diff --git a/samba-4.17.3+git.283.2157972742b.tar.bz2 b/samba-4.17.3+git.283.2157972742b.tar.bz2 deleted file mode 100644 index 8dd28cb..0000000 --- a/samba-4.17.3+git.283.2157972742b.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fb1c21abf0553f6cad87f38e1fb63a1d2f55ae41641358806d7714d74d9adfd5 -size 34240839 diff --git a/samba-4.17.4+git.300.305b22bfce.tar.bz2 b/samba-4.17.4+git.300.305b22bfce.tar.bz2 new file mode 100644 index 0000000..e931bc1 --- /dev/null +++ b/samba-4.17.4+git.300.305b22bfce.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:651d971d759a6d7f82e05d82d4aa5797ef3aac49f70b3e697bfe23c6301f12a5 +size 34349253 diff --git a/samba.changes b/samba.changes index 29c9555..d109f2e 100644 --- a/samba.changes +++ b/samba.changes @@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero + +- Update to 4.17.4 + * CVE-2022-44640 Upstream Heimdal free of user-controlled + pointer in FAST; (bsc#14929); + * CVE-2021-20251 Bad password count not incremented atomically; + (bsc#14611); + * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; + (bsc#15203); + * CVE-2022-37966 rc4-hmac Kerberos session keys issued to + modern servers; (bso#15237); + * CVE-2022-37967 Kerberos constrained delegation ticket forgery + possible against Samba AD DC; (bso#15231); + * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak + and should be avoided; (bso#15240); + * pam_winbind uses time_t and pointers assuming they are of the + same size; (bso#15224); + * Heimdal session key selection in AS-REQ examines wrong entry; + (bso#15219); + * filter-subunit is inefficient with large numbers of + knownfails; (bso#15258); + * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; + (bso#15252); + * The KDC logic arround msDs-supportedEncryptionTypes differs + from Windows; (bso#13135); + * libnet: change_password() doesn't work with + dcerpc_samr_ChangePasswordUser4(); (bso#15206); + * Heimdal session key selection in AS-REQ examines wrong entry; + (bso#15219); + * Memory leak in snprintf replacement functions; (bso#15230); + * RODC doesn't reset badPwdCount reliable via an RWDC + (CVE-2021-20251 regression); (bso#15253); + * Prevent EBADF errors with vfs_glusterfs; (bso#15198); + * %U for include directive doesn't work for share listing + (netshareenum); (bso#15243); + * Stack smashing in net offlinejoin requestodj; (bso#15257); + * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; + (bso#15197); + * Heimdal session key selection in AS-REQ examines wrong entry; + (bso#15219); +- Remove deprecated if-{down,up} scripts; (bsc#1206444); +- Adjust the systemd drop-in file for named service; (bsc#1201689); + * Paths are additive so do not repeat paths from named.service + * Prefix the samba DLZ directory with "-" to ignore this path + if it does not exists + +------------------------------------------------------------------- +Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert + +- Migration PAM settings to /usr/etc: Saving user changed + configuration files in /etc and restoring them while an RPM + update. + ------------------------------------------------------------------- Thu Dec 1 16:43:05 UTC 2022 - David Mulder @@ -6,8 +60,9 @@ Thu Dec 1 16:43:05 UTC 2022 - David Mulder ------------------------------------------------------------------- Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero -- CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit - systems; (bsc#1205126); (bso#15203); +- Update to 4.17.3 + * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit + systems; (bsc#1205126); (bso#15203); ------------------------------------------------------------------- Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner diff --git a/samba.spec b/samba.spec index 3dadd55..f6531bb 100644 --- a/samba.spec +++ b/samba.spec @@ -22,7 +22,11 @@ %{!?_fillupdir:%global _fillupdir /var/adm/fillup-templates} %{!?_tmpfilesdir:%global _tmpfilesdir /usr/lib/tmpfiles.d} %{!?_pam_moduledir:%global _pam_moduledir /%{_lib}/security} +%if 0%{?suse_version} > 1500 +%global _pam_confdir %{_distconfdir}/pam.d +%else %{!?_pam_confdir:%global _pam_confdir %{_sysconfdir}/pam.d} +%endif %{!?_pam_secconfdir:%global _pam_secconfdir %{_sysconfdir}/security} %define with_mscat 1 @@ -148,7 +152,7 @@ BuildRequires: liburing-devel %endif BuildRequires: sysuser-tools -Version: 4.17.3+git.283.2157972742b +Version: 4.17.4+git.300.305b22bfce Release: 0 URL: https://www.samba.org/ Obsoletes: samba-32bit < %{version} @@ -181,7 +185,6 @@ Provides: group(ntadmin) %define CONFIGDIR %{_sysconfdir}/samba %define INITDIR %{_sysconfdir}/init.d %define PIDDIR /run/samba -%define NET_CFGDIR network %define auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4 %define idmap_modules idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_rfc2307,idmap_rid,idmap_tdb2 %define pdb_modules pdb_tdbsam,pdb_ldapsam,pdb_smbpasswd,pdb_samba_dsdb @@ -711,7 +714,6 @@ install -d -m 0755 -p \ %{buildroot}/%_pam_confdir \ %{buildroot}/%{_sysconfdir}/{xinetd.d,logrotate.d} \ %{buildroot}/%{_sysconfdir}/openldap/schema \ - %{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/{if-{down,up}.d,scripts} \ %{buildroot}/%{_sysconfdir}/security \ %{buildroot}/%{_sysconfdir}/slp.reg.d \ %{buildroot}/%{CONFIGDIR} \ @@ -826,18 +828,6 @@ install -m 0644 config/samba.pamd-common %{buildroot}/%_pam_confdir/samba install -m 0644 config/dhcp.conf %{buildroot}/%{_fillupdir}/samba-client-dhcp.conf install -m 0644 config/sysconfig.dhcp-samba-client %{buildroot}/%{_fillupdir}/sysconfig.dhcp-samba-client -# Network scripts -NETWORK_SCRIPTS="samba-winbindd" -for script in ${NETWORK_SCRIPTS}; do - install -m 0755 "tools/${script}" "%{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/${script}" -done - -# Create ghosts for the symlinks -NETWORK_LINKS="55-samba-winbindd" -for script in ${NETWORK_LINKS}; do - touch %{buildroot}/%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-{down,up}.d/${script} -done - # Add logrotate settings for nmbd and smbd only on systems newer than 8.1. %if 0%{?suse_version} > 1500 mkdir -p %{buildroot}%{_distconfdir}/logrotate.d @@ -937,7 +927,7 @@ install -m 0644 examples/LDAP/samba-nds.schema %{buildroot}/%{_datadir}/samba/LD %service_add_pre nmb.service smb.service %if 0%{?suse_version} > 1500 # Prepare for migration to /usr/etc; save any old .rpmsave -for i in logrotate.d/samba ; do +for i in logrotate.d/samba pam.d/samba; do test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: done %endif @@ -945,7 +935,7 @@ done %if 0%{?suse_version} > 1500 %posttrans # Migration to /usr/etc, restore just created .rpmsave -for i in logrotate.d/samba ; do +for i in logrotate.d/samba pam.d/samba; do test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: done %endif @@ -1058,17 +1048,6 @@ done %post winbind /sbin/ldconfig -if test ${1:-0} -eq 1; then - ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd - ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd -else - for if_case in if-down.d if-up.d; do - test -h %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd || \ - continue - rm -f %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/samba-winbindd - ln -fs %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/${if_case}/55-samba-winbindd - done -fi %service_add_post winbind.service %tmpfiles_create samba.conf %{fillup_only -ans samba winbind} @@ -1618,9 +1597,6 @@ exit 0 %defattr(-,root,root) %config(noreplace) %_pam_secconfdir/pam_winbind.conf %{_unitdir}/winbind.service -%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-down.d/55-samba-winbindd -%ghost %{_sysconfdir}/sysconfig/%{NET_CFGDIR}/if-up.d/55-samba-winbindd -%{_sysconfdir}/sysconfig/%{NET_CFGDIR}/scripts/samba-winbindd %{_sysusersdir}/samba-winbind.conf %{_bindir}/ntlm_auth %{_bindir}/wbinfo