Accepting request 1043954 from home:scabrero:branches:network:samba:STABLE

- Update to 4.17.4
   * CVE-2022-44640 Upstream Heimdal free of user-controlled
     pointer in FAST; (bsc#14929);
   * CVE-2021-20251 Bad password count not incremented atomically;
     (bsc#14611);
   * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
     (bsc#15203);
   * CVE-2022-37966 rc4-hmac Kerberos session keys issued to
     modern servers; (bso#15237);
   * CVE-2022-37967 Kerberos constrained delegation ticket forgery
     possible against Samba AD DC; (bso#15231);
   * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
     and should be avoided; (bso#15240);
   * pam_winbind uses time_t and pointers assuming they are of the
     same size; (bso#15224);
   * Heimdal session key selection in AS-REQ examines wrong entry;
     (bso#15219);
   * filter-subunit is inefficient with large numbers of
     knownfails; (bso#15258);
   * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
     (bso#15252);
   * The KDC logic arround msDs-supportedEncryptionTypes differs
     from Windows; (bso#13135);
   * libnet: change_password() doesn't work with
     dcerpc_samr_ChangePasswordUser4(); (bso#15206);
   * Heimdal session key selection in AS-REQ examines wrong entry;
     (bso#15219);
   * Memory leak in snprintf replacement functions; (bso#15230);
   * RODC doesn't reset badPwdCount reliable via an RWDC
     (CVE-2021-20251 regression); (bso#15253);

OBS-URL: https://build.opensuse.org/request/show/1043954
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=674
This commit is contained in:
Noel Power 2022-12-21 09:46:36 +00:00 committed by Git OBS Bridge
parent 4ebecf5ac8
commit 15e4a66aab
4 changed files with 67 additions and 36 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fb1c21abf0553f6cad87f38e1fb63a1d2f55ae41641358806d7714d74d9adfd5
size 34240839

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:651d971d759a6d7f82e05d82d4aa5797ef3aac49f70b3e697bfe23c6301f12a5
size 34349253

View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.4
* CVE-2022-44640 Upstream Heimdal free of user-controlled
pointer in FAST; (bsc#14929);
* CVE-2021-20251 Bad password count not incremented atomically;
(bsc#14611);
* CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
(bsc#15203);
* CVE-2022-37966 rc4-hmac Kerberos session keys issued to
modern servers; (bso#15237);
* CVE-2022-37967 Kerberos constrained delegation ticket forgery
possible against Samba AD DC; (bso#15231);
* CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
and should be avoided; (bso#15240);
* pam_winbind uses time_t and pointers assuming they are of the
same size; (bso#15224);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* filter-subunit is inefficient with large numbers of
knownfails; (bso#15258);
* smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
(bso#15252);
* The KDC logic arround msDs-supportedEncryptionTypes differs
from Windows; (bso#13135);
* libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4(); (bso#15206);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* Memory leak in snprintf replacement functions; (bso#15230);
* RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression); (bso#15253);
* Prevent EBADF errors with vfs_glusterfs; (bso#15198);
* %U for include directive doesn't work for share listing
(netshareenum); (bso#15243);
* Stack smashing in net offlinejoin requestodj; (bso#15257);
* Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
(bso#15197);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
- Remove deprecated if-{down,up} scripts; (bsc#1206444);
- Adjust the systemd drop-in file for named service; (bsc#1201689);
* Paths are additive so do not repeat paths from named.service
* Prefix the samba DLZ directory with "-" to ignore this path
if it does not exists
-------------------------------------------------------------------
Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
- Migration PAM settings to /usr/etc: Saving user changed
configuration files in /etc and restoring them while an RPM
update.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com> Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
@ -6,8 +60,9 @@ Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de> Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit - Update to 4.17.3
systems; (bsc#1205126); (bso#15203); * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
systems; (bsc#1205126); (bso#15203);
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de> Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>

View File

@ -22,7 +22,11 @@
%{!?_fillupdir:%global _fillupdir /var/adm/fillup-templates} %{!?_fillupdir:%global _fillupdir /var/adm/fillup-templates}
%{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d} %{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d}
%{!?_pam_moduledir:%global _pam_moduledir /%{_lib}/security} %{!?_pam_moduledir:%global _pam_moduledir /%{_lib}/security}
%if 0%{?suse_version} > 1500
%global _pam_confdir %{_distconfdir}/pam.d
%else
%{!?_pam_confdir:%global _pam_confdir %{_sysconfdir}/pam.d} %{!?_pam_confdir:%global _pam_confdir %{_sysconfdir}/pam.d}
%endif
%{!?_pam_secconfdir:%global _pam_secconfdir %{_sysconfdir}/security} %{!?_pam_secconfdir:%global _pam_secconfdir %{_sysconfdir}/security}
%define with_mscat 1 %define with_mscat 1
@ -148,7 +152,7 @@ BuildRequires: liburing-devel
%endif %endif
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
Version: 4.17.3+git.283.2157972742b Version: 4.17.4+git.300.305b22bfce
Release: 0 Release: 0
URL: https://www.samba.org/ URL: https://www.samba.org/
Obsoletes: samba-32bit < %{version} Obsoletes: samba-32bit < %{version}
@ -181,7 +185,6 @@ Provides: group(ntadmin)
%define CONFIGDIR %{_sysconfdir}/samba %define CONFIGDIR %{_sysconfdir}/samba
%define INITDIR %{_sysconfdir}/init.d %define INITDIR %{_sysconfdir}/init.d
%define PIDDIR /run/samba %define PIDDIR /run/samba
%define NET_CFGDIR network
%define auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4 %define auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
%define idmap_modules idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_rfc2307,idmap_rid,idmap_tdb2 %define idmap_modules idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_rfc2307,idmap_rid,idmap_tdb2
%define pdb_modules pdb_tdbsam,pdb_ldapsam,pdb_smbpasswd,pdb_samba_dsdb %define pdb_modules pdb_tdbsam,pdb_ldapsam,pdb_smbpasswd,pdb_samba_dsdb
@ -711,7 +714,6 @@ install -d -m 0755 -p \
%{buildroot}/%_pam_confdir \ %{buildroot}/%_pam_confdir \
%{buildroot}/%{_sysconfdir}/{xinetd.d,logrotate.d} \ %{buildroot}/%{_sysconfdir}/{xinetd.d,logrotate.d} \
%{buildroot}/%{_sysconfdir}/openldap/schema \ %{buildroot}/%{_sysconfdir}/openldap/schema \
%{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/{if-{down,up}.d,scripts} \
%{buildroot}/%{_sysconfdir}/security \ %{buildroot}/%{_sysconfdir}/security \
%{buildroot}/%{_sysconfdir}/slp.reg.d \ %{buildroot}/%{_sysconfdir}/slp.reg.d \
%{buildroot}/%{CONFIGDIR} \ %{buildroot}/%{CONFIGDIR} \
@ -826,18 +828,6 @@ install -m 0644 config/samba.pamd-common %{buildroot}/%_pam_confdir/samba
install -m 0644 config/dhcp.conf %{buildroot}/%{_fillupdir}/samba-client-dhcp.conf install -m 0644 config/dhcp.conf %{buildroot}/%{_fillupdir}/samba-client-dhcp.conf
install -m 0644 config/sysconfig.dhcp-samba-client %{buildroot}/%{_fillupdir}/sysconfig.dhcp-samba-client install -m 0644 config/sysconfig.dhcp-samba-client %{buildroot}/%{_fillupdir}/sysconfig.dhcp-samba-client
# Network scripts
NETWORK_SCRIPTS="samba-winbindd"
for script in ${NETWORK_SCRIPTS}; do
install -m 0755 "tools/${script}" "%{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/${script}"
done
# Create ghosts for the symlinks
NETWORK_LINKS="55-samba-winbindd"
for script in ${NETWORK_LINKS}; do
touch %{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-{down,up}.d/${script}
done
# Add logrotate settings for nmbd and smbd only on systems newer than 8.1. # Add logrotate settings for nmbd and smbd only on systems newer than 8.1.
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_distconfdir}/logrotate.d mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
@ -937,7 +927,7 @@ install -m 0644 examples/LDAP/samba-nds.schema %{buildroot}/%{_datadir}/samba/LD
%service_add_pre nmb.service smb.service %service_add_pre nmb.service smb.service
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/samba ; do for i in logrotate.d/samba pam.d/samba; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done done
%endif %endif
@ -945,7 +935,7 @@ done
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
%posttrans %posttrans
# Migration to /usr/etc, restore just created .rpmsave # Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/samba ; do for i in logrotate.d/samba pam.d/samba; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done done
%endif %endif
@ -1058,17 +1048,6 @@ done
%post winbind %post winbind
/sbin/ldconfig /sbin/ldconfig
if test ${1:-0} -eq 1; then
ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd
ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd
else
for if_case in if-down.d if-up.d; do
test -h %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd || \
continue
rm -f %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd
ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/55-samba-winbindd
done
fi
%service_add_post winbind.service %service_add_post winbind.service
%tmpfiles_create samba.conf %tmpfiles_create samba.conf
%{fillup_only -ans samba winbind} %{fillup_only -ans samba winbind}
@ -1618,9 +1597,6 @@ exit 0
%defattr(-,root,root) %defattr(-,root,root)
%config(noreplace) %_pam_secconfdir/pam_winbind.conf %config(noreplace) %_pam_secconfdir/pam_winbind.conf
%{_unitdir}/winbind.service %{_unitdir}/winbind.service
%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd
%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd
%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd
%{_sysusersdir}/samba-winbind.conf %{_sysusersdir}/samba-winbind.conf
%{_bindir}/ntlm_auth %{_bindir}/ntlm_auth
%{_bindir}/wbinfo %{_bindir}/wbinfo