samba/samba.changes
Samuel Cabrero 871b05c578 - Update to 4.21.3
* More possible replication loops against Azure AD;
    (bso#15701).
  * Compound rename from Mac clients can fail with
    NT_STATUS_INTERNAL_ERROR if the file has a lease;
    (bso#15697).
  * vfs crossrename seems not work correctly; (bso#15724).
  * After 'machine password timeout' /etc/krb5.keytab is not
    updated; (bso#6750).
  * Memory leak wbcCtxLookupSid; (bso#15771).
  * Fix heap-user-after-free with association groups;
    (bso#15765).
  * Segfault in vfs_btrfs; (bso#15758).
  * Avoid event failure race when disabling an event script;
    (bso#15755).

OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=700
2025-01-15 11:33:56 +00:00

14409 lines
605 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

-------------------------------------------------------------------
Tue Jan 7 10:22:16 UTC 2025 - Noel Power <nopower@suse.com>
- Update to 4.21.3
* More possible replication loops against Azure AD;
(bso#15701).
* Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease;
(bso#15697).
* vfs crossrename seems not work correctly; (bso#15724).
* After 'machine password timeout' /etc/krb5.keytab is not
updated; (bso#6750).
* Memory leak wbcCtxLookupSid; (bso#15771).
* Fix heap-user-after-free with association groups;
(bso#15765).
* Segfault in vfs_btrfs; (bso#15758).
* Avoid event failure race when disabling an event script;
(bso#15755).
-------------------------------------------------------------------
Fri Dec 6 09:09:04 UTC 2024 - Noel Power <nopower@suse.com>
- Update shipped /etc/samba/smb.conf to point to smb.conf
man page;(bsc#1233880).
-------------------------------------------------------------------
Mon Nov 25 17:35:43 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.2
* smbd fails to correctly check sharemode against OVERWRITE
dispositions; (bso#15732).
* Panic in close_directory; (bso#15754).
* winexe no longer works with samba 4.21; (bso#15752).
* protocol error - Unclear debug message "pad length mismatch"
for invalid bind packet; (bso#14356).
* NetrGetLogonCapabilities QueryLevel 2 needs to be
implemented; (bso#15425).
* gss_accept_sec_context() from Heimdal does not imply
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
* winbindd should call process_set_title() for locator child;
(bso#15749).
* Update CTDB to track all TCP connections to public IP
addresses; (bso#15320).
-------------------------------------------------------------------
Thu Oct 31 13:20:25 UTC 2024 - Noel Power <nopower@suse.com>
- Add placeholder changelog for sle15-sp7; (jsc#PED-11210).
-------------------------------------------------------------------
Wed Oct 16 13:52:25 UTC 2024 - Noel Power <nopower@suse.com>
- Adjust spec to split out rpcd_* binaries into a separate
sub package; (bsc#1231414).
-------------------------------------------------------------------
Tue Oct 15 13:23:26 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.1
* DH reconnect error handling can lead to stale sharemode
entries; (bso#15624).
* "inherit permissions = yes" triggers assert() in vfs_default
when creating a stream; (bso#15695).
* Samba 4.21.0 broke FreeIPA domain member integration;
(bso#15715).
* Missing conversion for msDS-UserTGTLifetime, msDS-
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
tool domain auth policy modify"; (bso#15692).
* irpc_destructor may crash during shutdown; (bso#15280).
* Durable handle is not granted when a previous OPEN exists
with NoOplock; (bso#15649).
* Durable handle is granted but reconnect fails; (bso#15651).
* Disconnected durable handles with RH lease should not be
purged by a new non conflicting open; (bso#15708).
* net ads testjoin and other commands use the wrong secrets.tdb
in a cluster; (bso#15714).
* 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
rfc 8009 etypes are used; (bso#15726).
* VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
(bso#15730).
* Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
* Cannot build libldb lmdb backend on a build without AD DC;
(bso#15721).
* Consistent log level for sighup handler; (bso#15706).
-------------------------------------------------------------------
Wed Sep 25 14:52:10 UTC 2024 - Noel Power <nopower@suse.com>
- Support needed packaging changes required update to samba-4.21.0
Update samba.spec, baselibs.conf to deliver libldb packages.
-------------------------------------------------------------------
Thu Sep 5 07:29:17 UTC 2024 - David Disseldorp <ddiss@suse.com>
- Package ceph_new VFS module.
-------------------------------------------------------------------
Thu Sep 5 07:13:01 UTC 2024 - David Disseldorp <ddiss@suse.com>
- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
(bso#15699); (bsc#1229684).
-------------------------------------------------------------------
Wed Aug 28 17:31:35 UTC 2024 - Noel Power <nopower@suse.com>
- Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse; (bso#15702).
-------------------------------------------------------------------
Wed Aug 28 09:01:29 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.21.0
* Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
truncated; (bso#15699).
* Bad variable definition for ParseTuple causing test failure
for Smb3UnixTests.test_create_context_reparse; (bso#15702).
* Add new vfs_ceph module (based on low level API);
(bso#15686).
* samba-tool can not load the default configuration file;
(bso#15698).
* Crash when readlinkat fails; (bso#15700).
* Can't add/delete special keys to keytab for nfs, cifs, http
etc; (bso#15689).
* Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients; (bso#15696).
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
* ldb_version.h is missing from ldb public library;
(bso#15690).
* Can not add/delete special keys to keytab for nfs, cifs, http
etc; (bso#15689).
* undefined reference to winbind_lookup_name_ex; (bso#15687).
* per user veto and hide file syntax is to complex;
(bso#15688).
-------------------------------------------------------------------
Wed Aug 7 09:47:14 UTC 2024 - Noel Power <nopower@suse.com>
- Fix a crash when joining offline and 'kerberos method' includes
keytab; (bsc#1228732).
-------------------------------------------------------------------
Tue Aug 6 10:51:13 UTC 2024 - Noel Power <noel.power@suse.com>
- Update to 4.20.4
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
- Update to 4.20.3
* Running samba-bgqd a a standalone systemd service does not
work; (bso#15683).
* When claims enabled with heimdal kerberos, unable to log on
to a Windows computer when user account need to change their
own password; (bso#15655).
* Invalid client warning about command line passwords;
(bso#15671).
* Version string is truncated in manpages; (bso#15672).
* cmdline_burn does not always burn secrets; (bso#15674).
* Samba does not parse SDDL found in defaultSecurityDescriptor
in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
* The images don\'t build after the git security release and
CentOS 8 Stream is EOL; (bso#15660).
* Fix clock skew error message and memory cache clock skew
recovery; (bso#15676).
* Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual; (bso#15603).
* s4:ldap_server: does not support tls channel bindings for
sasl binds; (bso#15621).
* CTDB socket output queues may suffer unbounded delays under
some special conditions; (bso#15678).
-------------------------------------------------------------------
Wed Jul 17 11:18:52 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Update samba-tool package to require python3-Markdown also in
the Heimdal ADDC build.
-------------------------------------------------------------------
Thu Jul 4 10:34:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix named crash when using samba's DLZ plugin; (bsc#1224003);
(bso#15643);
-------------------------------------------------------------------
Thu Jul 4 10:30:10 UTC 2024 - pgajdos@suse.com
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang macro, [bsc#1212476]
-------------------------------------------------------------------
Wed Jun 19 15:02:44 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.20.2
* vfs_widelinks with DFS shares breaks case insensitivity;
(bso#15662); (bsc#1213607).
* Samba build is not reproducible; (bso#13213).
* ldb qsort might r/w out of bounds with an intransitive
compare function; (bso#15569).
* Many qsort() comparison functions are non-transitive, which
can lead to out-of-bounds access in some circumstances;
(bso#15625).
* Need to change gitlab-ci.yml tags in all branches to avoid CI
bill; (bso#15638).
* We have added new options --vendor-name and --vendor-patch-
revision arguments to ./configure to allow distributions and
packagers to put their name in the Samba version string so
that when debugging Samba the source of the binary is
obvious; (bso#15654).
* CTDB RADOS mutex helper misses namespace support;
(bso#15665).
* Dynamic DNS updates with the internal DNS are not working;
(bso#13019).
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0; (bso#14981).
* Anonymous smb3 signing/encryption should be allowed (similar
to Windows Server 2022); (bso#15412).
* Panic in dreplsrv_op_pull_source_apply_changes_trigger;
(bso#15573).
* s4:nbt_server: does not provide unexpected handling, so
winbindd can't use nmb requests instead cldap; (bso#15620).
* winbindd, net ads join and other things don't work on an ipv6
only host; (bso#15642).
* Segmentation fault when deleting files in vfs_recycle;
(bso#15659).
* Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664).
* "client use kerberos" and --use-kerberos is ignored for the
machine account; (bso#15666).
* Regression DFS not working with widelinks = true;
(bso#15435).
* samba-gpupdate - Invalid NtVer in netlogon_samlogon_response;
(bso#15633).
* idmap_ad creates an incorrect local krb5.conf in case of
trusted domain lookups; (bso#15653).
* The images don't build after the git security release and
CentOS 8 Stream is EOL; (bso#15660).
-------------------------------------------------------------------
Mon Jun 3 07:09:54 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix non deterministic builds; (bsc#1225754); (bso#13213);
-------------------------------------------------------------------
Thu May 16 10:47:57 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.20.1
* dns update debug message is too noisy; (bso#15630);
* Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
* Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
* Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
* http library doesn't support 'chunked transfer encoding'; (bso#15611);
* Provide a systemd service file for the background queue daemon; (bso#15600);
- Update to 4.20.0
New features:
* samba-tool user getpassword / syncpasswords ;rounds= change
* Group Managed service account client-side features
* New Windows Search Protocol Client
* Allow 'smbcacls' to save/restore DACLs to file
* Samba-tool extensions for AD Claims, Authentication Policies and Silos
* AD DC support for Authentication Silos and Authentication Policies
* Conditional ACEs and Resource Attribute ACEs
* Service Witness Protocol [MS-SWN]
Removed features:
* Get locally logged on users from utmp
Fixed bugs:
* Avoid null-dereference with bad claims; (bso#15606);
* ndr_pull_security_ace can leave resource attribute ACE coda
claim struct undefined; (bso#15613);
* fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close(); (bso#15527);
* set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
openat() EACCES; (bso#15583);
* libgpo: Segfault in python bindings; (bso#15599);
* Samba AD is missing some authentication policy tests;
(bso#15607);
* samba-gpupdate: Correctly implement site support; (bso#15588);
* Remove unsupported "Final" keyword missing from Python 3.6;
(bso#15575);
* Additional witness backports for 4.20.0; (bso#15577);
* Error output with wspsearch; (bso#15579);
* Packet marshalling push support missing for
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580);
* Performance regression for NDR parsing of security
descriptors; (bso#15574);
* Build and install man page for wspsearch client utility;
(bso#15565);
-------------------------------------------------------------------
Tue Feb 20 09:58:03 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.19.5
* Windows 2016 fails to restore previous version of a file from
a shadow_copy2 snapshot; (bso#13688).
* Symlinks on AIX are broken in 4.19 (and a few version before
that); (bso#15549).
* Fake directory create times has no effect; (bso#12421).
* ctime mixed up with mtime by smbd; (bso#15550).
* samba-gpupdate --rsop fails if machine is not in a site;
(bso#15548).
* gpupdate: The root cert import when NDES is not available is
broken; (bso#15557).
* samba-gpupdate should print a useful message if cepces-submit
can't be found; (bso#15552).
* samba-gpupdate logging doesn't work; (bso#15558).
* smbpasswd reset permissions only if not 0600; (bso#15555).
-------------------------------------------------------------------
Fri Jan 10 12:01:49 UTC 2024 - Noel Power <nopower@suse.com>
- Remove -x from bash shebang update-apparmor-samba-profile;
(bsc#1218431).
-------------------------------------------------------------------
Tue Jan 9 09:42:53 UTC 2024 - Noel Power <nopower@suse.com>
- Update to 4.19.4
* net changesecretpw cannot set the machine account password if
secrets.tdb is empty; (bso#13577).
* For generating doc, take, if defined, env XML_CATALOG_FILES;
(bso#15540).
* Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541).
* vfs_linux_xfs is incorrectly named; (bso#15542).
* systemd stumbled over copyright-message at smbd startup;
(bso#15377).
* Following intermediate abolute share-local symlinks is
broken; (bso#15505).
* ctdb RELEASE_IP causes a crash in release_ip if a connection
to a non-public address disconnects first; (bso#15523).
* shadow_copy2 broken when current fileset's directories are
removed; (bso#15544).
* smbd does not detect ctdb public ipv6 addresses for
multichannel exclusion; (bso#15534).
* 'force user = localunixuser' doesn't work if 'allow trusted
domains = no' is set; (bso#15469).
* smbget debug logging doesn't work; (bso#15525).
* smget: username in the smburl and interactive password entry
doesn't work; (bso#15532).
* smbget auth function doesn't set values for password prompt
correctly; (bso#15538).
* Unable to copy and write files from clients to Ceph cluster
via SMB Linux gateway with Ceph VFS module; (bso#15440).
* Multichannel refresh network information; (bso#15547).
-------------------------------------------------------------------
Mon Nov 27 12:43:02 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.3
* sid_strings test broken by unix epoch > 1700000000;
(bso#15520).
* smbd crashes if asked to return full information on close of
a stream handle with delete on close disposition set;
(bso#15487).
* smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor(); (bso#15521).
* Improve logging for failover scenarios; (bso#15499).
* Files without "read attributes" NFS4 ACL permission are not
listed in directories; (bso#15093).
* CVE-2018-14628 [SECURITY] Deleted Object tombstones visible
in AD LDAP to normal users; (bso#13595).
* Kerberos TGS-REQ with User2User does not work for normal
accounts; (bso#15492).
* vfs_gpfs stat calls fail due to file system permissions;
(bso#15507).
* Samba doesn't build with Python 3.12; (bso#15513).
-------------------------------------------------------------------
Mon Oct 23 18:59:15 UTC 2023 - David Mulder <dmulder@suse.com>
- packaging: samba-tool domain provision requires python3-Markdown;
(bsc#1216519).
-------------------------------------------------------------------
Mon Oct 16 16:04:22 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.2
* Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423).
* clidfs.c do_connect() missing a "return" after a
cli_shutdown() call; (bso#15426).
* macOS mdfind returns only 50 results; (bso#15463).
* GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value; (bso#15481).
* libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more; (bso#15464).
* ctdbd: setproctitle not initialized messages flooding logs;
(bso#15479).
* CVE-2023-5568 Heap buffer overflow with freshness tokens in
the Heimdal KDC in Samba 4.19; (bso#15491).
* The heimdal KDC doesn't detect s4u2self correctly when fast
is in use; (bso#15477).
-------------------------------------------------------------------
Thu Oct 12 11:33:44 UTC 2023 - Noel Power <nopower@suse.com>
- packaging: Remove /etc/slp.reg.d from samba spec file;
(bsc#1216160)
-------------------------------------------------------------------
Thu Oct 12 11:04:26 UTC 2023 - Noel Power <nopower@suse.com>
- use systemd-logind rather than utmp for y2038 safety;
(bsc#1216159).
-------------------------------------------------------------------
Tue Oct 10 15:12:38 UTC 2023 - Noel Power <nopower@suse.com>
- CVE-2023-4091: samba: Client can truncate file with read-only
permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-42670: samba: The procedure number is out of range
when starting Active Directory Users and Computers;
(bsc#1215906); (bso#15473).
- CVE-2023-3961: samba: Unsanitized client pipe name passed to
local_np_connect(); (bsc#1215907); (bso#15422).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
"GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
(bsc#1215908); (bso#15424).
-------------------------------------------------------------------
Tue Sep 26 08:36:43 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.19.0
* File doesn't show when user doesn't have permission if
aio_pthread is loaded; (bso#15453).
* ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
1.9.1; (bso#15451).
* Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can
log to syslog; (bso#15460).
* ‘samba-tool domain level raise’ fails unless given a URL;
(bso#15458).
* reply_sesssetup_and_X() can dereference uninitialized tmp
pointer; (bso#15420).
* missing return in reply_exit_done(); (bso#15430).
* TREE_CONNECT without SETUP causes smbd to use uninitialized
pointer; (bso#15432).
* Avoid infinite loop in initial user sync with Azure AD
Connect when synchronising a large Samba AD domain;
(bso#15401).
* Samba replication logs show (null) DN; (bso#15407).
* 2-3min delays at reconnect with
smb2_validate_sequence_number: bad message_id 2; (bso#15346).
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed;
(bso#15446).
* CID 1539212 causes real issue when output contains only
newlines; (bso#15438).
* KDC encodes INT64 claims incorrectly; (bso#15452).
* mdssvc: Do an early talloc_free() in _mdssvc_open();
(bso#15449).
* Windows client join fails if a second container CN=System
exists somewhere; (bso#9959).
* regression DFS not working with widelinks = true;
(bso#15435).
* Heimdal fails to build on 32-bit FreeBSD; (bso#15443).
* samba-tool ntacl get segfault if aio_pthread appended;
(bso#15441).
-------------------------------------------------------------------
Mon Aug 21 15:16:35 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.18.6
* reply_sesssetup_and_X() can dereference uninitialized tmp pointer;
(bso#15420);
* Missing return in reply_exit_done(); (bso#15430);
* post-exec password redaction for samba-tool is more reliable for fully
random passwords as it no longer uses regular expressions containing the
password value itself; (bso#15289);
* Windows client join fails if a second container CN=System exists somewhere;
(bso#9959);
* Spotlight sometimes returns no results on latest macOS; (bso#15342);
* Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to
remove the destination; (bso#15417);
* Spotlight results return wrong date in result list; (bso#15427);
* "net offlinejoin provision" does not work as non-root user; (bso#15414);
* rpcserver no longer accepts double backslash in dfs pathname; (bso#15400);
* cm_prepare_connection() calls close(fd) for the second time; (bso#15433);
* 2-3min delays at reconnect with smb2_validate_sequence_number: bad
message_id 2; (bso#15346);
* samba-tool ntacl get segfault if aio_pthread appended; (bso#15441);
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446);
* Python tarfile extraction needs change to avoid a warning (CVE-2007-4559
mitigation); (bso#15390);
* Regression DFS not working with widelinks = true; (bso#15435);
* mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449);
-------------------------------------------------------------------
Tue Aug 8 15:40:54 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Move libcluster-samba4.so from samba-libs to samba-client-libs;
(bsc#1213940);
-------------------------------------------------------------------
Wed Jul 19 14:35:34 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.5
* CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
* CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
* CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
* CVE-2023-34968: Spotlight server-side Share Path Disclosure;
(bso#15388); (bsc#1213171).
* CVE-2023-3347: Samba doesn't require SMB2+ signing if
`server signing = mandatory` is set; (bso#15397); (bsc#1213170).
* secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
-------------------------------------------------------------------
Thu Jul 6 15:30:58 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.4
* Backport --pidl-developer fixes; (bso#15404).
* Named crashes on DLZ zone update; (bso#14030).
* smbcacls and smbcquotas do not check // before the server;
(bso#2312).
* cli_list loops 100% CPU against pre-lanman2 servers;
(bso#15382).
* smbclient leaks fds with showacls; (bso#15391).
* smbd returns NOT_FOUND when creating files on a r/o
filesystem; (bso#15402).
* NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
and causes test timeouts; (bso#15355).
* net ads lookup (with unspecified realm) fails; (bso#15384).
* Register Samba processes with GPFS; (bso#15381).
* Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation); (bso#15390).
* The winbind child segfaults when listing users with `winbind
scan trusted domains = yes`; (bso#15398).
* Remove comments about deprecated 'write cache size';
(bso#15383).
* smbget memory leak if failed to download files recursively;
(bso#15403).
-------------------------------------------------------------------
Thu Jun 1 08:48:25 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.3
* Symlinks to files can have random DOS mode information in a
directory listing; (bso#15375).
* vfs_fruit might cause a failing open for delete; (bso#15378).
* winbind recurses into itself via rpcd_lsad; (bso#15361).
* wbinfo -u fails on ad dc with >1000 users; (bso#15366).
* DS ACEs might be inherited to unrelated object classes;
(bso#15338).
* a lot of messages: get_static_share_mode_data:
get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND;
(bso#15362).
* aes256 smb3 encryption algorithms are not allowed in
smb3_sid_parse(); (bso#15374).
* Setting veto files = /.*/ break listing directories;
(bso#15360).
* "samba-tool domain provision" does not run interactive mode
if no arguments are given; (bso#15363).
* dsgetdcname: assumes local system uses IPv4; (bso#15325).
- Update to 4.18.2
* Log flood: smbd_calculate_access_mask_fsp: Access denied:
message level should be lower; (bso#15302).
* Floating point exception (FPE) via cli_pull_send at
source3/libsmb/clireadwrite.c; (bso#15306).
* test_tstream_more_tcp_user_timeout_spin fails intermittently
on Rackspace GitLab runners; (bso#15328).
* Reduce flapping of ridalloc test; (bso#15329).
* large_ldap test is unreliable; (bso#15351).
* New filename parser doesn't check veto files smb.conf
parameter; (bso#15143).
* mdssvc may crash when initializing; (bso#15354).
* large directory optimization broken for non-lcomp path
elements; (bso#15313).
* streams_depot fails to create streams; (bso#15357).
* shadow_copy2 and streams_depot don't play well together;
(bso#15358).
* Flapping tests in samba_tool_drs_show_repl.py; (bso#15316).
* winbindd idmap child contacts the domain controller without a
need; (bso#15317).
* idmap_autorid may fail to map sids of trusted domains for the
first time; (bso#15318).
* idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings;
(bso#15319).
* net ads search -P doesn't work against servers in other
domains; (bso#15323).
* Temporary smbXsrv_tcon_global.tdb can't be parsed;
(bso#15353).
* Tests use depricated and removed methods like
assertRegexpMatches; (bso#15343).
-------------------------------------------------------------------
Wed Mar 29 15:10:50 UTC 2023 - Noel Power <nopower@suse.com>
- Update to 4.18.1
* CVE-2023-0225: AD DC "dnsHostname" attribute can be
deleted by unprivileged authenticated users.
(bso#15276);(bsc#1209483).
* CVE-2023-0614: Access controlled AD LDAP attributes can be
discovered (bso#15270); (bsc#1209485).
* CVE-2023-0922: Samba AD DC admin tool samba-tool sends
passwords in cleartext(bso#15315);(bsc#1209481).
* ldb wildcard matching makes excessive allocations;
(bso#15331).
* large_ldap test is inefficient; (bso#15332).
-------------------------------------------------------------------
Fri Mar 17 08:09:32 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.18.0
* SMB server performance improvements
* More succinct samba-tool error messages
* Color output with samba-tool --color
The NO_COLOR environment variable will disable colour output
* New samba-tool dsacl subcommand for deleting ACEs
* New wbinfo option --change-secret-at
* Net option to change the NT ACL default location
* Azure AD / Office365 synchronization improvements
-------------------------------------------------------------------
Tue Feb 14 08:21:13 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.5
* smbc_getxattr() return value is incorrect; (bso#14808);
* Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
correctly; (bso#15172);
* synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
* samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
when there is only an AAAA record for the DC in DNS; (bso#15226);
* smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
* DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
* vfs_virusfilter segfault on access, directory edgecase
(accessing NULL value); (bso#15283);
* CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
SChannel on NETLOGON (additional changes); (bso#15240);
* %U for include directive doesn't work for share listing
(netshareenum); (bso#15243);
* Shares missing from netshareenum response in samba 4.17.4;
(bso#15266);
* ctdb: use-after-free in run_proc; (bso#15269);
* irpc_destructor may crash during shutdown; (bso#15280);
* auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
* smbclient segfaults with use after free on an optimized build;
(bso#15268);
* smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
* Leak in wbcCtxPingDc2; (bso#15164);
* Access based share enum does not work in Samba 4.16+; (bso#15265);
* Crash during share enumeration; (bso#15267);
* rep_listxattr on FreeBSD does not properly check for reads off
end of returned buffer; (bso#15271);
* Avoid relying on C89 features in a few places; (bso#15281);
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
- Drop libnsl build requirement; (bsc#1208220);
-------------------------------------------------------------------
Mon Jan 23 09:24:07 UTC 2023 - Noel Power <nopower@suse.com>
- libdsdb-module-samba4 should be packaged as part of samba-libs and
not samba-ad-dc-libs. Additionally no need for it to be
removed conditionally.
-------------------------------------------------------------------
Thu Jan 12 15:24:55 UTC 2023 - Noel Power <nopower@suse.com>
- Clean up logic for PAM migration settings in spec file.
-------------------------------------------------------------------
Wed Jan 4 14:05:15 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Wed Dec 21 12:17:58 UTC 2022 - Noel Power <nopower@suse.com>
- Change with_dc default to 0 (for non TW builds).
-------------------------------------------------------------------
Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.4
* CVE-2022-44640 Upstream Heimdal free of user-controlled
pointer in FAST; (bsc#14929);
* CVE-2021-20251 Bad password count not incremented atomically;
(bsc#14611);
* CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
(bsc#15203);
* CVE-2022-37966 rc4-hmac Kerberos session keys issued to
modern servers; (bso#15237);
* CVE-2022-37967 Kerberos constrained delegation ticket forgery
possible against Samba AD DC; (bso#15231);
* CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
and should be avoided; (bso#15240);
* pam_winbind uses time_t and pointers assuming they are of the
same size; (bso#15224);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* filter-subunit is inefficient with large numbers of
knownfails; (bso#15258);
* smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
(bso#15252);
* The KDC logic arround msDs-supportedEncryptionTypes differs
from Windows; (bso#13135);
* libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4(); (bso#15206);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
* Memory leak in snprintf replacement functions; (bso#15230);
* RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression); (bso#15253);
* Prevent EBADF errors with vfs_glusterfs; (bso#15198);
* %U for include directive doesn't work for share listing
(netshareenum); (bso#15243);
* Stack smashing in net offlinejoin requestodj; (bso#15257);
* Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
(bso#15197);
* Heimdal session key selection in AS-REQ examines wrong entry;
(bso#15219);
- Remove deprecated if-{down,up} scripts; (bsc#1206444);
- Adjust the systemd drop-in file for named service; (bsc#1201689);
* Paths are additive so do not repeat paths from named.service
* Prefix the samba DLZ directory with "-" to ignore this path
if it does not exists
-------------------------------------------------------------------
Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
- Migration PAM settings to /usr/etc: Saving user changed
configuration files in /etc and restoring them while an RPM
update.
-------------------------------------------------------------------
Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
- Introduce without-smb1-server spec flag; (bsc#1205104);
-------------------------------------------------------------------
Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.17.3
* CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
systems; (bsc#1205126); (bso#15203);
-------------------------------------------------------------------
Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>
- Replace obsolete python-gpgme with python-gpg
* Upstream replaced it in v4.9.5 -- bso#13728
-------------------------------------------------------------------
Tue Oct 25 09:26:59 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.2
* CVE-2022-3592 [SECURITY] samba: Wide links protection broken;
(bso#15207); (bsc#1204499).
* CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal
unwrap_des3();(bso#15134); (bsc#1204254).
-------------------------------------------------------------------
Wed Oct 19 12:48:21 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.1
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* smbXsrv_connection_shutdown_send result leaked; (bso#15174).
* Flush on a named stream never completes; (bso#15182).
* Permission denied calling SMBC_getatr when file not exists;
(bso#15195).
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
(bso#15189).
* pytest: add file removal helpers for TestCaseInTempDir;
(bso#15191).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
(bso#15189).
* Flush on a named stream never completes; (bso#15182).
* vfs_gpfs silently garbles timestamps > year 2106;
(bso#15151).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
* multi-channel socket passing may hit a race if one of the
involved processes already existed; (bso#15200).
* memory leak on temporary of struct imessaging_post_state and
struct tevent_immediate on struct imessaging_context (in
rpcd_spoolss and maybe others); (bso#15201).
* Since popt1.19 various use after free errors using result of
poptGetArg are now exposed; (bso#15205); (boo#1204279).
* Remove special case for O_CREAT in SMB_VFS_OPENAT from
vfs_glusterfs; (bso#15192).
* GETPWSID in memory cache grows indefinetly with each NTLM
auth; (bso#15169).
* CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically; (bso#14611).
- Install a systemd drop-in file for named service to allow
read/write access to the DLZ directory; (bsc#1201689);
-------------------------------------------------------------------
Fri Oct 14 14:20:51 UTC 2022 - Noel Power <nopower@suse.com>
- Fix use after free errors resulting from using return of
poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205).
-------------------------------------------------------------------
Mon Sep 26 10:40:18 UTC 2022 - Noel Power <nopower@suse.com>
- s3: smbd: Fix memory leak in
smbd_server_connection_terminate_done(); (bso#15174).
-------------------------------------------------------------------
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
- Disable SMB1 for tumbleweed builds.
-------------------------------------------------------------------
Fri Sep 23 16:22:12 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.17.0
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
(bso#15153).
* assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197; (bso#15161).
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197; (bso#15161).
* Cross-node multi-channel reconnects result in SMB2 Negotiate
returning NT_STATUS_NOT_SUPPORTED; (bso#15159).
* winbind at info level debug can coredump when processing
wb_lookupusergroups; (bso#15160).
* Make use of glfs_*at() API calls in vfs_glusterfs;
(bso#15157).
* Possible use after free of connection_struct when iterating
smbd_server_connection->connections; (bso#15128).
* `net usershare add` fails with flag works with --long but
fails with -l; (bso#15145).
* acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr; (bso#15126).
* Performance regression on contended path based operations;
(bso#15125).
* Missing READ_LEASE break could cause data corruption;
(bso#15148).
* libsamba-errors uses a wrong version number; (bso#15141).
* SMB1 negotiation can fail to handle connection errors;
(bso#15152).
* New filename parser doesn't check veto files smb.conf
parameter; (bso#15143).
* 4.17.rc1 still uses symlink-race prone unix_convert();
(bso#15144).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Manpage for smbstatus json is missing; (bso#15147).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Performance regression on contended path based operations;
(bso#15125).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
* Fix issues found by coverity in smbstatus json code;
(bso#15140).
* Backport fileserver related changed to 4.17.0rc2;
(bso#15146).
-------------------------------------------------------------------
Thu Sep 1 06:07:15 UTC 2022 - Stefan Schubert <schubi@suse.com>
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
-------------------------------------------------------------------
Thu Jul 28 11:56:31 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.4
* CVE-2022-2031: Samba AD users can bypass certain restrictions
associated with changing passwords; (bsc#1201495); (bso#15047);
* CVE-2022-32744: Samba AD users can forge password change
requests for any user; (bsc#1201493); (bso#15074);
* CVE-2022-32745: Samba AD users can crash the server process
with an LDAP add or modify request; (bsc#1201492); (bso#15008);
* CVE-2022-32746: Samba AD users can induce a use-after-free in
the server process with an LDAP add or modify request;
(bsc#1201490); (bso#15009);
* CVE-2022-32742: Server memory information leak via SMB1;
(bsc#1201496); (bso#15085);
-------------------------------------------------------------------
Tue Jul 19 11:25:59 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.3
* Using vfs_streams_xattr and deleting a file causes a panic;
(bso#15099);
* Add support for bind 9.18; (bso#14986);
* logging dsdb audit to specific files does not work;
(bso#15076);
* Problem when winbind renews Kerberos; (bso#14979);
(bsc#1196224);
* Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
developer mode; (bso#15095);
* Crash in streams_xattr because fsp->base_fsp->fsp_name is
NULL; (bso#15105);
* Crash in rpcd_classic - NULL pointer deference in
mangle_is_mangled(); (bso#15118);
* smbclient commands del & deltree fail with
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
(bsc#1200556);
* Fix check for chown when processing NFSv4 ACL; (bso#15120);
* The pcap background queue process should not be stopped;
(bso#15082);
* testparm: Fix typo in idmap rangesize check; (bso#15097);
* net ads info returns LDAP server and LDAP server name as
null; (bso#15106);
* ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
(bso#15108);
* CTDB child process logging does not work as expected;
(bso#15090);
-------------------------------------------------------------------
Tue Jul 12 10:48:47 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update spec file to fix the optional Heimdal DC build
- Fix external trusts with MIT Kerberos 1.20
- Add missing samba-client requirement to samba-winbind package;
(bsc#1198255);
- Move pdb backends from package samba-libs to package
samba-client-libs and remove samba-libs requirement from
samba-winbind; (bsc#1200964); (bsc#1198255);
- Add sysuser-shadow requirement for packages using
systemd-sysusers
- Use the canonical realm name to refresh the Kerberos tickets;
(bsc#1196224); (bso#14979);
-------------------------------------------------------------------
Tue Jun 21 14:29:52 UTC 2022 - Stefan Schubert <schubi@suse.de>
- Moved logrotate files from user specific directory /etc/logrotate.d
to vendor specific directory /usr/etc/logrotate.d.
-------------------------------------------------------------------
Mon Jun 13 13:32:24 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.2
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
(bso#15042);
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
file had been deleted; (bso#15069);
* Reintroduce netgroups support; (bso#15087);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Update from 4.15 to 4.16 breaks discovery of [homes] on
standalone server from Win and IOS; (bso#15062);
* waf produces incorrect names for python extensions with Python
3.11; (bso#15071);
* smbclient -E doesn't work as advertised; (bso#15075);
* The samba background daemon doesn't refresh the printcap cache
on startup; (bso#15081);
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
- Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
- Support building with MIT Kerberos 1.20
- Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
(CVE-2020-17049);
- Resource Based Constrained Delegation (RBCD) for Samba AD DC
- Support building with gcc 12.1
-------------------------------------------------------------------
Wed May 11 09:30:15 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Use requires_eq macro to require the libldb2 version available at
samba-dsdb-modules build time; (bsc#1199362);
-------------------------------------------------------------------
Tue May 3 07:38:02 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.1
* Share and server swapped in smbget password prompt; (bso#14831);
* Durable handles won't reconnect if the leased file is written to;
(bso#15022);
* rmdir silently fails if directory contains unreadable files and
hide unreadable is yes; (bso#15023);
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
on renamed file handle; (bso#15038);
* Need to describe --builtin-libraries= better (compare with
--bundled-libraries); (bso#8731);
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
(bso#14957);
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
(bso#15035);
* PAM Kerberos authentication incorrectly fails with a clock skew
error; (bso#15046);
* Username map - samba erroneously applies unix group memberships
to user account entries; (bso#15041);
* KVNO off by 100000; (bso#14951);
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
* vfs_gpfs recalls=no option prevents listing files; (bso#15055);
* smbd doesn't handle UPNs for looking up names; (bso#15054);
-------------------------------------------------------------------
Wed Apr 20 09:00:49 UTC 2022 - Noel Power <nopower@suse.com>
- Update update-apparmor-samba-profile script, replace
non-printable delimiter with more human readable separator as
sed can accept separators that can appear in the input data.
-------------------------------------------------------------------
Wed Apr 13 15:33:22 UTC 2022 - Noel Power <nopower@suse.com>
- Fix update-apparmor-samba-profile script, sed doesn't like
multibyte separators; (bsc#1198309).
-------------------------------------------------------------------
Thu Mar 24 15:00:36 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.16.0
* New samba-dcerpcd binary to provide DCERPC in the member server
setup
* Certificate Auto Enrollment
* Ability to add ports to dns forwarder addresses in internal DNS
backend
* No longer using Linux mandatory locks for sharemodes
* SMB1 protocol has been deprecated, particularly older dialects
* SMB1 protocol SMBCopy command removed
* SMB1 server-side wildcard expansion removed
- Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
- Use systemd-sysusers to create system users; (bsc#1182847);
-------------------------------------------------------------------
Tue Mar 15 17:54:57 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.6
* Renaming file on DFS root fails with
NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
* Samba does not response STATUS_INVALID_PARAMETER when opening 2
objects with same lease key; (bso#14737);
* NT error code is not set when overwriting a file during rename
in libsmbclient; (bso#14938);
* Fix ldap simple bind with TLS auditing; (bso#14996);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Problem when winbind renews Kerberos; (bso#14979);
(bsc#1196224);
* pam_winbind will not allow gdm login if password about to
expire; (bso#8691);
* virusfilter_vfs_openat: Not scanned: Directory or special file;
(bso#14971);
* DFS fix for AIX broken; (bso#13631);
* Solaris and AIX acl modules: wrong function arguments;
(bso#14974);
* Function aixacl_sys_acl_get_file not declared / coredump;
(bso#7239);
* Regression: Samba 4.15.2 on macOS segfaults intermittently
during strcpy in tdbsam_getsampwnam; (bso#14900);
* Fix a use-after-free in SMB1 server; (bso#14989);
* smb2_signing_decrypt_pdu() may not decrypt with
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
(bso#14968);
* Changing the machine password against an RODC likely destroys
the domain join; (bso#14984);
* authsam_make_user_info_dc() steals memory from its struct
ldb_message *msg argument; (bso#14993);
* Use Heimdal 8.0 (pre) rather than an earlier snapshot;
(bso#14995);
* Samba autorid fails to map AD users if id rangesize fits in the
id range only once; (bso#14967);
-------------------------------------------------------------------
Mon Mar 07 16:05:42 UTC 2022 - David Mulder <dmulder@suse.com>
- Fix mismatched version of libldb2; (bsc#1196788).
- Drop obsolete SuSEfirewall2 service files.
-------------------------------------------------------------------
Fri Mar 4 20:25:41 UTC 2022 - David Disseldorp <ddiss@suse.com>
- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
(bsc#1080338).
-------------------------------------------------------------------
Wed Feb 23 10:04:15 UTC 2022 - Noel Power <nopower@suse.com>
- Fix ntlm authentications with "winbind use default domain = yes";
(bso#13126); (bsc#1173429); (bsc#1196308).
-------------------------------------------------------------------
Mon Feb 14 18:15:29 UTC 2022 - David Mulder <dmulder@suse.com>
- Fix samba-ad-dc status warning notification message by disabling
systemd notifications in bgqd; (bsc#1195896); (bso#14947).
-------------------------------------------------------------------
Mon Feb 07 20:15:46 UTC 2022 - David Mulder <dmulder@suse.com>
- libldb version mismatch in Samba dsdb component; (bsc#1118508);
-------------------------------------------------------------------
Mon Jan 31 14:23:44 UTC 2022 - Noel Power <nopower@suse.com>
- Update to 4.15.5
* CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
outside target of a symlink exists; (bso#14911);
(bsc#1193690).
* CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bso#14914); (bsc#1194859).
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN
conflict checks; bso#14950); (bsc#1195048).
-------------------------------------------------------------------
Wed Jan 26 12:00:35 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- CVE-2021-44141: Information leak via symlinks of existance of
files or directories outside of the exported share; (bso#14911);
(bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution; (bso#14914);
(bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
account can impersonate arbitrary services; (bso#14950);
(bsc#1195048);
-------------------------------------------------------------------
Fri Jan 21 12:37:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.4
* Duplicate SMB file_ids leading to Windows client cache
poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set "client max protocol" to NT1 before
calling the "Reconnecting with SMB1 for workgroup listing"
path; (bso#14939);
* Cross device copy of the crossrename module always fails;
(bso#14940);
* symlinkat function from VFS cap module always fails with an
error; (bso#14941);
* Fix possible fsp pointer deference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
(bso#14944);
* "smbd --build-options" no longer works without an smb.conf file;
(bso#14945);
-------------------------------------------------------------------
Tue Jan 18 09:14:20 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Use pkgconfig(krb5) as dependency for the -devel package: allow
OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
package has an automatic dependency due to linkage on
libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
requires samba-client-libs, which in turn requires krb5
libraries. Samba-libs itself has no need for krb5 (but get it
indirectly anyway).
-------------------------------------------------------------------
Thu Jan 13 19:39:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
- Reorganize libs packages. Split samba-libs into samba-client-libs,
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
public libraries depending on internal samba libraries into these
packages as there were dependency problems everytime one of these
public libraries changed its version (bsc#1192684). The devel
packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
- Update the symlink create by samba-dsdb-modules to private samba
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
/usr/lib64/ldb2/modules/ldb/samba
-------------------------------------------------------------------
Fri Dec 10 17:13:28 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.3
* Recursive directory delete with veto files is broken in 4.15.0;
(bso#14878);
* A directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory;
(bso#14879);
* SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
uninitialized in rmdir_internals(); (bso#14892);
* MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694);
* The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token; (bso#14901); (bsc#1192849);
* User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable; (bso#14902);
* Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127);
* smbXsrv_client_global record validation leads to crash if existing
record points at non-existing process; (bso#14882);
* Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call;
(bso#14890);
* Samba process doesn't log to logfile; (bso#14897);
* set_ea_dos_attribute() fallback calling get_file_handle_for_metadata()
triggers locking.tdb assert; (bso#14907);
* Kerberos authentication on standalone server in MIT realm broken;
(bso#14922);
* Segmentation fault when joining the domain; (bso#14923);
* Support for ROLE_IPA_DC is incomplete; (bso#14903);
* rpcclient cannot connect to ncacn_ip_tcp services anymore;
(bso#14767);
* winexe crashes since 4.15.0 after popt parsing; (bso#14893);
* net ads status -P broken in a clustered environment; (bso#14908);
* Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
smbd_smb2_ioctl_send; (bso#14788);
* winbindd doesn't start when "allow trusted domains" is off;
(bso#14899);
* smbclient login without password using '-N' fails with
NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883);
* A schannel client incorrectly detects a downgrade connecting to
an AES only server; (bso#14912);
* Possible null pointer dereference in winbind; (bso#14921);
* Fix -k legacy option for client tools like smbclient, rpcclient,
net, etc.; (bso#14846);
* Add Debian 11 CI bootstrap support; (bso#14872);
* Crash in recycle_unlink_internal(); (bso#14888);
-------------------------------------------------------------------
Thu Nov 18 17:18:40 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Fix dependency problem upgrading from libndr0 to libndr2 and
from libsamba-credentials0 to libsamba-credentials1;
(bsc#1192684);
-------------------------------------------------------------------
Wed Nov 10 10:26:01 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Fix regression introduced by CVE-2020-25717 patches, winbindd
does not start when 'allow trusted domains' is off; (bso#14899);
- Update to 4.15.2
* CVE-2016-2124: SMB1 client connections can be downgraded to
plaintext authentication; (bso#12444); (bsc#1014440);
* CVE-2020-25717: A user on the domain can become root on domain
members; (bso#14556); (bsc#1192284);
* CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
tickets issued by an RODC; (bso#14558); (bsc#1192246);
* CVE-2020-25719: Samba AD DC did not always rely on the SID and
PAC in Kerberos tickets; (bso#14561); (bsc#1192247);
* CVE-2020-25721: Kerberos acceptors need easy access to stable
AD identifiers (eg objectSid); (bso#14557); (bsc#1192505);
* CVE-2020-25722: Samba AD DC did not do suffienct access and
conformance checking of data stored; (bso#14564);
(bsc#1192283);
* CVE-2021-3738: Use after free in Samba AD DC RPC server;
(bso#14468); (bsc#1192215);
* CVE-2021-23192: Subsequent DCE/RPC fragment injection
vulnerability; (bso#14875); (bsc#1192214);
- Update to 4.15.1
* vfs_shadow_copy2: core dump in make_relative_path; (bso#14682);
* Log clutter from filename_convert_internal; (bso#14685);
* MacOSX compilation fixes; (bso#14862);
* rodc_rwdc test flaps; (bso#14868);
* Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with
embedded Heimdal; (bso#14642);
* Python ldb.msg_diff() memory handling failure; (bso#14836);
* "in" operator on ldb.Message is case sensitive; (bso#14845);
* Release LDB 2.4.1 for Samba 4.15.1; (bso#14848);
* samldb_krbtgtnumber_available() looks for incorrect string;
(bso#14854);
* Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871);
* Allow special chars like "@" in samAccountName when generating
the salt; (bso#14874);
* Correctly ignore comments in CTDB public addresses file;
(bso#14826);
* Fix transit path validation; (bso#12998);
* Fix that child winbindd logs to log.winbindd instead of
log.wb-<DOMAIN>; (bso#14852);
* SMB3 cancel requests should only include the MID together with
AsyncID when AES-128-GMAC is used; (bso#14855);
* Prepare to operate with MIT krb5 >= 1.20; (bso#14870);
* Heimdal prefers RC4 over AES for machine accounts; (bso#14864);
-------------------------------------------------------------------
Wed Oct 13 17:07:47 UTC 2021 - David Mulder <dmulder@suse.com>
- Enable samba-tool without ad dc.
-------------------------------------------------------------------
Thu Sep 30 15:57:14 UTC 2021 - Noel Power <nopower@suse.com>
- Adjust spec to use pam macros; (bsc#1191046).
-------------------------------------------------------------------
Wed Sep 29 08:58:28 UTC 2021 - Noel Power <nopower@suse.com>
- Adjust spec for size
* allow some Recommends instead Requires to be configured
for cifs-utils, samba-libs-python3 & samba-gpupdate;
(bsc#1182847).
* remove fam, undocumented and unneeded.
-------------------------------------------------------------------
Thu Sep 23 11:41:44 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Add missing build dependency on bison when building with the
embedded Heimdal Kerberos
-------------------------------------------------------------------
Mon Sep 20 14:25:41 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.15.0
* Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10
* VFS layer modernized.
* Add the ability to set allow/deny lists for zone transfer clients
in Bind DLZ plugin
* Server multi-channel support no longer experimental
* Improved command line user experience, unifying the options in
different commands
* Winbindd no longer scans trusted domains on startup and will use
enterprise principals by default.
* The net utility is now able to support the offline domain join feature
* New options for 'samba-tool dns zoneoptions' for aging control
and to mark old records as static or dynamic
* DNS tombstones are now deleted as appropriate and use a consistent
timestamp format
* The 'samba-tool dns update' command validates and rejects now malformed
IPv4 and IPv6 addresses
* The 'samba-tool domain backup' command correctly takes out locks
against concurrent modification during backup when using the LMDB
backend
* TruACL support has been removed
* NIS support has been removed
-------------------------------------------------------------------
Thu Sep 16 07:55:35 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.7
* smbd panic on force-close share during offload write; (bso#14769);
* smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK;
(bso#12033);
* Fix returned attributes on fake quota file handle and avoid hitting
the VFS; (bso#14731);
* vfs_shadow_copy2 fix inodes not correctly updating inode numbers;
(bso#14756);
* Fix build on Solaris; (bso#14774);
* Make dos attributes available for unreadable files; (bso#14654);
* Work around special SMB2 READ response behavior of NetApp Ontap
7.3.7; (bso#14607);
* Start the SMB encryption as soon as possible; (bso#14793);
-------------------------------------------------------------------
Tue Aug 17 16:30:25 UTC 2021 - David Mulder <dmulder@suse.com>
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18457).
-------------------------------------------------------------------
Fri Jul 23 16:05:05 UTC 2021 - David Mulder <dmulder@suse.com>
- Update to 4.14.6
* s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722).
* smbd: Fix pathref unlinking in create_file_unixpath(); (bso#14732).
* s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown(); (bso#14734).
* s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path; (bso#14736).
* NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module; (bso#14730).
* s3/modules: fchmod: Fallback to path based chmod if pathref; (bso#14734).
* Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740).
* gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750).
* smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records;
(bso#14752).
* samba-tool domain backup offline doesn't work against bind DLZ
backend; (bso#14027).
* netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup; (bso#14669).
-------------------------------------------------------------------
Tue Jun 1 08:38:12 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.5
* s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success;
(bso#14696);
* s3: smbd: Ensure POSIX default ACL is mapped into returned Windows
ACL for directory handles; (bso#14708);
* s3: smbd: Fix uninitialized memory read in process_symlink_open()
when used with vfs_shadow_copy2(); (bso#14721);
* docs: Expand the "log level" docs on audit logging; (bso#14689);
* smbd: Correctly initialize close timestamp fields; (bso#14714);
* Fix gcc11 compiler issues; (bso#14699);
* docs-xml: Update smbcacls manpage; (bso#14718);
* docs: Update list of available commands in rpcclient; (bso#14719);
* ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
* s3:winbind: For 'security = ADS' require realm/workgroup to be set;
(bso#14695);
* lib:replace: Do not build strndup test with gcc 11 or newer;
(bso#14699);
-------------------------------------------------------------------
Thu Apr 29 08:34:02 UTC 2021 - Noel Power <nopower@suse.com>
- Update to 4.14.4
* CVE-2021-20254: Fix buffer overrun in sids_to_unixids();
(bso#14571); (bsc#1184677).
- Update to 4.14.3
* s3:modules:vfs_virusfilter: Recent New_VFS changes break
vfs_virusfilter_openat; (bso#14671).
* build: Notice if flex is missing at configure time; (bso#14586).
* Fix smbd panic when two clients open same file; (bso#14672).
* Fix memory leak in the RPC server; (bso#14675).
* s3: smbd: fix deferred renames; (bso#14679).
* s3-iremotewinspool: Set the per-request memory context;
(bso#14675)
* Fix memory leak in the RPC server; (bso#14675).
* third_party: Update socket_wrapper to version 1.3.2;
(bso#11899).
* third_party: Update socket_wrapper to version 1.3.3;
(bso#14640).
* samba-gpupdate: Test that sysvol paths download in
case-insensitive way; (bso#14665).
* smbd: Ensure errno is preserved across fsp destructor;
(bso#14662).
* idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
conflict; (bso#14663).
* build: Only add -Wl,--as-needed when supported; (bso#14288).
-------------------------------------------------------------------
Wed Mar 31 14:59:15 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.14.2
* Release with dependency on ldb version 2.3.0.
- Update to 4.14.1
* CVE-2021-20277: Fix out of bounds read in ldb_handler_fold; (bso#14655);
* CVE-2020-27840: Fix unauthenticated remote heap corruption via bad DNs;
(bso#14595);
- Update to 4.14.0
* VFS layer modernized.
* Printers publishing in AD improved.
* Client group policies support for sudoers configuration and
cron jobs.
* Improved consistency of samba-tool subcommands.
* CTDB now uses the terms leader and follower instead of master and
slave. Configuration options have changed accordingly.
* The ctdb isnotrecmaster command is removed.
* For details on all items see WHATSNEW.txt in samba-doc package.
-------------------------------------------------------------------
Mon Mar 1 12:09:56 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.
-------------------------------------------------------------------
Tue Jan 26 15:15:08 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.4
* Work around special SMB2 IOCTL response behavior of NetApp Ontap
7.3.7; (bso#14607);
* Temporary DFS share setup doesn't set case parameters in the same
way as a regular share definition does; (bso#14612);
* lib: Avoid declaring zero-length VLAs in various messaging functions;
(bso#14605);
* Do not create an empty DB when accessing a sam.ldb; (bso#14579);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Temporary DFS share setup doesn't set case parameters in the same way
as a regular share definition does; (bso#14612);
* vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7;
(bso#14607);
* The cache directory for the user gencache should be created recursively;
(bso#14601);
* Be more flexible with repository names in CentOS 8 test environments;
(bso#14594);
-------------------------------------------------------------------
Mon Dec 28 09:41:57 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Uninstalling samba-client: Failed to disable unit, cifs.service
does not exists; (bsc#1180388);
-------------------------------------------------------------------
Wed Dec 16 11:30:25 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.3
+ libcli: smb2: Never print length if smb2_signing_key_valid() fails for
crypto blob; (bso#14210);
+ s3: modules: gluster. Fix the error I made in preventing talloc leaks
from a function; (bso#14486);
+ s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL
via TALLOC_FREE(); (bso#14515);
+ s3: spoolss: Make parameters in call to user_ok_token() match all other
uses; (bso#14568);
+ s3: smbd: Quiet log messages from usershares for an unknown share;
(bso#14590);
+ samba process does not honor max log size; (bso#14248);
+ vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE;
(bso#14587);
+ s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
+ s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
+ smbclient: Fix recursive mget; (bso#14517);
+ clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
+ manpages/vfs_glusterfs: Mention silent skipping of write-behind
translator; (bso#14486);
+ vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
+ interface: Fix if_index is not parsed correctly; (bso#14514);
-------------------------------------------------------------------
Mon Nov 16 09:30:52 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.13.2
+ s3: modules: vfs_glusterfs: Fix leak of char **lines onto
mem_ctx on return; (bso#14486);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
+ smb.conf.5: Add clarification how configuration changes reflected
by Samba; (bso#14538);
+ daemons: Report status to systemd even when running in foreground;
(bso#14552);
+ DNS Resolver: Support both dnspython before and after 2.0.0;
(bso#14553);
+ s3-vfs_glusterfs: Refuse connection when write-behind xlator is
present; (bso#14486);
+ provision: Add support for BIND 9.16.x; (bso#14487);
+ ctdb-common: Avoid aliasing errors during code optimization;
(bso#14537);
+ libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
+ docs: Fix default value of spoolss:architecture; (bso#14522);
+ winbind: Fix a memleak; (bso#14388);
+ s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
+ docs-xml/manpages: Add warning about write-behind translator for
vfs_glusterfs; (bso#14486);
+ nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
+ vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
+ third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
+ examples:auth: Do not install example plugin; (bso#14550);
+ ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
-------------------------------------------------------------------
Thu Nov 5 12:23:49 UTC 2020 - Noel Power <nopower@suse.com>
- Adjust smbcacls '--propagate-inheritance' feature to align with
upstream; (bsc#1178469).
-------------------------------------------------------------------
Tue Oct 6 16:52:00 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.13.1
+ CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
easily crafted records; (bsc#1177613); (bso#14472);
+ CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994);
(bso#14436);
+ CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify;
(bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of
/var/run/samba; (bsc#1177355);
-------------------------------------------------------------------
Mon Oct 5 12:44:53 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)
-------------------------------------------------------------------
Thu Sep 24 16:01:26 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency
-------------------------------------------------------------------
Tue Sep 22 16:20:33 UTC 2020 - David Disseldorp <ddiss@suse.com>
- Update to samba 4.13.0
+ Require Python 3.6
+ Move wide links functionality into VFS module
+ Deprecate NT4-like 'classic' Samba domain controllers
+ Deprecate SMBv1 only protocol options
+ Remove deprecated "ldap ssl ads" option
+ Unify asynchronous DCE-RPC server; (jsc#SES-645)
+ Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
+ Drop internal byteorder.h header from util-devel package
+ Remove final code for the AD DC LDAP backend
+ Add AD DC Group Policy Scripts
+ Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
+ Fix %U substitutions if it contains a domain name; (bso#14467)
+ Fix krb5.conf creation for 'net ads join'; (bso#14479)
+ Fix build problem if libbsd-dev is not installed; (bso#14482)
+ Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
+ Fix idmap_ad RFC4511 response handling; (bso#14465)
+ Fix panic in get_lease_type(); (bso#14428)
-------------------------------------------------------------------
Fri Sep 18 13:24:12 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.7
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579);
(bso#14497);
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
"server require schannel:WORKSTATION$ = no" about unsecure configurations;
(bsc#1176579); (bso#14497);
+ CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client
challenge; (bsc#1176579); (bso#14497);
+ CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in
netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no";
(bsc#1176579); (bso#14497);
- Update to samba 4.12.6
+ s3: libsmb: Fix SMB2 client rename bug to a Windows server;
(bso#14403).
+ dsdb: Allow "password hash userPassword schemes = CryptSHA256"
to work on RHEL7; (bso#14424).
+ dbcheck: Allow a dangling forward link outside our known NCs;
(bso#14450).
+ lib/debug: Set the correct default backend loglevel to
MAX_DEBUG_LEVEL; (bso#14426).
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
+ util: Fix build on AIX by fixing the order of replace.h include;
(bso#14422).
+ srvsvc_NetFileEnum asserts with open files; (bso#14355).
+ KDC breaks with DES keys still in the database and
msDS-SupportedEncryptionTypes 31 indicating support for it;
(bso#14354).
+ s3:smbd: Make sure vfs_ChDir() always sets
conn->cwd_fsp->fh->fd = AT_FDCWD; (bso#14427).
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
+ docs: Fix documentation for require_membership_of of
pam_winbind.conf; (bso#14358).
+ ctdb-scripts: Use nfsconf utility for variable values in CTDB
NFS scripts; (bso#14444).
+ s3:winbind:idmap_ad: Make failure to get attrnames for schema
mode fatal; (bso#14425).
-------------------------------------------------------------------
Tue Jul 28 13:25:09 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Don't install SuSEfirewall2 services, we don't have that package
anymore
-------------------------------------------------------------------
Thu Jul 2 15:18:42 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.5
+ Fix smbd panic on force-close share during async
io; (bso#14301).
+ Fix segfault when using SMBC_opendir_ctx() routine for
share folder that contains incorrect symbols in any
file name; (bso#14374)
+ Fix DFS links; (bso#14391).
+ Can't use DNS functionality after a Windows DC has been
in domain; (bso#14310).
+ ldapi search to FreeIPA crashes; (bso#14413).
+ Add net-ads-join dnshostname=fqdn option; (bso#14396)
+ Fix adding msDS-AdditionalDnsHostName to keytab with
Windows DC; (bso#14406).
+ docs-xml: Update list of posible VFS operations for
vfs_full_audit; (bso#14386).
+ winbindd: Fix a use-after-free when winbind clients exit;
(bso#14382).
+ Client tools are not able to read gencache anymore;
(bso#14370).
-------------------------------------------------------------------
Thu Jul 2 11:56:15 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.4
+ CVE-2020-10730: NULL de-reference in AD DC LDAP server when
ASQ and VLV combined; (bso#14364); (bsc#1173159)
+ CVE-2020-10745: invalid DNS or NBT queries containing dots use
several seconds of CPU each; (bso#14378); (bsc#1173160).
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP
server with paged_result or VLV; (bso#14402); (bsc#1173161)
+ CVE-2020-14303: Endless loop from empty UDP packet sent to
AD DC nbt_server; (bso#14417); (bsc#1173359).
-------------------------------------------------------------------
Sat May 30 15:42:34 UTC 2020 - Marcus Meissner <meissner@suse.com>
- add libnetapi-devel to baselibs conf, for wine usage (bsc#1172307)
-------------------------------------------------------------------
Thu May 28 10:56:26 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Add system-user-nobody to samba package requirements
-------------------------------------------------------------------
Wed May 20 15:56:03 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.3
+ Fix smbd panic on force-close share during async io; (bso#14301);
+ s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[] array;
(bso#14343);
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
+ Fix smbd crashes when MacOS Catalina connects if iconv initialization
fails; (bso#14372);
+ Exporting from macOS Adobe Illustrator creates multiple copies;
(bso#14150);
+ smbd does a chdir() twice per request; (bso#14256);
+ smbd mistakenly updates a file's write-time on close; (bso#14320);
+ vfs_shadow_copy2: implement case canonicalisation in
shadow_copy2_get_real_filename(); (bso#14350);
+ Fix Windows 7 clients problem after upgrading samba file server;
(bso#14375);
+ s3: Pass DCE RPC handle type to create_policy_hnd; (bso#14359);
+ Fix uxsuccess test with new MIT krb5 library 1.18; (bso#14155);
+ mit-kdc: Explicitly reject S4U requests; (bso#14342);
+ dbwrap_watch: Set rec->value_valid while returning nested
share_mode_do_locked(); (bso#14352);
+ lib:util: Fix smbclient -l basename dir; (bso#14345);
+ s3:libads: Fix ads_get_upn(); (bso#14336);
+ ctdb: Fix a memleak; (bso#14348);
+ Malicous SMB1 server can crash libsmbclient; (bso#14366);
+ ldb: Bump version to 2.1.3, LMDB databases can grow without bounds;
(bso#14330);
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
+ s3/librpc/crypto: Fix double free with unresolved credential cache;
(bso#14344);
+ docs-xml: Fix usernames in pam_winbind manpages; (bso#14358);
-------------------------------------------------------------------
Mon May 11 14:53:16 UTC 2020 - David Mulder <dmulder@dmulder.com>
- Installing: samba - samba-ad-dc.service does not exist and unit
not found; (bsc#1171437);
-------------------------------------------------------------------
Mon May 4 10:33:43 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- libsmb: Don't try to find posix stat info in SMBC_getatr();
(bso#14101); (bsc#1169242);
-------------------------------------------------------------------
Wed Apr 29 15:48:50 UTC 2020 - Noel Power <nopower@suse.com>
- Move libdcerpc-server-core.so to samba-libs package, this was
initially erroneously located in samba-ad-dc.
-------------------------------------------------------------------
Tue Apr 28 11:44:07 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.2
+ CVE-2020-10700: A client combining the 'ASQ' and
'Paged Results' LDAP controls can cause a use-after-free
in Samba's AD DC LDAP server;(bso#14331); (bsc#1169850)
+ CVE-2020-10704: A deeply nested filter in an un-authenticated
LDAP search can exhaust the LDAP server's stack memory causing
a SIGSEGV; (bso#14334); (bsc#1169851).
-------------------------------------------------------------------
Mon Apr 13 09:07:02 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.12.1
+ nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14295);
+ samba-tool group: Handle group names with special chars correctly;
(bso#14296);
+ Add missing check for DMAPI offline status in async DOS attributes;
(bso#14293);
+ Starting ctdb node that was powered off hard before results in recovery
loop; (bso#14295);
+ smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs;
(bso#14307);
+ vfs_recycle: Prevent flooding the log if we're called on non-existant
paths; (bso#14316);
+ librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313);
+ nsswitch: Fix use-after-free causing segfault in _pam_delete_cred;
(bso#14327);
+ fruit:time machine max size is broken on arm; (bso#13622);
+ CTDB recovery corner cases can cause record resurrection and node
banning; (bso#14294);
+ s3/utils: Fix double free error with smbtree; (bso#14332);
+ CTDB recovery corner cases can cause record resurrection and node
banning; (bso#14294);
+ Starting ctdb node that was powered off hard before results in recovery
loop; (bso#14295);
+ CTDB recovery daemon can crash due to dereference of NULL pointer;
(bso#14324);
-------------------------------------------------------------------
Wed Mar 25 12:52:55 UTC 2020 - Noel Power <nopower@suse.com>
- s3: libsmbclient.h: add missing time.h include to fix
ffmpeg build and make it compatible with -std=c99.
-------------------------------------------------------------------
Mon Mar 16 10:40:16 UTC 2020 - Noel Power <nopower@suse.com>
- ndrdump tests: Make the tests less fragile
- python/samba/gp_parse: Fix test errors with python3.8
-------------------------------------------------------------------
Fri Mar 13 14:19:30 UTC 2020 - Noel Power <nopower@suse.com>
- Starting ctdb node that was powered off hard before results
in recovery loop; (bso#14295); (bsc#1162680).
-------------------------------------------------------------------
Fri Mar 6 15:38:01 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samba 4.12.0
+ For details on all items see WHATSNEW.txt in samba-doc
package.
+ Samba 4.12 raises this minimum version to Python
3.5.
+ Samba now requires GnuTLS 3.4.7 to be installed.
+ New Spotlight backend for Elasticsearch.
+ Retiring DES encryption types in Kerberos. With this release,
support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause
Kerberos authentication to fail for that account (see
RFC-6649).
+ Samba-DC: DES keys no longer saved in DB.
+ The netatalk VFS module has been removed.
+ The BIND9_FLATFILE DNS backend is deprecated in this release
and will be removed in the future.
+ CTDB changes
+ The ctdb_mutex_fcntl_helper periodically re-checks the
lock file.
+ Bugs
+ Retire DES encryption types in Kerberos; (bso#14202);
bsc#(1165574).
+ dsdb: Correctly handle memory in objectclass_attrs;
(bso#14258).
+ s3: DFS: Don't allow link deletion on a read-only share;
(bso#14269).
+ pidl/wscript: configure should insist on Parse::Yapp::Driver;
(bso#14284).
+ smbd fails to handle EINTR from open(2) properly;
(bso#14285).
+ ldb: version 2.1.1; (bso#14270)).
+ vfs: Set getting and setting of MS-DFS redirects on the
filesystem to go through two new VFS functions
SMB_VFS_CREATE_DFS_PATHAT() and
SMB_VFS_READ_DFS_PATHAT(); (bso#14282).
+ bootstrap: Remove un-used dependency python3-crypto;
(bso#14255)
+ Fix CID 1458418 and 1458420; (bso#14247).
+ lib: Fix a shutdown crash with "clustering = yes";
(bso#14281).
+ Winbind member (source3) fails local SAM auth with empty
domain name; (bso#14247).
+ winbindd: Handle missing idmap in getgrgid(); (bso#14265).
+ Don't use forward declaration for GnuTLS typedefs; (bso#14271).
+ Add io_uring vfs module; (bso#14280).
+ libcli:smb: Improve check for
gnutls_aead_cipher_(en|de)cryptv2; (bso#14250).
+ s3: lib: nmblib. Clean up and harden nmb packet processing;
(bso#14239);
+ lib:util: Log mkdir error on correct debug levels; (bso#14253).
-------------------------------------------------------------------
Sun Feb 2 20:42:05 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Remove unused pwdutils buildrequires
-------------------------------------------------------------------
Thu Jan 30 09:04:04 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.11.6
+ pygpo: Use correct method flags; (bso#14209);
+ Avoiding bad call flags with python 3.8, using METH_NOARGS
instead of zero; (bso#14209);
+ source4/utils/oLschema2ldif: Include stdint.h before cmocka.h;
(bso#14218);
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc;
(bso#14122);
+ smbd: Fix the build with clang; (bso#14251);
+ upgradedns: Ensure lmdb lock files linked; (bso#14199);
+ s3: VFS: glusterfs: Reset nlinks for symlink entries during
readdir; (bso#14182);
+ smbc_stat() doesn't return the correct st_mode and also the
uid/gid is not filled (SMBv1) file; (bso#14101);
+ librpc: Fix string length checking in ndr_pull_charset_to_null();
(bso#14219);
+ ctdb-scripts: Strip square brackets when gathering connection info;
(bso#14227);
-------------------------------------------------------------------
Tue Jan 21 16:55:36 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Fix nmbstatus not reporting detailed information about workgroups;
(bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);
-------------------------------------------------------------------
Tue Jan 21 16:31:07 UTC 2020 - Noel Power <nopower@suse.com>
- Update to samab 4.11.5
+ CVE-2019-14902: Replication of ACLs down subtree on
AD Directory is not automatic; (bso#12497); (bsc#1160850).
+ CVE-2019-19344: Fix server crash with
dns zone scavenging = yes; (bso#14050); (bsc#1160852).
+ CVE-2019-14907: server-side crash after charset conversion
failure (eg during NTLMSSP processing); (bso#14208);
(bsc#1160888).
- Update to samba 4.11.4
+ Ensure SMB1 cli_qpathinfo2() doesn't return an inode number;
(bso#14161).
+ Ensure we don't call cli_RNetShareEnum() on an SMB1
connection; (bso#14174).
+ NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
SMBC_opendir_ctx; (bso#14176).
+ SMB2 - Ensure we use the correct session_id if encrypting
an interim response; (bso#14189).
+ Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
+ printing: Fix %J substition; (bso#13745).
+ Remove now unneeded call to cmdline_messaging_context();
(bso#13925).
+ Fix incomplete conversion of former parametric options;
(bso#14069).
+ Fix sync dosmode fallback in async dosmode codepath;
(bso#14070).
+ vfs_fruit returns capped resource fork length; (bso#14171).
+ libnet_join: Add SPNs for additional-dns-hostnames entries;
(bso#14116).
+ smbd: Increase a debug level; (bso#14211).
+ Prevent azure ad connect from reporting discovery errors
reference-value-not-ldap-conformant; (bso#14153).
+ krb5_plugin: Fix developer build with newer heimdal system
library; (bso#14179).
+ replace: Only link libnsl and libsocket if required;
(bso#14168);
+ ctdb: Incoming queue can be orphaned causing communication;
breakdown; (bso#14175).
+ ldb: Release ldb 2.0.8. Cross-compile will not take
cross-answers or cross-execute; (bso#13846).
+ heimdal-build: Avoid hard-coded /usr/include/heimdal in
asn1_compile-generated code; (bso#13856).
-------------------------------------------------------------------
Fri Dec 20 17:59:01 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).
-------------------------------------------------------------------
Tue Dec 10 09:57:23 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba 4.11.3
+ CVE-2019-14861: DNSServer RPC server crash, an authenticated user
can crash the DCE/RPC DNS management server by creating records
with matching the zone name; (bso#14138); (bsc#1158108).
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the
DelegationNotAllowed Kerberos feature restriction was not being
applied when processing protocol transition requests (S4U2Self),
in the AD DC KDC; (bso#14187); (bsc#1158109).
-------------------------------------------------------------------
Tue Oct 29 17:22:30 UTC 2019 - Jim McDonough <jmcdonough@suse.com>
- Update to samba 4.11.2
+ CVE-2019-10218: Client code can return filenames containing
path separators; (bsc#1144902); (bso#14071).
+ CVE-2019-14833: Samba AD DC check password script does not
receive the full password; (bso#12438).
+ CVE-2019-14847: User with "get changes" permission can crash
AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
+ Overlinking libreplace against librt and pthread against every
binary or library causes issues; (bso#14140);
+ kpasswd fails when built with MIT Kerberos; (bso#14155);
+ Fix spnego fallback from kerberos to ntlmssp in smbd server;
(bso#14106);
+ Stale file handle error when using mkstemp on a share; (bso#14137);
+ non-AES schannel broken; (bso#14134);
+ Joining Active Directory should not use SAMR to set the password;
(bso#13884);
+ smbclient can blunder into the SMB1 specific cli_RNetShareEnum()
call on an SMB2 connection; (bso#14152);
+ Deleted records can be resurrected during recovery; (bso#14147);
+ getpwnam and getpwuid need to return data for ID_TYPE_BOTH group;
(bso#14141);
+ winbind does not list forest trusts with additional trust
attributes; (bso#14130);
+ fault report points to outdated documentation; (bso#14139);
+ pam_winbind with krb5_auth or wbinfo -K doesn't work for users of
trusted domains/forests; (bso#14124);
+ classicupgrade results in uncaught exception - a bytes-like object
is required, not 'str'; (bso#14136);
+ pod2man is not longer required, stop checking at build time;
(bso#14131);
+ Exit code of ctdb nodestatus should not be influenced by deleted
nodes; (bso#14129);
+ username/password authentication doesn't work with CUPS and
smbspool; (bso#14128);
+ smbc_readdirplus() is incompatible with smbc_telldir() and
smbc_lseekdir(); (bso#14094);
-------------------------------------------------------------------
Sat Oct 5 14:20:06 UTC 2019 - James McDonough <jmcdonough@suse.com>
- Update to samba 4.11.0
+ For details on all items see WHATSNEW.txt in samba-doc
package
+ Python2 runtime support removed; python 3.4 or later required
+ Security improvements:
- SMB1 disabled by default
- lanman and plaintext authentication deprecated
- winbind: PAM_AUTH and NTLM_AUTH events logged
- GnuTLS 3.2 required; system FIPS mode setting honored
+ CephFS Snapshot integration, exposed as previous file
versions
+ ctdb changes:
- onnode -o option removed
- ctdbd logs when using more than 90% of a CPU thread
- CTDB_MONITOR_SWAP_USAGE variable removed
+ AD Domain controller improvements:
- Upgrade AD databse format
- BIND9_FLATFILE deprecated
- default process model chagned to prefork
- bind9 dns operation duration logging
- Default schema updated to 2012_R2; function level is
unchanged
- many performance improvements
+ Configuration webserver support removed
-------------------------------------------------------------------
Tue Sep 3 09:18:38 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Update to samba 4.10.8
+ CVE-2019-10197: user escape from share path definition;
(bso#14035); (bsc#1141267);
-------------------------------------------------------------------
Fri Aug 30 13:10:01 UTC 2019 - Noel Power <nopower@suse.com>
- Fix build on newer systems by modifying samba.spec to use
consistent non-relative paths for pammodules in configure line
and specification of pam_winbind.so library to package.
-------------------------------------------------------------------
Tue Aug 27 14:47:44 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba 4.10.7
+ Unable to create or rename file/directory inside shares
configured with vfs_glusterfs_fuse module; (bso#14010).
+ build: Allow build when '--disable-gnutls' is set; (bso#13844)
+ samba-tool: Add 'import samba.drs_utils' to fsmo.py;
(bso#13973).
+ Fix 'Error 32 determining PSOs in system' message on old DB
with FL upgrade; (bso#14008).
+ s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
+ join: Use a specific attribute order for the DsAddEntry
nTDSDSA object; (bso#14046).
+ vfs_catia: Pass stat info to synthetic_smb_fname();
(bso#14015).
+ lookup_name: Allow own domain lookup when flags == 0;
(bso#14091).
+ s4 librpc rpc pyrpc: Ensure tevent_context deleted last;
(bso#13932).
+ DEBUGC and DEBUGADDC doesn't print into a class specific log
file; (bso#13915).
+ Request to keep deprecated option "server schannel",
VMWare Quickprep requires "auto"; (bso#13949).
+ dbcheck: Fallback to the default tombstoneLifetime of 180 days;
(bso#13967).
+ dnsProperty fails to decode values from older Windows versions;
(bso#13969).
+ samba-tool: Use only one LDAP modify for dns partition fsmo
role transfer; (bso#13973).
+ third_party: Update waf to version 2.0.17; (bso#13960).
+ netcmd: Allow 'drs replicate --local' to create partitions;
(bso#14051).
+ ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).
-------------------------------------------------------------------
Wed Aug 7 13:03:55 UTC 2019 - npower <nopower@suse.com>
- Prepare for use future use of kernel keyrings, modify
/etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).
-------------------------------------------------------------------
Thu Aug 1 10:00:00 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
+ s3: winbind: Fix crash when invoking winbind idmap scripts;
(bso#13956).
+ smbd does not correctly parse arguments passed to dfree and quota
scripts; (bso#13964).
+ samba-tool dns: use bytes for inet_ntop; (bso#13965).
+ samba-tool domain provision: Fix --interactive module in python3;
(bso#13828).
+ ldb_kv: Skip @ records early in a search full scan; (bso#13893).
+ docs: Improve documentation of "lanman auth" and "ntlm auth"
connection; (bso#13981).
+ python/ntacls: Use correct "state directory" smb.conf option instead
of "state dir"; (bso#14002).
+ registry: Add a missing include; (bso#13840).
+ Fix SMB guest authentication; (bso#13944).
+ AppleDouble conversion breaks Resourceforks; (bso#13958).
+ vfs_fruit makes direct use of syscalls like mmap() and pread();
(bso#13968).
+ s3:mdssvc: Fix flex compilation error; (bso#13987).
+ s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
+ dsdb:samdb: schemainfo update with relax control; (bso#13799).
+ s3:util: Move static file_pload() function to lib/util; (bso#13964).
+ smbd: Fix a panic; (bso#13957).
+ ldap server: Generate correct referral schemes; (bso#12478).
+ s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value;
(bso#13941).
+ s4 dsdb: Fix use after free in samldb_rename_search_base_callback;
(bso#13942).
+ dsdb/repl: we need to replicate the whole schema before we can apply it;
(bso#12204).
+ ldb: Release ldb 1.5.5; (bso#12478).
+ Schema replication fails if link crosses chunk boundary backwards;
(bso#13713).
+ 'samba-tool domain schemaupgrade' uses relax control and skips the
schemaInfo update provision; (bso#13799).
+ dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)]
..."; (bso#13916).
+ python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to
get the ACL; (bso#13917).
+ s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary;
(bso#13947).
+ Using Kerberos credentials to print using spoolss doesn't work;
(bso#13939).
+ wafsamba: Use native waf timer; (bso#13998).
+ ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).
-------------------------------------------------------------------
Wed Jun 19 09:20:12 UTC 2019 - Noel Power <nopower@suse.com>
- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
+ CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
in DnssrvOperation2; (bso#13922); (bsc#1137815).
+ CVE-2019-12436 dsdb/paged_results: Ignore successful results
without messages; (bso#13951); (bsc#1137816).
- Update to samba-4.10.4
+ s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
+ py/provision: Fix for Python 2.6; (bso#13882).
+ netcmd: Fix 'passwordsettings --max-pwd-age' command;
(bso#13873).
+ s3-libnet_join: 'net ads join' to child domain fails when
using "-U admin@forestroot"; (bso#13861).
+ vfs_ceph: Explicitly enable libcephfs POSIX ACL support;
(bso#13896); (bsc#1130245).
+ vfs_ceph: Fix cephwrap_flistxattr() debug message;
(bso#13940); (bsc#1134697).
+ ctdb-common: Avoid race between fd and signal events;
(bso#13895).
+ ctdb-common: Fix memory leak in run_proc; (bso#13943).
+ lib: Initialize getline() arguments; (bso#13892).
+ winbind: Fix overlapping id ranges; (bco#13903).
+ lib util debug: Increase format buffer to 4KiB; (bso#13902).
+ nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
+ s4 lib socket: Ensure address string owned by parent struct;
(bso#13929).
+ s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
+ s3:smbd: Handle IO_REPARSE_TAG_DFS in
SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
+ smb2_sesssetup: avoid STATUS_PENDING responses for session setup;
(bso#12845).
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
+ smb2_sesssetup: avoid STATUS_PENDING responses for session
setup; (bso#13796).
+ dbcheck: Fix the err_empty_attribute() check; (bso#13843).
+ vfs_snapper: Drop unneeded fstat handler; (bso#13858).
+ vfs_default: Fix vfswrap_offload_write_send()
NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
+ smb2_server: Grant all 8192 credits to clients; (bso#13863).
+ smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling;
(bso#13919).
+ s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
+ s3: modules: ceph: Use current working directory instead of
share path; (bso#13918); (bsc#1134452).
+ winbind: Use domain name from lsa query for sid_to_name cache
entry; (bso#13831).
+ memcache: Increase size of default memcache to 512k;
(bso#13865).
+ docs: Update smbclient manpage for "--max-protocol";
(bso#13857).
+ s3:utils: If share is NULL in smbcacls, don't print it;
(bso#13937).
+ s3:smbspool: Fix regression printing with Kerberos credentials;
(bso#13939).
+ ctdb-scripts: CTDB restarts failed NFS RPC services by hand,
which is incompatible with systemd; (bso#13860).
+ ctdb-daemon: Revert "We can not assume that just because we
could complete a TCP handshake"; (bso#13888).
+ ctdb-daemon: Never use 0 as a client ID; (bso#13930).
+ ctdb-common: Fix memory leak; (bso#13943).
+ s3:debug: Enable logging for early startup failures;
(bso#13904)
- Update to samba-4.10.3
+ CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
checksum; (bso#13685); (bsc#1134024).
-------------------------------------------------------------------
Tue May 14 14:22:11 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
- Add ceph_snapshots VFS module; (jsc#SES-183).
-------------------------------------------------------------------
Wed May 8 12:42:31 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).
-------------------------------------------------------------------
Wed Apr 17 11:20:32 UTC 2019 - npower <nopower@suse.com>
- Update to samba-4.10.2:
+ CVE-2019-3870 (World writable files in
Samba AD DC private/ dir); (bso#13834).
+ CVE-2019-3880 (Save registry file outside share as
unprivileged user); (bso#13851).
+ py/kcc_utils: py2.6 compatibility; (bso#13837).
+ libcli: permit larger values of DataLength in
SMB2_ENCRYPTION_CAPABILITIES of negotiate response;
(bso#13869).
+ regfio: Improve handling of malformed registry hive files;
(bso#13840).
+ ctdb-version: Simplify version string usage; (bso#13789).
+ lib: Make fd_load work for non-regular files; (bso#13859).
+ dbcheck: in the middle of the tombstone garbage collection
causes replication failures,
dbcheck: add --selftest-check-expired-tombstones cmdline
option; (bso#13816).
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
+ s4/messaging: Fix undefined reference in linking
libMESSAGING-samba4.so; (bso#13854).
+ acl_read: Fix regression for empty lists; (bso#13836).
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
+ s3:client: Fix printing via smbspool backend with kerberos
auth; (bso#13832).
+ s4:librpc: Fix installation of Samba; (bso#13847).
+ s3:lib: Fix the debug message for adding cache entries;
(bso#13848).
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username;
(bso#13793).
+ s3:lib: Fix the debug message for adding cache entries;
(bso#13848).
+ s3:waf: Fix the detection of makdev() macro on Linux;
(bso#13853).
* ctdb-build: Drop creation of .distversion in tarball;
(bso#13789).
* ctdb-packaging: Test package requires tcpdump, ctdb package
should not own system library directory; (bso#13838).
- Update to samba-4.10.1:
+ py/kcc_utils: py2.6 compatibility; (bso#13837);
+ libcli: permit larger values of DataLength in
SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
+ regfio: Improve handling of malformed registry hive files; (bso#13840);
+ ctdb-version: Simplify version string usage; (bso#13789);
+ lib: Make fd_load work for non-regular files; (bso#13859);
+ dbcheck in the middle of the tombstone garbage collection causes
replication failures, dbcheck: add --selftest-check-expired-tombstones
cmdline option; (bso#13816);
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
+ s4/messaging: Fix undefined reference in linking
libMESSAGING-samba4.so; (bso#13854);
+ acl_read: Fix regression for empty lists; (bso#13836);
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
+ s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
+ s4:librpc: Fix installation of Samba; (bso#13847);
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
+ s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
+ ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
+ ctdb-packaging: Test package requires tcpdump, ctdb package
should not own system library directory; (bso#13838);
- Update to samba-4.10.0:
+ s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
+ s4/scripting/bin: Open unicode files with utf8 encoding and write
+ unicode string.
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
files; (bso#13759);
+ Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813);
+ passdb: Update ABI to 0.27.2.
+ lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
+ lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);
-------------------------------------------------------------------
Sun Apr 14 22:31:32 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
-------------------------------------------------------------------
Tue Apr 2 08:38:28 UTC 2019 - npower <nopower@suse.com>
- CVE-2019-3880: Save registry file outside share as unprivileged
user; (bso#13851); (bsc#1131060 ).
-------------------------------------------------------------------
Wed Mar 27 18:47:07 UTC 2019 - David Mulder <dmulder@suse.com>
- Update to samba-4.9.5
+ audit_logging: Remove debug log header and JSON Authentication:
prefix; (bso#13714);
+ Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
+ s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso#
CID: 1433607; (bso#11495);
+ smbd: uid: Don't crash if 'force group' is added to an existing
share connection; (bso#13690);
+ s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility
code; (bso#13770);
+ s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
+ s3:utils/smbget fix recursive download with empty source
directories; (bso#13199);
+ samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
+ s3:libsmb: cli_smb2_list() can sometimes fail initially on a
connection; (bso#13736);
+ join: Throw CommandError instead of Exception for simple errors; (bso#13747);
+ ldb: Avoid inefficient one-level searches; (bso#13762);
+ s3: libsmb: use smb2cli_conn_max_trans_size() in
cli_smb2_list(); (bso#13736);
+ tldap: Avoid use after free errors; (bso#13776);
+ Fix idmap xid2sid cache churn; (bso#13802);
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
+ s3-smbd: Avoid assuming fsp is always intact after close_file
call; (bso#13720);
+ s3-vfs-fruit: Add close call; (bso#13725);
+ s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
+ s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
+ printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
+ vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS)
ftruncate and fallocate; (bso#13807);
+ lib/audit_logging: Actually create talloc; (bso#13737);
+ netcmd/user: python[3]-gpgme unsupported and replaced by
python[3]-gpg; (bso#13728);
+ dns: Changing onelevel search for wildcard to subtree; (bso#13738);
+ samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
files; (bso#13759);
+ ctdb: Print locks latency in machinereadable stats; (bso#13742);
+ messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
+ audit_logging: auth_json_audit required auth_json; (bso#13715);
+ man pages: Document prefork process model; (bso#13765);
+ CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
+ s3:auth: ignore create_builtin_guests() failing without a valid
idmap configuration; (bso#13697);
+ s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC
without trusts; (bso#13722);
+ s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd
is not available; (bso#13723);
+ s4:server: Add support for 'smbcontrol samba shutdown' and
'smbcontrol <pid> debug/debuglevel'; (bso#13752);
+ Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
+ vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
+ s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
+ notifyd: Fix SIGBUS on sparc; (bso#13704);
+ waf: Check for libnscd; (bso#13787);
+ s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
+ lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
+ Recovery lock bug fixes; (bso#13800);
+ s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
+ s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
+ vfs_fileid: Fix get_connectpath_ino; (bso#13741);
+ vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);
-------------------------------------------------------------------
Mon Mar 4 12:42:36 UTC 2019 - David Disseldorp <ddiss@suse.com>
- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).
-------------------------------------------------------------------
Fri Feb 22 11:58:53 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Fix update-apparmor-samba-profile script after apparmor switched
to using named profiles. The change is backwards compatible;
(bsc#1126377);
-------------------------------------------------------------------
Thu Feb 7 16:13:15 UTC 2019 - David Mulder <dmulder@suse.com>
- LoadParm().load_default() fails with "Unable to load default file";
(bsc#1089758);
-------------------------------------------------------------------
Thu Feb 7 00:27:42 UTC 2019 - ddiss@suse.com
- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);
-------------------------------------------------------------------
Mon Feb 4 12:38:55 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit();
(bso#13173); (bsc#1123755);
- s3:winbind: Fix regression introduced with bso #12851;
(bso#12851); (bsc#1123755);
-------------------------------------------------------------------
Tue Jan 8 11:38:40 UTC 2019 - nopower@suse.com
- Update to samba-4.9.4
+ libcli/smb: Don't overwrite status code; (bso#9175).
+ wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
+ Session setup reauth fails to sign response; (bso#13661).
+ vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
+ vfs_shadow_copy2: Nicely deal with attempts to open previous
version for writing; (bso#13688).
+ Restoring previous version of stream with vfs_shadow_copy2 fails
with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
+ CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
+ PEP8: fix E231: missing whitespace after ','.
+ winbindd: Fix crash when taking profiles;(bso#13629)
+ CVE-2018-14629 dns: Fix CNAME loop prevention using counter
regression; (bso#13600)
+ 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
+ CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
+ lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679)
+ ctdb-daemon: Exit with error if a database directory does not
exist; (bso#13696).
+ s3:libads: Add net ads leave keep-account option; (bso#13498).
-------------------------------------------------------------------
Thu Dec 20 15:15:54 UTC 2018 - David Mulder <dmulder@suse.com>
- s3:passdb: Do not return OK if we don't have pinfo set up;
(bsc#1099590); (bso#13376);
-------------------------------------------------------------------
Thu Dec 6 20:55:23 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Drop more %if..%endif guards which are idempotent.
- Drop requires on ldconfig which are already auto-discovered.
- Do not ignore errors from useradd/groupadd.
-------------------------------------------------------------------
Thu Nov 29 15:54:27 UTC 2018 - David Mulder <dmulder@suse.com>
- Remove python2 build dependency from samba-libs; (bsc#1116900);
-------------------------------------------------------------------
Wed Nov 28 09:35:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update update-apparmor-samba-profile script to ignore the shares's
paths containing substitution variables in any place, not only at the
beginning of the path.
-------------------------------------------------------------------
Mon Nov 19 12:28:56 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.3
+ CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD
Internal DNS server; (bso#13600); (bsc#1116319);
+ CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628);
(bsc#1116320);
+ CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server;
(bso#13674); (bsc#1116322);
+ CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers;
(bso#13669); (bsc#1116321);
+ CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported); (bso#13678); (bsc#1116324);
+ CVE-2018-16857: Bad password count in AD DC not always effective;
window; (bso#13683); (bsc#1116323);
-------------------------------------------------------------------
Thu Nov 8 17:53:14 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- s3: winbind: Remove fstring from wb_acct_info struct; (bsc#1114459);
- Use foreground execution mode for systemd samba daemons; (bsc#1112223);
-------------------------------------------------------------------
Thu Nov 8 15:06:37 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.2
+ dsdb: Add comments explaining the limitations of our current backlink
behaviour; (bso#13418);
+ Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
+ testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3;
(bso#13465);
+ Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
+ File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
+ Enabling vfs_fruit looses FinderInfo; (bso#13649);
+ Cancelling of SMB2 aio reads and writes returns wrong error
NT_STATUS_INTERNAL_ERROR; (bso#13667);
+ Fix CTDB recovery record resurrection from inactive nodes and simplify
vacuuming; (bso#13641);
+ examples: Fix the smb2mount build; (bso#13465);
+ libtevent: Fix build due to missing open_memstream on Illiumos;
(bso#13629);
+ winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
+ dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path;
(bso#13653);
+ Extended DN SID component missing for member after switching group
membership; (bso#13418);
+ Return STATUS_SESSION_EXPIRED error encrypted, if the request was
encrypted; (bso#13624);
+ python: Allow forced signing via smb.SMB(); (bso#13621);
+ lib:socket: If returning early, set ifaces; (bso#13665);
+ ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8
encoded unicode; (bso#13616);
+ smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute;
(bso#13673);
+ waf: Add -fstack-clash-protection; (bso#13601);
+ winbind: Fix segfault if an invalid passdb backend is configured;
(bso#13668);
+ Fix bugs in CTDB event handling; (bso#13659);
+ Misbehaving nodes are sometimes not banned; (bso#13670);
-------------------------------------------------------------------
Mon Oct 29 14:38:56 UTC 2018 - dmulder@suse.com
- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);
-------------------------------------------------------------------
Tue Oct 23 18:44:53 UTC 2018 - dmulder@suse.com
- winbind requires latest version of libtevent-util0 to start
-------------------------------------------------------------------
Fri Oct 12 14:58:08 UTC 2018 - dmulder@suse.com
- Backport latest gpo code from master
+ Read policy from local gpt cache
+ Offline policy application
+ Make group policy extensible via register/unregister gpext
+ gpext's run via a process_group_policy method
-------------------------------------------------------------------
Mon Oct 8 08:36:43 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to 4.6.16; (bsc#1110943);
+ CVE-2018-10919: Fix unauthorized attribute access via searches;
(bso#13434);
-------------------------------------------------------------------
Wed Sep 26 22:45:40 UTC 2018 - jmcdonough@suse.com
- Enable profiling data collection
-------------------------------------------------------------------
Tue Sep 25 20:26:47 UTC 2018 - dmulder@suse.com
- Change samba-kdc package name to samba-ad-dc
- Move samba-ad-dc.service to the samba-ad-dc package
-------------------------------------------------------------------
Mon Sep 24 09:43:08 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.1
+ s3: nmbd: Stop nmbd network announce storm; (bso#13620);
+ s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds;
(bso#13597);
+ CTDB recovery lock has some race conditions; (bso#13617);
+ s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
+ ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);
-------------------------------------------------------------------
Thu Sep 13 19:19:34 UTC 2018 - dmulder@suse.com
- Tumbleweed doesn't define the sle_version macro, so we must
include a check for suse_version also. Otherwise python3 is
disabled on Tumbleweed.
-------------------------------------------------------------------
Thu Sep 13 13:28:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
- Update to samba-4.9.0
+ samba_dnsupdate: Honor 'dns zone scavenging' option, only update if
needed; (bso#13605);
+ wafsamba: Fix 'make -j<jobs>'; (bso#13606);
-------------------------------------------------------------------
Mon Sep 10 20:46:20 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc5
+ s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only
returns absolute pathnames; (bso#13565);
+ s3: util: Do not take over stderr when there is no log file; (bso#13578);
+ Durable Reconnect fails because cookie.allow_reconnect is not
set; (bso#13549);
+ krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
+ vfs_fruit: Don't unlink the main file; (bso#13441);
+ smbd: Fix a memleak in async search ask sharemode; (bso#13602);
+ Fix Samba GPO issue when Trust is enabled; (bso#11517);
+ samba-tool: Add "virtualKerberosSalt" attribute to
'user getpassword/syncpasswords'; (bso#13539);
+ Fix CTDB configuration issues; (bso#13589);
+ ctdbd logs an error until it can successfully connect to
eventd; (bso#13592);
-------------------------------------------------------------------
Wed Aug 29 15:49:29 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc4
+ s3: smbd: Ensure get_real_filename() copes with empty
pathnames; (bso#13585);
+ samba domain backup online/rename commands force user to specify
password on CLI; (bso#13566);
+ wafsamba/samba_abi: Always hide ABI symbols which must be
local; (bso#13579);
+ Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
+ Fix memory and resource leaks; (bso#13567);
+ python: Fix print in dns_invalid.py; (bso#13580);
+ Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
+ Fix CTDB configuration issues; (bso#13589);
+ s3: vfs: time_audit: fix handling of token_blob in
smb_time_audit_offload_read_recv(); (bso#13568);
-------------------------------------------------------------------
Mon Aug 27 09:34:11 UTC 2018 - vcizek@suse.com
- Add missing zlib-devel dependency which was previously pulled in
by libopenssl-devel
-------------------------------------------------------------------
Tue Aug 21 13:39:49 UTC 2018 - dmulder@suse.com
- Update to samba-4.9.0rc3+git.22.3fff23ae36e
+ CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
returns from malicious servers; (bso#13453);
+ CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
+ CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
not servicePrincipalName is set on a user; (bso#13552);
+ CVE-2018-10919: acl_read: Fix unauthorized attribute access via
searches; (bso#13434);
+ ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
+ CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
is disabled via "ntlm auth"; (bso#13360);
+ s3-tldap: do not install test_tldap; (bso#13529);
+ ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
+ CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
ltdb_index_dn_attr(); (bso#13374);
+ ctdb-eventd: Fix CID 1438155; (bso#13554);
+ Fix CIDs 1438243, (Unchecked return value) 1438244
(Unsigned compared against 0), 1438245 (Dereference before null check) and
1438246 (Unchecked return value); (bso#13553);
+ ctdb: Fix a cut&paste error; (bso#13554);
+ systemd: Only start smb when network interfaces are up; (bso#13559);
+ Fix quotas don't work with SMB2; (bso#13553);
+ s3/smbd: Ensure quota code is only called when quota support
detected; (bso#13563);
+ s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
+ s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
+ Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);
-------------------------------------------------------------------
Mon Aug 20 21:25:27 UTC 2018 - ddiss@suse.com
- Update to 4.6.15
+ Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230);
+ Allow idmap_rid to have primary group other than "Domain Users";
(bsc#1087931).
-------------------------------------------------------------------
Mon Aug 20 15:03:01 MDT 2018 - dmulder@suse.com
- Update to samba-4.9.0rc2+git.21.a1069afb007
+ s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
+ s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check();
(bso#13535);
+ samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
+ s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
+ Fix portability issues on freebsd; (bso#13520);
+ DNS wildcard search does not handle multiple labels correctly; (bso#13536);
+ samba-tool domain trust: Fix trust compatibility to Windows
Server 1709 and FreeIPA; (bso#13308);
+ Fix portability issues on freebsd; (bso#13520);
+ ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
+ ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT
option; (bso#13546);
+ ctdb-doc: Provide an example script for migrating old
configuration; (bso#13550);
+ ctdb-event: Implement event tool "script list" command; (bso#13551);
-------------------------------------------------------------------
Tue Aug 14 13:06:03 UTC 2018 - nopower@suse.com
- Update to samba-4.8.4+git.37.a7a861d7982;
+ CVE-2018-1139: Weak authentication protocol allowed;
(bsc#1095048); (bsc#13360);
+ CVE-2018-1140: Denial of Service Attack on DNS and LDAP server;
(bsc#1095056); (bso#13466); (bso#13374);
+ CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient; (bsc#1103411); (bso#13453);
+ CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server;
(bsc#1103414); (bso#13552);
+ CVE-2018-10919: Confidential attribute disclosure from the AD
LDAP server; (bsc#1095057); (bso#13434);
+ s3:winbind: winbind normalize names' doesn't work for users;
(bso#12851);
+ winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
+ s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
+ samdb: Fix building Samba with gcc 8.1; (bso#13437);
+ s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
+ smbd: Flush dfree memcache on service reload; (bso#13446);
+ ldb: Save a copy of the index result before calling the
+ lib/util: No Backtrace given by Samba's AD DC by default;
(bso#13454).
+ s3: smbd: printing: Re-implement delete-on-close semantics for
print files missing since 3.5.x; (bso#13457).
+ python: Fix talloc frame use in make_simple_acl(); (bso#13474).
+ krb5_wrap: Fix keep_old_entries logic for older Kerberos
libraries;(bso#13478).
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos;
(bso#13480).
-------------------------------------------------------------------
Wed Aug 1 14:57:51 UTC 2018 - scabrero@suse.de
- CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient; (bso#13453); (bsc#1103411);
- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
(bso#12851);
- winbind: avoid using fstrcpy in _dual_init_connection;
(bso#13294); (bsc#1087303);
- Fix ntlm authentications with "winbind use default domain = yes";
(bso#13126); (bsc#1068059);
- net: fix net ads keytab handling; (bso#13166); (bsc#1067700);
- fix vfs_ceph flock stub; (bso#13506).
-------------------------------------------------------------------
Tue May 29 12:08:15 UTC 2018 - scabrero@suse.de
- Add missing package descriptions; (bsc#1093864);
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
- Call update-apparmor-samba-profile when running samba-ad-dc;
(bsc#1092099);
-------------------------------------------------------------------
Wed May 23 14:01:16 UTC 2018 - ddiss@suse.com
- Fix vfs_ceph with "aio read size" or "aio write size" > 0;
(bsc#1093664).
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
+ Fix memory leak in vfs_ceph; (bso#13424).
- Update to 4.6.14
+ winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection;
(bso#13294).
+ s3:smb2_server: correctly maintain request counters for compound
requests; (bso#13215).
+ s3: smbd: Unix extensions attempts to change wrong field in fchown
call; (bso#13375).
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338).
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
(bso#13297).
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270).
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we
don't own it here; (bso#13244).
+ s3:libsmb: allow -U"\\administrator" to work; (bso#13206).
+ CVE-2018-1057: s4:dsdb: fix unprivileged password changes;
(bso#13272); (bsc#1081024).
+ s3:smbd: Do not crash if we fail to init the session table;
(bso#13315).
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310).
+ smbXcli: Add "force_channel_sequence"; (bso#13215).
+ smbd: Fix channel sequence number checks for long-running requests;
(bso#13215).
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on
expired sessions; (bso#13197).
+ s3:smbd: return the correct error for cancelled SMB2 notifies on
expired sessions; (bso#13197).
+ samba: Only use async signal-safe functions in signal handler;
(bso#13240).
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031).
-------------------------------------------------------------------
Wed May 23 09:52:28 UTC 2018 - jmcdonough@suse.com
- Update to 4.8.2
+ After update to 4.8.0 DC failed with "Failed to find our own
NTDS Settings objectGUID" (bso#13335).
+ fix incorrect reporting of stream dos attributes on a
directory (bso#13380).
+ vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
+ vfs_ceph: Fix memory leak; (bso#13424).
+ libsmbclient: Fix hard-coded connection error return of
ETIMEDOUT; (bso#13419).
+ s4-lsa: Fix use-after-free in LSA server; (bso#13420).
+ winbindd: Do re-connect if the RPC call fails in the passdb
case; (bso#13430).
+ cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
+ cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd
unclean process shutdown; (bso#13414).
+ ctdb-client: Remove ununsed functions from old client code;
(bso#13411).
+ printing: Return the same error code as windows does on upload
failures; (bso#13395).
+ nsswitch: Fix memory leak in winbind_open_pipe_sock() when the
privileged pipe is not accessable; (bso#13400).
+ s4:lsa_lookup: remove TALLOC_FREE(state) after all
dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
+ rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).
-------------------------------------------------------------------
Fri Apr 27 13:57:14 UTC 2018 - scabrero@suse.de
- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is
required by some client libs; (bsc#1074135);
- Update to 4.8.1; (bsc#1091179);
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error,
we don't own it here; (bso#13244);
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270);
+ Round-tripping ACL get/set through vfs_fruit will increase the number of
ACE entries without limit; (bso#13319);
+ s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit
issues; (bso#13347);
+ s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without
delete access; (bso#13358);
+ s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
+ s3: smbd: Unix extensions attempts to change wrong field in fchown call;
(bso#13375);
+ ms_schema/samba-tool visualize: Fix python2.6 incompatibility;
(bso#13337);
+ Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
+ winbindd: Recover loss of netlogon secure channel in case the peer DC is
rebooted; (bso#13332);
+ s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
+ ctdb-client: Fix bugs in client code; (bso#13356);
+ ctdb-scripts: Drop "net serverid wipe" from 50.samba event script;
(bso#13359);
+ s3: lib: messages: Don't use the result of sec_init() before calling
sec_init(); (bso#13368);
+ libads: Fix the build '--without-ads'; (bso#13273);
+ winbind: Keep "force_reauth" in invalidate_cm_connection, add
'smbcontrol disconnect-dc'; (bso#13332);
+ vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
+ dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
+ rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
+ smbclient: Fix notify; (bso#13382);
+ Fix smbd panic if the client-supplied channel sequence number wraps;
(bso#13215);
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
+ lib/util: Remove unused '#include <sys/syscall.h>' from tests/tfork.c;
(bso#13342);
+ Fix build errors with cc from developerstudio 12.5 on Solaris;
(bso#13343);
+ Fix the picky-developer build on FreeBSD 11; (bso#13344);
+ s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
+ lib:replace: Fix linking when libtirpc-devel overwrites system headers;
(bso#13341);
+ winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid
query; (bso#13312);
+ s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
+ Allow AESNI to be used on all processor supporting AESNI; (bso#13302);
-------------------------------------------------------------------
Wed Apr 11 14:55:09 UTC 2018 - aaptel@suse.com
- Use new foreground execution flags for systemd samba daemons;
(bsc#1088574); (bsc#1071090); (bsc#1065551);
+ Add %post scriptlet to clear old sysconfig flags
- Update vendor-files to commit 880b3e7.
+ Set samba sysconfig template variables to ""
+ Add required daemon flags directly to systemd unit
-------------------------------------------------------------------
Mon Mar 26 22:37:15 UTC 2018 - jengelh@inai.de
- Specfile cleanup
+ Remove %if..%endif guards which don't affect the build
+ Remove redundant %clean section
+ Replace old $RPM_* shell vars with macros
-------------------------------------------------------------------
Thu Mar 22 16:28:02 UTC 2018 - dimstar@opensuse.org
- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in
place of systemd and systemd-devel: Allow OBS to optimize the
workload by allowing the usage of the 'build-optimized' systemd
packages.
-------------------------------------------------------------------
Thu Mar 22 14:20:44 UTC 2018 - dmulder@suse.com
- Enable building samba with python3, and create a samba-python3 package.
-------------------------------------------------------------------
Thu Mar 15 11:29:04 UTC 2018 - jmcdonough@suse.com
- Update to 4.8
+ New GUID Index mode in sam.ldb for the AD DC
+ GPO support for samba KDC
+ Time machine support with vfs_fruit
+ Encrypted secrets
+ AD Replication visualization
+ Improved trust support
- ability to not scan global trust list
- AD external trusts have limited support
- verbose trusted domain listing
+ VirusFilter VFS module
+ NT4-style replication removed
+ vfs_aio_linux removed
-------------------------------------------------------------------
Tue Mar 13 20:12:10 UTC 2018 - david.mulder@suse.com
- Disable samba-pidl package, due to the removal of dependency
perl-Parse-Yapp; (bsc#1085150);
-------------------------------------------------------------------
Tue Mar 13 09:49:44 UTC 2018 - jmcdonough@suse.com
- Update to 4.7.6;
+ CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
(bso#11343); (bsc#1081741);
+ CVE-2018-1057: Authenticated users can change other users' password;
(bso#13272); (bsc#1081024).
-------------------------------------------------------------------
Wed Mar 7 11:54:50 UTC 2018 - jmcdonough@suse.com
- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
(bso#11343); (bsc#1081741);
-------------------------------------------------------------------
Tue Mar 6 23:36:51 UTC 2018 - ddiss@suse.com
- Update to 4.6.13; (bsc#1084191)
+ ceph_statx configure time check doesn't work with a non-default
--with-libcephfs path; (bso#13250).
- follow up fix for libceph-common detection; (bso#13277).
+ Fail to copy file with empty FinderInfo from Windows client to Samba
share with fruit; (bso#13181).
+ vfs_ceph uses a local statvfs() call to determine FS capabilities;
(bso#13208).
+ smbd tries to release not leased oplock during oplock II downgrade;
(bso#13193).
+ smbd panic when chdir returns error during exit; (bso#13189).
+ ctdb_recovery_helper crashes if recovery process times out; (bso#13188).
+ POSIX ACL support is broken on hpux and possibly other big-endian OSs;
(bso#13176).
+ Kerberos: PKINIT: Can't decode algorithm parameters in
clientPublicValue; (bso#12986).
+ g_lock conflict detection broken when processing stale entries.;
(bso#13195).
+ The KDC on an RWDC doesn't send error replies in some situations;
(bso#13132).
-------------------------------------------------------------------
Mon Feb 26 22:09:49 UTC 2018 - aaptel@suse.com
- Disable python until full python3 port is done; (bsc#1082139);
+ Remove contents of package samba-python
+ Remove contents of package libsamba-policy0
+ Remove contents of package libsamba-policy-devel
+ Remove library libsamba-python-samba4.so from samba-libs package
+ Remove library libsamba-net-samba4.so from samba-libs package
+ Remove smbtorture binary and manpage from samba-test
-------------------------------------------------------------------
Fri Feb 23 15:27:07 UTC 2018 - dmulder@suse.com
- samba fails to build with glibc2.27; (bsc#1081042);
-------------------------------------------------------------------
Mon Feb 12 09:12:02 UTC 2018 - scabrero@suse.com
- Update to 4.7.5; (bsc#1080545);
+ smbd tries to release not leased oplock during oplock II downgrade;
(bso#13193);
+ Fix copying file with empty FinderInfo from Windows client to Samba share
with fruit; (bso#13181);
+ build: Deal with recent glibc sunrpc header removal; (bso#10976);
+ Make Samba work with tirpc and libnsl2; (bso#13238);
+ vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208);
(bsc#1075206);
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
(bso#12986);
+ ctdb-recovery-helper: Deregister message handler in error paths;
(bso#13188);
+ samba: Only use async signal-safe functions in signal handler; (bso#13240);
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
(bso#12986);
+ repl_meta_data: Fix linked attribute corruption on databases
with unsorted links on expunge. dbcheck: Add functionality to fix the
corrupt database; (bso#13228);
+ Fix smbd panic when chdir returns error during exit; (bso#13189);
+ Make Samba work with tirpc and libnsl2; (bso#13238);
+ Fix POSIX ACL support on HPUX and possibly other big-endian OSs;
(bso#13176);
-------------------------------------------------------------------
Fri Feb 9 13:25:11 UTC 2018 - scabrero@suse.com
- Update to 4.7.4; (bsc#1080545);
+ s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
+ s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv(); (bso#13171);
+ s3: libsmb: Fix reversing of oldname/newname paths when creating a
reparse point symlink on Windows from smbclient; (bso#13172);
+ Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
+ repl_meta_data: Allow delete of an object with dangling backlinks;
(bso#13095);
+ s4:samba: Fix default to be running samba as a deamon; (bso#13129);
+ Performance regression in DNS server with introduction of DNS wildcard,
ldb: Release 1.2.3; (bso#13191);
+ vfs_zfsacl: Fix compilation error; (bso#6133);
+ "smb encrypt" setting changes are not fully applied until full smbd
restart; (bso#13051);
+ winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
+ vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
+ winbindd: Dependency on trusted-domain list in winbindd in critical auth
codepath; (bso#13173);
+ repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
+ ctdb: sock_daemon leaks memory; (bso#13153);
+ TCP tickles not getting synchronised on CTDB restart; (bso#13154);
+ winbindd: winbind parent and child share a ctdb connection; (bso#13150);
+ pthreadpool: Fix deadlock; (bso#13170);
+ pthreadpool: Fix starvation after fork; (bso#13179);
+ messaging: Always register the unique id; (bso#13180);
+ s4/smbd: set the process group; (bso#13129);
+ Fix broken linked attribute handling; (bso#13095);
+ The KDC on an RWDC doesn't send error replies in some situations;
(bso#13132);
+ libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
+ g_lock conflict detection broken when processing stale entries;
(bso#13195);
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired
sessions; (bso#13197);
+ s3:libads: net ads keytab list fails with "Key table name malformed";
(bso#13166); (bsc#1067700);
+ Fix crash in pthreadpool thread after failure from pthread_create;
(bso#13170);
+ s4:samba: Allow samba daemon to run in foreground; (bso#13129);
(bsc#1065551);
+ third_party: Link the aesni-intel library with "-z noexecstack";
(bso#13174);
+ vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I"
options; (bso#13125);
-------------------------------------------------------------------
Wed Dec 6 17:52:41 UTC 2017 - kukuk@suse.de
- Re-enable usage of libnsl (did got lost with glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from
glibc)
-------------------------------------------------------------------
Thu Nov 30 09:31:53 UTC 2017 - scabrero@suse.com
- Update to 4.6.11; (bsc#1084191)
+ vfs_glusterfs: Fix exporting subdirs with shadow_copy2; (bso#13091);
+ s3: smbclient: Ensure we call client_clean_name() before all
operations on remote pathnames; (bso#13093);
+ Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
+ python: use communicate to fix Popen deadlock; (bso#13127);
+ smbd on disk file corruption bug under heavy threaded load; (bso#13130);
+ tevent: version 0.9.34; (bso#13130);
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
+ smbd: Move check for SMB2 compound request to new function; (bso#13047);
+ s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd(); (bso#13100);
+ s4:pyparam: Fix resource leaks on error; (bso#13101);
+ s3:smbd: Fix delete-on-close after smb2_find; (bso#13118);
-------------------------------------------------------------------
Wed Nov 29 16:59:07 UTC 2017 - david.mulder@suse.com
- smbc_opendir should not return EEXIST with invalid login credentials;
(bnc#1065868).
-------------------------------------------------------------------
Tue Nov 28 17:07:26 UTC 2017 - scabrero@suse.com
- Update to 4.7.3; (bsc#1069666);
+ Non-smbd processes using kernel oplocks can hang smbd;
(bso#13121);
+ python: use communicate to fix Popen deadlock; (bso#13127);
+ smbd on disk file corruption bug under heavy threaded load;
(bso#13130);
+ tevent: version 0.9.34; (bso#13130);
+ s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
+ CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug;
(bsc#1060427);(bso#13041);
+ CVE-2017-15275: s3: smbd: Chain code can return uninitialized
memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.
-------------------------------------------------------------------
Mon Nov 27 14:23:09 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Nov 15 17:00:50 UTC 2017 - dmulder@suse.com
- samba-tool requires samba-python; (bnc#1067771).
-------------------------------------------------------------------
Wed Nov 8 17:21:41 UTC 2017 - scabrero@suse.de
- CVE-2017-14746: Use-after-free vulnerability; (bso#13041);
(bsc#1060427);
- CVE-2017-15275: Server heap memory information leak;
(bso#13077); (bsc#1063008);
-------------------------------------------------------------------
Tue Nov 7 07:43:54 UTC 2017 - scabrero@suse.com
- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
+ Fix exporting subdirs with shadow_copy2; (bso#13091);
+ Currently if getwd() fails after a chdir(), we panic; (bso#13027);
+ Ensure default SMB_VFS_GETWD() call can't return a partially completed
struct smb_filename; (bso#13068);
+ sys_getwd() can leak memory or possibly return the wrong errno on older
systems; (bso#13069);
+ smbclient doesn't correctly canonicalize all local names before use;
(bso#13093);
+ Fix broken linked attribute handling; (bso#13095);
+ Missing LDAP query escapes in DNS rpc server; (bso#12994);
+ Link to -lbsd when building replace.c by hand; (bso#13087);
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
(bso#6133);
+ Map SYNCHRONIZE acl permission statically in zfs_acl vfs module;
(bso#7909);
+ Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module;
(bso#7933);
+ Missing assignment in sl_pack_float; (bso#12991);
+ Wrong Samba access checks when changing DOS attributes; (bso#12995);
+ samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
+ groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
(bso#13076);
+ man pages: Properly ident lists; (bso#9613);
+ smb.conf.5: Sort parameters alphabetically; (bso#13081);
+ Fix GUID string format on GetPrinter info; (bso#12993);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ CTDB starts consuming memory if there are dead nodes in the cluster;
(bso#13056);
+ ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
+ libgpo doesn't sort the GPOs in the correct order; (bso#13046);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ vfs_catia: Fix a potential memleak; (bso#13090);
+ Fix file change notification for renames; (bso#12903);
+ Samba DNS server does not honour wildcards; (bso#12952);
+ Can't change password in samba from a Windows client if Samba runs on
IPv6 only interface; (bso#13079);
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
+ Apple client can't cope with SMB2 async replies when creating symlinks;
(bso#13047);
+ s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
+ Fix ntstatus_gen.h generation on 32bit; (bso#13099);
+ Fix a double free in vfs_gluster_getwd(); (bso#13100);
+ Fix resouce leaks and pointer issues; (bso#13101);
+ vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
-------------------------------------------------------------------
Fri Oct 27 07:48:17 UTC 2017 - scabrero@suse.de
- Update to 4.6.9; (bsc#1065066);
+ Reverse sense of 'clear all attributes', ignore attribute change in SMB2
to match SMB1; (bso#12899);
+ SMBC_setatr() initially uses an SMB1 call before falling back;
(bso#12913);
+ Fix segfault on MacOS 10.12.3 clients caused by SMB_VFS_GET_COMPRESSION;
(bso#13003);
+ sys_getwd() can leak memory or possibly return the wrong errno on older
systems; (bso#13069);
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
(bso#6133);
+ Map SYNCHRONIZE acl permission statically; (bso#7909);
+ Honor SEC_STD_WRITE_OWNER bit; (bso#7933);
+ Kernel oplocks still have issues with named streams; (bso#12791);
+ Handle EACCES when fetching DOS attributes; (bso#12944);
+ Missing assignment in sl_pack_float; (bso#12991);
+ Fix wrong Samba access checks when changing DOS attributes; (bso#12995);
+ Groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
(bso#13076);
+ Fix GUID string format on GetPrinter info; (bso#12993);
+ Match WS2016 ReFS set compression behaviour; (bso#12144);
+ Fix implementation of process_exists control; (bso#13012);
+ GET_DB_SEQNUM control can cause ctdb to deadlock when databases are
frozen; (bso#13021);
+ Free up record data if a call request is deferred; (bso#13029);
+ Initialize ctdb_ltdb_header completely for empty record; (bso#13036);
+ CTDB starts consuming memory if there are dead nodes in the cluster;
(bso#13056);
+ Ignore event scripts with multiple '.'s; (bso#13070);
+ Sort the GPOs in the correct order; (bso#13046);
+ 'smbd' uses a lot of CPU on startup of a connection; (bso#12973);
+ Fix str[n]casecmp_m() by comparing lower case values; (bso#13018);
+ Can't change password in Samba from a windows client if Samba runs on
IPv6 only interface; (bso#13079);
+ Fix file change notification for renames; (bso#12903);
+ Avoid a socket leak after fork; (bso#13006);
+ Fix a potential memleak; (bso#13090);
+ Fix passing of errno from async calls; (bso#12983);
+ Fix segfault when running with log level 10; (bso#13032);
+ Do not report an invalid range for AD DC role; (bso#12629);
+ Print the kinit failed message with DBGLVL_NOTICE; (bso#12704);
+ Fix changing passwords with Kerberos; (bso#12956);
+ Fix changing the password with 'smbpasswd' as a local user on a domain
member; (bso#12975);
+ Fix a read after free if a chained SMB1 call goes async; (bso#12836);
+ CVE-2017-12163: Prevent client short SMB1 write from writing server memory
to file; (bso#13020);
+ Let non_widelink_open() chdir() to directories directly; (bso#12885);
+ CVE-2017-12151: Keep required encryption across SMB3 dfs redirects;
(bso#12996);
+ CVE-2017-12150: Some code path don't enforce smb signing when they should;
(bso#12997);
-------------------------------------------------------------------
Mon Oct 23 15:10:32 UTC 2017 - dimstar@opensuse.org
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the
package won't be generated simply based on the fact that there is
no files section for the package. Allows the source validator to
ensure samba-kdc is a built package.
-------------------------------------------------------------------
Thu Sep 28 11:25:54 UTC 2017 - scabrero@suse.com
- Update to 4.7.0;