diff --git a/samba-4.10.2+git.94.31fb5e37171.tar.bz2 b/samba-4.10.2+git.94.31fb5e37171.tar.bz2 deleted file mode 100644 index 2e994a4..0000000 --- a/samba-4.10.2+git.94.31fb5e37171.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2c1a39f2dc3c7ccb1030d2a246077b2569b607f9babf6de05c4e5eb8c22975f0 -size 24797292 diff --git a/samba-4.10.5+git.105.2bd98587873.tar.bz2 b/samba-4.10.5+git.105.2bd98587873.tar.bz2 new file mode 100644 index 0000000..e4f8d3c --- /dev/null +++ b/samba-4.10.5+git.105.2bd98587873.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:381473531074f9c49f0f5726aa01ae29aa94c09ca36e574694ee800ea498147e +size 24835880 diff --git a/samba.changes b/samba.changes index 3f50ff5..66d9d08 100644 --- a/samba.changes +++ b/samba.changes @@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Wed Jun 19 09:20:12 UTC 2019 - Noel Power + +- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found + in DnssrvOperation2; (bso#13922); (bsc#1137815). + + CVE-2019-12436 dsdb/paged_results: Ignore successful results + without messages; (bso#13951); (bsc#1137816). +- Update to samba-4.10.4 + + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + + py/provision: Fix for Python 2.6; (bso#13882). + + netcmd: Fix 'passwordsettings --max-pwd-age' command; + (bso#13873). + + s3-libnet_join: 'net ads join' to child domain fails when + using "-U admin@forestroot"; (bso#13861). + + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; + (bso#13896); (bsc#1130245). + + vfs_ceph: Fix cephwrap_flistxattr() debug message; + (bso#13940); (bsc#1134697). + + ctdb-common: Avoid race between fd and signal events; + (bso#13895). + + ctdb-common: Fix memory leak in run_proc; (bso#13943). + + lib: Initialize getline() arguments; (bso#13892). + + winbind: Fix overlapping id ranges; (bco#13903). + + lib util debug: Increase format buffer to 4KiB; (bso#13902). + + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + + s4 lib socket: Ensure address string owned by parent struct; + (bso#13929). + + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + + s3:smbd: Handle IO_REPARSE_TAG_DFS in + SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; + (bso#12845). + + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + + smb2_sesssetup: avoid STATUS_PENDING responses for session + setup; (bso#13796). + + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + + vfs_default: Fix vfswrap_offload_write_send() + NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + + smb2_server: Grant all 8192 credits to clients; (bso#13863). + + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; + (bso#13919). + + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + + s3: modules: ceph: Use current working directory instead of + share path; (bso#13918); (bsc#1134452). + + winbind: Use domain name from lsa query for sid_to_name cache + entry; (bso#13831). + + memcache: Increase size of default memcache to 512k; + (bso#13865). + + docs: Update smbclient manpage for "--max-protocol"; + (bso#13857). + + s3:utils: If share is NULL in smbcacls, don't print it; + (bso#13937). + + s3:smbspool: Fix regression printing with Kerberos credentials; + (bso#13939). + + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, + which is incompatible with systemd; (bso#13860). + + ctdb-daemon: Revert "We can not assume that just because we + could complete a TCP handshake"; (bso#13888). + + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + + ctdb-common: Fix memory leak; (bso#13943). + + s3:debug: Enable logging for early startup failures; + (bso#13904) + +- Update to samba-4.10.3 + + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed + checksum; (bso#13685); (bsc#1134024). + ------------------------------------------------------------------- Tue May 14 14:22:11 UTC 2019 - David Disseldorp @@ -92,6 +162,12 @@ Sun Apr 14 22:31:32 UTC 2019 - David Disseldorp - Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). +------------------------------------------------------------------- +Tue Apr 2 08:38:28 UTC 2019 - npower + +- CVE-2019-3880: Save registry file outside share as unprivileged + user; (bso#13851); (bsc#1131060 ). + ------------------------------------------------------------------- Wed Mar 27 18:47:07 UTC 2019 - David Mulder @@ -182,6 +258,14 @@ Thu Feb 7 00:27:42 UTC 2019 - ddiss@suse.com - Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223); +------------------------------------------------------------------- +Mon Feb 4 12:38:55 UTC 2019 - Samuel Cabrero + +- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit(); + (bso#13173); (bsc#1123755); +- s3:winbind: Fix regression introduced with bso #12851; + (bso#12851); (bsc#1123755); + ------------------------------------------------------------------- Tue Jan 8 11:38:40 UTC 2019 - nopower@suse.com @@ -207,6 +291,12 @@ Tue Jan 8 11:38:40 UTC 2019 - nopower@suse.com exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498). +------------------------------------------------------------------- +Thu Dec 20 15:15:54 UTC 2018 - David Mulder + +- s3:passdb: Do not return OK if we don't have pinfo set up; + (bsc#1099590); (bso#13376); + ------------------------------------------------------------------- Thu Dec 6 20:55:23 UTC 2018 - Jan Engelhardt @@ -243,6 +333,12 @@ Mon Nov 19 12:28:56 UTC 2018 - Samuel Cabrero + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323); +------------------------------------------------------------------- +Thu Nov 8 17:53:14 UTC 2018 - Samuel Cabrero + +- s3: winbind: Remove fstring from wb_acct_info struct; (bsc#1114459); +- Use foreground execution mode for systemd samba daemons; (bsc#1112223); + ------------------------------------------------------------------- Thu Nov 8 15:06:37 UTC 2018 - Samuel Cabrero @@ -300,6 +396,13 @@ Fri Oct 12 14:58:08 UTC 2018 - dmulder@suse.com + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method +------------------------------------------------------------------- +Mon Oct 8 08:36:43 UTC 2018 - Samuel Cabrero + +- Update to 4.6.16; (bsc#1110943); + + CVE-2018-10919: Fix unauthorized attribute access via searches; + (bso#13434); + ------------------------------------------------------------------- Wed Sep 26 22:45:40 UTC 2018 - jmcdonough@suse.com @@ -412,6 +515,14 @@ Tue Aug 21 13:39:49 UTC 2018 - dmulder@suse.com + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562); +------------------------------------------------------------------- +Mon Aug 20 21:25:27 UTC 2018 - ddiss@suse.com + +- Update to 4.6.15 + + Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230); + + Allow idmap_rid to have primary group other than "Domain Users"; + (bsc#1087931). + ------------------------------------------------------------------- Mon Aug 20 15:03:01 MDT 2018 - dmulder@suse.com @@ -465,6 +576,20 @@ Tue Aug 14 13:06:03 UTC 2018 - nopower@suse.com + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480). +------------------------------------------------------------------- +Wed Aug 1 14:57:51 UTC 2018 - scabrero@suse.de + +- CVE-2018-10858: Insufficient input validation on client directory + listing in libsmbclient; (bso#13453); (bsc#1103411); +- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid(); + (bso#12851); +- winbind: avoid using fstrcpy in _dual_init_connection; + (bso#13294); (bsc#1087303); +- Fix ntlm authentications with "winbind use default domain = yes"; + (bso#13126); (bsc#1068059); +- net: fix net ads keytab handling; (bso#13166); (bsc#1067700); +- fix vfs_ceph flock stub; (bso#13506). + ------------------------------------------------------------------- Tue May 29 12:08:15 UTC 2018 - scabrero@suse.de @@ -473,6 +598,45 @@ Tue May 29 12:08:15 UTC 2018 - scabrero@suse.de - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099); +------------------------------------------------------------------- +Wed May 23 14:01:16 UTC 2018 - ddiss@suse.com + +- Fix vfs_ceph with "aio read size" or "aio write size" > 0; + (bsc#1093664). + + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425). + + Fix memory leak in vfs_ceph; (bso#13424). + +- Update to 4.6.14 + + winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection; + (bso#13294). + + s3:smb2_server: correctly maintain request counters for compound + requests; (bso#13215). + + s3: smbd: Unix extensions attempts to change wrong field in fchown + call; (bso#13375). + + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338). + + vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async; + (bso#13297). + + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't + support fdopendir(); (bso#13270). + + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we + don't own it here; (bso#13244). + + s3:libsmb: allow -U"\\administrator" to work; (bso#13206). + + CVE-2018-1057: s4:dsdb: fix unprivileged password changes; + (bso#13272); (bsc#1081024). + + s3:smbd: Do not crash if we fail to init the session table; + (bso#13315). + + libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310). + + smbXcli: Add "force_channel_sequence"; (bso#13215). + + smbd: Fix channel sequence number checks for long-running requests; + (bso#13215). + + s3:smb2_server: allow logoff, close, unlock, cancel and echo on + expired sessions; (bso#13197). + + s3:smbd: return the correct error for cancelled SMB2 notifies on + expired sessions; (bso#13197). + + samba: Only use async signal-safe functions in signal handler; + (bso#13240). + + subnet: Avoid a segfault when renaming subnet objects; (bso#13031). + ------------------------------------------------------------------- Wed May 23 09:52:28 UTC 2018 - jmcdonough@suse.com @@ -621,6 +785,36 @@ Tue Mar 13 09:49:44 UTC 2018 - jmcdonough@suse.com + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024). +------------------------------------------------------------------- +Wed Mar 7 11:54:50 UTC 2018 - jmcdonough@suse.com + +- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; + (bso#11343); (bsc#1081741); + +------------------------------------------------------------------- +Tue Mar 6 23:36:51 UTC 2018 - ddiss@suse.com + +- Update to 4.6.13; (bsc#1084191) + + ceph_statx configure time check doesn't work with a non-default + --with-libcephfs path; (bso#13250). + - follow up fix for libceph-common detection; (bso#13277). + + Fail to copy file with empty FinderInfo from Windows client to Samba + share with fruit; (bso#13181). + + vfs_ceph uses a local statvfs() call to determine FS capabilities; + (bso#13208). + + smbd tries to release not leased oplock during oplock II downgrade; + (bso#13193). + + smbd panic when chdir returns error during exit; (bso#13189). + + ctdb_recovery_helper crashes if recovery process times out; (bso#13188). + + POSIX ACL support is broken on hpux and possibly other big-endian OSs; + (bso#13176). + + Kerberos: PKINIT: Can't decode algorithm parameters in + clientPublicValue; (bso#12986). + + g_lock conflict detection broken when processing stale entries.; + (bso#13195). + + The KDC on an RWDC doesn't send error replies in some situations; + (bso#13132). + ------------------------------------------------------------------- Mon Feb 26 22:09:49 UTC 2018 - aaptel@suse.com @@ -720,6 +914,23 @@ Wed Dec 6 17:52:41 UTC 2017 - kukuk@suse.de - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc) +------------------------------------------------------------------- +Thu Nov 30 09:31:53 UTC 2017 - scabrero@suse.com + +- Update to 4.6.11; (bsc#1084191) + + vfs_glusterfs: Fix exporting subdirs with shadow_copy2; (bso#13091); + + s3: smbclient: Ensure we call client_clean_name() before all + operations on remote pathnames; (bso#13093); + + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + + python: use communicate to fix Popen deadlock; (bso#13127); + + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + + tevent: version 0.9.34; (bso#13130); + + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + + smbd: Move check for SMB2 compound request to new function; (bso#13047); + + s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd(); (bso#13100); + + s4:pyparam: Fix resource leaks on error; (bso#13101); + + s3:smbd: Fix delete-on-close after smb2_find; (bso#13118); + ------------------------------------------------------------------- Wed Nov 29 16:59:07 UTC 2017 - david.mulder@suse.com @@ -754,6 +965,14 @@ Wed Nov 15 17:00:50 UTC 2017 - dmulder@suse.com - samba-tool requires samba-python; (bnc#1067771). +------------------------------------------------------------------- +Wed Nov 8 17:21:41 UTC 2017 - scabrero@suse.de + +- CVE-2017-14746: Use-after-free vulnerability; (bso#13041); + (bsc#1060427); +- CVE-2017-15275: Server heap memory information leak; + (bso#13077); (bsc#1063008); + ------------------------------------------------------------------- Tue Nov 7 07:43:54 UTC 2017 - scabrero@suse.com @@ -805,6 +1024,63 @@ Tue Nov 7 07:43:54 UTC 2017 - scabrero@suse.com + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049); +------------------------------------------------------------------- +Fri Oct 27 07:48:17 UTC 2017 - scabrero@suse.de + +- Update to 4.6.9; (bsc#1065066); + + Reverse sense of 'clear all attributes', ignore attribute change in SMB2 + to match SMB1; (bso#12899); + + SMBC_setatr() initially uses an SMB1 call before falling back; + (bso#12913); + + Fix segfault on MacOS 10.12.3 clients caused by SMB_VFS_GET_COMPRESSION; + (bso#13003); + + sys_getwd() can leak memory or possibly return the wrong errno on older + systems; (bso#13069); + + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; + (bso#6133); + + Map SYNCHRONIZE acl permission statically; (bso#7909); + + Honor SEC_STD_WRITE_OWNER bit; (bso#7933); + + Kernel oplocks still have issues with named streams; (bso#12791); + + Handle EACCES when fetching DOS attributes; (bso#12944); + + Missing assignment in sl_pack_float; (bso#12991); + + Fix wrong Samba access checks when changing DOS attributes; (bso#12995); + + Groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + + Enabling vfs_fruit results in loss of Finder tags and other xattrs; + (bso#13076); + + Fix GUID string format on GetPrinter info; (bso#12993); + + Match WS2016 ReFS set compression behaviour; (bso#12144); + + Fix implementation of process_exists control; (bso#13012); + + GET_DB_SEQNUM control can cause ctdb to deadlock when databases are + frozen; (bso#13021); + + Free up record data if a call request is deferred; (bso#13029); + + Initialize ctdb_ltdb_header completely for empty record; (bso#13036); + + CTDB starts consuming memory if there are dead nodes in the cluster; + (bso#13056); + + Ignore event scripts with multiple '.'s; (bso#13070); + + Sort the GPOs in the correct order; (bso#13046); + + 'smbd' uses a lot of CPU on startup of a connection; (bso#12973); + + Fix str[n]casecmp_m() by comparing lower case values; (bso#13018); + + Can't change password in Samba from a windows client if Samba runs on + IPv6 only interface; (bso#13079); + + Fix file change notification for renames; (bso#12903); + + Avoid a socket leak after fork; (bso#13006); + + Fix a potential memleak; (bso#13090); + + Fix passing of errno from async calls; (bso#12983); + + Fix segfault when running with log level 10; (bso#13032); + + Do not report an invalid range for AD DC role; (bso#12629); + + Print the kinit failed message with DBGLVL_NOTICE; (bso#12704); + + Fix changing passwords with Kerberos; (bso#12956); + + Fix changing the password with 'smbpasswd' as a local user on a domain + member; (bso#12975); + + Fix a read after free if a chained SMB1 call goes async; (bso#12836); + + CVE-2017-12163: Prevent client short SMB1 write from writing server memory + to file; (bso#13020); + + Let non_widelink_open() chdir() to directories directly; (bso#12885); + + CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; + (bso#12996); + + CVE-2017-12150: Some code path don't enforce smb signing when they should; + (bso#12997); + ------------------------------------------------------------------- Mon Oct 23 15:10:32 UTC 2017 - dimstar@opensuse.org @@ -846,6 +1122,12 @@ Thu Sep 28 11:25:54 UTC 2017 - scabrero@suse.com + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available. +------------------------------------------------------------------- +Fri Sep 22 13:51:41 UTC 2017 - scabrero@suse.de + +- Fix GUID string format on GetPrinter info request; (bso#12993); + (bsc#1050707). + ------------------------------------------------------------------- Thu Sep 14 20:41:11 UTC 2017 - aaptel@suse.com diff --git a/samba.spec b/samba.spec index ea77ece..270e3d7 100644 --- a/samba.spec +++ b/samba.spec @@ -170,7 +170,7 @@ BuildRequires: libtasn1-devel >= 3.8 %else %define build_make_smp_mflags %{?jobs:-j%jobs} %endif -Version: 4.10.2+git.94.31fb5e37171 +Version: 4.10.5+git.105.2bd98587873 Release: 0 Url: https://www.samba.org/ Obsoletes: samba-32bit < %{version}