberos: PKINIT: Can't decode algorithm parameters in
clientPublicValue; (bso#12986).
+ g_lock conflict detection broken when processing stale entries.;
(bso#13195).
+ The KDC on an RWDC doesn't send error replies in some situations;
(bso#13132).
-------------------------------------------------------------------
Mon Feb 26 22:09:49 UTC 2018 - aaptel@suse.com
- Disable python until full python3 port is done; (bsc#1082139);
+ Remove contents of package samba-python
+ Remove contents of package libsamba-policy0
+ Remove contents of package libsamba-policy-devel
+ Remove library libsamba-python-samba4.so from samba-libs package
+ Remove library libsamba-net-samba4.so from samba-libs package
+ Remove smbtorture binary and manpage from samba-test
-------------------------------------------------------------------
Fri Feb 23 15:27:07 UTC 2018 - dmulder@suse.com
- samba fails to build with glibc2.27; (bsc#1081042);
-------------------------------------------------------------------
Mon Feb 12 09:12:02 UTC 2018 - scabrero@suse.com
- Update to 4.7.5; (bsc#1080545);
+ smbd tries to release not leased oplock during oplock II downgrade;
(bso#13193);
+ Fix copying file with empty FinderInfo from Windows client to Samba share
with fruit; (bso#13181);
+ build: Deal with recent glibc sunrpc header removal; (bso#10976);
+ Make Samba work with tirpc and libnsl2; (bso#13238);
+ vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208);
(bsc#1075206);
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
(bso#12986);
+ ctdb-recovery-helper: Deregister message handler in error paths;
(bso#13188);
+ samba: Only use async signal-safe functions in signal handler; (bso#13240);
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
(bso#12986);
+ repl_meta_data: Fix linked attribute corruption on databases
with unsorted links on expunge. dbcheck: Add functionality to fix the
corrupt database; (bso#13228);
+ Fix smbd panic when chdir returns error during exit; (bso#13189);
+ Make Samba work with tirpc and libnsl2; (bso#13238);
+ Fix POSIX ACL support on HPUX and possibly other big-endian OSs;
(bso#13176);
-------------------------------------------------------------------
Fri Feb 9 13:25:11 UTC 2018 - scabrero@suse.com
- Update to 4.7.4; (bsc#1080545);
+ s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
+ s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv(); (bso#13171);
+ s3: libsmb: Fix reversing of oldname/newname paths when creating a
reparse point symlink on Windows from smbclient; (bso#13172);
+ Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
+ repl_meta_data: Allow delete of an object with dangling backlinks;
(bso#13095);
+ s4:samba: Fix default to be running samba as a deamon; (bso#13129);
+ Performance regression in DNS server with introduction of DNS wildcard,
ldb: Release 1.2.3; (bso#13191);
+ vfs_zfsacl: Fix compilation error; (bso#6133);
+ "smb encrypt" setting changes are not fully applied until full smbd
restart; (bso#13051);
+ winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
+ vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
+ winbindd: Dependency on trusted-domain list in winbindd in critical auth
codepath; (bso#13173);
+ repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
+ ctdb: sock_daemon leaks memory; (bso#13153);
+ TCP tickles not getting synchronised on CTDB restart; (bso#13154);
+ winbindd: winbind parent and child share a ctdb connection; (bso#13150);
+ pthreadpool: Fix deadlock; (bso#13170);
+ pthreadpool: Fix starvation after fork; (bso#13179);
+ messaging: Always register the unique id; (bso#13180);
+ s4/smbd: set the process group; (bso#13129);
+ Fix broken linked attribute handling; (bso#13095);
+ The KDC on an RWDC doesn't send error replies in some situations;
(bso#13132);
+ libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
+ g_lock conflict detection broken when processing stale entries;
(bso#13195);
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired
sessions; (bso#13197);
+ s3:libads: net ads keytab list fails with "Key table name malformed";
(bso#13166); (bsc#1067700);
+ Fix crash in pthreadpool thread after failure from pthread_create;
(bso#13170);
+ s4:samba: Allow samba daemon to run in foreground; (bso#13129);
(bsc#1065551);
+ third_party: Link the aesni-intel library with "-z noexecstack";
(bso#13174);
+ vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I"
options; (bso#13125);
-------------------------------------------------------------------
Wed Dec 6 17:52:41 UTC 2017 - kukuk@suse.de
- Re-enable usage of libnsl (did got lost with glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from
glibc)
-------------------------------------------------------------------
Thu Nov 30 09:31:53 UTC 2017 - scabrero@suse.com
- Update to 4.6.11; (bsc#1084191)
+ vfs_glusterfs: Fix exporting subdirs with shadow_copy2; (bso#13091);
+ s3: smbclient: Ensure we call client_clean_name() before all
operations on remote pathnames; (bso#13093);
+ Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
+ python: use communicate to fix Popen deadlock; (bso#13127);
+ smbd on disk file corruption bug under heavy threaded load; (bso#13130);
+ tevent: version 0.9.34; (bso#13130);
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
+ smbd: Move check for SMB2 compound request to new function; (bso#13047);
+ s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd(); (bso#13100);
+ s4:pyparam: Fix resource leaks on error; (bso#13101);
+ s3:smbd: Fix delete-on-close after smb2_find; (bso#13118);
-------------------------------------------------------------------
Wed Nov 29 16:59:07 UTC 2017 - david.mulder@suse.com
- smbc_opendir should not return EEXIST with invalid login credentials;
(bnc#1065868).
-------------------------------------------------------------------
Tue Nov 28 17:07:26 UTC 2017 - scabrero@suse.com
- Update to 4.7.3; (bsc#1069666);
+ Non-smbd processes using kernel oplocks can hang smbd;
(bso#13121);
+ python: use communicate to fix Popen deadlock; (bso#13127);
+ smbd on disk file corruption bug under heavy threaded load;
(bso#13130);
+ tevent: version 0.9.34; (bso#13130);
+ s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
+ CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug;
(bsc#1060427);(bso#13041);
+ CVE-2017-15275: s3: smbd: Chain code can return uninitialized
memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.
-------------------------------------------------------------------
Mon Nov 27 14:23:09 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Nov 15 17:00:50 UTC 2017 - dmulder@suse.com
- samba-tool requires samba-python; (bnc#1067771).
-------------------------------------------------------------------
Wed Nov 8 17:21:41 UTC 2017 - scabrero@suse.de
- CVE-2017-14746: Use-after-free vulnerability; (bso#13041);
(bsc#1060427);
- CVE-2017-15275: Server heap memory information leak;
(bso#13077); (bsc#1063008);
-------------------------------------------------------------------
Tue Nov 7 07:43:54 UTC 2017 - scabrero@suse.com
- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
+ Fix exporting subdirs with shadow_copy2; (bso#13091);
+ Currently if getwd() fails after a chdir(), we panic; (bso#13027);
+ Ensure default SMB_VFS_GETWD() call can't return a partially completed
struct smb_filename; (bso#13068);
+ sys_getwd() can leak memory or possibly return the wrong errno on older
systems; (bso#13069);
+ smbclient doesn't correctly canonicalize all local names before use;
(bso#13093);
+ Fix broken linked attribute handling; (bso#13095);
+ Missing LDAP query escapes in DNS rpc server; (bso#12994);
+ Link to -lbsd when building replace.c by hand; (bso#13087);
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
(bso#6133);
+ Map SYNCHRONIZE acl permission statically in zfs_acl vfs module;
(bso#7909);
+ Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module;
(bso#7933);
+ Missing assignment in sl_pack_float; (bso#12991);
+ Wrong Samba access checks when changing DOS attributes; (bso#12995);
+ samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
+ groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
(bso#13076);
+ man pages: Properly ident lists; (bso#9613);
+ smb.conf.5: Sort parameters alphabetically; (bso#13081);
+ Fix GUID string format on GetPrinter info; (bso#12993);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ CTDB starts consuming memory if there are dead nodes in the cluster;
(bso#13056);
+ ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
+ libgpo doesn't sort the GPOs in the correct order; (bso#13046);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ vfs_catia: Fix a potential memleak; (bso#13090);
+ Fix file change notification for renames; (bso#12903);
+ Samba DNS server does not honour wildcards; (bso#12952);
+ Can't change password in samba from a Windows client if Samba runs on
IPv6 only interface; (bso#13079);
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
+ Apple client can't cope with SMB2 async replies when creating symlinks;
(bso#13047);
+ s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
+ Fix ntstatus_gen.h generation on 32bit; (bso#13099);
+ Fix a double free in vfs_gluster_getwd(); (bso#13100);
+ Fix resouce leaks and pointer issues; (bso#13101);
+ vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
-------------------------------------------------------------------
Fri Oct 27 07:48:17 UTC 2017 - scabrero@suse.de
- Update to 4.6.9; (bsc#1065066);
+ Reverse sense of 'clear all attributes', ignore attribute change in SMB2
to match SMB1; (bso#12899);
+ SMBC_setatr() initially uses an SMB1 call before falling back;
(bso#12913);
+ Fix segfault on MacOS 10.12.3 clients caused by SMB_VFS_GET_COMPRESSION;
(bso#13003);
+ sys_getwd() can leak memory or possibly return the wrong errno on older
systems; (bso#13069);
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
(bso#6133);
+ Map SYNCHRONIZE acl permission statically; (bso#7909);
+ Honor SEC_STD_WRITE_OWNER bit; (bso#7933);
+ Kernel oplocks still have issues with named streams; (bso#12791);
+ Handle EACCES when fetching DOS attributes; (bso#12944);
+ Missing assignment in sl_pack_float; (bso#12991);
+ Fix wrong Samba access checks when changing DOS attributes; (bso#12995);
+ Groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
(bso#13076);
+ Fix GUID string format on GetPrinter info; (bso#12993);
+ Match WS2016 ReFS set compression behaviour; (bso#12144);
+ Fix implementation of process_exists control; (bso#13012);
+ GET_DB_SEQNUM control can cause ctdb to deadlock when databases are
frozen; (bso#13021);
+ Free up record data if a call request is deferred; (bso#13029);
+ Initialize ctdb_ltdb_header completely for empty record; (bso#13036);
+ CTDB starts consuming memory if there are dead nodes in the cluster;
(bso#13056);
+ Ignore event scripts with multiple '.'s; (bso#13070);
+ Sort the GPOs in the correct order; (bso#13046);
+ 'smbd' uses a lot of CPU on startup of a connection; (bso#12973);
+ Fix str[n]casecmp_m() by comparing lower case values; (bso#13018);
+ Can't change password in Samba from a windows client if Samba runs on
IPv6 only interface; (bso#13079);
+ Fix file change notification for renames; (bso#12903);
+ Avoid a socket leak after fork; (bso#13006);
+ Fix a potential memleak; (bso#13090);
+ Fix passing of errno from async calls; (bso#12983);
+ Fix segfault when running with log level 10; (bso#13032);
+ Do not report an invalid range for AD DC role; (bso#12629);
+ Print the kinit failed message with DBGLVL_NOTICE; (bso#12704);
+ Fix changing passwords with Kerberos; (bso#12956);
+ Fix changing the password with 'smbpasswd' as a local user on a domain
member; (bso#12975);
+ Fix a read after free if a chained SMB1 call goes async; (bso#12836);
+ CVE-2017-12163: Prevent client short SMB1 write from writing server memory
to file; (bso#13020);
+ Let non_widelink_open() chdir() to directories directly; (bso#12885);
+ CVE-2017-12151: Keep required encryption across SMB3 dfs redirects;
(bso#12996);
+ CVE-2017-12150: Some code path don't enforce smb signing when they should;
(bso#12997);
-------------------------------------------------------------------
Mon Oct 23 15:10:32 UTC 2017 - dimstar@opensuse.org
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the
package won't be generated simply based on the fact that there is
no files section for the package. Allows the source validator to
ensure samba-kdc is a built package.
-------------------------------------------------------------------
Thu Sep 28 11:25:54 UTC 2017 - scabrero@suse.com
- Update to 4.7.0;
+ Whole DB read locks: Improved LDAP and replication consistency;
(bso#12858).
+ Samba AD with MIT Kerberos
+ Dynamic RPC port range: Default range changed from "1024-1300" to
"49152-65535".
+ Authentication and Authorization audit support: New auth_audit debug
class.
+ Multi-process LDAP Server: The LDAP server in the AD DC now honours
the process model used for the rest of the 'samba' process.
+ Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
+ Additional password hashes stored in supplementalCredentials.
+ Improvements to DNS during Active Directory domain join.
+ Significant AD performance and replication improvements.
+ Query record for open file or directory.
+ Removal of lpcfg_register_defaults_hook().
+ Change of loadable module interface.
+ SHA256 LDAPS Certificates: The self-signed certificate generated for use
on LDAPS will now be generated with a SHA256 self-signature, not a SHA1
self-signature.
+ CTDB no longer allows mixed minor versions in a cluster.
+ CTDB now ignores hints from Samba about TDB flags when attaching to
databases.
+ New configuration variable CTDB_NFS_CHECKS_DIR.
+ The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
+ The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
+ The example NFS Ganesha call-out has been improved.
+ A new "replicated" database type is available.
-------------------------------------------------------------------
Fri Sep 22 13:51:41 UTC 2017 - scabrero@suse.de
- Fix GUID string format on GetPrinter info request; (bso#12993);
(bsc#1050707).
-------------------------------------------------------------------
Thu Sep 14 20:41:11 UTC 2017 - aaptel@suse.com
- CVE-2017-12163: Prevent client short SMB1 write from
writing server memory to file; (bso#13020); (bsc#1058624).
-------------------------------------------------------------------
Thu Sep 14 19:03:56 UTC 2017 - nopower@suse.com
- CVE-2017-12150: Some code path don't enforce smb signing,
when they should; (bso#12997); (bsc#1058622).
-------------------------------------------------------------------
Thu Sep 14 14:39:37 UTC 2017 - nopower@suse.com
- CVE-2017-12151: Keep required encryption across SMB3 dfs
redirects; (bso#12996); (bsc#1058565).
-------------------------------------------------------------------
Thu Aug 31 08:31:51 UTC 2017 - aaptel@suse.com
- Clean specfile assuming SUSE-only system and product >=SLE11
+ %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version}
are always undefined
+ %{_vendor} is "suse" and %{suse_version} is at least 1100
-------------------------------------------------------------------
Wed Aug 16 11:33:36 UTC 2017 - ddiss@suse.com
- Update to 4.6.7; (bsc#1054017)
+ Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392).
+ smbcacls can fail against a directory on Windows using SMB2.; (bso#12937).
+ vfs_ceph provides inconsistent directory listings; (bso#12911).
+ Misused talloc context can cause a user to crash their smbd by chaining
SMB1 commands.; (bso#12836).
+ Use-after free can crash libsmbclient code.; (bso#12927).
+ Server exit with active AIO can crash.; (bso#12925).
+ Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910).
+ fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs;
(bso#12898).
+ vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897).
+ smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for
authentication; (bso#12886).
+ finder sidebar showing question mark instead of icon when using ip to
connect with vfs_fruit; (bso#12840).
+ Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes
from AD.; (bso#12720).
+ KCC run at selftest startup can fail spuriously due to a race;
(bso#12869).
+ winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for
the remote change; (bso#12782).
+ rpc_pipe_client memory leaks due to long term memory context passed to
rpc_pipe_open_interface(); (bso#12890).
+ CVE-2017-2619 breaks accessing previous versions of directories with
snapshots in subdirectories of the share; (bso#12885).
+ dns_name_equal doing OOB read; (bso#12813).
+ replica_sync tests flap; (bso#12753).
+ Selftest should not call 'net cache flush' and wipe important winbind
entries; (bso#12868).
+ Old Samba versions don't support using recent ldb versions (>=1.1.30);
(bso#12859).
+ pam_winbind fails with kerberos method = secrets and keytab; (bso#10490).
+ race starting winbindd against posixacl test; (bso#12843).
+ Crash in the reentrant smbd_smb2_create_send() if the something fails in
the subsequent try; (bso#12832).
+ spnego.c passes the wrong argument order to gensec_update_ev() for the
FALLBACK case; (bso#12788).
+ Clients with SMB3 support can't connect with
"server max protocol = SMB2_02"; (bso#12772).
+ A log message of samb-tool user syncpasswords reverses string arguments in
a debug message "Call Popen[...".; (bso#12768).
+ The smb tarmode tests kills the share dir contents; (bso#12867).
+ Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862).
+ CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860).
+ manpage/index.html lists links not in alphabetical order; (bso#12854).
+ smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831).
+ If a record is locked in a database, then recovery does not complete;
(bso#12857).
+ debug_locks.sh script does not log any information; (bso#12856).
+ SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport
after error; (bso#12852).
+ smbclient can't parse DOMAIN+username if a different winbind separator is
used; (bso#12849).
+ Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845).
+ Related requests with TreeConnect fail with NETWORK_NAME_DELETED;
(bso#12844).
+ cli->server_os not filled correctly; (bso#12779).
+ REGRESSION: smbclient doesn't print the session setup anymore;
(bso#12824).
+ smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for
FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808).
+ CTDB NFS call-out failures do not cause event failures; (bso#12837).
+ net command fails due to incorrectly return code; (bso#12828).
+ Fix building Samba with GCC 7.1; (bso#12827).
-------------------------------------------------------------------
Tue Aug 8 12:58:56 UTC 2017 - dmulder@suse.com
- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again;
(bsc#1048339).
-------------------------------------------------------------------
Mon Jul 24 13:34:55 UTC 2017 - ddiss@suse.com
- fix cephwrap_chdir(); (bsc#1048790).
- Update to 4.6.6
+ CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation;
(bsc#1048278).
-------------------------------------------------------------------
Thu Jul 13 21:13:21 UTC 2017 - dmulder@suse.com
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).
-------------------------------------------------------------------
Wed Jul 12 22:30:48 UTC 2017 - ddiss@suse.com
- Fix inconsistent ctdb socket path; (bsc#1048352).
- Fix non-admin cephx authentication; (bsc#1048387).
-------------------------------------------------------------------
Wed Jun 7 14:31:47 UTC 2017 - ddiss@suse.com
- Update to 4.6.5; (bsc#1040157)
+ Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at
startup; (bso#12814).
+ vfs_expand_msdfs tries to open the remote address as a file path;
(bso#12687).
+ PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type);
(bso#12798).
+ With clustering get update_num_read_oplocks failed and PANIC:
num_share_modes == 1 assertion failure; (bso#11844).
+ contend_level2_oplocks_begin_default oplock optimisation doesn't carry
over to leases; (bso#12766).
+ `ctdb nodestatus` incorrectly displays status for all nodes with wrong
exit code; (bso#12802).
+ CTDB can spin hard on revoking readonly delegations if a node becomes
disconnected; (bso#12697).
+ Printing a share mode entry with leases can crash in the ndr code;
(bso#12793).
+ Fix flakey unit tests for eventd; (bso#12792).
+ CTDB daemon crashes if built with clang; (bso#12770).
+ smbcacls fails if no password is specified; (bso#12765).
+ idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757).
+ samba-tool user syncpasswords doesn't trigger the script when a user gets
removed; (bso#12767).
+ systemd: fix detection of libsystemd; (bso#12764).
+ Notify subsystem only maps first inotify mask to Windows notify filter;
(bso#12760).
+ Allow passing trusted domain password as plain-text to PASSDB layer;
(bso#12751).
+ Can't case-rename files with vfs_fruit; (bso#12749).
+ wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702).
+ vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562).
+ Ordering of notify responses broken; (bso#12756).
-------------------------------------------------------------------
Wed Jun 7 13:17:24 UTC 2017 - nopower@suse.com
- s3: libsmb: Fix error where short name length was read as 2
bytes, should be 1; (bso#11822); (bsc#1042419).
-------------------------------------------------------------------
Mon May 29 16:03:52 UTC 2017 - ddiss@suse.com
- Revert explicit winbind %{version}-%{release} dependency.
+ The ABI has stabilized since (bsc#936909), so remove to fix cross-media
dependencies; (bsc#1037899).
-------------------------------------------------------------------
Mon May 22 15:54:05 UTC 2017 - ddiss@suse.com
- Fix CVE-2017-7494 remote code execution from a writable share;
(bso#12780); (bsc#1038231).
-------------------------------------------------------------------
Tue Apr 25 15:28:16 UTC 2017 - ddiss@suse.com
- Update to 4.6.3; (bsc#1036011)
+ s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
from shares with GlusterFS backend; (bso#12743).
+ Fix for Solaris C compiler; (bso#12559).
+ s3: locking: Update oplock optimization for the leases era; (bso#12628).
+ Make the Solaris C compiler happy; (bso#12693).
+ s3: libgpo: Allow skipping GPO objects that don't have the
expected LDAP attributes; (bso#12695).
+ Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
+ lib: debug: Avoid negative array access; (bso#12746).
+ cleanupdb: Fix a memory read error; (bso#12748).
+ streams_xattr and kernel oplocks results in
NT_STATUS_NETWORK_BUSY; (bso#7537).
+ winbindd: idmap_autorid allocates ids for unknown SIDs from other
backends; (bso#11961).
+ vfs_fruit: Resource fork open request with
flags=O_CREAT|O_RDONLY; (bso#12565).
+ manpages/vfs_fruit: Document global options; (bso#12615).
+ lib/pthreadpool: Fix a memory leak; (bso#12624).
+ Lookup-domain for well-known SIDs on a DC; (bso#12727).
+ winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
+ winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
+ credentials_krb5: use gss_acquire_cred for client-side GSSAPI
use case; (bso#12611).
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690).
+ ctdb-readonly: Avoid a tight loop waiting for revoke to
complete; (bso#12697).
+ ctdb_event monitor command crashes if event is not specified;
(bso#12723).
+ ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733).
+ smbd: Fix smb1 findfirst with DFS; (bso#12558).
+ smbd: Do an early exit on negprot failure; (bso#12610).
+ winbindd: Fix substitution for 'template homedir'; (bso#12699).
+ s4:kdc: Disable principal based autodetected referral detection;
(bso#12554).
+ idmap_autorid: Allocate new domain range if the callers knows
the sid is valid; (bso#12613).
+ LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
+ PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
trusted domain; (bso#12725).
+ rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
+ winbindd: Fix password policy for pam authentication; (bso#12725).
+ s3:gse: Correctly handle external trusts with MIT; (bso#12554).
+ auth/credentials: Always set the realm if we set the principal
from the ccache; (bso#12611).
+ replace: Include sysmacros.h; (bso#12686).
+ s3:vfs_expand_msdfs: Do not open the remote address as a file;
(bso#12687).
+ s3:libsmb: Only print error message if kerberos use is forced;
(bso#12704).
+ winbindd: Child process crashes when kerberos-authenticating
a user with wrong password; (bso#12708).
+ vfs_fruit: Office document opens as read-only on macOS due to
CNID semantics; (bso#12715).
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
fragmented; (bso#12737).
-------------------------------------------------------------------
Tue Apr 25 13:46:20 UTC 2017 - ddiss@suse.com
- Generate and update vendor-files tarball from Git
+ SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).
-------------------------------------------------------------------
Tue Apr 18 13:38:11 UTC 2017 - ddiss@suse.com
- Generate source tarball directly from Git using OBS tar_scm
+ use version string derived from parent Git tag and commit hash
- remove obsolete vendor-files/tools/package-data version ID
+ explicitly generate ctdb manpages, needed without "make dist"
-------------------------------------------------------------------
Mon Apr 10 13:52:40 UTC 2017 - ddiss@suse.com
- Update to 4.6.2
+ remove bso#12721 patches now upstream
-------------------------------------------------------------------
Fri Apr 7 12:59:26 UTC 2017 - ddiss@suse.com
- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622).
+ x86-64 and aarch64
-------------------------------------------------------------------
Mon Apr 3 14:01:25 UTC 2017 - ddiss@suse.com
- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).
-------------------------------------------------------------------
Thu Mar 30 17:18:54 UTC 2017 - dmulder@suse.com
- Build and install the html man pages (bsc#1021907).
-------------------------------------------------------------------
Thu Mar 30 12:33:39 UTC 2017 - nopower@suse.com
- Fix CVE-2017-2619 regression with "follow symlinks = no";
(bso#12721).
-------------------------------------------------------------------
Wed Mar 22 13:15:12 UTC 2017 - jmcdonough@suse.com
- Update to 4.6.1
+ symlink race permits opening files outside share directory;
CVE-2017-2619; (bso#12496); (bsc#1027147)
+ testparm checks for valid idmap parameters
+ add new krb client encryption types
+ support for printer driver upload from windows 10
+ inherit owner = 'unix only' for improved quota support
+ improved CTDB event support
+ new primary group support for idmap_ad
+ idmap_hash deprecated
+ mvxattr added to recursively rename extended attributes
-------------------------------------------------------------------
Wed Mar 15 11:50:50 UTC 2017 - aaptel@suse.com
- Remove chkconfig requirements for systemd systems
-------------------------------------------------------------------
Mon Mar 13 15:14:58 UTC 2017 - kukuk@suse.com
- Don't call insserv if systemd is used
-------------------------------------------------------------------
Fri Feb 10 23:00:14 CET 2017 - kukuk@suse.de
- Fix check if we need to require insserv
-------------------------------------------------------------------
Thu Feb 9 15:23:21 UTC 2017 - nopower@suse.com
- async_req: make async_connect_send() "reentrant";
(bso#12105); (bsc#1024416).
-------------------------------------------------------------------
Mon Feb 6 18:35:29 UTC 2017 - aaptel@suse.com
- Force usage of ncurses6-config thru NCURSES_CONFIG env var;
(bsc#1023847).
-------------------------------------------------------------------
Thu Jan 26 21:23:06 UTC 2017 - dmulder@suse.com
- add missing patch for libnss_wins segfault; (bsc#995730).
-------------------------------------------------------------------
Wed Jan 25 17:20:31 UTC 2017 - ddiss@suse.com
- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).
-------------------------------------------------------------------
Mon Jan 23 21:44:03 UTC 2017 - dmulder@suse.com
- Document "winbind: ignore domains" parameter; (bsc#1019416).
-------------------------------------------------------------------
Thu Jan 19 19:19:07 UTC 2017 - ddiss@suse.com
- Add base Samba dependency to samba-ceph package.
-------------------------------------------------------------------
Mon Dec 19 19:11:20 UTC 2016 - jmcdonough@suse.com
- Update to 4.5.3
+ Heap-based Buffer Overflow Remote Code Execution Vulnerability;
CVE-2016-2123; (bso#12409); (bsc#1014437).
+ Don't send delegated credentials to all servers; CVE-2016-2125;
(bso#12445); (bsc#1014441).
+ denial of service due to a client triggered crash in the winbindd
parent process; CVE-2016-2126; (bso#12446); (bsc#1014442).
- 4.5.1 and 4.5.2 updates
+ various streams vfs fixes
+ various printing fixes
+ ntlm_auth: do not map explicitly empty domain
+ various stability fixes in smbd
+ match file compression ReFS behavior
-------------------------------------------------------------------
Fri Dec 2 13:15:50 UTC 2016 - nopower@suse.com
- Add missing ldb module directory; (bnc#1012092).
-------------------------------------------------------------------
Thu Nov 17 08:33:07 UTC 2016 - nopower@suse.com
- s3/client: obey 'disable netbios' smb.conf param, don't
connect via NBT port; (bsc#1009085); (bso#12418).
-------------------------------------------------------------------
Mon Sep 26 17:55:13 UTC 2016 - nopower@suse.com
- Include vfstest in samba-test; (bsc#1001203).
-------------------------------------------------------------------
Wed Sep 21 08:55:37 UTC 2016 - nopower@suse.com
- s3/winbindd: using default domain with user@domain.com format
fails; (bsc#997833).
-------------------------------------------------------------------
Tue Sep 20 18:25:21 UTC 2016 - jmcdonough@suse.com
- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).
-------------------------------------------------------------------
Wed Sep 14 09:03:18 UTC 2016 - jmcdonough@suse.com
- Update to 4.5.0
+ NTLM1 Authentication disabled by default
+ SMB2.1 leases enabled by default
+ Support for OFD locks
+ ctdb tool rewritten
+ Added shadow copy snapshot prefix parameter
-------------------------------------------------------------------
Tue Aug 30 09:47:01 UTC 2016 - nopower@suse.com
- Fix illegal memory access after memory has been deleted;
(bso#11836); (bsc#975299).
-------------------------------------------------------------------
Mon Aug 29 10:25:40 UTC 2016 - nopower@suse.com
- Prevent core, make sure response->extra_data.data is always
cleared out; (bsc#993692).
-------------------------------------------------------------------
Mon Aug 15 14:54:14 UTC 2016 - ddiss@suse.com
- Don't package man pages for VFS modules that aren't built;
(boo#993707).
-------------------------------------------------------------------
Sat Aug 13 14:41:26 UTC 2016 - jmcdonough@suse.com
- Fix population of ctdb sysconfig after source merge; (bsc#981566).
-------------------------------------------------------------------
Fri Aug 12 16:22:33 UTC 2016 - ddiss@suse.com
- Enable vfs_ceph builds for Factory (x86-64)
+ Package as samba-ceph to avoid Ceph dependency in base package.
-------------------------------------------------------------------
Thu Jul 7 15:20:14 UTC 2016 - jmcdonough@suse.com
- Update to 4.4.5
+ Prevent client-side SMB2 signing downgrade; CVE-2016-2119;
(bso#11860); (bsc#986869).
-------------------------------------------------------------------
Wed Jun 22 10:49:02 UTC 2016 - jmcdonough@suse.com
- Remove obsolete syslog.target; (bsc#983938).
-------------------------------------------------------------------
Tue Jun 14 17:49:59 UTC 2016 - jmcdonough@suse.com
- Honor smb.conf socket options in winbind; (bsc#975131).
-------------------------------------------------------------------
Thu Jun 9 17:12:14 UTC 2016 - jmcdonough@suse.com
- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).
-------------------------------------------------------------------
Thu Jun 9 12:46:18 UTC 2016 - jmcdonough@suse.com
- Update to 4.4.4
+ SMB3 multichannel: Add implementation of missing channel sequence
number verification; (bso#11809).
+ smbd:close: Only remove kernel share modes if they had been
taken at open; (bso#11919).
+ notifyd: Prevent NULL deref segfault in notifyd_peer_destructor;
(bso#11930).
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796).
+ Fix case sensitivity issues over SMB2 or above; (bso#11438).
+ s3:smbd: Fix anonymous authentication if signing is mandatory.
(bso#11910)
+ Fix NTLM Authentication issue with squid; (bso#11914).
+ pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530).
+ Fix memory leak in share mode locking; (bso#11934).
-------------------------------------------------------------------
Thu May 19 10:06:40 UTC 2016 - jmcdonough@suse.com
- Update to 4.4.3
+ Various post-badlock regressions; (bso#11841); (bso#11850);
(bso#11858); (bso#11870); (bso#11872).
+ Only allow idmap_hash for default idmap config (bso#11786).
+ smbd: Avoid large reads beyond EOF; (bso#11878).
+ vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
is set; (bso#11806).
+ libads: Record session expiry for spnego sasl binds; (bso#11852).
-------------------------------------------------------------------
Tue May 3 13:03:47 UTC 2016 - jmcdonough@suse.com
- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849);
(bsc#975962); (bsc#979268), (bsc#977669).
-------------------------------------------------------------------
Thu Apr 28 22:48:17 UTC 2016 - jmcdonough@suse.com
- Revert shared library packaging to comply with SLPP
-------------------------------------------------------------------
Sat Apr 9 21:36:02 UTC 2016 - jmcdonough@suse.com
- Update to 4.4.2
+ A man-in-the-middle can downgrade NTLMSSP authentication;
CVE-2016-2110; (bso#11688); (bsc#973031).
+ Domain controller netlogon member computer can be spoofed;
CVE-2016-2111; (bso#11749); (bsc#973032).
+ LDAP conenctions vulnerable to downgrade and MITM attack;
CVE-2016-2112; (bso#11644); (bsc#973033).
+ TLS certificate validation missing; CVE-2016-2113; (bso#11752);
(bsc#973034).
+ Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115;
(bso#11756); (bsc#973036).
+ "Badlock" DCERPC impersonation of authenticated account possible;
CVE-2016-2118; (bso#11804); (bsc#971965).
+ DCERPC server and client vulnerable to DOS and MITM attacks;
CVE-2015-5370; (bso#11344); (bsc#936862).
-------------------------------------------------------------------
Fri Apr 8 10:23:22 UTC 2016 - nopower@suse.com
- Fix samba.tests.messaging test and prevent potential tdb corruption
by removing obsolete now invalid tdb_close call; (bsc#974629).
-------------------------------------------------------------------
Tue Mar 22 17:36:01 UTC 2016 - lmuelle@suse.com
- Obsolete libsmbclient from libsmbclient0 while not providing it;
(bsc#972197).
-------------------------------------------------------------------
Tue Mar 22 14:00:05 UTC 2016 - lmuelle@suse.com
- Update to 4.4.0.
+ Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686);
CVE-2016-0771.
+ Getting and setting Windows ACLs on symlinks can change permissions on link
target; (bso#11648); CVE-2015-7560.
+ Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543.
+ s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem
with no ACL support; (bso#10489).
+ docs: Add example for domain logins to smbspool man page; (bso#11643).
+ smbd: Show correct disk size for different quota and dfree block sizes;
(bso#11681).
+ docs: Add smbspool_krb5_wrapper manpage; (bso#11690).
+ winbindd: Return trust parameters when listing trusts; (bso#11691).
+ ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696).
+ Crypto.Cipher.ARC4 is not available on some platforms, fallback to
M2Crypto.RC4.RC4 then; (bso#11699).
+ s3:utils/smbget: Set default blocksize; (bso#11700).
+ Streamline 'smbget' options with the rest of the Samba utils; (bso#11700).
+ s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702).
+ s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
+ loadparm: Fix memory leak issue; (bso#11708).
+ lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
+ s3:vfs:glusterfs: Fix build after quota changes; (bso#11715).
+ ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
+ lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723).
+ smbd: Fix CID 1351215 Improper use of negative value; (bso#11724).
+ smbd: Fix CID 1351216 Dereference null return value; (bso#11725).
+ s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new
file; (bso#11727).
+ docs: Add manpage for cifsdd; (bso#11730).
+ param: Fix str_list_v3 to accept ; again; (bso#11732).
+ lib/socket: Fix improper use of default interface speed; (bso#11734).
+ lib:socket: Fix CID 1350009: Fix illegal memory accesses
(BUFFER_SIZE_WARNING); (bso#11735).
+ libcli: Fix debug message, print sid string for new_ace trustee;
(bso#11738).
+ Fix installation path of Samba helper binaries; (bso#11739).
+ Fix memory leak in loadparm; (bso#11740).
+ tevent: version 0.9.28: Fix memory leak when old signal action restored;
(bso#11742).
+ smbd: Ignore SVHDX create context; (bso#11753).
+ Fix net join; (bso#11755).
+ s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add;
(bso#11755).
+ passdb: Add linefeed to debug message; (bso#11763).
+ s3:utils/smbget: Fix option parsing; (bso#11767).
+ libnet: Make Kerberos domain join site-aware; (bso#11769).
+ Reset TCP Connections during IP failover; (bso#11770).
+ ldb: Version 1.1.26; (bso#11772).
+ s3:smbd: Add negprot remote arch detection for OSX; (bso#11773).
+ vfs_glusterfs: Fix use after free in AIO callback; (bso#11774).
+ mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780).
+ "trustdom_list_done: Got invalid trustdom response" message should be
avoided; (bso#11782).
+ Mismatch between local and remote attribute ids lets replication fail with
custom schema; (bso#11783).
+ Quota is not supported on Solaris 10; (bso#11788).
+ Talloc: Version 2.1.6; (bso#11789).
+ smbd: Enable multi-channel if 'server multi channel support = yes' in the
config; (bso#11796).
+ build: Fix build when '--without-quota' specified; (bso#11798).
+ lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802).
+ Access based share enum: handle permission set in configuration files;
(bso#8093).
+ See also WHATSNEW.txt from the samba-doc package.
-------------------------------------------------------------------
Sun Mar 6 16:23:02 UTC 2016 - jmcdonough@suse.com
- Update to 4.3.6.
+ Getting and setting Windows ACLs on symlinks can change permissions on link
target; CVE-2015-7560; (bso#11648); (bsc#968222).
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771;
(bso#11128); (bso#11686); (bsc#968223).
-------------------------------------------------------------------
Thu Mar 3 11:37:35 UTC 2016 - nopower@suse.com
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
-------------------------------------------------------------------
Tue Mar 1 18:03:17 UTC 2016 - lmuelle@suse.com
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
-------------------------------------------------------------------
Tue Mar 1 17:28:09 UTC 2016 - lmuelle@suse.com
- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).
-------------------------------------------------------------------
Thu Feb 25 10:16:06 UTC 2016 - lmuelle@suse.com
- Obsolete no longer existing samba-32bit package; (bsc#967625).
-------------------------------------------------------------------
Tue Feb 23 09:47:53 UTC 2016 - lmuelle@suse.com
- Update to 4.3.5.
+ s3:utils/smbget: Fix recursive download; (bso#6482).
+ s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi
with no ACL support; (bso#10489).
+ s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks;
(bso#11400).
+ vfs_shadow_copy2: Fix case where snapshots are outside the share;
(bso#11580).
+ smbclient: Query disk usage relative to current directory; (bso#11662).
+ winbindd: Handle expired sessions correctly; (bso#11670).
+ smbd: Show correct disk size for different quota and dfree block sizes;
(bso#11681).
+ smbcacls: Fix uninitialized variable; (bso#11682).
+ s3:smbd: Ignore initial allocation size for directory creation;
(bso#11684).
+ s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
+ s3-parm: Clean up defaults when removing global parameters; (bso#11693).
+ Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699).
+ s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
+ ctdb: Remove error messages after kernel security update; CVE-2015-8543;
(bso#11705).
+ loadparm: Fix memory leak issue; (bso#11708).
+ lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
+ ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...";
(bso#11719).
+ s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new
file; (bso#11727).
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).
-------------------------------------------------------------------
Mon Feb 22 16:16:32 UTC 2016 - lmuelle@suse.com
- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).
-------------------------------------------------------------------
Wed Feb 17 17:44:10 UTC 2016 - lmuelle@suse.com
- Simplify shared library packaging; (bsc#966956).
-------------------------------------------------------------------
Sun Feb 14 18:41:34 UTC 2016 - lmuelle@suse.com
- Enable clustering (CTDB) support; (bsc#966271).
-------------------------------------------------------------------
Fri Feb 12 17:41:03 UTC 2016 - lmuelle@suse.com
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703);
(bsc#964023).
-------------------------------------------------------------------
Fri Jan 15 21:58:31 UTC 2016 - lmuelle@suse.com
- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).
-------------------------------------------------------------------
Wed Jan 13 21:25:05 UTC 2016 - lmuelle@suse.com
- Remove autoconf build-time requirement.
-------------------------------------------------------------------
Wed Jan 13 10:23:56 UTC 2016 - lmuelle@suse.com
- Update to 4.3.4.
+ vfs_fruit: Enable POSIX directory rename semantics; (bso#11065).
+ Crash: Bad talloc magic value - access after free; (bso#11394).
+ Copying files with vfs_fruit fails when using vfs_streams_xattr without
stream prefix and type suffix; (bso#11466).
+ samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given;
(bso#11613).
+ Fix a typo in the smb.conf manpage, explanation of idmap config;
(bso#11619).
+ Correctly initialize the list head when keeping a list of primary followed
by DFS connections; (bso#11624).
+ Reduce the memory footprint of empty string options; (bso#11625).
+ lib/async_req: Do not install async_connect_send_test; (bso#11639).
+ Fix typos in man vfs_gpfs; (bso#11641).
+ Make "hide dot files" option work with "store dos attributes = yes";
(bso#11645).
+ Fix a corner case of the symlink verification; (bso#11647); (bnc#960249).
+ Do not disable "store dos attributes" on-the-fly; (bso#11649).
+ Update lastLogon and lastLogonTimestamp; (bso#11659).
-------------------------------------------------------------------
Mon Jan 11 19:16:46 UTC 2016 - lmuelle@suse.com
- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).
-------------------------------------------------------------------
Fri Dec 11 16:49:16 UTC 2015 - lmuelle@suse.com
- Update to 4.3.3.
+ Malicious request can cause Samba LDAP server to hang, spinning using CPU;
CVE-2015-3223; (bso#11325); (bnc#958581).
+ Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599);
(bnc#958586).
+ Insufficient symlink verification (file access outside the share);
CVE-2015-5252; (bso#11395); (bnc#958582).
+ No man in the middle protection when forcing smb encryption on the client
side; CVE-2015-5296; (bso#11536); (bnc#958584).
+ Currently the snapshot browsing is not secure thru windows previous version
(shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583).
+ Fix Microsoft MS15-096 to prevent machine accounts from being changed into
user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).
-------------------------------------------------------------------
Tue Dec 1 16:48:13 UTC 2015 - lmuelle@suse.com
- Update to 4.3.2.
+ vfs_gpfs: Re-enable share modes; (bso#11243).
+ dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327).
+ s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute
type of zero; (bso#11452).
+ Add libreplace dependency to texpect, fixes a linking error on Solaris;
(bso#11511).
+ s4: Fix linking of 'smbtorture' on Solaris; (bso#11512).
+ s4:lib/messaging: Use correct path for names.tdb; (bso#11562).
+ Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins;
(bso#11563).
+ async_req: Fix non-blocking connect(); (bso#11564).
+ auth: gensec: Fix a memory leak; (bso#11565).
+ lib: util: Make non-critical message a warning; (bso#11566).
+ Fix winbindd crashes with samlogon for trusted domain user; (bso#11569);
(bnc#949022).
+ smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
+ ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
+ s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer;
(bso#11581).
+ s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581).
+ manpage: Correct small typo error; (bso#11584).
+ s3: smbd: If EAs are turned off on a share don't allow an SMB2 create
containing them; (bso#11589).
+ Backport some valgrind fixes from upstream master; (bso#11597).
+ auth: Consistent handling of well-known alias as primary gid; (bso#11608).
+ winbind: Fix crash on invalid idmap configs; (bso#11612).
+ s3: smbd: have_file_open_below() fails to enumerate open files below an
open directory handle; (bso#11615).
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).
-------------------------------------------------------------------
Mon Nov 16 16:27:49 UTC 2015 - nopower@suse.com
- Ensure samlogon fallback requests are rerouted after kerberos failure;
(bnc#953382); (bnc#953972).
-------------------------------------------------------------------
Sat Nov 14 18:31:04 UTC 2015 - lmuelle@suse.com
- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0.
- Always use the default optimization even on pre-9.2 systems.
-------------------------------------------------------------------
Sat Nov 14 18:10:01 UTC 2015 - lmuelle@suse.com
- Remove redundant configure options while adding with-relro.
-------------------------------------------------------------------
Sat Nov 14 17:44:24 UTC 2015 - lmuelle@suse.com
- Relocate the lockdir to the /var/lib/samba/lock directory.
-------------------------------------------------------------------
Sat Nov 14 16:59:09 UTC 2015 - lmuelle@suse.com
- Cleanup and enhance the pidl sub package.
-------------------------------------------------------------------
Thu Oct 22 22:09:19 UTC 2015 - lmuelle@suse.com
- Require renamed python-ldb-devel and python-talloc-devel at build-time.
- Requires python-ldb and python-talloc from the python subpackage.
-------------------------------------------------------------------
Wed Oct 21 10:51:58 UTC 2015 - lmuelle@suse.com
- Update to 4.3.1.
+ s3: smbd: Fix our access-based enumeration on "hide unreadable" to match
Windows; (bso#10252).
+ nss_winbind: Fix hang on Solaris on big groups; (bso#10365).
+ smbd: Fix file name buflen and padding in notify repsonse; (bso#10634).
+ kerberos: Make sure we only use prompter type when available;
winbind: Fix 100% loop; (bso#11038).
+ source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053).
+ s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket;
(bso#11316).
+ s3: smbd: Fix mkdir race condition; (bso#11486).
+ pam_winbind: Fix a segfault if initialization fails; (bso#11502).
+ s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509).
+ s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related
subdirs; (bso#11515).
+ s3: smbd: Fix opening/creating :stream files on the root share directory;
(bso#11522).
+ lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526).
+ net: Fix a crash with 'net ads keytab create'; (bso#11528).
+ s3: smbd: Fix a crash in unix_convert(); (bso#11535).
+ s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix
(bso#11522); (bso#11535).
+ vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543).
+ vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547).
+ s3:locking: Initialize lease pointer in share_mode_traverse_fn();
(bso#11549).
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550).
+ s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555).
+ s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names
is incorrect; (bso#11555).
-------------------------------------------------------------------
Fri Oct 16 11:39:35 UTC 2015 - lmuelle@suse.com
- Fix 100% CPU in winbindd when logging in with "user must change password on
next logon"; (bso#11038).
-------------------------------------------------------------------
Fri Sep 25 15:23:47 UTC 2015 - lmuelle@suse.com
- Relocate the tmpfiles.d directory to the client package; (bnc#947552).
-------------------------------------------------------------------
Tue Sep 22 13:13:02 UTC 2015 - lmuelle@suse.com
- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf
instead; (bnc#942716).
-------------------------------------------------------------------
Wed Sep 16 13:06:36 UTC 2015 - lmuelle@suse.com
- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).
-------------------------------------------------------------------
Fri Sep 11 15:53:45 UTC 2015 - lmuelle@suse.com
- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).
-------------------------------------------------------------------
Wed Sep 9 10:57:52 UTC 2015 - lmuelle@suse.com
- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15
systems; (bnc#945013).
-------------------------------------------------------------------
Tue Sep 8 16:40:50 UTC 2015 - lmuelle@suse.com
- Update to 4.3.0.
+ Samba "map to guest = Bad uid" doesn't work; (bso#9862).
+ revert LDAP extended rule 1.2.840.113556.1.4.1941
LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493).
+ No objectClass found in replPropertyMetaData on ordinary objects
(non-deleted); (bso#10973).
+ Stream names with colon don't work with fruit:encoding = native;
(bso#11278).
+ NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291).
+ tevent_fd needs to be destroyed before closing the fd; (bso#11316).
+ "force group" with local group not working; (bso#11320).
+ strsep is not available on Solaris; (bso#11359).
+ smbtorture does not build when configured --with-system-mitkrb5;
(bso#11411).
+ Build with GPFS support is broken; (bso#11421).
+ Build broken with --disable-python; (bso#11424).
+ net share allowedusers crashes; (bso#11426).
+ nmbd incorrectly matches netbios names as own name; (bso#11427).
+ Python bindings don't check integer types; (bso#11429).
+ Python bindings don't check array sizes; (bso#11430).
+ CTDB's eventscript error handling is broken; (bso#11431).
+ Fix crash in nested ctdb banning; (bso#11432).
+ Cannot build ctdbpmda; (bso#11434).
+ samba-tool uncaught exception error; (bso#11436).
+ Crash in notify_remove caused by change notify = no; (bso#11444).
+ Poor SMB3 encryption performance with AES-GCM; (bso#11451).
+ Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451).
+ fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455).
+ --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and
install; (bso#11458).
+ xid2sid gives inconsistent results; (bso#11464).
+ ctdb: Fix the build on FreeBSD 10.1; (bso#11465).
+ Handling of 0 byte resource fork stream; (bso#11467).
+ AD samr GetGroupsForUser fails for users with "()" in their name;
(bso#11488).
-------------------------------------------------------------------
Mon Aug 31 22:34:57 UTC 2015 - lmuelle@suse.com
- Configure with --bundled-libraries=NONE; (bso#11458).
-------------------------------------------------------------------
Fri Aug 7 12:21:57 UTC 2015 - lmuelle@suse.com
- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).
-------------------------------------------------------------------
Fri Jul 17 14:11:21 UTC 2015 - lmuelle@suse.com
- Remove libiniparser-devel build-time requirement.
-------------------------------------------------------------------
Tue Jul 14 11:33:07 UTC 2015 - lmuelle@suse.com
- Update to 4.2.3.
+ s4:lib/tls: Fix build with gnutls 3.4; (bso#8780).
+ s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924).
+ winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991).
+ Logon via MS Remote Desktop hangs; (bso#11061).
+ s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068).
+ tevent: Add a note to tevent_add_fd(); (bso#11141).
+ s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170).
+ s3-unix_msg: Remove socket file after closing socket fd; (bso#11217).
+ smbd: Fix a use-after-free; (bso#11218); (bnc#919309).
+ s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces;
(bso#11245).
+ s3:smb2: Add padding to last command in compound requests; (bso#11277).
+ Add IPv6 support to ADS client side LDAP connects; (bso#11281).
+ Add IPv6 support for determining FQDN during ADS join; (bso#11282).
+ s3: IPv6 enabled DNS connections for ADS client; (bso#11283).
+ Fix invalid write in ctdb_lock_context_destructor; (bso#11293).
+ Excessive cli_resolve_path() usage can slow down transmission; (bso#11295).
+ vfs_fruit: Add option "veto_appledouble"; (bso#11305).
+ tstream: Make socketpair nonblocking; (bso#11312).
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313).
+ Group creation: Add msSFU30Name only when --nis-domain was given;
(bso#11315).
+ tevent_fd needs to be destroyed before closing the fd; (bso#11316).
+ Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared";
(bso#11319).
+ smbd/trans2: Add a useful diagnostic for files with bad encoding;
(bso#11323).
+ Change sharesec output back to previous format; (bso#11324).
+ Robust mutex support broken in 1.3.5; (bso#11326).
+ Kerberos auth info3 should contain resource group ids available from
pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info
exists in PAC; (bso#11328); (bnc#912457).
+ s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329).
+ tevent: Fix CID 1035381 Unchecked return value; (bso#11330).
+ tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331).
+ s3: smbd: Use separate flag to track become_root()/unbecome_root() state;
(bso#11339).
+ s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342).
+ pidl: Make the compilation of PIDL producing the same results if the
content hasn't change; (bso#11356).
+ winbindd: Disconnect child process if request is cancelled at main
process; (bso#11358).
+ vfs_fruit: Check offset and length for AFP_AfpInfo read requests;
(bso#11363).
+ docs: Overhaul the description of "smb encrypt" to include SMB3
encryption; (bso#11366).
+ s3:auth_domain: Fix talloc problem in connect_to_domain_password_server();
(bso#11367).
+ ncacn_http: Fix GNUism; (bso#11371).
-------------------------------------------------------------------
Sun Jul 5 10:54:29 UTC 2015 - tchvatal@suse.com
- Disable rpath usage; (bnc#902421).
-------------------------------------------------------------------
Fri Jul 3 15:06:57 UTC 2015 - lmuelle@suse.com
- Make the winbind package depend on the matching libwbclient version and
vice versa; (bnc#936909).
-------------------------------------------------------------------
Tue Jun 16 14:27:28 UTC 2015 - nopower@suse.com
- Backport changes to use resource group sids obtained from pac logon_info;
(bso#11328); (bnc#912457).
-------------------------------------------------------------------
Sat Jun 6 03:41:17 UTC 2015 - crrodriguez@opensuse.org
- Order winbind.service Before and Want nss-user-lookup target.
-------------------------------------------------------------------
Fri Jun 5 16:12:47 UTC 2015 - lmuelle@suse.com
- Remove fam-devel build-time dependency for post-6 RHEL systems.
-------------------------------------------------------------------
Fri May 29 12:23:07 UTC 2015 - lmuelle@suse.com
- Update to 4.2.2.
+ s3:smbXsrv: refactor duplicate code into
smbXsrv_session_clear_and_logoff(); (bso#11182).
+ gencache: don't fail gencache_stabilize if there were records to delete;
(bso#11260).
+ s3: libsmbclient: After getting attribute server, ensure main srv pointer
is still valid; (bso#11186).
+ s4: rpc: Refactor dcesrv_alter() function into setup and send steps;
(bso#11236).
+ s3: smbd: Incorrect file size returned in the response of
"FILE_SUPERSEDE Create"; (bso#11240).
+ Mangled names do not work with acl_xattr; (bso#11249).
+ nmbd rewrites browse.dat when not required; (bso#11254).
+ vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff;
(bso#11213).
+ s3:smbd: Add missing tevent_req_nterror; (bso#11224).
+ vfs: kernel_flock and named streams; (bso#11243).
+ vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244).
+ s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses
are used; (bso#11284).
+ ctdb: check for talloc_asprintf() failure; (bso#11201).
+ spoolss: purge the printer name cache on name change; (bso#11210);
(bnc#901813).
+ CTDB statd-callout does not scale; (bso#11204).
+ vfs_fruit: also map characters below 0x20; (bso#11221).
+ ctdb: Coverity fix for CID 1291643; (bso#11201).
+ Multiplexed RPC connections are not handled by DCERPC server; (bso#11225).
+ Fix terminate connection behavior for asynchronous endpoint with PUSH
notification flavors; (bso#11226).
+ ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007).
+ ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201).
+ SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the
directory is deleted; (bso#11257).
+ s3:winbindd: make sure we remove pending io requests before closing client
sockets; (bso#11141); (bnc#931854).
+ Fix panic triggered by smbd_smb2_request_notify_done() ->
smbXsrv_session_find_channel() in smbd; (bso#11182).
+ 'sharesec' output no longer matches input format; (bso#11237).
+ waf: Fix systemd detection; (bso#11200).
+ CTDB: Fix portability issues; (bso#11202).
+ CTDB: Fix some IPv6-related issues; (bso#11203).
+ CTDB statd-callout does not scale; (bso#11204).
+ 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you
enter invalid values; (bso#11234).
+ libads: record service ticket endtime for sealed ldap connections;
(bso#11267).
+ lib/util: Include DEBUG macro in internal header files before samba_util.h;
(bso#11033).
-------------------------------------------------------------------
Fri May 22 09:49:01 UTC 2015 - lmuelle@suse.com
- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).
-------------------------------------------------------------------
Wed May 13 16:10:00 UTC 2015 - lmuelle@suse.com
- Remove the independently built libraries ldb, talloc, tdn, and tevent and
the post-10.3 renamed libsmbclient from baselibs.conf.
-------------------------------------------------------------------
Wed May 6 17:09:36 UTC 2015 - lmuelle@suse.com
- Drop redundant doc attribute from man pages.
-------------------------------------------------------------------
Thu Apr 16 11:32:55 UTC 2015 - lmuelle@suse.com
- Update to 4.2.1.
+ s3:winbind:grent: Don't stop group enumeration when a group has no gid;
(bso#8905).
+ Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791).
+ s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with
servers that don't send the 2 unused fields; (bso#10016).
+ build:wafadmin: Fix use of spaces instead of tabs; (bso#10476).
+ waf: Fix the build on openbsd; (bso#10476).
+ s3: client: "client use spnego principal = yes" code checks wrong name;
(bso#10888).
+ spoolss: Retrieve published printer GUID if not in registry; (bso#11018).
+ s3: lib: libsmbclient: If reusing a server struct, check every cli->timout
miliseconds if it's still valid before use; (bso#11079).
+ vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125).
+ backupkey: Explicitly link to gnutls and gcrypt; (bso#11135).
+ replace: Remove superfluous check for gcrypt header; (bso#11135).
+ Backport subunit changes; (bso#11137).
+ libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with
implementation; (bso#11140).
+ s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143).
+ talloc: Version 2.1.2; (bso#11144).
+ Update libwbclient version to 0.12; (bso#11149).
+ brlock: Use 0 instead of empty initializer list; (bso#11153).
+ s4:auth/gensec_gssapi: Let gensec_gssapi_update() return
NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164).
+ docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169);
(bnc#913304).
+ s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev
fails in the SMB1 case; (bso#11173).
+ backupkey: Use ndr_pull_struct_blob_all(); (bso#11174).
+ Fix lots of winbindd zombie processes on Solaris platform; (bso#11175).
+ s3: libsmbclient: Add missing talloc stackframe; (bso#11177).
+ s4-process_model: Do not close random fds while forking; (bso#11180).
+ s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).
-------------------------------------------------------------------
Thu Apr 16 10:20:52 UTC 2015 - lmuelle@suse.com
- Prevent samba package updates from disabling samba kerberos printing.
-------------------------------------------------------------------
Thu Apr 9 12:02:25 UTC 2015 - noel.power@suse.com
- Add sparse file support for samba; (fate#318424).
-------------------------------------------------------------------
Tue Mar 31 23:21:12 UTC 2015 - ddiss@suse.com
- Purge printer name cache on spoolss SetPrinter change; (bso#11210);
(bnc#901813).
-------------------------------------------------------------------
Fri Mar 20 13:21:43 UTC 2015 - ddiss@suse.com
- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).
-------------------------------------------------------------------
Wed Mar 18 17:57:50 UTC 2015 - lmuelle@suse.com
- Simplify libxslt build requirement and README.SUSE install.
- Remove no longer required cleanup steps while populating the build root.
-------------------------------------------------------------------
Tue Mar 17 15:21:58 UTC 2015 - ddiss@suse.com
- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169);
(bnc#913304).
-------------------------------------------------------------------
Thu Mar 5 10:35:21 UTC 2015 - lmuelle@suse.com
- Update to 4.2.0.
+ smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115).
+ pam_winbind: fix warn_pwd_expire implementation; (bso#9056).
+ nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
+ Make 'profiles' work again; (bso#9629).
+ s3:smb2_server: protect against integer wrap with
"smb2 max credits = 65535"; (bso#9702).
+ Make validate_ldb of String(Generalized-Time) accept millisecond format
".000Z"; (bso#9810).
+ Use -R linker flag on Solaris, not -rpath; (bso#10112).
+ vfs: Add glusterfs manpage; (bso#10240).
+ Make 'smbclient' use cached creds; (bso#10279).
+ pdb: Fix build issues with shared modules; (bso#10355).
+ s4-dns: Add support for BIND 9.10; (bso#10620).
+ idmap: Return the correct id type to *id_to_sid methods; (bso#10720).
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808).
+ Don't build vfs_snapper on FreeBSD; (bso#10834).
+ nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
+ idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
+ s3: smb2cli: query info return length check was reversed; (bso#10848).
+ s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849).
+ lib: uid_wrapper: Fix setgroups and syscall detection on a system without
native uid_wrapper library; (bso#10851).
+ winbind3: Fix pwent variable substitution; (bso#10852).
+ Improve samba-regedit; (bso#10859).
+ registry: Don't leave dangling transactions; (bso#10860).
+ Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861).
+ build: Do not install 'texpect' binary anymore; (bso#10862).
+ Fix testparm to show hidden share defaults; (bso#10864).
+ libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1
max=PROTOCOL_SMB2_02; (bso#10866).
+ Integrate CTDB into top-level Samba build; (bso#10892).
+ samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895).
+ s3-nmbd: Fix netbios name truncation; (bso#10896).
+ spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
+ Fix smbclient loops doing a directory listing against Mac OS X 10 server
with a non-wildcard path; (bso#10904).
+ Fix print job enumeration; (bso#10905); (bnc#898031).
+ samba-tool: Create NIS enabled users and unixHomeDirectory attribute;
(bso#10909).
+ Add support for SMB2 leases; (bso#10911).
+ btrfs: Don't leak opened directory handle; (bso#10918).
+ s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
+ s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
+ pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
+ s3-keytab: fix keytab array NULL termination; (bso#10933).
+ s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940).
+ Cleanup add_string_to_array and usage; (bso#10942).
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942).
+ Fix RootDSE search with extended dn control; (bso#10949).
+ Fix 'samba-tool dns serverinfo <server>' for IPv6; (bso#10952).
+ libcli/smb: only force signing of smb2 session setups when binding a new
session; (bso#10958).
+ s3-smbclient: Return success if we listed the shares; (bso#10960).
+ s3-smbstatus: Fix exit code of profile output; (bso#10961).
+ socket_wrapper: Add missing prototype check for eventfd; (bso#10965).
+ libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows
client does; (bso#10966).
+ vfs_streams_xattr: Check stream type; (bso#10971).
+ s3: smbd: Fix *allocate* calls to follow POSIX error return convention;
(bso#10982).
+ vfs_fruit: Add support for AAPL; (bso#10983).
+ Fix spoolss IDL response marshalling when returning error without clearing
info; (bso#10984).
+ dsdb-samldb: Check for extended access rights before we allow changes to
userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
+ Fix IPv6 support in CTDB; (bso#10996).
+ ctdb-daemon: Use correct tdb flags when enabling robust mutex support;
(bso#11000).
+ vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005).
+ s3-util: Fix authentication with long hostnames; (bso#11008).
+ ctdb-build: Fix build without xsltproc; (bso#11014).
+ packaging: Include CTDB man pages in the tarball; (bso#11014).
+ pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords;
(bso#11016).
+ Make Sharepoint search show user documents; (bso#11022).
+ nss_wrapper: check for nss.h; (bso#11026).
+ Enable mutexes in gencache_notrans.tdb; (bso#11032).
+ tdb_wrap: Make mutexes easier to use; (bso#11032).
+ lib/util: Avoid collision which alread defined consumer DEBUG macro;
(bso#11033).
+ winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034).
+ s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037).
+ vfs_fruit: Fix base_fsp name conversion; (bso#11039).
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040).
+ Fix authentication using Kerberos (not AD); (bso#11044).
+ net: Fix sam addgroupmem; (bso#11051).
+ vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055);
(bnc#913238).
+ cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058).
+ utils: Fix 'net time' segfault; (bso#11058).
+ libsmb: Provide authinfo domain for encrypted session referrals;
(bso#11059).
+ s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066).
+ vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069).
+ vfs/glusterfs: Change xattr key to match gluster key; (bso#11069).
+ vfs_glusterfs: Implement AIO support; (bso#11069).
+ s3-vfs: Fix developer build of vfs_ceph module; (bso#11070).
+ s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer;
(bso#11077); CVE-2015-0240; (bnc#917376).
+ vfs: Add a brief vfs_ceph manpage; (bso#11088).
+ s3: smbclient: Allinfo leaves the file handle open; (bso#11094).
+ Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain;
(bso#11097).
+ debug: Set close-on-exec for the main log file FD; (bso#11100).
+ s3: smbd: leases - losen paranoia check. Stat opens can grant leases;
(bso#11102).
+ s3: smbd: SMB2 close. If a file has delete on close, store the return info
before deleting; (bso#11104).
+ doc:man:vfs_glusterfs: improve the configuration section; (bso#11117).
+ snprintf: Try to support %j; (bso#11119).
+ ctdb-io: Do not use sys_write to write to client sockets; (bso#11124).
+ doc-xml: Add 'sharesec' reference to 'access based share enum';
(bso#11127).
-------------------------------------------------------------------
Sun Mar 1 13:32:41 UTC 2015 - lmuelle@suse.com
- Update to 4.2.0rc5.
+ Ensure we don't call talloc_free on an uninitialized pointer;
CVE-2015-0240; (bso#11077); (bnc#917376).
-------------------------------------------------------------------
Tue Feb 24 16:52:36 UTC 2015 - nopower@suse.com
- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).
-------------------------------------------------------------------
Tue Feb 24 16:23:16 UTC 2015 - ddiss@suse.com
- Fix tdb_store_flag_to_ntdb() gcc5 build failure.
-------------------------------------------------------------------
Thu Jan 22 14:03:52 UTC 2015 - ddiss@suse.com
- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).
-------------------------------------------------------------------
Thu Jan 22 12:40:18 UTC 2015 - lmuelle@suse.com
- Update to 4.1.16.
+ dsdb-samldb: Check for extended access rights before we allow changes to
userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
-------------------------------------------------------------------
Tue Jan 20 11:33:34 UTC 2015 - lmuelle@suse.com
- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.
-------------------------------------------------------------------
Mon Jan 19 17:15:19 UTC 2015 - ddiss@suse.com
- Fix libsmbclient DFS referral handling.
+ Reuse connections derived from DFS referrals; (bso#10123); (fate#316512).
+ Set domain/workgroup based on authentication callback value; (bso#11059).
-------------------------------------------------------------------
Mon Jan 19 12:33:21 UTC 2015 - lmuelle@suse.com
- Update to 4.2.0rc4.
- Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and
libhttp to the libs package; (boo#913547).
- Rename libpdb packages to libsamba-passdb.
- Drop libsmbsharemodes packages.
-------------------------------------------------------------------
Tue Jan 13 13:28:31 UTC 2015 - mpluskal@suse.com
- Enable avahi support on post-12.2 systems.
-------------------------------------------------------------------
Tue Jan 13 13:01:11 UTC 2015 - lmuelle@suse.com
- Update to 4.1.15.
+ pam_winbind: Fix warn_pwd_expire implementation; (bso#9056).
+ nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
+ Fix profiles tool; (bso#9629).
+ s3-lib: Do not require a password with --use-ccache; (bso#10279).
+ s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control;
(bso#10949).
+ s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952).
+ s3:smb2_server: Allow reauthentication without signing; (bso#10958).
+ s3-smbclient: Return success if we listed the shares; (bso#10960).
+ s3-smbstatus: Fix exit code of profile output; (bso#10961).
+ libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows
client does; (bso#10966).
+ s3: smbd/modules: Fix *allocate* calls to follow POSIX error return
convention; (bso#10982).
+ Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute
'supported_extensions'; (bso#11006).
+ idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo;
(bso#11006).
+ winbind: Retry LogonControl RPC in ping-dc after session expiration;
(bso#11034).
-------------------------------------------------------------------
Tue Jan 6 10:33:44 CET 2015 - nopower@suse.de
- yast2-samba-client should be able to specify osName and osVer on
AD domain join; (bnc#873922).
-------------------------------------------------------------------
Mon Dec 8 12:01:35 UTC 2014 - ddiss@suse.com
- Lookup FSRVP share snums at runtime rather than storing them persistently;
(bnc#908627).
-------------------------------------------------------------------
Fri Dec 5 13:12:47 UTC 2014 - ddiss@suse.com
- Specify soft dependency for network-online.target in Winbind systemd service
file; (bnc#889175).
-------------------------------------------------------------------
Thu Dec 4 19:08:11 UTC 2014 - ddiss@suse.com
- Fix spoolss error response marshalling; (bso#10984).
-------------------------------------------------------------------
Tue Dec 2 10:19:26 UTC 2014 - lmuelle@suse.de
- Update to 4.1.14.
+ pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/
Tools/perl.py back to upstream state; (bso#10472).
+ s4-dns: Add support for BIND 9.10; (bso#10620).
+ nmbd fails to accept "--piddir" option; (bso#10711).
+ nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
+ S3: source3/smbd/process.c::srv_send_smb() returns true on the error path;
(bso#10880).
+ vfs_glusterfs: Remove "integer fd" code and store the glfs pointers;
(bso#10889).
+ s3-nmbd: Fix netbios name truncation; (bso#10896).
+ spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
+ s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set
STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904).
+ spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
+ s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
+ s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
+ pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
+ s3-keytab: Fix keytab array NULL termination; (bso#10933).
+ Cleanup add_string_to_array and usage; (bso#10942).
-------------------------------------------------------------------
Fri Nov 28 15:57:23 CET 2014 - nopower@suse.de
- Remove and cleanup shares and registry state associated with
externally deleted snaphots exposed as shadow copies; (bnc#876312).
-------------------------------------------------------------------
Thu Nov 6 13:41:46 UTC 2014 - lmuelle@suse.com
- Use the upstream tar ball, as signature verification is now able to handle
compressed archives.
-------------------------------------------------------------------
Wed Nov 5 13:02:57 CET 2014 - nopower@suse.de
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
-------------------------------------------------------------------
Thu Oct 30 10:29:04 UTC 2014 - ddiss@suse.com
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
+ Fix handling of bad EnumJobs levels; (bso#10898).
-------------------------------------------------------------------
Tue Oct 28 16:13:45 UTC 2014 - lmuelle@suse.com
- Remove dependency on gpg-offline as signature checking is implemented in the
source validator.
-------------------------------------------------------------------
Sat Oct 25 13:47:41 UTC 2014 - lmuelle@suse.com
- Update to 4.1.13.
+ s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
+ s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
+ s3-libads: Add all machine account principals to the keytab; (bso#9985).
+ s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to
be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
+ Fix unstrcpy; (bso#10735).
+ pthreadpool: Slightly serialize jobs; (bso#10779).
+ s3: smbd: streams - Ensure share mode validation ignores internal opens
(op_mid == 0); (bso#10797).
+ s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
+ vfs_media_harmony: Fix a crash bug; (bso#10813).
+ docs: Mention incompatibility between kernel oplocks and streams_xattr;
(bso#10814).
+ nmbd: Send waiting status to systemd; (bso#10816).
+ libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL;
(bso#10817).
+ nsswitch: Skip groups we were not able to map; (bso#10824).
+ s3-winbindd: Use correct realm for trusted domains in idmap child;
(bso#10826).
+ s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
+ s3: lib: Signal handling - ensure smbrun and change password code save and
restore existing SIGCHLD handlers; (bso#10831).
+ idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
+ s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call;
(bso#10838).
+ s3: smb2cli: Query info return length check was reversed; (bso#10848).
+ registry: Don't leave dangling transactions; (bso#10860).
-------------------------------------------------------------------
Wed Oct 15 10:11:49 UTC 2014 - lmuelle@suse.com
- Update to 4.2.0rc2.
-------------------------------------------------------------------
Wed Oct 8 18:22:21 UTC 2014 - ddiss@suse.com
- Rebase File Server Remote VSS Protocol (FSRVP) server against 4.2.0rc1;
(fate#313346).
-------------------------------------------------------------------
Wed Oct 8 10:13:03 CEST 2014 - nopower@suse.de
- Backport upstream master fixes for samba-regedit; (bnc#896536).
-------------------------------------------------------------------
Tue Oct 7 12:50:21 UTC 2014 - lmuelle@suse.com
- BuildRequire python-xml on SUSE systems only.
-------------------------------------------------------------------
Sun Oct 5 19:25:20 UTC 2014 - lmuelle@suse.com
- BuildRequire python-xml.
- Exclude unwanted texpect binary and libhttp, libsamba-cluster-support,
libsamba-debug, and libsocket-blocking shared libs.
- Add vfs_fruit and vfs_worm man pages and ndr_dcerpc, smb2_lease_struct,
tstream_smbXcli_np, idtree, and idtree_random header files.
- Remove nmblookup and smbclient4 binary and nmblookup4 man page.
-------------------------------------------------------------------
Thu Oct 2 21:14:56 UTC 2014 - lmuelle@suse.com
- Update to 4.2.0rc1.
-------------------------------------------------------------------
Thu Oct 2 16:49:23 UTC 2014 - ddiss@suse.com
- Fix small memory-leak in the background print process; (bnc#899558).
-------------------------------------------------------------------
Fri Sep 26 15:41:38 CEST 2014 - nopower@suse.de
- Modify samba-regedit so it displays correctly (related to ncurses).
Changed code to use menu sub windows, seems to fix problems with display not
refreshing; explicitly BuildRequire ncurses-devel; (bnc#896536).
-------------------------------------------------------------------
Thu Sep 25 12:44:48 UTC 2014 - lmuelle@suse.com
- Exclude unwanted libdnsserver_common and libdfs_server_ad shared libs and
the man page of the unused findsmb script.
-------------------------------------------------------------------
Tue Sep 23 16:55:55 UTC 2014 - ddiss@suse.com
- Skip groups that aren't mapped by idmap_ad; (bso#10824); (bnc#897969).
-------------------------------------------------------------------
Tue Sep 23 12:02:16 UTC 2014 - lmuelle@suse.com
- Update to 4.1.12.
+ s3: winbindd: On new client connect, prune idle or hung connections older
than "winbind request timeout". Add new parameter "winbind request
timeout". Please see smb.conf man page for details; (bso#3204);
(bnc#872912).
+ Fix smbd crashes when filename contains non-ascii character; (bso#10716).
+ s4-rpc: dnsserver: Handle updates of tombstoned dnsNode objects;
(bso#10749).
+ passdb: Fix NT_STATUS_NO_SUCH_GROUP; (bso#9570).
+ s4:setup/dns_update_list: make use of the new substitution variables;
(bso#9831).
+ build: Fix configure to honour '--without-dmapi'; (bso#10369).
+ provision: Correctly provision the SOA record minimum TTL; (bso#10466).
+ s3: Enforce a positive allocation_file_size for non-empty files;
(bso#10543).
+ lib: tevent: make TEVENT_SIG_INCREMENT atomic; (bso#10640).
+ Make "case sensitive = True" option working with "max protocol = SMB2" or
higher in large directories; (bso#10650).
+ Samba 4 consuming a lot of CPU when re-reading printcap info; (bso#10652).
+ lib: strings: Simplify strcasecmp; (bso#10716).
+ Allow netr_ServerReqChallenge() and netr_ServerAuthenticate3() on different
connections; (bso#10723).
+ 'net time': Fix usage and core dump; (bso#10728).
+ sys_poll_intr: Fix timeout arithmetic; (bso#10731).
+ s3:idmap: Don't log missing range config if range checking not requested;
(bso#10737).
+ Fix flapping VFS gpfs offline bit; (bso#10741).
+ s4-rpc: dnsserver: Allow . to be specified for @ record; (bso#10742).
+ s4-rpc: dnsserver: return DNS_RANK_NS_GLUE recors when explicitly asked
for; (bso#10751).
+ samba: Retain case sensitivity of cifs client; (bso#10755).
+ lib: Remove unused nstrcpy; (bso#10758).
+ Fix a memory leak in cli_set_mntpoint(); (bso#10759).
+ docs: Fix typos in smb.conf (inherit acls); (bso#10761).
+ libcli/security: Add better detection of SECINFO_[UN]PROTECTED_[D|S]ACL in
get_sec_info(); (bso#10773).
+ s3: smbd: POSIX ACLs. Remove incorrect check for SECINFO_PROTECTED_DACL in
incoming security_information flags in posix_get_nt_acl_common();
(bso#10773).
+ Don't discard result of checking grouptype; (bso#10777).
+ s3:libsmb: Set a max charge for SMB2 connections; (bso#10778).
+ smbd: Properly initialize mangle_hash; (bso#10782).
+ dosmode: Fix FSCTL_SET_SPARSE request validation; (bso#10787).
+ vfs_dirsort: Fix an off-by-one error that can cause uninitialized memory
read; (bso#10794).
-------------------------------------------------------------------
Thu Sep 18 16:59:49 UTC 2014 - jmcdonough@suse.com
- Wait for network-online.target to prevent caching of
pre-network failures; (bnc#889175).
-------------------------------------------------------------------
Thu Sep 18 08:54:38 UTC 2014 - jmcdonough@suse.com
- Use domain name if search by domain SID fails to send SIDHistory
lookups to correct idmap backend; (bnc#773464).
-------------------------------------------------------------------
Thu Sep 11 17:26:26 UTC 2014 - ddiss@suse.com
- Prune idle or hung connections older than "winbind request timeout";
(bso#3204); (bnc#872912).
-------------------------------------------------------------------
Thu Aug 28 10:03:21 UTC 2014 - ddiss@suse.com
- fix FSCTL_SET_SPARSE request validation; (bso#10787); (bnc#893774).
-------------------------------------------------------------------
Tue Aug 19 14:07:53 UTC 2014 - lmuelle@suse.com
- Remove pre-11.2 patch which by default uses the smbpasswd passdb backend.
-------------------------------------------------------------------
Wed Aug 13 11:44:31 UTC 2014 - lmuelle@suse.com
- build: disable mmap on s390 systems; (bso#10765); (bnc#886193);
(bnc#882356).
-------------------------------------------------------------------
Mon Aug 11 11:55:35 UTC 2014 - lmuelle@suse.com
- Create the cups smb backend as sym link pointing to smbspool; (bnc#891220).
-------------------------------------------------------------------
Fri Aug 1 16:34:44 UTC 2014 - ddiss@suse.com
- Fix winbind service parameter usage; (bnc#890005).
-------------------------------------------------------------------
Fri Aug 1 13:47:57 UTC 2014 - lmuelle@suse.com
- lib/param: change the default for "winbind expand groups" to "0";
(bnc#890008).
-------------------------------------------------------------------
Fri Aug 1 13:42:19 UTC 2014 - lmuelle@suse.com
- Update to 4.1.11.
+ A malicious browser can send packets that may overwrite the heap of the
target nmbd NetBIOS name services daemon; CVE-2014-3560; (bnc#889429).
-------------------------------------------------------------------
Wed Jul 30 11:39:30 UTC 2014 - ddiss@suse.com
- Fix "net time" segfault; (bso#10728); (bnc#889539).
-------------------------------------------------------------------
Mon Jul 28 10:12:04 UTC 2014 - lmuelle@suse.com
- Update to 4.1.10.
+ net/doc: Make clear that net vampire is for NT4 domains only; (bso#3263).
+ dbcheck: Add check and test for various invalid userParameters values;
(bso#8077).
+ s4:dsdb/samldb: Don't allow 'userParameters' to be modified over LDAP for
now; (bso#8077).
+ Simple use case results in "no talloc stackframe around, leaking memory"
error; (bso#8449).
+ s4:dsdb/repl_meta_data: Make sure objectGUID can't be deleted; (bso#9763).
+ dsdb: Always store and return the userParameters as a array of LE 16-bit
values; (bso#10130).
+ s4:repl_meta_data: fix array assignment in
replmd_process_linked_attribute(); (bso#10294).
+ ldb-samba: fix a memory leak in ldif_canonicalise_objectCategory();
(bso#10469).
+ dbchecker: Verify and fix broken dn values; (bso#10536).
+ dsdb: Rename private_data to rootdse_private_data in rootdse; (bso#10582).
+ s3: libsmbclient: Work around bugs in SLES cifsd and Apple smbx SMB1
servers; (bso#10587).
+ Fix "PANIC: assert failed at ../source3/smbd/open.c(1582): ret";
(bso#10593).
+ rid_array used before status checked - segmentation fault due to null
pointer dereference; (bso#10627).
+ Samba won't start on a machine configured with only IPv4; (bso#10653).
+ msg_channel: Fix a 100% CPU loop; (bso#10663).
+ s3: smbd: Prevent file truncation on an open that fails with share mode
violation; (bso#10671); (bnc#884056).
+ s3: SMB2: Fix leak of blocking lock records in the database; (bso#10673).
+ samba-tool: Add --site parameter to provision command; (bso#10674).
+ smbstatus: Fix an uninitialized variable; (bso#10680).
+ SMB1 blocking locks can fail notification on unlock, causing client
timeout; (bso#10684).
+ s3: smbd: Locking, fix off-by one calculation in brl_pending_overlap();
(bso#10685).
+ 'RW2' smbtorture test fails when -N <numprocs> is set to 2 due to the
invalid status check in the second client; (bso#10687).
+ wbcCredentialCache fails if challenge_blob is not first; (bso#10692).
+ Backport ldb-1.1.17 + changes from master; (bso#10693).
+ Fix SEGV from improperly formed SUBSTRING/PRESENCE filter; (bso#10693).
+ ldb: Add a env variable to disable RTLD_DEEPBIND; (bso#10693).
+ ldb: Do not build libldb-cmdline when using system ldb; (bso#10693).
+ ldb: Fix 1138330 Dereference null return value, fix CIDs 241329, 240798,
1034791, 1034792 1034910, 1034910); (bso#10693).
+ ldb: make the successful ldb_transaction_start() message clearer;
(bso#10693).
+ ldb:pyldb: Add some more helper functions for LdbDn; (bso#10693).
+ ldb: Use of NULL pointer bugfix; (bso#10693).
+ lib/ldb: Fix compiler warnings; (bso#10693).
+ pyldb: Decrement ref counters on py_results and quiet warnings;
(bso#10693).
+ s4-openldap: Remove use of talloc_reference in ldb_map_outbound.c;
(bso#10693).
+ dsdb: Return NO_SUCH_OBJECT if a basedn is a deleted object; (bso#10694).
+ s4:dsdb/extended_dn_in: Don't force DSDB_SEARCH_SHOW_RECYCLED; (bso#10694).
+ Backport autobuild/selftest fixes from master; (bso#10696).
+ Backport drs-crackname fixes from master; (bso#10698).
+ smbd: Avoid double-free in get_print_db_byname; (bso#10699).
+ Backport access check related fixes from master; (bso#10700).
+ Backport provision fixes from master; (bso#10703).
+ s3:smb2_read: let smb2_sendfile_send_data() behave like send_file_readX();
(bso#10706).
+ s3: Fix missing braces in nfs4_acls.c.
-------------------------------------------------------------------
Wed Jul 9 22:59:09 UTC 2014 - ddiss@suse.com
- Reduce printer_list.tdb lock contention during printcap update;
(bso#10652); (bnc#883870).
+ Only update the printer share inventory when needed.
-------------------------------------------------------------------
Tue Jul 8 12:35:25 UTC 2014 - lmuelle@suse.com
- Add missing newline to debug message in daemon_ready(); (bnc#865627).
-------------------------------------------------------------------
Mon Jul 7 13:59:24 UTC 2014 - lmuelle@suse.com
- BuildRequire systemd-devel, configure --with-systemd, and modify the service
files accordingly on post-12.2 systems; (bso#10517); (bnc#865627).
-------------------------------------------------------------------
Wed Jun 25 11:52:17 UTC 2014 - ddiss@suse.com
- Prevent file truncation on an open that fails with share mode violation;
(bso#10671); (bnc#884056).
-------------------------------------------------------------------
Mon Jun 23 09:43:53 UTC 2014 - lmuelle@suse.com
- Update to 4.1.9.
+ Fix nmbd denial of service; CVE-2014-0244; (bnc#880962).
+ Fix segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX
handler; CVE-2014-3493; (bnc#883758).
-------------------------------------------------------------------
Thu Jun 12 18:09:44 UTC 2014 - lmuelle@suse.com
- BuildRequire krb5-devel, libiniparser-devel, and python-devel in any case.
-------------------------------------------------------------------
Thu Jun 12 17:15:09 UTC 2014 - lmuelle@suse.com
- BuildRequire libxslt and perl-ExtUtils-MakeMaker and BuildIgnore libtevent
on CentOS, Fedora, and RHEL systems.
-------------------------------------------------------------------
Tue Jun 3 18:36:06 UTC 2014 - lmuelle@suse.com
- Update to 4.1.8.
+ dns: Don't reply to replies; CVE-2014-0239; (bso#10609).
+ Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response; CVE-2014-0178;
(bso#10549).
+ s3: smb2: Fix 'xcopy /d' with samba shares; (bso#3124).
+ Extra ':' in msg for Waf Cross Compile Build System with Cross-answers
command; (bso#10151).
+ s3: nmbd: Reset debug settings after reading config file; (bso#10239).
+ Fix empty body in if-statement in continue_domain_open_lookup; (bso#10348).
+ script/autobuild: Make use of '--with-perl-{arch,lib}-install-dir';
(bso#10472).
+ wafsamba: Fix the installation on FreeBSD; (bso#10472).
+ Use exit_daemon() to communicate status of startup to systemd; (bso#10517).
+ Fix adding NetApps; (bso#10524).
+ s3: lib/util: Fix logic inside set_namearray loops; (bso#10544).
+ s3: lib/util: set_namearray reads across end of namelist; (bso#10544).
+ idmap_autorid: Fix failure in reverse lookup if ID is from domain range
index #0; (bso#10547).
+ build: Fix ordering problems with lib-provided and internal RPATHs;
(bso#10548).
+ Fix read of deleted memory in reply_writeclose()'; (bso#10554).
+ lib-util: Rename memdup to smb_memdup and fix all callers; (bso#10556).
+ Fix lock order violation and file lost; (bso#10564).
+ dsdb: Do checks for invalid renames in samldb, before repl_meta_data;
(bso#10569).
+ Fix wildcard unlink to fail if we get an error rather than trying to
continue; (bso#10577).
+ byteorder: Do not assume PowerPC is big-endian; (bso#10590).
+ printing: Fix purge of all print jobs; (bso#10612).
-------------------------------------------------------------------
Fri May 23 10:41:11 UTC 2014 - lmuelle@suse.com
- examples/libsmbclient: avoid some compiler warnings; (bso#10624).
-------------------------------------------------------------------
Thu May 22 13:08:13 UTC 2014 - ddiss@suse.com
- Fix printer job purging; (bso#10612); (bnc#879390).
-------------------------------------------------------------------
Sun May 18 12:07:03 UTC 2014 - lmuelle@suse.com
- Update samba-pubkey_6568B7EA.asc which will expire 2016-01-17.
-------------------------------------------------------------------
Mon May 5 11:44:20 UTC 2014 - ddiss@suse.com
- Fix byte-order macros on little endian Power8; (bso#10590); (bnc#871701).
-------------------------------------------------------------------
Fri May 2 15:37:33 UTC 2014 - ddiss@suse.com
- Pass through vfs_btrfs snapshot manipulation requests when
"btrfs: manipulate snapshots = no" is configured; (bnc#874180).
-------------------------------------------------------------------
Fri Apr 25 08:47:57 UTC 2014 - ddiss@suse.com
- Clone the base share security descriptor when exposing a snapshot share;
(bnc#874656).
-------------------------------------------------------------------
Thu Apr 24 16:21:04 UTC 2014 - ddiss@suse.com
- Use appropriate HRESULT return codes; (bnc#875046).
-------------------------------------------------------------------
Thu Apr 17 15:44:30 UTC 2014 - lmuelle@suse.com
- Update to 4.1.7.
+ Make "force user" work as expected; (bso#9878).
+ Fix build on AIX with IBM XL C/C++ (gettext detection issues); (bso#9911).
+ Fix problem with server taking too long to respond to a
MSG_PRINTER_DRVUPGRADE message; (bso#9942).
+ s3-printing: Fix obvious memory leak in printer_list_get_printer();
(bso#9993).
+ doc: Add "spoolss: architecture" parameter usage; (bso#10188).
+ Make 'smbclient' support DFS shares with SMB2/3; (bso#10200).
+ Make (lib)smbclient work with NetApp; (bso#10230).
+ SessionLogoff on a signed connection with an outstanding notify request
crashes smbd; (bso#10344).
+ dfs: Always call create_conn_struct with root privileges; (bso#10378).
+ 'net ads search' on high latency networks can return a partial list with
no error indication; (bso#10387).
+ max xmit > 64kb leads to segmentation fault; (bso#10422).
+ Fix STATUS_NO_MEMORY response from Query File Posix Lock request;
(bso#10431).
+ Increase max netbios name components; (bso#10439).
+ smbd_server_connection_terminate("CTDB_SRVID_RELEASE_IP") panics from
within ctdbd_migrate() with invalid lock_order; (bso#10444).
+ Fix 'wbinfo -i' with one-way trust; (bso#10458).
+ samba4 services not binding on IPv6 addresses causing connection delays;
(bso#10464).
+ s3-vfs: Fix stream_depot vfs module on btrfs; (bso#10467).
+ Don't respond with NXDOMAIN to records that exist with another type;
(bso#10471).
+ pidl: waf should have an option for the dir to install perl files and do
not glob; (bso#10472).
+ s3-spoolssd: Don't register spoolssd if epmd is not running; (bso#10474).
+ s3-rpc_server: Fix handling of fragmented rpc requests; (bso#10481).
+ Initial FSRVP rpcclient requests fail with NT_STATUS_PIPE_NOT_AVAILABLE;
(bso#10484).
+ lsa.idl: Define lsa.ForestTrustCollisionInfo and ForestTrustCollisionRecord
as public structs; (bso#10504).
+ Make 'smbreadline' build with readline 6.3; (bso#10506).
+ smbd: Correctly add remote users into local groups; (bso#10508).
+ rpcclient FSRVP request UNCs should include a trailing backslash;
(bso#10521).
+ Cleanup messages.tdb record after unclean smbd shutdown; (bso#10534).
+ s3:rpc_server: Minor refactoring of process_request_pdu().
-------------------------------------------------------------------
Tue Apr 15 15:03:27 UTC 2014 - ddiss@suse.com
- Create a new DBus connection for every vfs_snapper request, to ensure
correct snapper UID detection; (bnc#866354).
-------------------------------------------------------------------
Tue Apr 15 10:41:04 UTC 2014 - nopower@suse.de
- Fix "Invalid read" in method reply_writeclose; (bso#10554); (bnc#873658).
-------------------------------------------------------------------
Fri Apr 11 12:37:48 UTC 2014 - ddiss@suse.com
- Fix minor compiler warnings in snapshot code-path; (bnc#873177).
-------------------------------------------------------------------
Fri Apr 11 12:21:48 UTC 2014 - lmuelle@suse.com
- Remove references to the obsolete samba-krb-printing package and
get_printing_ticket binary.
-------------------------------------------------------------------
Fri Apr 11 12:09:23 UTC 2014 - ddiss@suse.com
- Fix malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response; CVE-2014-0178;
(bso#10549); (bnc#872396).
-------------------------------------------------------------------
Fri Apr 11 11:50:08 UTC 2014 - nopower@suse.de
- User error strings instead of hex codes where possible for FSRVP
errors; (bnc#866927).
-------------------------------------------------------------------
Tue Apr 1 16:49:05 UTC 2014 - ddiss@suse.com
- Fix remote share shadow copy request UNCs; (bso#10521); (bnc#870957).
-------------------------------------------------------------------
Tue Apr 1 15:20:21 UTC 2014 - lmuelle@suse.com
- Add krb5rcache directory to the winbind package; (bnc#870607).
- Cleanup and consolidate the sysconfig and systemd service files.
-------------------------------------------------------------------
Fri Mar 28 11:45:03 UTC 2014 - ddiss@suse.com
- Extend vfs_snapper man page to cover permissions; (bnc#870570).
-------------------------------------------------------------------
Wed Mar 26 14:36:34 UTC 2014 - ddiss@suse.com
- Fix RPC server handling of fragmented requests; (bso#10481); (bnc#869707).
-------------------------------------------------------------------
Fri Mar 21 18:59:29 UTC 2014 - lmuelle@suse.com
- Default with the cache and lock directory to the same path to have both
non-persistent and persistent data at one location; (bnc#846586).
-------------------------------------------------------------------
Wed Mar 12 13:57:29 UTC 2014 - lmuelle@suse.com
- Depend only on %version with all manual Provides and Requires; (bnc#844307).
-------------------------------------------------------------------
Tue Mar 11 18:07:47 UTC 2014 - lmuelle@suse.com
- Update to 4.1.6.
+ Password lockout not enforced for SAMR password changes; CVE-2013-4496;
(bnc#849224).
+ smbcacls can remove a file or directory ACL by mistake; CVE-2013-6442;
(bnc#855866).
-------------------------------------------------------------------
Tue Mar 11 13:10:59 UTC 2014 - lmuelle@suse.com
- Password lockout not enforced for SAMR password changes;
CVE-2013-4496; (bnc#849224).
-------------------------------------------------------------------
Tue Mar 11 10:21:46 UTC 2014 - lmuelle@suse.com
- Call update-apparmor-samba-profile via ExecStartPre too; (bnc#867665).
-------------------------------------------------------------------
Mon Mar 10 16:00:03 UTC 2014 - nopower@suse.com
- samba4 smbcalcs --chown | --chgrp dacl regression; CVE-2013-6442;
(bnc#855866).
-------------------------------------------------------------------
Tue Mar 4 17:20:33 UTC 2014 - ddiss@suse.com
- Retry named pipe open requests on STATUS_PIPE_NOT_AVAILABLE; (bso#10484);
(bnc#865095).
-------------------------------------------------------------------
Thu Feb 27 15:19:56 UTC 2014 - ddiss@suse.com
- Propagate snapshot enumeration permissions errors to SMB clients;
(bnc#865641).
-------------------------------------------------------------------
Wed Feb 26 12:48:58 CET 2014 - nopower@suse.de
- Properly handle empty 'requires_membership_of' entries in
/etc/security/pam_winbind.conf; (bnc#865771).
-------------------------------------------------------------------
Tue Feb 25 13:12:25 UTC 2014 - ddiss@suse.com
- Fix problem with server taking too long to respond to a
MSG_PRINTER_DRVUPGRADE message; (bso#9942); (bnc#863748).
- Fix memory leak in printer_list_get_printer(); (bso#9993); (bnc#865561).
-------------------------------------------------------------------
Mon Feb 24 18:44:59 UTC 2014 - ddiss@suse.com
- Fix stream_depot VFS module on Btrfs; (bso#10467); (bnc#865397).
-------------------------------------------------------------------
Fri Feb 21 17:57:57 UTC 2014 - ddiss@suse.com
- Use libarchive to provide improved smbclient tarmode functionality;
(bso#9667); (bnc#861135).
-------------------------------------------------------------------
Fri Feb 21 16:02:12 UTC 2014 - lmuelle@suse.com
- Depend on %version-%release with all manual Provides and Requires;
(bnc#844307).
-------------------------------------------------------------------
Fri Feb 21 13:16:01 UTC 2014 - lmuelle@suse.com
- Update to 4.1.5.
+ Fix 100% CPU utilization in winbindd when trying to free memory in
winbindd_reinit_after_fork; (bso#10358); (bnc#786677).
+ smbd: Fix memory overwrites; (bso#10415).
+ s3-winbind: Improve performance of wb_fill_pwent_sid2uid_done();
(bso#2191).
+ ntlm_auth sometimes returns the wrong username to mod_ntlm_auth_winbind;
(bso#10087).
+ s3: smbpasswd: Fix crashes on invalid input; (bso#10320).
+ s3: vfs_dirsort module: Allow dirsort to work when multiple simultaneous
directories are open; (bso#10406).
+ Add support for Heimdal's unified krb5 and hdb plugin system, cope with
first element in hdb_method having a different name in different heimdal
versions and fix INTERNAL ERROR: Signal 11 in the kdc pid; (bso#10418).
+ vfs_btrfs: Fix incorrect zero length server-side copy request handling;
(bso#10424).
+ s3: modules: streaminfo: As we have no VFS function SMB_VFS_LLISTXATTR we
can't cope with a symlink when lp_posix_pathnames() is true; (bso#10429).
+ smbd: Fix an ancient oplock bug; (bso#10436).
+ Fix crash bug in smb2_notify code; (bso#10442).
-------------------------------------------------------------------
Tue Feb 18 13:04:37 UTC 2014 - lmuelle@suse.com
- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).
-------------------------------------------------------------------
Fri Feb 14 00:31:35 UTC 2014 - ddiss@suse.com
- Migrate @GMT token parsing functionality into vfs_snapper; (bnc#863079).
+ Improve vfs_snapper documentation.
-------------------------------------------------------------------
Wed Feb 12 17:50:02 UTC 2014 - ddiss@suse.com
- Fix Winbind 100% CPU utilization caused by domain list corruption;
(bso#10358); (bnc#786677).
-------------------------------------------------------------------
Sat Feb 8 10:39:25 UTC 2014 - ddiss@suse.com
- Fix memory overwrite in FSCTL_VALIDATE_NEGOTIATE_INFO handler; (bso#10415);
(bnc#862370).
-------------------------------------------------------------------
Fri Feb 7 16:48:52 UTC 2014 - lmuelle@suse.com
- Streamline the vendor suffix handling and add support for SLE 12.
-------------------------------------------------------------------
Fri Feb 7 16:07:50 UTC 2014 - ddiss@suse.com
- Fix zero length server-side copy request handling; (bso#10424);
(bnc#862558).
-------------------------------------------------------------------
Tue Feb 4 17:22:52 UTC 2014 - lmuelle@suse.com
- Set the PID directory to /run/samba on post-12.2 systems.
-------------------------------------------------------------------
Tue Feb 4 16:02:45 UTC 2014 - lmuelle@suse.com
- Make use of the tmpfilesdir macro while calling systemd-tmpfiles.
-------------------------------------------------------------------
Tue Jan 28 20:05:30 CET 2014 - nopower@suse.de
- Make winbindd print the interface version when it gets an INTERFACE_VERSION
request; (bnc#726937).
-------------------------------------------------------------------
Tue Jan 28 15:16:30 UTC 2014 - ddiss@suse.com
- Fix vfs_btrfs build on older platforms with duplicate WRITE_FLUSH
definitions; (bnc#860832).
-------------------------------------------------------------------
Tue Jan 28 14:34:57 UTC 2014 - ddiss@suse.com
- Check for NULL gensec_security in gensec_security_by_auth_type();
(bnc#860809).
-------------------------------------------------------------------
Tue Jan 28 01:57:08 UTC 2014 - ddiss@suse.com
- Ensure ndr table initialization; (bnc#860648).
-------------------------------------------------------------------
Fri Jan 24 19:41:59 UTC 2014 - ddiss@suse.com
- Add File Server Remote VSS Protocol (FSRVP) server for SMB share
shadow-copies; (fate#313346).
-------------------------------------------------------------------
Fri Jan 24 15:17:53 UTC 2014 - lmuelle@suse.com
- s3-dir: Fix the DOS clients against 64-bit smbd's; (bso#2662).
- shadow_copy2: module "Previous Version" not working in Windows 7;
(bso#10259).
- s3-passdb: Fix string duplication to pointers; (bso#10367).
- vfs/glusterfs: in case atime is not passed, set it to the current atime;
(bso#10384)
-------------------------------------------------------------------
Fri Jan 24 14:30:45 UTC 2014 - lmuelle@suse.com
- s3: winbindd: Move calling setup_domain_child() into add_trusted_domain();
(bso#10358); (bnc#786677).
-------------------------------------------------------------------
Mon Jan 20 10:47:54 UTC 2014 - lmuelle@suse.com
- Default sysconfig daemon options to -D; (bso#10388); (bnc#857454).
-------------------------------------------------------------------
Thu Jan 16 19:19:58 UTC 2014 - lmuelle@suse.com
- Add /var/cache/samba to the client file list; (bnc#846586).
-------------------------------------------------------------------
Tue Jan 14 21:57:32 UTC 2014 - lmuelle@suse.com
- Really add the WINBINDDOPTIONS sysconfig variable on install; (bnc#857454).
-------------------------------------------------------------------
Mon Jan 13 13:04:53 UTC 2014 - lmuelle@suse.com
- Correct sysconfig variable names by adding the missing D char; (bnc#857454).
-------------------------------------------------------------------
Fri Jan 10 17:02:40 UTC 2014 - lmuelle@suse.com
- Update to 4.1.4.
+ Fix segfault in smbd; (bso#10284).
+ Fix SMB2 server panic when a smb2 brlock times out; (bso#10311).
-------------------------------------------------------------------
Wed Jan 8 15:36:42 UTC 2014 - lmuelle@suse.com
- Call stop_on_removal from preun and restart_on_update and insserv_cleanup
from postun on pre-12.3 systems only; (bnc#857454).
-------------------------------------------------------------------
Wed Jan 8 13:53:33 UTC 2014 - adrian@suse.de
- BuildRequire gamin-devel instead of unmaintained fam-devel package on
post-12.1 systems.
-------------------------------------------------------------------
Mon Jan 6 21:37:37 UTC 2014 - lmuelle@suse.com
- smbd: allow updates on directory write times on open handles; (bso#9870).
- lib/util: use proper include for struct stat; (bso#10276).
- s3:winbindd fix use of uninitialized variables; (bso#10280).
- s3-winbindd: Fix DEBUG statement in winbind_msg_offline(); (bso#10285).
- s3-lib: Fix %G substitution for domain users in smbd; (bso#10286).
- smbd: Always use UCF_PREP_CREATEFILE for filename_convert calls to resolve a
path for open; (bso#10297).
- smb2_server processing overhead; (bso#10298).
- ldb: bad if test in ldb_comparison_fold(); (bso#10305).
- Fix AIO with SMB2 and locks; (bso#10310).
- smbd: Fix a panic when a smb2 brlock times out; (bso#10311).
- vfs_glusterfs: Enable per client log file; (bso#10337).
-------------------------------------------------------------------
Mon Jan 6 17:12:55 UTC 2014 - lmuelle@suse.com
- Add /etc/sysconfig/samba to the main and winbind package; (bnc#857454).
-------------------------------------------------------------------
Mon Jan 6 13:09:35 UTC 2014 - lmuelle@suse.com
- Create /var/run/samba with systemd-tmpfiles on post-12.2 systems;
(bnc#856759).
-------------------------------------------------------------------
Mon Jan 6 10:06:59 UTC 2014 - lmuelle@suse.com
- Fix broken rc{nmb,smb,winbind} sym links which should point to the service
binary on post-12.2 systems; (bnc#856759).
-------------------------------------------------------------------
Mon Jan 6 07:01:48 UTC 2014 - ddiss@suse.com
- Add Snapper VFS module for snapshot manipulation; (fate#313347).
+ dbus-1-devel required at build time.
-------------------------------------------------------------------
Mon Jan 6 06:59:01 UTC 2014 - ddiss@suse.com
- Add File Server Remote VSS Protocol (FSRVP) client for SMB share
shadow-copies; (fate#313345).
-------------------------------------------------------------------
Wed Dec 11 12:12:21 UTC 2013 - lmuelle@suse.com
- Do not BuildRequire perl ExtUtils::MakeMaker and Parse::Yapp as they're part
of the minimum build environment.
-------------------------------------------------------------------
Mon Dec 9 10:48:06 UTC 2013 - lmuelle@suse.com
- Update to 4.1.3.
+ DCE-RPC fragment length field is incorrectly checked; CVE-2013-4408;
(bnc#844720).
+ pam_winbind login without require_membership_of restrictions;
CVE-2012-6150; (bnc#853347).
-------------------------------------------------------------------
Fri Dec 6 16:25:59 UTC 2013 - lmuelle@suse.com
- Make use of the full gpg pub key file name including the key ID.
-------------------------------------------------------------------
Thu Dec 5 19:22:47 UTC 2013 - ddiss@suse.com
- Add transparent file compression support; (fate#316266).
+ Implement FSCTL_GET_COMPRESSION and FSCTL_SET_COMPRESSION handlers.
+ Add FILE_ATTRIBUTE_COMPRESSED and FILE_NO_COMPRESSION support.
+ Extend vfs_btrfs VFS module to utilize get/set compression hooks.
-------------------------------------------------------------------
Thu Dec 5 17:03:34 UTC 2013 - ddiss@suse.com
- Add support for FSCTL_SRV_COPYCHUNK_WRITE; (fate#314770).
-------------------------------------------------------------------
Mon Dec 2 15:50:56 UTC 2013 - lmuelle@suse.com
- Remove bogus libsmbclient0 package description and cleanup the libsmbclient
line from baselibs.conf; (bnc#853021).
-------------------------------------------------------------------
Fri Nov 22 11:11:42 UTC 2013 - lmuelle@suse.com
- BuildRequire systemd on post-12.2 systems.
-------------------------------------------------------------------
Fri Nov 22 10:32:30 UTC 2013 - lmuelle@suse.com
- Update to 4.1.2.
+ s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled; (bso#9091).
+ dfs_server: Use dsdb_search_one to catch 0 results as well as
NO_SUCH_OBJECT errors; (bso#10052).
+ Missing talloc_free can leak stackframe in error path; (bso#10187).
+ Fix memset used with constant zero length parameter; (bso#10190).
+ s4:dsdb/rootdse: report 'dnsHostName' instead of 'dNSHostName';
(bso#10193).
+ Make offline logon cache updating for cross child domain group membership;
(bso#10194).
+ nsswitch: Fix short writes in winbind_write_sock; (bso#10195).
+ RW Deny for a specific user is not overriding RW Allow for a group;
(bso#10196).
+ vfs_glusterfs: Fix excessive debug output from vfs_gluster_open();
(bso#10224).
+ vfs_glusterfs: Implement proper mashalling/unmarshalling of ACLs;
(bso#10224).
+ VFS plugin was sending the actual size of the volume instead of the total
number of block units because of which windows was getting the wrong
volume capacity; (bso#10224).
+ libcli/smb: Fix smb2cli_ioctl*() against Windows 2008; (bso#10232).
+ xattr: Fix listing EAs on *BSD for non-root users; (bso#10247).
+ Fix the build of vfs_glusterfs; (bso#10253).
+ s3-winbindd: Fix cache_traverse_validate_fn failure for NDR cache entries;
(bso#10264).
+ util: Remove 32bit macros breaking strict aliasing; (bso#10269).
-------------------------------------------------------------------
Thu Nov 21 17:16:42 UTC 2013 - lmuelle@suse.com
- Let gpg verify execution condition not fail on non SUSE systems.
-------------------------------------------------------------------
Thu Nov 21 14:13:37 UTC 2013 - lmuelle@suse.com
- Add systemd support for post-12.2 systems.
-------------------------------------------------------------------
Tue Nov 19 19:17:40 CET 2013 - nopower@suse.de
- Allow smbcacls to take a '--propagate-inheritance' flag to indicate that
the add, delete, modify and set operations now support automatic
propagation of inheritable ACE(s); (FATE#316474).
-------------------------------------------------------------------
Fri Nov 15 18:04:50 UTC 2013 - lmuelle@suse.com
- Unconditionally create the CUPS smb backend sym link pointing to smbspool;
(bnc#850656).
-------------------------------------------------------------------
Wed Nov 13 15:16:03 UTC 2013 - lmuelle@suse.com
- Update to 4.1.1.
+ ACLs are not checked on opening an alternate data stream on a file or
directory; CVE-2013-4475; (bso#10229); (bnc#848101).
+ Private key in key.pem world readable; CVE-2013-4476; (bnc#848103).
-------------------------------------------------------------------
Sun Nov 10 18:16:56 UTC 2013 - lmuelle@suse.com
- Private key in key.pem world readable; CVE-2013-4476; (bnc#848103).
-------------------------------------------------------------------
Wed Oct 30 14:11:42 UTC 2013 - lmuelle@suse.com
- ACLs are not checked on opening an alternate data stream on a file or
directory; CVE-2013-4475; (bso#10229); (bnc#848101).
-------------------------------------------------------------------
Fri Oct 11 08:58:29 UTC 2013 - lmuelle@suse.com
- Update to 4.1.0.
+ pam_winbindd: Support the KEYRING ccache type; (bso#10132).
+ Fix PAC parsing failure; (bso#10178).
-------------------------------------------------------------------
Wed Oct 9 20:41:52 UTC 2013 - lmuelle@suse.com
- Unify the defattr lines in the pidl, python, test and test-devel files
section by removing the optional directory mode.
-------------------------------------------------------------------
Wed Oct 9 15:30:31 UTC 2013 - lmuelle@suse.com
- Verify source tar ball gpg signature.
-------------------------------------------------------------------
Fri Sep 27 12:30:24 UTC 2013 - lmuelle@suse.com
- Update to 4.1.0rc4.
+ dsdb: Convert the full string from UTF16 to UTF8, including embedded
NULLs; (bso#8077).
+ python-samba-tool fsmo: Do not give an error on a successful role
transfer; (bso#9461).
+ dbwrap_ctdb: Treat empty records as non-existing; (bso#10008).
+ Raise the level of a debug when unable to open a printer; (bso#10118).
+ Add "acl allow execute always" parameter; (bso#10134).
+ vfs_shadow_copy2: Display previous versions correctly over SMB2;
(bso#10137).
+ smbd: Always clean up share modes after hard crash; (bso#10138).
+ Valid utf8 filenames cause "invalid conversion error" messages;
(bso#10139).
+ libcli/smb: Use SMB1 MID=0 for the initial Negprot; (bso#10144).
+ Samba SMB2 client code reads the wrong short name length in a directory
listing reply; (bso#10145).
+ libcli/smb: Only check the SMB2 session setup signature if required and
valid; (bso#10146).
+ Better document potential implications of a globally used "valid users";
(bso#10147).
+ cli_smb2_get_ea_list_path() failed to close file on exit; (bso#10149).
+ Not all OEM servers support the ALTNAME info level; (bso#10150).
+ Regression causes replication failure with Windows 2008R2 and deletes
Deleted Objects; (bso#10157).
+ Netbios related samba process consumes 100% CPU; (bso#10158).
+ Fix POSIX ACL mapping when setting DENY ACE's from Windows; (bso#10162).
-------------------------------------------------------------------
Thu Sep 19 22:10:11 UTC 2013 - lmuelle@suse.com
- Require libndr-standard-devel due to gen_ndr/lsa.h from libpdb-devel.
-------------------------------------------------------------------
Mon Sep 16 12:49:02 UTC 2013 - lmuelle@suse.com
- Add libdcerpc0, libdcerpc-atsvc0, libdcerpc-binding0, libdcerpc-samr0,
libgensec0, libndr0, libndr-krb5pac0, libndr-nbt0, libndr-standard0,
libpdb0, libregistry0, libsamba-credentials0, libsamba-hostconfig0,
libsamba-policy0, libsamba-util0, libsamdb0, libsmbclient-raw0, libsmbconf0,
libsmbldap0, and libtevent-util0 to baselibs.conf.
-------------------------------------------------------------------
Sat Sep 14 17:05:05 UTC 2013 - jengelh@inai.de
- Add or polish the shared library package summaries and descriptions.
-------------------------------------------------------------------
Fri Sep 13 09:24:47 UTC 2013 - lmuelle@suse.com
- Update to 4.1.0rc3.
+ Fix working on site with Read Only Domain Controller; (bso#5917).
+ Add man page for vfs_syncops; (bso#7364).
+ Add man page for vfs_linux_xfs_sgid; (bso#7490).
+ When replicating DNS for bind9_dlz we need to create the server-DNS
account remotely; (bso#9091).
+ Winbind unable to retrieve user information from AD; (bso#9615).
+ winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
(bso#9899).
+ Build Samba 4.0.x on AIX with IBM XL C/C++; (bso#9911).
+ Add SMB2 and SMB3 support for smbclient; (bso#9974).
+ Add man pages for ntdb tools; (bso#10000).
+ Add man page for samba-regedit tool; (bso#10001).
+ ::1 added to nameserver on join; (bso#10030).
+ Fix memory leak in source3/lib/util.c:1493; (bso#10063).
+ Fix segmentation fault in 'net ads join'; (bso#10073).
+ Fix variable list in vfs_crossrename man page; (bso#10076).
+ s3-winbind: Fix a segfault passing NULL to a fstring argument; (bso#10082).
+ smbd: Fix async echo handler forking; (bso#10086).
+ MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba;
(bso#10097).
+ Honour output buffer length set by the client for SMB2 GetInfo requests;
(bso#10106).
+ Fix Winbind crashes on DC with trusted AD domains; (bso#10107).
+ Handle Dropbox (write-only-directory) case correctly in pathname lookup;
(bso#10114).
+ Masks incorrectly applied to UNIX extension permission changes;
(bso#10121).
-------------------------------------------------------------------
Thu Sep 5 12:31:09 UTC 2013 - jengelh@inai.de
- Implement shared library packaging guidelines.
- Correct interpackage dependencies; (bso#10129).
-------------------------------------------------------------------
Tue Sep 3 17:30:08 UTC 2013 - lmuelle@suse.com
- Define the source URL differently in the case of a release candidate.
-------------------------------------------------------------------
Sat Aug 31 22:47:49 UTC 2013 - lmuelle@suse.com
- Update to 4.1.0rc2.
+ Add vfs_btrfs module.
+ Add support for server-side copy operations via the
SMB2 FSCTL_SRV_COPYCHUNK request.
+ Fix replication with --domain-crictical-only to fill in backlinks;
(bso#9029).
+ Windows 8 Roaming profiles fail; (bso#9678).
+ Fix crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol";
(bso#9820).
+ Windows error 0x800700FE when copying files with xattr names containing
":"; (bso#9992).
+ Do not delete an existing valid credential cache (s3-winbind); (bso#9994).
+ Fix segfault while reading incomplete session info; (bso#10003).
+ Missing integer wrap protection in EA list reading can cause server to
loop with DOS (CVE-2013-4124); (bso#10010).
+ Fix a 100% loop at shutdown time (smbd); (bso#10013).
+ Fix/improve debug options; (bso#10015).
+ Rename regedit to samba-regedit; (bso#10040).
+ Remove obsolete swat manpage and references; (bso#10041).
+ Fix crashes in socket_get_local_addr(); (bso#10042).
+ Allow to change the default location for Kerberos credential caches;
(bso#10043).
+ Remove a redundant inlined substitution of ACLs; (bso#10045).
+ nsswitch: Add OPT_KRB5CCNAME to avoid an error message; (bso#10048).
+ dsdb improvements; (bso#10056).
+ Linux kernel oplock breaks can miss signals; (bso#10064).
-------------------------------------------------------------------
Thu Aug 29 12:47:26 UTC 2013 - lmuelle@suse.com
- BuildRequire pyldb-devel.
-------------------------------------------------------------------
Wed Aug 28 14:56:09 UTC 2013 - lmuelle@suse.com
- Add libnetapi0 and samba-libs to baselibs.conf.
-------------------------------------------------------------------
Thu Aug 22 12:01:15 UTC 2013 - lmuelle@suse.de
- Update to 4.0.9.
+ Fix crash of Winbind after "ls -l /usr/local/samba/var/locks/sysvol";
(bso#9820).
+ s3-lib: Fix segmentation fault while reading incomplete session info;
(bso#10003).
+ smbd: Fix a 100% loop at shutdown time; (bso#10013).
+ Windows 8 Roaming profiles fail; (bso#9678).
+ Add UPN enumeration to passdb internal API; (bso#9779).
+ smbd: Cleanup disonnected durable handles; (bso#9930).
+ vfs_streams_xattr: Do not attempt to write empty attribute twice;
(bso#9970).
+ Fix Windows error 0x800700FE when copying files with xattr names
containing ":"; (bso#9992).
+ s3-winbind: Do not delete an existing valid credential cache; (bso#9994).
+ Fix excessive RID allocation; (bso#10014).
+ Add debugclass for DNS server; (bso#10015).
+ Fix/improve debug options; (bso#10015).
+ Allow to change the default location for Kerberos credential caches;
(bso#10043).
+ Linux kernel oplock breaks can miss signals; (bso#10064).
+ net ads join: Fix segmentation fault in
create_local_private_krb5_conf_for_domain; (bso#10073).
-------------------------------------------------------------------
Mon Aug 5 10:56:56 UTC 2013 - lmuelle@suse.com
- Update to 4.0.8.
+ Samba 3.0.x to 4.0.7 are affected by a denial of service attack on
authenticated or guest connections; CVE-2013-4124; (bnc#829969).
-------------------------------------------------------------------
Mon Jul 22 08:41:07 UTC 2013 - lmuelle@suse.com
- Require krb5 and not the non existing krb5-libs package.
-------------------------------------------------------------------
Wed Jul 17 17:42:23 UTC 2013 - lmuelle@suse.com
- Update to 4.1.0rc1.
+ Directory database replication (AD DC mode)
+ Server-Side Copy Support
+ Btrfs Filesystem Integration
-------------------------------------------------------------------
Fri Jul 12 13:07:11 UTC 2013 - lmuelle@suse.com
- BuildRequire perl ExtUtils::MakeMaker and Parse::Yapp.
- BuildRequire libxslt, libxslt1, or libxslt-tools depending on SUSE version.
- Require perl-base on SUSE systems only.
-------------------------------------------------------------------
Fri Jul 12 10:27:25 UTC 2013 - lmuelle@suse.com
- Adjust group setting of the test-devel subpackage.
- Require perl-base from the pidl subpackage.
-------------------------------------------------------------------
Fri Jul 12 10:11:50 UTC 2013 - lmuelle@suse.com
- Remove libdir/samba/ldb after install if we're building Samba without
Active Directory Domain Controller support.
-------------------------------------------------------------------
Thu Jul 11 21:31:07 UTC 2013 - lmuelle@suse.com
- Remove unused ccache switch from the spec file.
-------------------------------------------------------------------
Thu Jul 11 20:42:23 UTC 2013 - lmuelle@suse.com
- BuildRequire docbook-xsl-stylesheets and libxslt-tools to build the
man pages and add them to the package again.
-------------------------------------------------------------------
Thu Jul 11 16:20:32 UTC 2013 - lmuelle@suse.com
- Build from the package from the top level directory; (bnc#794744).
- BuildRequire pytalloc-devel, python-tdb, and python-tevent.
- Also use out of tree builds of talloc, tdb, tevent, and ldb for pre-12.1
SUSE systems.
-------------------------------------------------------------------
Fri Jul 5 18:48:26 UTC 2013 - lmuelle@suse.com
- Remove the empty data dir from the doc package filelist.
- Explicitly use samba instead of the name macro to define the docbook dir.
-------------------------------------------------------------------
Tue Jul 2 09:49:54 UTC 2013 - lmuelle@suse.com
- Update to 4.0.7.
+ Fix a core dump with invalid lock order while opening/editing
or copying MS files; (bso#9794).
+ Fix crash bug from search of mail=; (bso#9967).
+ s3-rpc_server: Ensure we are root when starting and using gensec;
(bso#9465).
+ Add support for MX queries; (bso#9485).
+ dns: Delete dnsNode objects when they are empty; (bso#9559).
+ dns: Support larger queries when asking forwarder; (bso#9632).
+ s3:lib/server_mutex: Open mutex.tdb with CLEAR_IF_FIRST; (bso#9805).
+ Use of wrong RFC2307 primary group field; (bso#9880).
+ Check for system libtevent; (bso#9881).
+ is_printer_published GUID retrieval; (bso#9900).
+ Doc fixes for 4.0; (bso#9906).
+ Build fixes for 4.0 found during autoconf or debian packaging work;
(bso#9907).
+ build: Add missing new line to replaced python shebang line; (bso#9909).
+ PIE builds not supported; (bso#9910).
+ s4:winbind: Don't leak libnet_context into the main event context;
(bso#9929).
+ Fix a bug of drvupgrade of smbcontrol; (bso#9941).
+ Check for netbios aliases in ad_get_referrals; (bso#9947).
+ Fix tevent_poll on 32-bit machines (Coverity ID 989236); (bso#9953).
+ docs: Avoid mentioning a possibly misleading option; (bso#9964).
+ Fix build with system Heimdal of samba4kgetcred; (bso#9968).
-------------------------------------------------------------------
Mon Jul 1 17:34:32 UTC 2013 - lmuelle@suse.com
- Use SLE as product prefix for SUSE Linux Enterprise, oS for openSUSE, and
OBS for any other operating system to define the vendor string while build.
-------------------------------------------------------------------
Fri Jun 28 16:49:31 UTC 2013 - lmuelle@suse.com
- Remove ldapsmb from the main spec file.
-------------------------------------------------------------------
Wed Jun 26 13:55:13 UTC 2013 - lmuelle@suse.com
- Adjust ldapsmb and nmbstatus man page syntax required by a newer pod2man.
-------------------------------------------------------------------
Tue Jun 25 17:03:49 UTC 2013 - lmuelle@suse.com
- Don't bzip2 the main tar ball, use the upstream gziped one instead.
-------------------------------------------------------------------
Sun Jun 23 05:45:26 UTC 2013 - jengelh@inai.de
- Explicitly BuildRequire cyrus-sasl-devel, libattr-devel, and
libopenssl-devel.
-------------------------------------------------------------------
Wed Jun 5 11:45:41 UTC 2013 - ddiss@suse.com
- Fix libreplace license ambiguity; (bso#8997); (bnc#765270).
-------------------------------------------------------------------
Wed May 22 11:32:46 UTC 2013 - lmuelle@suse.com
- Update to 4.0.6.
+ Fix crash during Win8 sync; (bso#9822).
+ Fix segfault when loging in with wrong password from w2k8r2; (bso#9834).
+ Fix the username map optimization; (bso#9139).
+ Add support for PFC_FLAG_OBJECT_UUID when parsing packets; (bso#9382).
+ SMB2 server doesn't support recvfile; (bso#9412).
+ Fix the build of vfs_notify_fam; (bso#9545).
+ Fix adding case sensitive spn; (bso#9699).
+ Properly handle oplock breaks in compound requests; (bso#9722).
+ Properly handle oplock breaks in compound requests; (bso#9722).
+ Cache name_to_sid/sid_to_name correctly; (bso#9766).
+ Fix 'net ads join' when called via stdin; (bso#9767).
+ Fix segfault for "artificial" conn_structs in vfs_fake_perms; (bso#9775).
+ vfs_dirsort uses non-stackable calls, dirfd(), malloc instead of talloc and
doesn't cope with directories being modified whilst reading; (bso#9777).
+ Fix panic when running 'smbtorture smb.base'; (bso#9782).
+ Use specified python for runtime installation of Samba; (bso#9785).
+ Change '--with-dmapi' to 'default=auto' to match the autoconf build;
(bso#9803).
+ wafsamba: Display the default value in help for SAMBA3_ADD_OPTION;
(bso#9804).
+ wbinfo: Fix segfault in wbinfo_pam_logon; (bso#9807).
+ Package new dbwrap_tool man page; (bso#9809).
+ Old DOS SMB CTEMP request uses a non-VFS function to access
the filesystem; (bso#9811).
+ Fix 'map untrusted to domain' with NTLMv2; (bso#9817).
+ SMB signing and the async echo responder don't work together; (bso#9824).
+ Fix panic in nt_printer_publish_ads; (bso#9830).
+ talloc use after free in winbind4; (bso#9832).
+ Function called in unix_convert() path can overwrite errno; (bso#9833).
+ Fix NULL pointer dereference in Winbind; (bso#9854).
+ Fix making LIBNDR_PREG_OBJ; (bso#9868).
-------------------------------------------------------------------
Fri Apr 26 15:54:50 UTC 2013 - lmuelle@suse.com
- Remove disabled and anyhow obsoleted net-report and net_rpc_migrate patches.
-------------------------------------------------------------------
Tue Apr 9 10:07:28 UTC 2013 - lmuelle@suse.com
- Update to 4.0.5.
+ Fix large reads/writes from some Linux clients; (bso#9706).
+ Add 'samba-tool dbcheck --reset-well-known-acls'; (bso#9740).
+ Can't delegate adding computers to domain; (bso#9267).
+ Fix GNU ld version detection with old gcc releases; (bso#7825).
+ Never try to map global SAM name; (bso#9039).
+ Certain xattrs cause Windows error 0x800700FF; (bso#9130).
+ Samba returns unexpected error on SMB posix open; (bso#9519).
+ Fix build on AIX; (bso#9557).
+ libnss-winbindd does not provide pass struct for groups mapped with
ID_TYPE_BOTH and vice versa; (bso#9617).
+ Reauth-capable client fails to access shares on Windows member; (bso#9625).
+ PIDL: Fix parsing linemarkers in preprocessor output; (bso#9636).
+ Rename internal subsystem pdb_ldap to pdb_ldapsam; (bso#9639).
+ Fix the build of vfs_afsacl; (bso#9642).
+ Fix the build with --fake-kaserver; (bso#9643).
+ Fix compile of source3/lib/afs.c; (bso#9644).
+ Make SMB2_GETINFO multi-volume aware; (bso#9646).
+ idmap_autorid: Fix freeing of non-talloced memory; (bso#9653).
+ Work around FreeBSD's getaddrinfo() underscore issue; (bso#9656).
+ 'make test' hangs; (bso#9663).
+ Fix correct linking of libreplace with cmdline-credentials; (bso#9664).
+ Fix filtering of link-local addresses; (bso#9666).
+ Fix crash in 'net rpc join' against a Samba 3.0.33 PDC; (bso#9669).
+ Samba denies owner Read Control when there is a DENY entry while W2K08
does not; (bso#9674).
+ Fix several resource (fd) leaks; (bso#9683).
+ Fix a memory leak in spoolss rpc server; (bso#9685).
+ Fix a possible buffer overrun in pdb_smbpasswd; (bso#9686).
+ Fix several possible null pointer dereferences; (bso#9687).
+ Make sure that domain joins work correctly when the DC disallows NTLM
auth; (bso#9689).
+ Backport tevent changes to bring library to version 0.9.18; (bso#9695).
+ Remove incomplete samba_dnsupdate IPv6 link-local address check;
(bso#9696).
+ DsReplicaGetInfo fails due to sendto() EMSGSIZE error on UNIX
domain socket; (bso#9697).
+ Fix vfs_catia and update documentation; (bso#9701); (bnc#824833).
+ Fix build on solaris8: Do not force a specific perl on pod2man; (bso#9703).
+ Fix nss_winbind name on FreeBSD; (bso#9704).
+ s4:winbindd: Do not drop the workgroup name in the getgrnam, getgrent and
getgrgid calls; (bso#9711).
+ Set LD_LIBRARY_PATH in install_with_python.sh; (bso#9717).
+ s4-idmap: Remove requirement that posixAccount or posixGroup be set for
rfc2307; (bso#9718).
+ Allow forcing an override of an old @MODULES record; (bso#9719).
+ Do not print the admin password during 'samba-tool classicupgrade';
(bso#9720).
+ Make samba_upgradedns more robust (do not guess addresses when just
changing roles); (bso#9721).
+ Add a tool to migrate latin1 printing tdbs to registry; (bso#9723).
+ is_encrypted_packet() function incorrectly used inside server; (bso#9724).
+ upgradeprovision and 'samba-tool dbcheck' patches for 4.0.NEXT; (bso#9725).
+ Fix NULL pointer dereference; (bso#9727).
+ DO NOT install samba_upgradeprovision in 4.0.x; (bso#9728).
+ Fix 'smbcontrol close-share'; (bso#9733).
+ Fix Winbind separator in upn to username conversion; (bso#9735).
+ Change to smbd/dir.c code gives significant performance increases on large
directory listings; (bso#9736).
+ PIDL: Build fixes for hosts without CPP (Solaris 11); (bso#9739).
+ Make sure that we only propogate the INHERITED flag when we are allowed
to; (bso#9747).
+ Remove unneeded fstat system call from hot read path; (bso#9748).
+ Don't leak the epm_Map policy handle; (bso#9758).
+ Fix incorrect parsing of SMB2 command codes; (bso#9760).
- Update to 4.0.4.
+ Remove forced set of 'create mask' to 0777; CVE-2013-1863; (bnc#809624).
-------------------------------------------------------------------
Thu Mar 14 14:40:51 UTC 2013 - ddiss@suse.com
- Fix periodic printcap cache reloads; (bso#9650); (bnc#807334).
-------------------------------------------------------------------
Tue Feb 26 13:03:46 UTC 2013 - lmuelle@suse.com
- No longer use the cifs- or smbfstab named configuration file on post-12.2
systems; (bnc#804822); (bnc#821889).
<