Accepting request 1043954 from home:scabrero:branches:network:samba:STABLE

- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); OBS-URL: https://build.opensuse.org/request/show/1043954 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=674
2022-12-21 09:46:36 +00:00 · 2022-12-21 09:46:36 +00:00 · 15e4a66aab
commit 15e4a66aab
parent 4ebecf5ac8
4 changed files with 67 additions and 36 deletions
--- a/samba-4.17.3+git.283.2157972742b.tar.bz2
+++ b/samba-4.17.3+git.283.2157972742b.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fb1c21abf0553f6cad87f38e1fb63a1d2f55ae41641358806d7714d74d9adfd5
-size 34240839
--- a/samba-4.17.4+git.300.305b22bfce.tar.bz2
+++ b/samba-4.17.4+git.300.305b22bfce.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:651d971d759a6d7f82e05d82d4aa5797ef3aac49f70b3e697bfe23c6301f12a5
+size 34349253
--- a/samba.changes
+++ b/samba.changes
@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
+
+- Update to 4.17.4
+   * CVE-2022-44640 Upstream Heimdal free of user-controlled
+     pointer in FAST; (bsc#14929);
+   * CVE-2021-20251 Bad password count not incremented atomically;
+     (bsc#14611);
+   * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
+     (bsc#15203);
+   * CVE-2022-37966 rc4-hmac Kerberos session keys issued to
+     modern servers; (bso#15237);
+   * CVE-2022-37967 Kerberos constrained delegation ticket forgery
+     possible against Samba AD DC; (bso#15231);
+   * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
+     and should be avoided; (bso#15240);
+   * pam_winbind uses time_t and pointers assuming they are of the
+     same size; (bso#15224);
+   * Heimdal session key selection in AS-REQ examines wrong entry;
+     (bso#15219);
+   * filter-subunit is inefficient with large numbers of
+     knownfails; (bso#15258);
+   * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
+     (bso#15252);
+   * The KDC logic arround msDs-supportedEncryptionTypes differs
+     from Windows; (bso#13135);
+   * libnet: change_password() doesn't work with
+     dcerpc_samr_ChangePasswordUser4(); (bso#15206);
+   * Heimdal session key selection in AS-REQ examines wrong entry;
+     (bso#15219);
+   * Memory leak in snprintf replacement functions; (bso#15230);
+   * RODC doesn't reset badPwdCount reliable via an RWDC
+     (CVE-2021-20251 regression); (bso#15253);
+   * Prevent EBADF errors with vfs_glusterfs; (bso#15198);
+   * %U for include directive doesn't work for share listing
+     (netshareenum); (bso#15243);
+   * Stack smashing in net offlinejoin requestodj; (bso#15257);
+   * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
+     (bso#15197);
+   * Heimdal session key selection in AS-REQ examines wrong entry;
+     (bso#15219);
+- Remove deprecated if-{down,up} scripts; (bsc#1206444);
+- Adjust the systemd drop-in file for named service; (bsc#1201689);
+  * Paths are additive so do not repeat paths from named.service
+  * Prefix the samba DLZ directory with "-" to ignore this path
+    if it does not exists
+
+-------------------------------------------------------------------
+Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
+
+- Migration PAM settings to /usr/etc: Saving user changed
+  configuration files in /etc and restoring them while an RPM
+  update.
+
 -------------------------------------------------------------------
 Thu Dec  1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>

@ -6,8 +60,9 @@ Thu Dec  1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
 -------------------------------------------------------------------
 Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>

- CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
-  systems; (bsc#1205126); (bso#15203);
+- Update to 4.17.3
+  * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
+    systems; (bsc#1205126); (bso#15203);

 -------------------------------------------------------------------
 Tue Nov  8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>
--- a/samba.spec
+++ b/samba.spec
@ -22,7 +22,11 @@
 %{!?_fillupdir:%global _fillupdir /var/adm/fillup-templates}
 %{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d}
 %{!?_pam_moduledir:%global _pam_moduledir /%{_lib}/security}
+%if 0%{?suse_version} > 1500
+%global _pam_confdir %{_distconfdir}/pam.d
+%else
 %{!?_pam_confdir:%global _pam_confdir %{_sysconfdir}/pam.d}
+%endif
 %{!?_pam_secconfdir:%global _pam_secconfdir %{_sysconfdir}/security}

 %define with_mscat 1
@ -148,7 +152,7 @@ BuildRequires:  liburing-devel
 %endif
 BuildRequires:  sysuser-tools

-Version:        4.17.3+git.283.2157972742b
+Version:        4.17.4+git.300.305b22bfce
 Release:        0
 URL:            https://www.samba.org/
 Obsoletes:      samba-32bit < %{version}
@ -181,7 +185,6 @@ Provides:       group(ntadmin)
 %define	CONFIGDIR %{_sysconfdir}/samba
 %define	INITDIR %{_sysconfdir}/init.d
 %define	PIDDIR /run/samba
-%define	NET_CFGDIR network
 %define	auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
 %define	idmap_modules idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_rfc2307,idmap_rid,idmap_tdb2
 %define	pdb_modules pdb_tdbsam,pdb_ldapsam,pdb_smbpasswd,pdb_samba_dsdb
@ -711,7 +714,6 @@ install -d -m 0755 -p \
 	%{buildroot}/%_pam_confdir \
 	%{buildroot}/%{_sysconfdir}/{xinetd.d,logrotate.d} \
 	%{buildroot}/%{_sysconfdir}/openldap/schema \
-	%{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/{if-{down,up}.d,scripts} \
 	%{buildroot}/%{_sysconfdir}/security \
 	%{buildroot}/%{_sysconfdir}/slp.reg.d \
 	%{buildroot}/%{CONFIGDIR} \
@ -826,18 +828,6 @@ install -m 0644 config/samba.pamd-common %{buildroot}/%_pam_confdir/samba
 install -m 0644 config/dhcp.conf %{buildroot}/%{_fillupdir}/samba-client-dhcp.conf
 install -m 0644 config/sysconfig.dhcp-samba-client %{buildroot}/%{_fillupdir}/sysconfig.dhcp-samba-client

-# Network scripts
-NETWORK_SCRIPTS="samba-winbindd"
-for script in ${NETWORK_SCRIPTS}; do
-	install -m 0755 "tools/${script}" "%{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/${script}"
-done
-
-# Create ghosts for the symlinks
-NETWORK_LINKS="55-samba-winbindd"
-for script in ${NETWORK_LINKS}; do
-	touch %{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-{down,up}.d/${script}
-done
-
 # Add logrotate settings for nmbd and smbd only on systems newer than 8.1.
 %if 0%{?suse_version} > 1500
 mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
@ -937,7 +927,7 @@ install -m 0644 examples/LDAP/samba-nds.schema %{buildroot}/%{_datadir}/samba/LD
 %service_add_pre nmb.service smb.service
 %if 0%{?suse_version} > 1500
 # Prepare for migration to /usr/etc; save any old .rpmsave
-for i in logrotate.d/samba ; do
+for i in logrotate.d/samba pam.d/samba; do
   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %endif
@ -945,7 +935,7 @@ done
 %if 0%{?suse_version} > 1500
 %posttrans
 # Migration to /usr/etc, restore just created .rpmsave
-for i in logrotate.d/samba ; do
+for i in logrotate.d/samba pam.d/samba; do
   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
@ -1058,17 +1048,6 @@ done

 %post winbind
 /sbin/ldconfig
-if test ${1:-0} -eq 1; then
-	ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd
-	ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd
-else
-	for if_case in if-down.d if-up.d; do
-		test -h %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd || \
-			continue
-		rm -f %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd
-		ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/55-samba-winbindd
-	done
-fi
 %service_add_post winbind.service
 %tmpfiles_create samba.conf
 %{fillup_only -ans samba winbind}
@ -1618,9 +1597,6 @@ exit 0
 %defattr(-,root,root)
 %config(noreplace) %_pam_secconfdir/pam_winbind.conf
 %{_unitdir}/winbind.service
-%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd
-%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd
-%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd
 %{_sysusersdir}/samba-winbind.conf
 %{_bindir}/ntlm_auth
 %{_bindir}/wbinfo