Samuel Cabrero
871b05c578
* More possible replication loops against Azure AD; (bso#15701). * Compound rename from Mac clients can fail with NT_STATUS_INTERNAL_ERROR if the file has a lease; (bso#15697). * vfs crossrename seems not work correctly; (bso#15724). * After 'machine password timeout' /etc/krb5.keytab is not updated; (bso#6750). * Memory leak wbcCtxLookupSid; (bso#15771). * Fix heap-user-after-free with association groups; (bso#15765). * Segfault in vfs_btrfs; (bso#15758). * Avoid event failure race when disabling an event script; (bso#15755). OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=700
14409 lines
605 KiB
Plaintext
14409 lines
605 KiB
Plaintext
-------------------------------------------------------------------
|
||
Tue Jan 7 10:22:16 UTC 2025 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.21.3
|
||
* More possible replication loops against Azure AD;
|
||
(bso#15701).
|
||
* Compound rename from Mac clients can fail with
|
||
NT_STATUS_INTERNAL_ERROR if the file has a lease;
|
||
(bso#15697).
|
||
* vfs crossrename seems not work correctly; (bso#15724).
|
||
* After 'machine password timeout' /etc/krb5.keytab is not
|
||
updated; (bso#6750).
|
||
* Memory leak wbcCtxLookupSid; (bso#15771).
|
||
* Fix heap-user-after-free with association groups;
|
||
(bso#15765).
|
||
* Segfault in vfs_btrfs; (bso#15758).
|
||
* Avoid event failure race when disabling an event script;
|
||
(bso#15755).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 6 09:09:04 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update shipped /etc/samba/smb.conf to point to smb.conf
|
||
man page;(bsc#1233880).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 25 17:35:43 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.21.2
|
||
* smbd fails to correctly check sharemode against OVERWRITE
|
||
dispositions; (bso#15732).
|
||
* Panic in close_directory; (bso#15754).
|
||
* winexe no longer works with samba 4.21; (bso#15752).
|
||
* protocol error - Unclear debug message "pad length mismatch"
|
||
for invalid bind packet; (bso#14356).
|
||
* NetrGetLogonCapabilities QueryLevel 2 needs to be
|
||
implemented; (bso#15425).
|
||
* gss_accept_sec_context() from Heimdal does not imply
|
||
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
|
||
* winbindd should call process_set_title() for locator child;
|
||
(bso#15749).
|
||
* Update CTDB to track all TCP connections to public IP
|
||
addresses; (bso#15320).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 31 13:20:25 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Add placeholder changelog for sle15-sp7; (jsc#PED-11210).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 16 13:52:25 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Adjust spec to split out rpcd_* binaries into a separate
|
||
sub package; (bsc#1231414).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 15 13:23:26 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.21.1
|
||
* DH reconnect error handling can lead to stale sharemode
|
||
entries; (bso#15624).
|
||
* "inherit permissions = yes" triggers assert() in vfs_default
|
||
when creating a stream; (bso#15695).
|
||
* Samba 4.21.0 broke FreeIPA domain member integration;
|
||
(bso#15715).
|
||
* Missing conversion for msDS-UserTGTLifetime, msDS-
|
||
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
|
||
tool domain auth policy modify"; (bso#15692).
|
||
* irpc_destructor may crash during shutdown; (bso#15280).
|
||
* Durable handle is not granted when a previous OPEN exists
|
||
with NoOplock; (bso#15649).
|
||
* Durable handle is granted but reconnect fails; (bso#15651).
|
||
* Disconnected durable handles with RH lease should not be
|
||
purged by a new non conflicting open; (bso#15708).
|
||
* net ads testjoin and other commands use the wrong secrets.tdb
|
||
in a cluster; (bso#15714).
|
||
* 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
|
||
rfc 8009 etypes are used; (bso#15726).
|
||
* VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
|
||
(bso#15730).
|
||
* Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
|
||
* Cannot build libldb lmdb backend on a build without AD DC;
|
||
(bso#15721).
|
||
* Consistent log level for sighup handler; (bso#15706).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 25 14:52:10 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Support needed packaging changes required update to samba-4.21.0
|
||
Update samba.spec, baselibs.conf to deliver libldb packages.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 5 07:29:17 UTC 2024 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Package ceph_new VFS module.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 5 07:13:01 UTC 2024 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
|
||
(bso#15699); (bsc#1229684).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 28 17:31:35 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Bad variable definition for ParseTuple causing test failure for
|
||
Smb3UnixTests.test_create_context_reparse; (bso#15702).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 28 09:01:29 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.21.0
|
||
* Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
|
||
truncated; (bso#15699).
|
||
* Bad variable definition for ParseTuple causing test failure
|
||
for Smb3UnixTests.test_create_context_reparse; (bso#15702).
|
||
* Add new vfs_ceph module (based on low level API);
|
||
(bso#15686).
|
||
* samba-tool can not load the default configuration file;
|
||
(bso#15698).
|
||
* Crash when readlinkat fails; (bso#15700).
|
||
* Can't add/delete special keys to keytab for nfs, cifs, http
|
||
etc; (bso#15689).
|
||
* Compound SMB2 requests don't return
|
||
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
|
||
MacOSX clients; (bso#15696).
|
||
* --version-* options are still not ergonomic, and they reject
|
||
tilde characters; (bso#15673).
|
||
* ldb_version.h is missing from ldb public library;
|
||
(bso#15690).
|
||
* Can not add/delete special keys to keytab for nfs, cifs, http
|
||
etc; (bso#15689).
|
||
* undefined reference to winbind_lookup_name_ex; (bso#15687).
|
||
* per user veto and hide file syntax is to complex;
|
||
(bso#15688).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 7 09:47:14 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Fix a crash when joining offline and 'kerberos method' includes
|
||
keytab; (bsc#1228732).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 6 10:51:13 UTC 2024 - Noel Power <noel.power@suse.com>
|
||
|
||
- Update to 4.20.4
|
||
* --version-* options are still not ergonomic, and they reject
|
||
tilde characters; (bso#15673).
|
||
|
||
- Update to 4.20.3
|
||
* Running samba-bgqd a a standalone systemd service does not
|
||
work; (bso#15683).
|
||
* When claims enabled with heimdal kerberos, unable to log on
|
||
to a Windows computer when user account need to change their
|
||
own password; (bso#15655).
|
||
* Invalid client warning about command line passwords;
|
||
(bso#15671).
|
||
* Version string is truncated in manpages; (bso#15672).
|
||
* cmdline_burn does not always burn secrets; (bso#15674).
|
||
* Samba does not parse SDDL found in defaultSecurityDescriptor
|
||
in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
|
||
* The images don\'t build after the git security release and
|
||
CentOS 8 Stream is EOL; (bso#15660).
|
||
* Fix clock skew error message and memory cache clock skew
|
||
recovery; (bso#15676).
|
||
* Heimdal ignores _gsskrb5_decapsulate errors in
|
||
init_sec_context/repl_mutual; (bso#15603).
|
||
* s4:ldap_server: does not support tls channel bindings for
|
||
sasl binds; (bso#15621).
|
||
* CTDB socket output queues may suffer unbounded delays under
|
||
some special conditions; (bso#15678).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 17 11:18:52 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update samba-tool package to require python3-Markdown also in
|
||
the Heimdal ADDC build.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 4 10:34:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix named crash when using samba's DLZ plugin; (bsc#1224003);
|
||
(bso#15643);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 4 10:30:10 UTC 2024 - pgajdos@suse.com
|
||
|
||
- remove dependency on /usr/bin/python3 using
|
||
%python3_fix_shebang macro, [bsc#1212476]
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 19 15:02:44 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.20.2
|
||
* vfs_widelinks with DFS shares breaks case insensitivity;
|
||
(bso#15662); (bsc#1213607).
|
||
* Samba build is not reproducible; (bso#13213).
|
||
* ldb qsort might r/w out of bounds with an intransitive
|
||
compare function; (bso#15569).
|
||
* Many qsort() comparison functions are non-transitive, which
|
||
can lead to out-of-bounds access in some circumstances;
|
||
(bso#15625).
|
||
* Need to change gitlab-ci.yml tags in all branches to avoid CI
|
||
bill; (bso#15638).
|
||
* We have added new options --vendor-name and --vendor-patch-
|
||
revision arguments to ./configure to allow distributions and
|
||
packagers to put their name in the Samba version string so
|
||
that when debugging Samba the source of the binary is
|
||
obvious; (bso#15654).
|
||
* CTDB RADOS mutex helper misses namespace support;
|
||
(bso#15665).
|
||
* Dynamic DNS updates with the internal DNS are not working;
|
||
(bso#13019).
|
||
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
|
||
SysvolReady=0; (bso#14981).
|
||
* Anonymous smb3 signing/encryption should be allowed (similar
|
||
to Windows Server 2022); (bso#15412).
|
||
* Panic in dreplsrv_op_pull_source_apply_changes_trigger;
|
||
(bso#15573).
|
||
* s4:nbt_server: does not provide unexpected handling, so
|
||
winbindd can't use nmb requests instead cldap; (bso#15620).
|
||
* winbindd, net ads join and other things don't work on an ipv6
|
||
only host; (bso#15642).
|
||
* Segmentation fault when deleting files in vfs_recycle;
|
||
(bso#15659).
|
||
* Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664).
|
||
* "client use kerberos" and --use-kerberos is ignored for the
|
||
machine account; (bso#15666).
|
||
* Regression DFS not working with widelinks = true;
|
||
(bso#15435).
|
||
* samba-gpupdate - Invalid NtVer in netlogon_samlogon_response;
|
||
(bso#15633).
|
||
* idmap_ad creates an incorrect local krb5.conf in case of
|
||
trusted domain lookups; (bso#15653).
|
||
* The images don't build after the git security release and
|
||
CentOS 8 Stream is EOL; (bso#15660).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 3 07:09:54 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix non deterministic builds; (bsc#1225754); (bso#13213);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 16 10:47:57 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.20.1
|
||
* dns update debug message is too noisy; (bso#15630);
|
||
* Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
|
||
* Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
|
||
* Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
|
||
* http library doesn't support 'chunked transfer encoding'; (bso#15611);
|
||
* Provide a systemd service file for the background queue daemon; (bso#15600);
|
||
|
||
- Update to 4.20.0
|
||
New features:
|
||
* samba-tool user getpassword / syncpasswords ;rounds= change
|
||
* Group Managed service account client-side features
|
||
* New Windows Search Protocol Client
|
||
* Allow 'smbcacls' to save/restore DACLs to file
|
||
* Samba-tool extensions for AD Claims, Authentication Policies and Silos
|
||
* AD DC support for Authentication Silos and Authentication Policies
|
||
* Conditional ACEs and Resource Attribute ACEs
|
||
* Service Witness Protocol [MS-SWN]
|
||
Removed features:
|
||
* Get locally logged on users from utmp
|
||
Fixed bugs:
|
||
* Avoid null-dereference with bad claims; (bso#15606);
|
||
* ndr_pull_security_ace can leave resource attribute ACE coda
|
||
claim struct undefined; (bso#15613);
|
||
* fd_handle_destructor() panics within an smbd_smb2_close() if
|
||
vfs_stat_fsp() fails in fd_close(); (bso#15527);
|
||
* set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
|
||
openat() EACCES; (bso#15583);
|
||
* libgpo: Segfault in python bindings; (bso#15599);
|
||
* Samba AD is missing some authentication policy tests;
|
||
(bso#15607);
|
||
* samba-gpupdate: Correctly implement site support; (bso#15588);
|
||
* Remove unsupported "Final" keyword missing from Python 3.6;
|
||
(bso#15575);
|
||
* Additional witness backports for 4.20.0; (bso#15577);
|
||
* Error output with wspsearch; (bso#15579);
|
||
* Packet marshalling push support missing for
|
||
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
|
||
CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580);
|
||
* Performance regression for NDR parsing of security
|
||
descriptors; (bso#15574);
|
||
* Build and install man page for wspsearch client utility;
|
||
(bso#15565);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 20 09:58:03 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.19.5
|
||
* Windows 2016 fails to restore previous version of a file from
|
||
a shadow_copy2 snapshot; (bso#13688).
|
||
* Symlinks on AIX are broken in 4.19 (and a few version before
|
||
that); (bso#15549).
|
||
* Fake directory create times has no effect; (bso#12421).
|
||
* ctime mixed up with mtime by smbd; (bso#15550).
|
||
* samba-gpupdate --rsop fails if machine is not in a site;
|
||
(bso#15548).
|
||
* gpupdate: The root cert import when NDES is not available is
|
||
broken; (bso#15557).
|
||
* samba-gpupdate should print a useful message if cepces-submit
|
||
can't be found; (bso#15552).
|
||
* samba-gpupdate logging doesn't work; (bso#15558).
|
||
* smbpasswd reset permissions only if not 0600; (bso#15555).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 10 12:01:49 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Remove -x from bash shebang update-apparmor-samba-profile;
|
||
(bsc#1218431).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 9 09:42:53 UTC 2024 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.19.4
|
||
* net changesecretpw cannot set the machine account password if
|
||
secrets.tdb is empty; (bso#13577).
|
||
* For generating doc, take, if defined, env XML_CATALOG_FILES;
|
||
(bso#15540).
|
||
* Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541).
|
||
* vfs_linux_xfs is incorrectly named; (bso#15542).
|
||
* systemd stumbled over copyright-message at smbd startup;
|
||
(bso#15377).
|
||
* Following intermediate abolute share-local symlinks is
|
||
broken; (bso#15505).
|
||
* ctdb RELEASE_IP causes a crash in release_ip if a connection
|
||
to a non-public address disconnects first; (bso#15523).
|
||
* shadow_copy2 broken when current fileset's directories are
|
||
removed; (bso#15544).
|
||
* smbd does not detect ctdb public ipv6 addresses for
|
||
multichannel exclusion; (bso#15534).
|
||
* 'force user = localunixuser' doesn't work if 'allow trusted
|
||
domains = no' is set; (bso#15469).
|
||
* smbget debug logging doesn't work; (bso#15525).
|
||
* smget: username in the smburl and interactive password entry
|
||
doesn't work; (bso#15532).
|
||
* smbget auth function doesn't set values for password prompt
|
||
correctly; (bso#15538).
|
||
* Unable to copy and write files from clients to Ceph cluster
|
||
via SMB Linux gateway with Ceph VFS module; (bso#15440).
|
||
* Multichannel refresh network information; (bso#15547).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 27 12:43:02 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.19.3
|
||
* sid_strings test broken by unix epoch > 1700000000;
|
||
(bso#15520).
|
||
* smbd crashes if asked to return full information on close of
|
||
a stream handle with delete on close disposition set;
|
||
(bso#15487).
|
||
* smbd: fix close order of base_fsp and stream_fsp in
|
||
smb_fname_fsp_destructor(); (bso#15521).
|
||
* Improve logging for failover scenarios; (bso#15499).
|
||
* Files without "read attributes" NFS4 ACL permission are not
|
||
listed in directories; (bso#15093).
|
||
* CVE-2018-14628 [SECURITY] Deleted Object tombstones visible
|
||
in AD LDAP to normal users; (bso#13595).
|
||
* Kerberos TGS-REQ with User2User does not work for normal
|
||
accounts; (bso#15492).
|
||
* vfs_gpfs stat calls fail due to file system permissions;
|
||
(bso#15507).
|
||
* Samba doesn't build with Python 3.12; (bso#15513).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 23 18:59:15 UTC 2023 - David Mulder <dmulder@suse.com>
|
||
|
||
- packaging: samba-tool domain provision requires python3-Markdown;
|
||
(bsc#1216519).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 16 16:04:22 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.19.2
|
||
* Use-after-free in aio_del_req_from_fsp during smbd shutdown
|
||
after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423).
|
||
* clidfs.c do_connect() missing a "return" after a
|
||
cli_shutdown() call; (bso#15426).
|
||
* macOS mdfind returns only 50 results; (bso#15463).
|
||
* GETREALFILENAME_CACHE can modify incoming new filename with
|
||
previous cache entry value; (bso#15481).
|
||
* libnss_winbind causes memory corruption since samba-4.18,
|
||
impacts sendmail, zabbix, potentially more; (bso#15464).
|
||
* ctdbd: setproctitle not initialized messages flooding logs;
|
||
(bso#15479).
|
||
* CVE-2023-5568 Heap buffer overflow with freshness tokens in
|
||
the Heimdal KDC in Samba 4.19; (bso#15491).
|
||
* The heimdal KDC doesn't detect s4u2self correctly when fast
|
||
is in use; (bso#15477).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 12 11:33:44 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- packaging: Remove /etc/slp.reg.d from samba spec file;
|
||
(bsc#1216160)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 12 11:04:26 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- use systemd-logind rather than utmp for y2038 safety;
|
||
(bsc#1216159).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 10 15:12:38 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- CVE-2023-4091: samba: Client can truncate file with read-only
|
||
permissions; (bsc#1215904); (bso#15439).
|
||
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
|
||
allows blocking sleep on request; (bso#1215905); (bso#15474).
|
||
- CVE-2023-42670: samba: The procedure number is out of range
|
||
when starting Active Directory Users and Computers;
|
||
(bsc#1215906); (bso#15473).
|
||
- CVE-2023-3961: samba: Unsanitized client pipe name passed to
|
||
local_np_connect(); (bsc#1215907); (bso#15422).
|
||
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
|
||
"GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
|
||
(bsc#1215908); (bso#15424).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 26 08:36:43 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.19.0
|
||
* File doesn't show when user doesn't have permission if
|
||
aio_pthread is loaded; (bso#15453).
|
||
* ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
|
||
1.9.1; (bso#15451).
|
||
* Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can
|
||
log to syslog; (bso#15460).
|
||
* ‘samba-tool domain level raise’ fails unless given a URL;
|
||
(bso#15458).
|
||
* reply_sesssetup_and_X() can dereference uninitialized tmp
|
||
pointer; (bso#15420).
|
||
* missing return in reply_exit_done(); (bso#15430).
|
||
* TREE_CONNECT without SETUP causes smbd to use uninitialized
|
||
pointer; (bso#15432).
|
||
* Avoid infinite loop in initial user sync with Azure AD
|
||
Connect when synchronising a large Samba AD domain;
|
||
(bso#15401).
|
||
* Samba replication logs show (null) DN; (bso#15407).
|
||
* 2-3min delays at reconnect with
|
||
smb2_validate_sequence_number: bad message_id 2; (bso#15346).
|
||
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed;
|
||
(bso#15446).
|
||
* CID 1539212 causes real issue when output contains only
|
||
newlines; (bso#15438).
|
||
* KDC encodes INT64 claims incorrectly; (bso#15452).
|
||
* mdssvc: Do an early talloc_free() in _mdssvc_open();
|
||
(bso#15449).
|
||
* Windows client join fails if a second container CN=System
|
||
exists somewhere; (bso#9959).
|
||
* regression DFS not working with widelinks = true;
|
||
(bso#15435).
|
||
* Heimdal fails to build on 32-bit FreeBSD; (bso#15443).
|
||
* samba-tool ntacl get segfault if aio_pthread appended;
|
||
(bso#15441).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 21 15:16:35 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.18.6
|
||
* reply_sesssetup_and_X() can dereference uninitialized tmp pointer;
|
||
(bso#15420);
|
||
* Missing return in reply_exit_done(); (bso#15430);
|
||
* post-exec password redaction for samba-tool is more reliable for fully
|
||
random passwords as it no longer uses regular expressions containing the
|
||
password value itself; (bso#15289);
|
||
* Windows client join fails if a second container CN=System exists somewhere;
|
||
(bso#9959);
|
||
* Spotlight sometimes returns no results on latest macOS; (bso#15342);
|
||
* Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to
|
||
remove the destination; (bso#15417);
|
||
* Spotlight results return wrong date in result list; (bso#15427);
|
||
* "net offlinejoin provision" does not work as non-root user; (bso#15414);
|
||
* rpcserver no longer accepts double backslash in dfs pathname; (bso#15400);
|
||
* cm_prepare_connection() calls close(fd) for the second time; (bso#15433);
|
||
* 2-3min delays at reconnect with smb2_validate_sequence_number: bad
|
||
message_id 2; (bso#15346);
|
||
* samba-tool ntacl get segfault if aio_pthread appended; (bso#15441);
|
||
* DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446);
|
||
* Python tarfile extraction needs change to avoid a warning (CVE-2007-4559
|
||
mitigation); (bso#15390);
|
||
* Regression DFS not working with widelinks = true; (bso#15435);
|
||
* mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 8 15:40:54 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Move libcluster-samba4.so from samba-libs to samba-client-libs;
|
||
(bsc#1213940);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 19 14:35:34 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.18.5
|
||
* CVE-2022-2127: lm_resp_len not checked properly in
|
||
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
|
||
* CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
|
||
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
|
||
* CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
|
||
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
|
||
* CVE-2023-34968: Spotlight server-side Share Path Disclosure;
|
||
(bso#15388); (bsc#1213171).
|
||
* CVE-2023-3347: Samba doesn't require SMB2+ signing if
|
||
`server signing = mandatory` is set; (bso#15397); (bsc#1213170).
|
||
* secure channel faulty since Windows 10/11 update 07/2023;
|
||
(bso#15418); (bsc#1213384).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 6 15:30:58 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.18.4
|
||
* Backport --pidl-developer fixes; (bso#15404).
|
||
* Named crashes on DLZ zone update; (bso#14030).
|
||
* smbcacls and smbcquotas do not check // before the server;
|
||
(bso#2312).
|
||
* cli_list loops 100% CPU against pre-lanman2 servers;
|
||
(bso#15382).
|
||
* smbclient leaks fds with showacls; (bso#15391).
|
||
* smbd returns NOT_FOUND when creating files on a r/o
|
||
filesystem; (bso#15402).
|
||
* NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
|
||
and causes test timeouts; (bso#15355).
|
||
* net ads lookup (with unspecified realm) fails; (bso#15384).
|
||
* Register Samba processes with GPFS; (bso#15381).
|
||
* Python tarfile extraction needs change to avoid a warning
|
||
(CVE-2007-4559 mitigation); (bso#15390).
|
||
* The winbind child segfaults when listing users with `winbind
|
||
scan trusted domains = yes`; (bso#15398).
|
||
* Remove comments about deprecated 'write cache size';
|
||
(bso#15383).
|
||
* smbget memory leak if failed to download files recursively;
|
||
(bso#15403).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 1 08:48:25 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.18.3
|
||
* Symlinks to files can have random DOS mode information in a
|
||
directory listing; (bso#15375).
|
||
* vfs_fruit might cause a failing open for delete; (bso#15378).
|
||
* winbind recurses into itself via rpcd_lsad; (bso#15361).
|
||
* wbinfo -u fails on ad dc with >1000 users; (bso#15366).
|
||
* DS ACEs might be inherited to unrelated object classes;
|
||
(bso#15338).
|
||
* a lot of messages: get_static_share_mode_data:
|
||
get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND;
|
||
(bso#15362).
|
||
* aes256 smb3 encryption algorithms are not allowed in
|
||
smb3_sid_parse(); (bso#15374).
|
||
* Setting veto files = /.*/ break listing directories;
|
||
(bso#15360).
|
||
* "samba-tool domain provision" does not run interactive mode
|
||
if no arguments are given; (bso#15363).
|
||
* dsgetdcname: assumes local system uses IPv4; (bso#15325).
|
||
|
||
- Update to 4.18.2
|
||
* Log flood: smbd_calculate_access_mask_fsp: Access denied:
|
||
message level should be lower; (bso#15302).
|
||
* Floating point exception (FPE) via cli_pull_send at
|
||
source3/libsmb/clireadwrite.c; (bso#15306).
|
||
* test_tstream_more_tcp_user_timeout_spin fails intermittently
|
||
on Rackspace GitLab runners; (bso#15328).
|
||
* Reduce flapping of ridalloc test; (bso#15329).
|
||
* large_ldap test is unreliable; (bso#15351).
|
||
* New filename parser doesn't check veto files smb.conf
|
||
parameter; (bso#15143).
|
||
* mdssvc may crash when initializing; (bso#15354).
|
||
* large directory optimization broken for non-lcomp path
|
||
elements; (bso#15313).
|
||
* streams_depot fails to create streams; (bso#15357).
|
||
* shadow_copy2 and streams_depot don't play well together;
|
||
(bso#15358).
|
||
* Flapping tests in samba_tool_drs_show_repl.py; (bso#15316).
|
||
* winbindd idmap child contacts the domain controller without a
|
||
need; (bso#15317).
|
||
* idmap_autorid may fail to map sids of trusted domains for the
|
||
first time; (bso#15318).
|
||
* idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings;
|
||
(bso#15319).
|
||
* net ads search -P doesn't work against servers in other
|
||
domains; (bso#15323).
|
||
* Temporary smbXsrv_tcon_global.tdb can't be parsed;
|
||
(bso#15353).
|
||
* Tests use depricated and removed methods like
|
||
assertRegexpMatches; (bso#15343).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 29 15:10:50 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.18.1
|
||
* CVE-2023-0225: AD DC "dnsHostname" attribute can be
|
||
deleted by unprivileged authenticated users.
|
||
(bso#15276);(bsc#1209483).
|
||
* CVE-2023-0614: Access controlled AD LDAP attributes can be
|
||
discovered (bso#15270); (bsc#1209485).
|
||
* CVE-2023-0922: Samba AD DC admin tool samba-tool sends
|
||
passwords in cleartext(bso#15315);(bsc#1209481).
|
||
* ldb wildcard matching makes excessive allocations;
|
||
(bso#15331).
|
||
* large_ldap test is inefficient; (bso#15332).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 17 08:09:32 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.18.0
|
||
* SMB server performance improvements
|
||
* More succinct samba-tool error messages
|
||
* Color output with samba-tool --color
|
||
The NO_COLOR environment variable will disable colour output
|
||
* New samba-tool dsacl subcommand for deleting ACEs
|
||
* New wbinfo option --change-secret-at
|
||
* Net option to change the NT ACL default location
|
||
* Azure AD / Office365 synchronization improvements
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 14 08:21:13 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.17.5
|
||
* smbc_getxattr() return value is incorrect; (bso#14808);
|
||
* Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
|
||
correctly; (bso#15172);
|
||
* synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
|
||
* samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
|
||
when there is only an AAAA record for the DC in DNS; (bso#15226);
|
||
* smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
|
||
* DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
|
||
* vfs_virusfilter segfault on access, directory edgecase
|
||
(accessing NULL value); (bso#15283);
|
||
* CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
|
||
SChannel on NETLOGON (additional changes); (bso#15240);
|
||
* %U for include directive doesn't work for share listing
|
||
(netshareenum); (bso#15243);
|
||
* Shares missing from netshareenum response in samba 4.17.4;
|
||
(bso#15266);
|
||
* ctdb: use-after-free in run_proc; (bso#15269);
|
||
* irpc_destructor may crash during shutdown; (bso#15280);
|
||
* auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
|
||
* smbclient segfaults with use after free on an optimized build;
|
||
(bso#15268);
|
||
* smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
|
||
* Leak in wbcCtxPingDc2; (bso#15164);
|
||
* Access based share enum does not work in Samba 4.16+; (bso#15265);
|
||
* Crash during share enumeration; (bso#15267);
|
||
* rep_listxattr on FreeBSD does not properly check for reads off
|
||
end of returned buffer; (bso#15271);
|
||
* Avoid relying on C89 features in a few places; (bso#15281);
|
||
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
|
||
- Drop libnsl build requirement; (bsc#1208220);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 23 09:24:07 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- libdsdb-module-samba4 should be packaged as part of samba-libs and
|
||
not samba-ad-dc-libs. Additionally no need for it to be
|
||
removed conditionally.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 12 15:24:55 UTC 2023 - Noel Power <nopower@suse.com>
|
||
|
||
- Clean up logic for PAM migration settings in spec file.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 4 14:05:15 UTC 2023 - Stefan Schubert <schubi@suse.com>
|
||
|
||
- Migration of PAM settings to /usr/lib/pam.d.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 21 12:17:58 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Change with_dc default to 0 (for non TW builds).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 15 16:45:28 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.17.4
|
||
* CVE-2022-44640 Upstream Heimdal free of user-controlled
|
||
pointer in FAST; (bsc#14929);
|
||
* CVE-2021-20251 Bad password count not incremented atomically;
|
||
(bsc#14611);
|
||
* CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
|
||
(bsc#15203);
|
||
* CVE-2022-37966 rc4-hmac Kerberos session keys issued to
|
||
modern servers; (bso#15237);
|
||
* CVE-2022-37967 Kerberos constrained delegation ticket forgery
|
||
possible against Samba AD DC; (bso#15231);
|
||
* CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
|
||
and should be avoided; (bso#15240);
|
||
* pam_winbind uses time_t and pointers assuming they are of the
|
||
same size; (bso#15224);
|
||
* Heimdal session key selection in AS-REQ examines wrong entry;
|
||
(bso#15219);
|
||
* filter-subunit is inefficient with large numbers of
|
||
knownfails; (bso#15258);
|
||
* smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
|
||
(bso#15252);
|
||
* The KDC logic arround msDs-supportedEncryptionTypes differs
|
||
from Windows; (bso#13135);
|
||
* libnet: change_password() doesn't work with
|
||
dcerpc_samr_ChangePasswordUser4(); (bso#15206);
|
||
* Heimdal session key selection in AS-REQ examines wrong entry;
|
||
(bso#15219);
|
||
* Memory leak in snprintf replacement functions; (bso#15230);
|
||
* RODC doesn't reset badPwdCount reliable via an RWDC
|
||
(CVE-2021-20251 regression); (bso#15253);
|
||
* Prevent EBADF errors with vfs_glusterfs; (bso#15198);
|
||
* %U for include directive doesn't work for share listing
|
||
(netshareenum); (bso#15243);
|
||
* Stack smashing in net offlinejoin requestodj; (bso#15257);
|
||
* Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
|
||
(bso#15197);
|
||
* Heimdal session key selection in AS-REQ examines wrong entry;
|
||
(bso#15219);
|
||
- Remove deprecated if-{down,up} scripts; (bsc#1206444);
|
||
- Adjust the systemd drop-in file for named service; (bsc#1201689);
|
||
* Paths are additive so do not repeat paths from named.service
|
||
* Prefix the samba DLZ directory with "-" to ignore this path
|
||
if it does not exists
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 12 08:56:12 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
||
|
||
- Migration PAM settings to /usr/etc: Saving user changed
|
||
configuration files in /etc and restoring them while an RPM
|
||
update.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 1 16:43:05 UTC 2022 - David Mulder <dmulder@suse.com>
|
||
|
||
- Introduce without-smb1-server spec flag; (bsc#1205104);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 15 17:14:58 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.17.3
|
||
* CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
|
||
systems; (bsc#1205126); (bso#15203);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 8 17:20:21 UTC 2022 - Ben Greiner <code@bnavigator.de>
|
||
|
||
- Replace obsolete python-gpgme with python-gpg
|
||
* Upstream replaced it in v4.9.5 -- bso#13728
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 25 09:26:59 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.17.2
|
||
* CVE-2022-3592 [SECURITY] samba: Wide links protection broken;
|
||
(bso#15207); (bsc#1204499).
|
||
* CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal
|
||
unwrap_des3();(bso#15134); (bsc#1204254).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 19 12:48:21 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.17.1
|
||
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
||
atomically; (bso#14611).
|
||
* smbXsrv_connection_shutdown_send result leaked; (bso#15174).
|
||
* Flush on a named stream never completes; (bso#15182).
|
||
* Permission denied calling SMBC_getatr when file not exists;
|
||
(bso#15195).
|
||
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
|
||
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
|
||
(bso#15189).
|
||
* pytest: add file removal helpers for TestCaseInTempDir;
|
||
(bso#15191).
|
||
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
||
atomically; (bso#14611).
|
||
* Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
|
||
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
|
||
(bso#15189).
|
||
* Flush on a named stream never completes; (bso#15182).
|
||
* vfs_gpfs silently garbles timestamps > year 2106;
|
||
(bso#15151).
|
||
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
||
atomically; (bso#14611).
|
||
* multi-channel socket passing may hit a race if one of the
|
||
involved processes already existed; (bso#15200).
|
||
* memory leak on temporary of struct imessaging_post_state and
|
||
struct tevent_immediate on struct imessaging_context (in
|
||
rpcd_spoolss and maybe others); (bso#15201).
|
||
* Since popt1.19 various use after free errors using result of
|
||
poptGetArg are now exposed; (bso#15205); (boo#1204279).
|
||
* Remove special case for O_CREAT in SMB_VFS_OPENAT from
|
||
vfs_glusterfs; (bso#15192).
|
||
* GETPWSID in memory cache grows indefinetly with each NTLM
|
||
auth; (bso#15169).
|
||
* CVE-2021-20251 [SECURITY] Bad password count not incremented
|
||
atomically; (bso#14611).
|
||
- Install a systemd drop-in file for named service to allow
|
||
read/write access to the DLZ directory; (bsc#1201689);
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 14 14:20:51 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Fix use after free errors resulting from using return of
|
||
poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 26 10:40:18 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- s3: smbd: Fix memory leak in
|
||
smbd_server_connection_terminate_done(); (bso#15174).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 26 09:38:59 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Disable SMB1 for tumbleweed builds.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 23 16:22:12 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.17.0
|
||
* acl_xattr VFS module may unintentionally use filesystem
|
||
permissions instead of ACL from xattr; (bso#15126).
|
||
* Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
|
||
(bso#15153).
|
||
* assert failed: !is_named_stream(smb_fname)") at
|
||
../../lib/util/fault.c:197; (bso#15161).
|
||
* acl_xattr VFS module may unintentionally use filesystem
|
||
permissions instead of ACL from xattr; (bso#15126).
|
||
* assert failed: !is_named_stream(smb_fname)") at
|
||
../../lib/util/fault.c:197; (bso#15161).
|
||
* Cross-node multi-channel reconnects result in SMB2 Negotiate
|
||
returning NT_STATUS_NOT_SUPPORTED; (bso#15159).
|
||
* winbind at info level debug can coredump when processing
|
||
wb_lookupusergroups; (bso#15160).
|
||
* Make use of glfs_*at() API calls in vfs_glusterfs;
|
||
(bso#15157).
|
||
* Possible use after free of connection_struct when iterating
|
||
smbd_server_connection->connections; (bso#15128).
|
||
* `net usershare add` fails with flag works with --long but
|
||
fails with -l; (bso#15145).
|
||
* acl_xattr VFS module may unintentionally use filesystem
|
||
permissions instead of ACL from xattr; (bso#15126).
|
||
* Performance regression on contended path based operations;
|
||
(bso#15125).
|
||
* Missing READ_LEASE break could cause data corruption;
|
||
(bso#15148).
|
||
* libsamba-errors uses a wrong version number; (bso#15141).
|
||
* SMB1 negotiation can fail to handle connection errors;
|
||
(bso#15152).
|
||
* New filename parser doesn't check veto files smb.conf
|
||
parameter; (bso#15143).
|
||
* 4.17.rc1 still uses symlink-race prone unix_convert();
|
||
(bso#15144).
|
||
* Backport fileserver related changed to 4.17.0rc2;
|
||
(bso#15146).
|
||
* Manpage for smbstatus json is missing; (bso#15147).
|
||
* Backport fileserver related changed to 4.17.0rc2;
|
||
(bso#15146).
|
||
* Performance regression on contended path based operations;
|
||
(bso#15125).
|
||
* Backport fileserver related changed to 4.17.0rc2;
|
||
(bso#15146).
|
||
* Fix issues found by coverity in smbstatus json code;
|
||
(bso#15140).
|
||
* Backport fileserver related changed to 4.17.0rc2;
|
||
(bso#15146).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 1 06:07:15 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
||
|
||
- Migration to /usr/etc: Saving user changed configuration files
|
||
in /etc and restoring them while an RPM update.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 28 11:56:31 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.16.4
|
||
* CVE-2022-2031: Samba AD users can bypass certain restrictions
|
||
associated with changing passwords; (bsc#1201495); (bso#15047);
|
||
* CVE-2022-32744: Samba AD users can forge password change
|
||
requests for any user; (bsc#1201493); (bso#15074);
|
||
* CVE-2022-32745: Samba AD users can crash the server process
|
||
with an LDAP add or modify request; (bsc#1201492); (bso#15008);
|
||
* CVE-2022-32746: Samba AD users can induce a use-after-free in
|
||
the server process with an LDAP add or modify request;
|
||
(bsc#1201490); (bso#15009);
|
||
* CVE-2022-32742: Server memory information leak via SMB1;
|
||
(bsc#1201496); (bso#15085);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 19 11:25:59 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.16.3
|
||
* Using vfs_streams_xattr and deleting a file causes a panic;
|
||
(bso#15099);
|
||
* Add support for bind 9.18; (bso#14986);
|
||
* logging dsdb audit to specific files does not work;
|
||
(bso#15076);
|
||
* Problem when winbind renews Kerberos; (bso#14979);
|
||
(bsc#1196224);
|
||
* Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
|
||
developer mode; (bso#15095);
|
||
* Crash in streams_xattr because fsp->base_fsp->fsp_name is
|
||
NULL; (bso#15105);
|
||
* Crash in rpcd_classic - NULL pointer deference in
|
||
mangle_is_mangled(); (bso#15118);
|
||
* smbclient commands del & deltree fail with
|
||
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
|
||
(bsc#1200556);
|
||
* Fix check for chown when processing NFSv4 ACL; (bso#15120);
|
||
* The pcap background queue process should not be stopped;
|
||
(bso#15082);
|
||
* testparm: Fix typo in idmap rangesize check; (bso#15097);
|
||
* net ads info returns LDAP server and LDAP server name as
|
||
null; (bso#15106);
|
||
* ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
|
||
(bso#15108);
|
||
* CTDB child process logging does not work as expected;
|
||
(bso#15090);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 12 10:48:47 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update spec file to fix the optional Heimdal DC build
|
||
- Fix external trusts with MIT Kerberos 1.20
|
||
- Add missing samba-client requirement to samba-winbind package;
|
||
(bsc#1198255);
|
||
- Move pdb backends from package samba-libs to package
|
||
samba-client-libs and remove samba-libs requirement from
|
||
samba-winbind; (bsc#1200964); (bsc#1198255);
|
||
- Add sysuser-shadow requirement for packages using
|
||
systemd-sysusers
|
||
- Use the canonical realm name to refresh the Kerberos tickets;
|
||
(bsc#1196224); (bso#14979);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 21 14:29:52 UTC 2022 - Stefan Schubert <schubi@suse.de>
|
||
|
||
- Moved logrotate files from user specific directory /etc/logrotate.d
|
||
to vendor specific directory /usr/etc/logrotate.d.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 13 13:32:24 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.16.2
|
||
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
|
||
(bso#15042);
|
||
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
|
||
file had been deleted; (bso#15069);
|
||
* Reintroduce netgroups support; (bso#15087);
|
||
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
|
||
server; (bso#14674);
|
||
* Update from 4.15 to 4.16 breaks discovery of [homes] on
|
||
standalone server from Win and IOS; (bso#15062);
|
||
* waf produces incorrect names for python extensions with Python
|
||
3.11; (bso#15071);
|
||
* smbclient -E doesn't work as advertised; (bso#15075);
|
||
* The samba background daemon doesn't refresh the printcap cache
|
||
on startup; (bso#15081);
|
||
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
|
||
- Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
|
||
- Support building with MIT Kerberos 1.20
|
||
- Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
|
||
(CVE-2020-17049);
|
||
- Resource Based Constrained Delegation (RBCD) for Samba AD DC
|
||
- Support building with gcc 12.1
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 11 09:30:15 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Use requires_eq macro to require the libldb2 version available at
|
||
samba-dsdb-modules build time; (bsc#1199362);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 3 07:38:02 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.16.1
|
||
* Share and server swapped in smbget password prompt; (bso#14831);
|
||
* Durable handles won't reconnect if the leased file is written to;
|
||
(bso#15022);
|
||
* rmdir silently fails if directory contains unreadable files and
|
||
hide unreadable is yes; (bso#15023);
|
||
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
|
||
on renamed file handle; (bso#15038);
|
||
* Need to describe --builtin-libraries= better (compare with
|
||
--bundled-libraries); (bso#8731);
|
||
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
|
||
(bso#14957);
|
||
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
|
||
(bso#15035);
|
||
* PAM Kerberos authentication incorrectly fails with a clock skew
|
||
error; (bso#15046);
|
||
* Username map - samba erroneously applies unix group memberships
|
||
to user account entries; (bso#15041);
|
||
* KVNO off by 100000; (bso#14951);
|
||
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
|
||
* vfs_gpfs recalls=no option prevents listing files; (bso#15055);
|
||
* smbd doesn't handle UPNs for looking up names; (bso#15054);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 20 09:00:49 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Update update-apparmor-samba-profile script, replace
|
||
non-printable delimiter with more human readable separator as
|
||
sed can accept separators that can appear in the input data.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 13 15:33:22 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Fix update-apparmor-samba-profile script, sed doesn't like
|
||
multibyte separators; (bsc#1198309).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 24 15:00:36 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.16.0
|
||
* New samba-dcerpcd binary to provide DCERPC in the member server
|
||
setup
|
||
* Certificate Auto Enrollment
|
||
* Ability to add ports to dns forwarder addresses in internal DNS
|
||
backend
|
||
* No longer using Linux mandatory locks for sharemodes
|
||
* SMB1 protocol has been deprecated, particularly older dialects
|
||
* SMB1 protocol SMBCopy command removed
|
||
* SMB1 server-side wildcard expansion removed
|
||
- Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
|
||
- Use systemd-sysusers to create system users; (bsc#1182847);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 15 17:54:57 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.15.6
|
||
* Renaming file on DFS root fails with
|
||
NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
|
||
* Samba does not response STATUS_INVALID_PARAMETER when opening 2
|
||
objects with same lease key; (bso#14737);
|
||
* NT error code is not set when overwriting a file during rename
|
||
in libsmbclient; (bso#14938);
|
||
* Fix ldap simple bind with TLS auditing; (bso#14996);
|
||
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
|
||
server; (bso#14674);
|
||
* Problem when winbind renews Kerberos; (bso#14979);
|
||
(bsc#1196224);
|
||
* pam_winbind will not allow gdm login if password about to
|
||
expire; (bso#8691);
|
||
* virusfilter_vfs_openat: Not scanned: Directory or special file;
|
||
(bso#14971);
|
||
* DFS fix for AIX broken; (bso#13631);
|
||
* Solaris and AIX acl modules: wrong function arguments;
|
||
(bso#14974);
|
||
* Function aixacl_sys_acl_get_file not declared / coredump;
|
||
(bso#7239);
|
||
* Regression: Samba 4.15.2 on macOS segfaults intermittently
|
||
during strcpy in tdbsam_getsampwnam; (bso#14900);
|
||
* Fix a use-after-free in SMB1 server; (bso#14989);
|
||
* smb2_signing_decrypt_pdu() may not decrypt with
|
||
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
|
||
(bso#14968);
|
||
* Changing the machine password against an RODC likely destroys
|
||
the domain join; (bso#14984);
|
||
* authsam_make_user_info_dc() steals memory from its struct
|
||
ldb_message *msg argument; (bso#14993);
|
||
* Use Heimdal 8.0 (pre) rather than an earlier snapshot;
|
||
(bso#14995);
|
||
* Samba autorid fails to map AD users if id rangesize fits in the
|
||
id range only once; (bso#14967);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 07 16:05:42 UTC 2022 - David Mulder <dmulder@suse.com>
|
||
|
||
- Fix mismatched version of libldb2; (bsc#1196788).
|
||
- Drop obsolete SuSEfirewall2 service files.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 4 20:25:41 UTC 2022 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
|
||
(bsc#1080338).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 23 10:04:15 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Fix ntlm authentications with "winbind use default domain = yes";
|
||
(bso#13126); (bsc#1173429); (bsc#1196308).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 14 18:15:29 UTC 2022 - David Mulder <dmulder@suse.com>
|
||
|
||
- Fix samba-ad-dc status warning notification message by disabling
|
||
systemd notifications in bgqd; (bsc#1195896); (bso#14947).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 07 20:15:46 UTC 2022 - David Mulder <dmulder@suse.com>
|
||
|
||
- libldb version mismatch in Samba dsdb component; (bsc#1118508);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 31 14:23:44 UTC 2022 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to 4.15.5
|
||
* CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
|
||
outside target of a symlink exists; (bso#14911);
|
||
(bsc#1193690).
|
||
* CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
|
||
module; (bso#14914); (bsc#1194859).
|
||
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN
|
||
conflict checks; bso#14950); (bsc#1195048).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 26 12:00:35 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- CVE-2021-44141: Information leak via symlinks of existance of
|
||
files or directories outside of the exported share; (bso#14911);
|
||
(bsc#1193690);
|
||
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
|
||
in VFS module vfs_fruit allows code execution; (bso#14914);
|
||
(bsc#1194859);
|
||
- CVE-2022-0336: Samba AD users with permission to write to an
|
||
account can impersonate arbitrary services; (bso#14950);
|
||
(bsc#1195048);
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 21 12:37:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.15.4
|
||
* Duplicate SMB file_ids leading to Windows client cache
|
||
poisoning; (bso#14928);
|
||
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
|
||
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
|
||
* kill_tcp_connections does not work; (bso#14934);
|
||
* Can't connect to Windows shares not requiring authentication
|
||
using KDE/Gnome; (bso#14935);
|
||
* smbclient -L doesn't set "client max protocol" to NT1 before
|
||
calling the "Reconnecting with SMB1 for workgroup listing"
|
||
path; (bso#14939);
|
||
* Cross device copy of the crossrename module always fails;
|
||
(bso#14940);
|
||
* symlinkat function from VFS cap module always fails with an
|
||
error; (bso#14941);
|
||
* Fix possible fsp pointer deference; (bso#14942);
|
||
* Missing pop_sec_ctx() in error path inside close_directory();
|
||
(bso#14944);
|
||
* "smbd --build-options" no longer works without an smb.conf file;
|
||
(bso#14945);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 18 09:14:20 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- Use pkgconfig(krb5) as dependency for the -devel package: allow
|
||
OBS to pick the right flavor of krb5-devel (full vs mini).
|
||
- Do not require the 'krb5' symbol by samba-client-libs: this
|
||
package has an automatic dependency due to linkage on
|
||
libgssapi_krb5.so.2. Automatic deps are always better.
|
||
- Do not require the 'krb5' symbol from samba-libs: samba-libs
|
||
requires samba-client-libs, which in turn requires krb5
|
||
libraries. Samba-libs itself has no need for krb5 (but get it
|
||
indirectly anyway).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 13 19:39:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Reorganize libs packages. Split samba-libs into samba-client-libs,
|
||
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
|
||
public libraries depending on internal samba libraries into these
|
||
packages as there were dependency problems everytime one of these
|
||
public libraries changed its version (bsc#1192684). The devel
|
||
packages are merged into samba-devel.
|
||
- Rename package samba-core-devel to samba-devel
|
||
- Add python-rpm-macros to build requirements
|
||
- Update the symlink create by samba-dsdb-modules to private samba
|
||
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
|
||
/usr/lib64/ldb2/modules/ldb/samba
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 10 17:13:28 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.15.3
|
||
* Recursive directory delete with veto files is broken in 4.15.0;
|
||
(bso#14878);
|
||
* A directory containing dangling symlinks cannot be deleted by
|
||
SMB2 alone when they are the only entry in the directory;
|
||
(bso#14879);
|
||
* SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
|
||
uninitialized in rmdir_internals(); (bso#14892);
|
||
* MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694);
|
||
* The CVE-2020-25717 username map [script] advice has undesired
|
||
side effects for the local nt token; (bso#14901); (bsc#1192849);
|
||
* User with multiple spaces (eg Fred<space><space>Nurk) become
|
||
un-deletable; (bso#14902);
|
||
* Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127);
|
||
* smbXsrv_client_global record validation leads to crash if existing
|
||
record points at non-existing process; (bso#14882);
|
||
* Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call;
|
||
(bso#14890);
|
||
* Samba process doesn't log to logfile; (bso#14897);
|
||
* set_ea_dos_attribute() fallback calling get_file_handle_for_metadata()
|
||
triggers locking.tdb assert; (bso#14907);
|
||
* Kerberos authentication on standalone server in MIT realm broken;
|
||
(bso#14922);
|
||
* Segmentation fault when joining the domain; (bso#14923);
|
||
* Support for ROLE_IPA_DC is incomplete; (bso#14903);
|
||
* rpcclient cannot connect to ncacn_ip_tcp services anymore;
|
||
(bso#14767);
|
||
* winexe crashes since 4.15.0 after popt parsing; (bso#14893);
|
||
* net ads status -P broken in a clustered environment; (bso#14908);
|
||
* Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
|
||
smbd_smb2_ioctl_send; (bso#14788);
|
||
* winbindd doesn't start when "allow trusted domains" is off;
|
||
(bso#14899);
|
||
* smbclient login without password using '-N' fails with
|
||
NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883);
|
||
* A schannel client incorrectly detects a downgrade connecting to
|
||
an AES only server; (bso#14912);
|
||
* Possible null pointer dereference in winbind; (bso#14921);
|
||
* Fix -k legacy option for client tools like smbclient, rpcclient,
|
||
net, etc.; (bso#14846);
|
||
* Add Debian 11 CI bootstrap support; (bso#14872);
|
||
* Crash in recycle_unlink_internal(); (bso#14888);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 18 17:18:40 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix dependency problem upgrading from libndr0 to libndr2 and
|
||
from libsamba-credentials0 to libsamba-credentials1;
|
||
(bsc#1192684);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 10 10:26:01 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix regression introduced by CVE-2020-25717 patches, winbindd
|
||
does not start when 'allow trusted domains' is off; (bso#14899);
|
||
|
||
- Update to 4.15.2
|
||
* CVE-2016-2124: SMB1 client connections can be downgraded to
|
||
plaintext authentication; (bso#12444); (bsc#1014440);
|
||
* CVE-2020-25717: A user on the domain can become root on domain
|
||
members; (bso#14556); (bsc#1192284);
|
||
* CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
|
||
tickets issued by an RODC; (bso#14558); (bsc#1192246);
|
||
* CVE-2020-25719: Samba AD DC did not always rely on the SID and
|
||
PAC in Kerberos tickets; (bso#14561); (bsc#1192247);
|
||
* CVE-2020-25721: Kerberos acceptors need easy access to stable
|
||
AD identifiers (eg objectSid); (bso#14557); (bsc#1192505);
|
||
* CVE-2020-25722: Samba AD DC did not do suffienct access and
|
||
conformance checking of data stored; (bso#14564);
|
||
(bsc#1192283);
|
||
* CVE-2021-3738: Use after free in Samba AD DC RPC server;
|
||
(bso#14468); (bsc#1192215);
|
||
* CVE-2021-23192: Subsequent DCE/RPC fragment injection
|
||
vulnerability; (bso#14875); (bsc#1192214);
|
||
|
||
- Update to 4.15.1
|
||
* vfs_shadow_copy2: core dump in make_relative_path; (bso#14682);
|
||
* Log clutter from filename_convert_internal; (bso#14685);
|
||
* MacOSX compilation fixes; (bso#14862);
|
||
* rodc_rwdc test flaps; (bso#14868);
|
||
* Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
|
||
bit' S4U2Proxy Constrained Delegation bypass in Samba with
|
||
embedded Heimdal; (bso#14642);
|
||
* Python ldb.msg_diff() memory handling failure; (bso#14836);
|
||
* "in" operator on ldb.Message is case sensitive; (bso#14845);
|
||
* Release LDB 2.4.1 for Samba 4.15.1; (bso#14848);
|
||
* samldb_krbtgtnumber_available() looks for incorrect string;
|
||
(bso#14854);
|
||
* Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871);
|
||
* Allow special chars like "@" in samAccountName when generating
|
||
the salt; (bso#14874);
|
||
* Correctly ignore comments in CTDB public addresses file;
|
||
(bso#14826);
|
||
* Fix transit path validation; (bso#12998);
|
||
* Fix that child winbindd logs to log.winbindd instead of
|
||
log.wb-<DOMAIN>; (bso#14852);
|
||
* SMB3 cancel requests should only include the MID together with
|
||
AsyncID when AES-128-GMAC is used; (bso#14855);
|
||
* Prepare to operate with MIT krb5 >= 1.20; (bso#14870);
|
||
* Heimdal prefers RC4 over AES for machine accounts; (bso#14864);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 13 17:07:47 UTC 2021 - David Mulder <dmulder@suse.com>
|
||
|
||
- Enable samba-tool without ad dc.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 30 15:57:14 UTC 2021 - Noel Power <nopower@suse.com>
|
||
|
||
- Adjust spec to use pam macros; (bsc#1191046).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 29 08:58:28 UTC 2021 - Noel Power <nopower@suse.com>
|
||
|
||
- Adjust spec for size
|
||
* allow some Recommends instead Requires to be configured
|
||
for cifs-utils, samba-libs-python3 & samba-gpupdate;
|
||
(bsc#1182847).
|
||
* remove fam, undocumented and unneeded.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 23 11:41:44 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Add missing build dependency on bison when building with the
|
||
embedded Heimdal Kerberos
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 20 14:25:41 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.15.0
|
||
* Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10
|
||
* VFS layer modernized.
|
||
* Add the ability to set allow/deny lists for zone transfer clients
|
||
in Bind DLZ plugin
|
||
* Server multi-channel support no longer experimental
|
||
* Improved command line user experience, unifying the options in
|
||
different commands
|
||
* Winbindd no longer scans trusted domains on startup and will use
|
||
enterprise principals by default.
|
||
* The net utility is now able to support the offline domain join feature
|
||
* New options for 'samba-tool dns zoneoptions' for aging control
|
||
and to mark old records as static or dynamic
|
||
* DNS tombstones are now deleted as appropriate and use a consistent
|
||
timestamp format
|
||
* The 'samba-tool dns update' command validates and rejects now malformed
|
||
IPv4 and IPv6 addresses
|
||
* The 'samba-tool domain backup' command correctly takes out locks
|
||
against concurrent modification during backup when using the LMDB
|
||
backend
|
||
* TruACL support has been removed
|
||
* NIS support has been removed
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 16 07:55:35 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.14.7
|
||
* smbd panic on force-close share during offload write; (bso#14769);
|
||
* smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK;
|
||
(bso#12033);
|
||
* Fix returned attributes on fake quota file handle and avoid hitting
|
||
the VFS; (bso#14731);
|
||
* vfs_shadow_copy2 fix inodes not correctly updating inode numbers;
|
||
(bso#14756);
|
||
* Fix build on Solaris; (bso#14774);
|
||
* Make dos attributes available for unreadable files; (bso#14654);
|
||
* Work around special SMB2 READ response behavior of NetApp Ontap
|
||
7.3.7; (bso#14607);
|
||
* Start the SMB encryption as soon as possible; (bso#14793);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 17 16:30:25 UTC 2021 - David Mulder <dmulder@suse.com>
|
||
|
||
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18457).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 23 16:05:05 UTC 2021 - David Mulder <dmulder@suse.com>
|
||
|
||
- Update to 4.14.6
|
||
* s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722).
|
||
* smbd: Fix pathref unlinking in create_file_unixpath(); (bso#14732).
|
||
* s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown(); (bso#14734).
|
||
* s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
|
||
change_file_owner_to_parent() error path; (bso#14736).
|
||
* NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
|
||
glusterfs VFS module; (bso#14730).
|
||
* s3/modules: fchmod: Fallback to path based chmod if pathref; (bso#14734).
|
||
* Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740).
|
||
* gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750).
|
||
* smbXsrv_{open,session,tcon}: protect
|
||
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records;
|
||
(bso#14752).
|
||
* samba-tool domain backup offline doesn't work against bind DLZ
|
||
backend; (bso#14027).
|
||
* netcmd: Use next_free_rid() function to calculate a SID for
|
||
restoring a backup; (bso#14669).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 1 08:38:12 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.14.5
|
||
* s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success;
|
||
(bso#14696);
|
||
* s3: smbd: Ensure POSIX default ACL is mapped into returned Windows
|
||
ACL for directory handles; (bso#14708);
|
||
* s3: smbd: Fix uninitialized memory read in process_symlink_open()
|
||
when used with vfs_shadow_copy2(); (bso#14721);
|
||
* docs: Expand the "log level" docs on audit logging; (bso#14689);
|
||
* smbd: Correctly initialize close timestamp fields; (bso#14714);
|
||
* Fix gcc11 compiler issues; (bso#14699);
|
||
* docs-xml: Update smbcacls manpage; (bso#14718);
|
||
* docs: Update list of available commands in rpcclient; (bso#14719);
|
||
* ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
|
||
* s3:winbind: For 'security = ADS' require realm/workgroup to be set;
|
||
(bso#14695);
|
||
* lib:replace: Do not build strndup test with gcc 11 or newer;
|
||
(bso#14699);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 29 08:34:02 UTC 2021 - Noel Power <nopower@suse.com>
|
||
- Update to 4.14.4
|
||
* CVE-2021-20254: Fix buffer overrun in sids_to_unixids();
|
||
(bso#14571); (bsc#1184677).
|
||
|
||
- Update to 4.14.3
|
||
* s3:modules:vfs_virusfilter: Recent New_VFS changes break
|
||
vfs_virusfilter_openat; (bso#14671).
|
||
* build: Notice if flex is missing at configure time; (bso#14586).
|
||
* Fix smbd panic when two clients open same file; (bso#14672).
|
||
* Fix memory leak in the RPC server; (bso#14675).
|
||
* s3: smbd: fix deferred renames; (bso#14679).
|
||
* s3-iremotewinspool: Set the per-request memory context;
|
||
(bso#14675)
|
||
* Fix memory leak in the RPC server; (bso#14675).
|
||
* third_party: Update socket_wrapper to version 1.3.2;
|
||
(bso#11899).
|
||
* third_party: Update socket_wrapper to version 1.3.3;
|
||
(bso#14640).
|
||
* samba-gpupdate: Test that sysvol paths download in
|
||
case-insensitive way; (bso#14665).
|
||
* smbd: Ensure errno is preserved across fsp destructor;
|
||
(bso#14662).
|
||
* idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
|
||
conflict; (bso#14663).
|
||
* build: Only add -Wl,--as-needed when supported; (bso#14288).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 31 14:59:15 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.14.2
|
||
* Release with dependency on ldb version 2.3.0.
|
||
|
||
- Update to 4.14.1
|
||
* CVE-2021-20277: Fix out of bounds read in ldb_handler_fold; (bso#14655);
|
||
* CVE-2020-27840: Fix unauthenticated remote heap corruption via bad DNs;
|
||
(bso#14595);
|
||
|
||
- Update to 4.14.0
|
||
* VFS layer modernized.
|
||
* Printers publishing in AD improved.
|
||
* Client group policies support for sudoers configuration and
|
||
cron jobs.
|
||
* Improved consistency of samba-tool subcommands.
|
||
* CTDB now uses the terms leader and follower instead of master and
|
||
slave. Configuration options have changed accordingly.
|
||
* The ctdb isnotrecmaster command is removed.
|
||
* For details on all items see WHATSNEW.txt in samba-doc package.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 1 12:09:56 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Spec file fixes around systemd and requires; (bsc#1182830);
|
||
- Align systemd service unit files with upstream provided ones.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 26 15:15:08 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.13.4
|
||
* Work around special SMB2 IOCTL response behavior of NetApp Ontap
|
||
7.3.7; (bso#14607);
|
||
* Temporary DFS share setup doesn't set case parameters in the same
|
||
way as a regular share definition does; (bso#14612);
|
||
* lib: Avoid declaring zero-length VLAs in various messaging functions;
|
||
(bso#14605);
|
||
* Do not create an empty DB when accessing a sam.ldb; (bso#14579);
|
||
* vfs_fruit may close wrong backend fd; (bso#14596);
|
||
* Temporary DFS share setup doesn't set case parameters in the same way
|
||
as a regular share definition does; (bso#14612);
|
||
* vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
|
||
* vfs_fruit may close wrong backend fd; (bso#14596);
|
||
* Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7;
|
||
(bso#14607);
|
||
* The cache directory for the user gencache should be created recursively;
|
||
(bso#14601);
|
||
* Be more flexible with repository names in CentOS 8 test environments;
|
||
(bso#14594);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 28 09:41:57 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Uninstalling samba-client: Failed to disable unit, cifs.service
|
||
does not exists; (bsc#1180388);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 16 11:30:25 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.13.3
|
||
+ libcli: smb2: Never print length if smb2_signing_key_valid() fails for
|
||
crypto blob; (bso#14210);
|
||
+ s3: modules: gluster. Fix the error I made in preventing talloc leaks
|
||
from a function; (bso#14486);
|
||
+ s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL
|
||
via TALLOC_FREE(); (bso#14515);
|
||
+ s3: spoolss: Make parameters in call to user_ok_token() match all other
|
||
uses; (bso#14568);
|
||
+ s3: smbd: Quiet log messages from usershares for an unknown share;
|
||
(bso#14590);
|
||
+ samba process does not honor max log size; (bso#14248);
|
||
+ vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE;
|
||
(bso#14587);
|
||
+ s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
|
||
+ s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
|
||
+ smbclient: Fix recursive mget; (bso#14517);
|
||
+ clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
|
||
+ manpages/vfs_glusterfs: Mention silent skipping of write-behind
|
||
translator; (bso#14486);
|
||
+ vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
|
||
+ interface: Fix if_index is not parsed correctly; (bso#14514);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 16 09:30:52 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.13.2
|
||
+ s3: modules: vfs_glusterfs: Fix leak of char **lines onto
|
||
mem_ctx on return; (bso#14486);
|
||
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
|
||
(bso#14471);
|
||
+ smb.conf.5: Add clarification how configuration changes reflected
|
||
by Samba; (bso#14538);
|
||
+ daemons: Report status to systemd even when running in foreground;
|
||
(bso#14552);
|
||
+ DNS Resolver: Support both dnspython before and after 2.0.0;
|
||
(bso#14553);
|
||
+ s3-vfs_glusterfs: Refuse connection when write-behind xlator is
|
||
present; (bso#14486);
|
||
+ provision: Add support for BIND 9.16.x; (bso#14487);
|
||
+ ctdb-common: Avoid aliasing errors during code optimization;
|
||
(bso#14537);
|
||
+ libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
|
||
+ docs: Fix default value of spoolss:architecture; (bso#14522);
|
||
+ winbind: Fix a memleak; (bso#14388);
|
||
+ s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
|
||
+ docs-xml/manpages: Add warning about write-behind translator for
|
||
vfs_glusterfs; (bso#14486);
|
||
+ nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
|
||
+ vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
|
||
+ third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
|
||
+ examples:auth: Do not install example plugin; (bso#14550);
|
||
+ ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
|
||
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
|
||
(bso#14471);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 5 12:23:49 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Adjust smbcacls '--propagate-inheritance' feature to align with
|
||
upstream; (bsc#1178469).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 6 16:52:00 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.13.1
|
||
+ CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
|
||
easily crafted records; (bsc#1177613); (bso#14472);
|
||
+ CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994);
|
||
(bso#14436);
|
||
+ CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify;
|
||
(bsc#1173902); (bso#14434);
|
||
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of
|
||
/var/run/samba; (bsc#1177355);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 5 12:44:53 UTC 2020 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Fix vfs_ceph query_directory regression; (bso#14519)
|
||
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 24 16:01:26 UTC 2020 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Register CTDB recovery lock holder with ceph-mgr
|
||
- Add liburing-devel dependency
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 22 16:20:33 UTC 2020 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Update to samba 4.13.0
|
||
+ Require Python 3.6
|
||
+ Move wide links functionality into VFS module
|
||
+ Deprecate NT4-like 'classic' Samba domain controllers
|
||
+ Deprecate SMBv1 only protocol options
|
||
+ Remove deprecated "ldap ssl ads" option
|
||
+ Unify asynchronous DCE-RPC server; (jsc#SES-645)
|
||
+ Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
|
||
+ Drop internal byteorder.h header from util-devel package
|
||
+ Remove final code for the AD DC LDAP backend
|
||
+ Add AD DC Group Policy Scripts
|
||
+ Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
|
||
+ Fix %U substitutions if it contains a domain name; (bso#14467)
|
||
+ Fix krb5.conf creation for 'net ads join'; (bso#14479)
|
||
+ Fix build problem if libbsd-dev is not installed; (bso#14482)
|
||
+ Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
|
||
+ Fix idmap_ad RFC4511 response handling; (bso#14465)
|
||
+ Fix panic in get_lease_type(); (bso#14428)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 18 13:24:12 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.12.7
|
||
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
|
||
netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579);
|
||
(bso#14497);
|
||
+ CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
|
||
"server require schannel:WORKSTATION$ = no" about unsecure configurations;
|
||
(bsc#1176579); (bso#14497);
|
||
+ CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client
|
||
challenge; (bsc#1176579); (bso#14497);
|
||
+ CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in
|
||
netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no";
|
||
(bsc#1176579); (bso#14497);
|
||
|
||
- Update to samba 4.12.6
|
||
+ s3: libsmb: Fix SMB2 client rename bug to a Windows server;
|
||
(bso#14403).
|
||
+ dsdb: Allow "password hash userPassword schemes = CryptSHA256"
|
||
to work on RHEL7; (bso#14424).
|
||
+ dbcheck: Allow a dangling forward link outside our known NCs;
|
||
(bso#14450).
|
||
+ lib/debug: Set the correct default backend loglevel to
|
||
MAX_DEBUG_LEVEL; (bso#14426).
|
||
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
|
||
+ util: Fix build on AIX by fixing the order of replace.h include;
|
||
(bso#14422).
|
||
+ srvsvc_NetFileEnum asserts with open files; (bso#14355).
|
||
+ KDC breaks with DES keys still in the database and
|
||
msDS-SupportedEncryptionTypes 31 indicating support for it;
|
||
(bso#14354).
|
||
+ s3:smbd: Make sure vfs_ChDir() always sets
|
||
conn->cwd_fsp->fh->fd = AT_FDCWD; (bso#14427).
|
||
+ PANIC: Assert failed in get_lease_type(); (bso#14428).
|
||
+ docs: Fix documentation for require_membership_of of
|
||
pam_winbind.conf; (bso#14358).
|
||
+ ctdb-scripts: Use nfsconf utility for variable values in CTDB
|
||
NFS scripts; (bso#14444).
|
||
+ s3:winbind:idmap_ad: Make failure to get attrnames for schema
|
||
mode fatal; (bso#14425).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 28 13:25:09 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
|
||
|
||
- Don't install SuSEfirewall2 services, we don't have that package
|
||
anymore
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 2 15:18:42 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.12.5
|
||
+ Fix smbd panic on force-close share during async
|
||
io; (bso#14301).
|
||
+ Fix segfault when using SMBC_opendir_ctx() routine for
|
||
share folder that contains incorrect symbols in any
|
||
file name; (bso#14374)
|
||
+ Fix DFS links; (bso#14391).
|
||
+ Can't use DNS functionality after a Windows DC has been
|
||
in domain; (bso#14310).
|
||
+ ldapi search to FreeIPA crashes; (bso#14413).
|
||
+ Add net-ads-join dnshostname=fqdn option; (bso#14396)
|
||
+ Fix adding msDS-AdditionalDnsHostName to keytab with
|
||
Windows DC; (bso#14406).
|
||
+ docs-xml: Update list of posible VFS operations for
|
||
vfs_full_audit; (bso#14386).
|
||
+ winbindd: Fix a use-after-free when winbind clients exit;
|
||
(bso#14382).
|
||
+ Client tools are not able to read gencache anymore;
|
||
(bso#14370).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 2 11:56:15 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.12.4
|
||
+ CVE-2020-10730: NULL de-reference in AD DC LDAP server when
|
||
ASQ and VLV combined; (bso#14364); (bsc#1173159)
|
||
+ CVE-2020-10745: invalid DNS or NBT queries containing dots use
|
||
several seconds of CPU each; (bso#14378); (bsc#1173160).
|
||
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP
|
||
server with paged_result or VLV; (bso#14402); (bsc#1173161)
|
||
+ CVE-2020-14303: Endless loop from empty UDP packet sent to
|
||
AD DC nbt_server; (bso#14417); (bsc#1173359).
|
||
|
||
-------------------------------------------------------------------
|
||
Sat May 30 15:42:34 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||
|
||
- add libnetapi-devel to baselibs conf, for wine usage (bsc#1172307)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 28 10:56:26 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Add system-user-nobody to samba package requirements
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 20 15:56:03 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.12.3
|
||
+ Fix smbd panic on force-close share during async io; (bso#14301);
|
||
+ s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[] array;
|
||
(bso#14343);
|
||
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
|
||
+ Fix smbd crashes when MacOS Catalina connects if iconv initialization
|
||
fails; (bso#14372);
|
||
+ Exporting from macOS Adobe Illustrator creates multiple copies;
|
||
(bso#14150);
|
||
+ smbd does a chdir() twice per request; (bso#14256);
|
||
+ smbd mistakenly updates a file's write-time on close; (bso#14320);
|
||
+ vfs_shadow_copy2: implement case canonicalisation in
|
||
shadow_copy2_get_real_filename(); (bso#14350);
|
||
+ Fix Windows 7 clients problem after upgrading samba file server;
|
||
(bso#14375);
|
||
+ s3: Pass DCE RPC handle type to create_policy_hnd; (bso#14359);
|
||
+ Fix uxsuccess test with new MIT krb5 library 1.18; (bso#14155);
|
||
+ mit-kdc: Explicitly reject S4U requests; (bso#14342);
|
||
+ dbwrap_watch: Set rec->value_valid while returning nested
|
||
share_mode_do_locked(); (bso#14352);
|
||
+ lib:util: Fix smbclient -l basename dir; (bso#14345);
|
||
+ s3:libads: Fix ads_get_upn(); (bso#14336);
|
||
+ ctdb: Fix a memleak; (bso#14348);
|
||
+ Malicous SMB1 server can crash libsmbclient; (bso#14366);
|
||
+ ldb: Bump version to 2.1.3, LMDB databases can grow without bounds;
|
||
(bso#14330);
|
||
+ vfs_io_uring: Fix data corruption with Windows clients; (bso#14361);
|
||
+ s3/librpc/crypto: Fix double free with unresolved credential cache;
|
||
(bso#14344);
|
||
+ docs-xml: Fix usernames in pam_winbind manpages; (bso#14358);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 11 14:53:16 UTC 2020 - David Mulder <dmulder@dmulder.com>
|
||
|
||
- Installing: samba - samba-ad-dc.service does not exist and unit
|
||
not found; (bsc#1171437);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 4 10:33:43 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- libsmb: Don't try to find posix stat info in SMBC_getatr();
|
||
(bso#14101); (bsc#1169242);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 29 15:48:50 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Move libdcerpc-server-core.so to samba-libs package, this was
|
||
initially erroneously located in samba-ad-dc.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 28 11:44:07 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.12.2
|
||
+ CVE-2020-10700: A client combining the 'ASQ' and
|
||
'Paged Results' LDAP controls can cause a use-after-free
|
||
in Samba's AD DC LDAP server;(bso#14331); (bsc#1169850)
|
||
+ CVE-2020-10704: A deeply nested filter in an un-authenticated
|
||
LDAP search can exhaust the LDAP server's stack memory causing
|
||
a SIGSEGV; (bso#14334); (bsc#1169851).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 13 09:07:02 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.12.1
|
||
+ nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14295);
|
||
+ samba-tool group: Handle group names with special chars correctly;
|
||
(bso#14296);
|
||
+ Add missing check for DMAPI offline status in async DOS attributes;
|
||
(bso#14293);
|
||
+ Starting ctdb node that was powered off hard before results in recovery
|
||
loop; (bso#14295);
|
||
+ smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs;
|
||
(bso#14307);
|
||
+ vfs_recycle: Prevent flooding the log if we're called on non-existant
|
||
paths; (bso#14316);
|
||
+ librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313);
|
||
+ nsswitch: Fix use-after-free causing segfault in _pam_delete_cred;
|
||
(bso#14327);
|
||
+ fruit:time machine max size is broken on arm; (bso#13622);
|
||
+ CTDB recovery corner cases can cause record resurrection and node
|
||
banning; (bso#14294);
|
||
+ s3/utils: Fix double free error with smbtree; (bso#14332);
|
||
+ CTDB recovery corner cases can cause record resurrection and node
|
||
banning; (bso#14294);
|
||
+ Starting ctdb node that was powered off hard before results in recovery
|
||
loop; (bso#14295);
|
||
+ CTDB recovery daemon can crash due to dereference of NULL pointer;
|
||
(bso#14324);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 25 12:52:55 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- s3: libsmbclient.h: add missing time.h include to fix
|
||
ffmpeg build and make it compatible with -std=c99.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 16 10:40:16 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- ndrdump tests: Make the tests less fragile
|
||
- python/samba/gp_parse: Fix test errors with python3.8
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 13 14:19:30 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Starting ctdb node that was powered off hard before results
|
||
in recovery loop; (bso#14295); (bsc#1162680).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 6 15:38:01 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.12.0
|
||
+ For details on all items see WHATSNEW.txt in samba-doc
|
||
package.
|
||
+ Samba 4.12 raises this minimum version to Python
|
||
3.5.
|
||
+ Samba now requires GnuTLS 3.4.7 to be installed.
|
||
+ New Spotlight backend for Elasticsearch.
|
||
+ Retiring DES encryption types in Kerberos. With this release,
|
||
support for DES encryption types has been removed from
|
||
Samba, and setting DES_ONLY flag for an account will cause
|
||
Kerberos authentication to fail for that account (see
|
||
RFC-6649).
|
||
+ Samba-DC: DES keys no longer saved in DB.
|
||
+ The netatalk VFS module has been removed.
|
||
+ The BIND9_FLATFILE DNS backend is deprecated in this release
|
||
and will be removed in the future.
|
||
+ CTDB changes
|
||
+ The ctdb_mutex_fcntl_helper periodically re-checks the
|
||
lock file.
|
||
+ Bugs
|
||
+ Retire DES encryption types in Kerberos; (bso#14202);
|
||
bsc#(1165574).
|
||
+ dsdb: Correctly handle memory in objectclass_attrs;
|
||
(bso#14258).
|
||
+ s3: DFS: Don't allow link deletion on a read-only share;
|
||
(bso#14269).
|
||
+ pidl/wscript: configure should insist on Parse::Yapp::Driver;
|
||
(bso#14284).
|
||
+ smbd fails to handle EINTR from open(2) properly;
|
||
(bso#14285).
|
||
+ ldb: version 2.1.1; (bso#14270)).
|
||
+ vfs: Set getting and setting of MS-DFS redirects on the
|
||
filesystem to go through two new VFS functions
|
||
SMB_VFS_CREATE_DFS_PATHAT() and
|
||
SMB_VFS_READ_DFS_PATHAT(); (bso#14282).
|
||
+ bootstrap: Remove un-used dependency python3-crypto;
|
||
(bso#14255)
|
||
+ Fix CID 1458418 and 1458420; (bso#14247).
|
||
+ lib: Fix a shutdown crash with "clustering = yes";
|
||
(bso#14281).
|
||
+ Winbind member (source3) fails local SAM auth with empty
|
||
domain name; (bso#14247).
|
||
+ winbindd: Handle missing idmap in getgrgid(); (bso#14265).
|
||
+ Don't use forward declaration for GnuTLS typedefs; (bso#14271).
|
||
+ Add io_uring vfs module; (bso#14280).
|
||
+ libcli:smb: Improve check for
|
||
gnutls_aead_cipher_(en|de)cryptv2; (bso#14250).
|
||
+ s3: lib: nmblib. Clean up and harden nmb packet processing;
|
||
(bso#14239);
|
||
+ lib:util: Log mkdir error on correct debug levels; (bso#14253).
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Feb 2 20:42:05 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
|
||
|
||
- Remove unused pwdutils buildrequires
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 30 09:04:04 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.11.6
|
||
+ pygpo: Use correct method flags; (bso#14209);
|
||
+ Avoiding bad call flags with python 3.8, using METH_NOARGS
|
||
instead of zero; (bso#14209);
|
||
+ source4/utils/oLschema2ldif: Include stdint.h before cmocka.h;
|
||
(bso#14218);
|
||
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc;
|
||
(bso#14122);
|
||
+ smbd: Fix the build with clang; (bso#14251);
|
||
+ upgradedns: Ensure lmdb lock files linked; (bso#14199);
|
||
+ s3: VFS: glusterfs: Reset nlinks for symlink entries during
|
||
readdir; (bso#14182);
|
||
+ smbc_stat() doesn't return the correct st_mode and also the
|
||
uid/gid is not filled (SMBv1) file; (bso#14101);
|
||
+ librpc: Fix string length checking in ndr_pull_charset_to_null();
|
||
(bso#14219);
|
||
+ ctdb-scripts: Strip square brackets when gathering connection info;
|
||
(bso#14227);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 21 16:55:36 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix nmbstatus not reporting detailed information about workgroups;
|
||
(bsc#1159464);
|
||
- Fix querying all names registered within broadcast area; (bso#8927);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 21 16:31:07 UTC 2020 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samab 4.11.5
|
||
+ CVE-2019-14902: Replication of ACLs down subtree on
|
||
AD Directory is not automatic; (bso#12497); (bsc#1160850).
|
||
+ CVE-2019-19344: Fix server crash with
|
||
dns zone scavenging = yes; (bso#14050); (bsc#1160852).
|
||
+ CVE-2019-14907: server-side crash after charset conversion
|
||
failure (eg during NTLMSSP processing); (bso#14208);
|
||
(bsc#1160888).
|
||
|
||
- Update to samba 4.11.4
|
||
+ Ensure SMB1 cli_qpathinfo2() doesn't return an inode number;
|
||
(bso#14161).
|
||
+ Ensure we don't call cli_RNetShareEnum() on an SMB1
|
||
connection; (bso#14174).
|
||
+ NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
|
||
SMBC_opendir_ctx; (bso#14176).
|
||
+ SMB2 - Ensure we use the correct session_id if encrypting
|
||
an interim response; (bso#14189).
|
||
+ Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
|
||
+ printing: Fix %J substition; (bso#13745).
|
||
+ Remove now unneeded call to cmdline_messaging_context();
|
||
(bso#13925).
|
||
+ Fix incomplete conversion of former parametric options;
|
||
(bso#14069).
|
||
+ Fix sync dosmode fallback in async dosmode codepath;
|
||
(bso#14070).
|
||
+ vfs_fruit returns capped resource fork length; (bso#14171).
|
||
+ libnet_join: Add SPNs for additional-dns-hostnames entries;
|
||
(bso#14116).
|
||
+ smbd: Increase a debug level; (bso#14211).
|
||
+ Prevent azure ad connect from reporting discovery errors
|
||
reference-value-not-ldap-conformant; (bso#14153).
|
||
+ krb5_plugin: Fix developer build with newer heimdal system
|
||
library; (bso#14179).
|
||
+ replace: Only link libnsl and libsocket if required;
|
||
(bso#14168);
|
||
+ ctdb: Incoming queue can be orphaned causing communication;
|
||
breakdown; (bso#14175).
|
||
+ ldb: Release ldb 2.0.8. Cross-compile will not take
|
||
cross-answers or cross-execute; (bso#13846).
|
||
+ heimdal-build: Avoid hard-coded /usr/include/heimdal in
|
||
asn1_compile-generated code; (bso#13856).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 20 17:59:01 UTC 2019 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 10 09:57:23 UTC 2019 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.11.3
|
||
+ CVE-2019-14861: DNSServer RPC server crash, an authenticated user
|
||
can crash the DCE/RPC DNS management server by creating records
|
||
with matching the zone name; (bso#14138); (bsc#1158108).
|
||
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the
|
||
DelegationNotAllowed Kerberos feature restriction was not being
|
||
applied when processing protocol transition requests (S4U2Self),
|
||
in the AD DC KDC; (bso#14187); (bsc#1158109).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 29 17:22:30 UTC 2019 - Jim McDonough <jmcdonough@suse.com>
|
||
|
||
- Update to samba 4.11.2
|
||
+ CVE-2019-10218: Client code can return filenames containing
|
||
path separators; (bsc#1144902); (bso#14071).
|
||
+ CVE-2019-14833: Samba AD DC check password script does not
|
||
receive the full password; (bso#12438).
|
||
+ CVE-2019-14847: User with "get changes" permission can crash
|
||
AD DC LDAP server via dirsync; (bso#14040).
|
||
- Fixes from 4.11.1
|
||
+ Overlinking libreplace against librt and pthread against every
|
||
binary or library causes issues; (bso#14140);
|
||
+ kpasswd fails when built with MIT Kerberos; (bso#14155);
|
||
+ Fix spnego fallback from kerberos to ntlmssp in smbd server;
|
||
(bso#14106);
|
||
+ Stale file handle error when using mkstemp on a share; (bso#14137);
|
||
+ non-AES schannel broken; (bso#14134);
|
||
+ Joining Active Directory should not use SAMR to set the password;
|
||
(bso#13884);
|
||
+ smbclient can blunder into the SMB1 specific cli_RNetShareEnum()
|
||
call on an SMB2 connection; (bso#14152);
|
||
+ Deleted records can be resurrected during recovery; (bso#14147);
|
||
+ getpwnam and getpwuid need to return data for ID_TYPE_BOTH group;
|
||
(bso#14141);
|
||
+ winbind does not list forest trusts with additional trust
|
||
attributes; (bso#14130);
|
||
+ fault report points to outdated documentation; (bso#14139);
|
||
+ pam_winbind with krb5_auth or wbinfo -K doesn't work for users of
|
||
trusted domains/forests; (bso#14124);
|
||
+ classicupgrade results in uncaught exception - a bytes-like object
|
||
is required, not 'str'; (bso#14136);
|
||
+ pod2man is not longer required, stop checking at build time;
|
||
(bso#14131);
|
||
+ Exit code of ctdb nodestatus should not be influenced by deleted
|
||
nodes; (bso#14129);
|
||
+ username/password authentication doesn't work with CUPS and
|
||
smbspool; (bso#14128);
|
||
+ smbc_readdirplus() is incompatible with smbc_telldir() and
|
||
smbc_lseekdir(); (bso#14094);
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 5 14:20:06 UTC 2019 - James McDonough <jmcdonough@suse.com>
|
||
|
||
- Update to samba 4.11.0
|
||
+ For details on all items see WHATSNEW.txt in samba-doc
|
||
package
|
||
+ Python2 runtime support removed; python 3.4 or later required
|
||
+ Security improvements:
|
||
- SMB1 disabled by default
|
||
- lanman and plaintext authentication deprecated
|
||
- winbind: PAM_AUTH and NTLM_AUTH events logged
|
||
- GnuTLS 3.2 required; system FIPS mode setting honored
|
||
+ CephFS Snapshot integration, exposed as previous file
|
||
versions
|
||
+ ctdb changes:
|
||
- onnode -o option removed
|
||
- ctdbd logs when using more than 90% of a CPU thread
|
||
- CTDB_MONITOR_SWAP_USAGE variable removed
|
||
+ AD Domain controller improvements:
|
||
- Upgrade AD databse format
|
||
- BIND9_FLATFILE deprecated
|
||
- default process model chagned to prefork
|
||
- bind9 dns operation duration logging
|
||
- Default schema updated to 2012_R2; function level is
|
||
unchanged
|
||
- many performance improvements
|
||
+ Configuration webserver support removed
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 3 09:18:38 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba 4.10.8
|
||
+ CVE-2019-10197: user escape from share path definition;
|
||
(bso#14035); (bsc#1141267);
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 30 13:10:01 UTC 2019 - Noel Power <nopower@suse.com>
|
||
|
||
- Fix build on newer systems by modifying samba.spec to use
|
||
consistent non-relative paths for pammodules in configure line
|
||
and specification of pam_winbind.so library to package.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 27 14:47:44 UTC 2019 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba 4.10.7
|
||
+ Unable to create or rename file/directory inside shares
|
||
configured with vfs_glusterfs_fuse module; (bso#14010).
|
||
+ build: Allow build when '--disable-gnutls' is set; (bso#13844)
|
||
+ samba-tool: Add 'import samba.drs_utils' to fsmo.py;
|
||
(bso#13973).
|
||
+ Fix 'Error 32 determining PSOs in system' message on old DB
|
||
with FL upgrade; (bso#14008).
|
||
+ s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
|
||
+ join: Use a specific attribute order for the DsAddEntry
|
||
nTDSDSA object; (bso#14046).
|
||
+ vfs_catia: Pass stat info to synthetic_smb_fname();
|
||
(bso#14015).
|
||
+ lookup_name: Allow own domain lookup when flags == 0;
|
||
(bso#14091).
|
||
+ s4 librpc rpc pyrpc: Ensure tevent_context deleted last;
|
||
(bso#13932).
|
||
+ DEBUGC and DEBUGADDC doesn't print into a class specific log
|
||
file; (bso#13915).
|
||
+ Request to keep deprecated option "server schannel",
|
||
VMWare Quickprep requires "auto"; (bso#13949).
|
||
+ dbcheck: Fallback to the default tombstoneLifetime of 180 days;
|
||
(bso#13967).
|
||
+ dnsProperty fails to decode values from older Windows versions;
|
||
(bso#13969).
|
||
+ samba-tool: Use only one LDAP modify for dns partition fsmo
|
||
role transfer; (bso#13973).
|
||
+ third_party: Update waf to version 2.0.17; (bso#13960).
|
||
+ netcmd: Allow 'drs replicate --local' to create partitions;
|
||
(bso#14051).
|
||
+ ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 7 13:03:55 UTC 2019 - npower <nopower@suse.com>
|
||
|
||
- Prepare for use future use of kernel keyrings, modify
|
||
/etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 1 10:00:00 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update samba-winbind script to work with systemd; (bsc#1132739);
|
||
- Drop samba dhcpcd hook scripts
|
||
- Update to samba 4.10.6
|
||
+ s3: winbind: Fix crash when invoking winbind idmap scripts;
|
||
(bso#13956).
|
||
+ smbd does not correctly parse arguments passed to dfree and quota
|
||
scripts; (bso#13964).
|
||
+ samba-tool dns: use bytes for inet_ntop; (bso#13965).
|
||
+ samba-tool domain provision: Fix --interactive module in python3;
|
||
(bso#13828).
|
||
+ ldb_kv: Skip @ records early in a search full scan; (bso#13893).
|
||
+ docs: Improve documentation of "lanman auth" and "ntlm auth"
|
||
connection; (bso#13981).
|
||
+ python/ntacls: Use correct "state directory" smb.conf option instead
|
||
of "state dir"; (bso#14002).
|
||
+ registry: Add a missing include; (bso#13840).
|
||
+ Fix SMB guest authentication; (bso#13944).
|
||
+ AppleDouble conversion breaks Resourceforks; (bso#13958).
|
||
+ vfs_fruit makes direct use of syscalls like mmap() and pread();
|
||
(bso#13968).
|
||
+ s3:mdssvc: Fix flex compilation error; (bso#13987).
|
||
+ s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
|
||
+ dsdb:samdb: schemainfo update with relax control; (bso#13799).
|
||
+ s3:util: Move static file_pload() function to lib/util; (bso#13964).
|
||
+ smbd: Fix a panic; (bso#13957).
|
||
+ ldap server: Generate correct referral schemes; (bso#12478).
|
||
+ s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value;
|
||
(bso#13941).
|
||
+ s4 dsdb: Fix use after free in samldb_rename_search_base_callback;
|
||
(bso#13942).
|
||
+ dsdb/repl: we need to replicate the whole schema before we can apply it;
|
||
(bso#12204).
|
||
+ ldb: Release ldb 1.5.5; (bso#12478).
|
||
+ Schema replication fails if link crosses chunk boundary backwards;
|
||
(bso#13713).
|
||
+ 'samba-tool domain schemaupgrade' uses relax control and skips the
|
||
schemaInfo update provision; (bso#13799).
|
||
+ dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)]
|
||
..."; (bso#13916).
|
||
+ python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to
|
||
get the ACL; (bso#13917).
|
||
+ s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary;
|
||
(bso#13947).
|
||
+ Using Kerberos credentials to print using spoolss doesn't work;
|
||
(bso#13939).
|
||
+ wafsamba: Use native waf timer; (bso#13998).
|
||
+ ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 19 09:20:12 UTC 2019 - Noel Power <nopower@suse.com>
|
||
|
||
- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
|
||
+ CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
|
||
in DnssrvOperation2; (bso#13922); (bsc#1137815).
|
||
+ CVE-2019-12436 dsdb/paged_results: Ignore successful results
|
||
without messages; (bso#13951); (bsc#1137816).
|
||
- Update to samba-4.10.4
|
||
+ s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
|
||
+ py/provision: Fix for Python 2.6; (bso#13882).
|
||
+ netcmd: Fix 'passwordsettings --max-pwd-age' command;
|
||
(bso#13873).
|
||
+ s3-libnet_join: 'net ads join' to child domain fails when
|
||
using "-U admin@forestroot"; (bso#13861).
|
||
+ vfs_ceph: Explicitly enable libcephfs POSIX ACL support;
|
||
(bso#13896); (bsc#1130245).
|
||
+ vfs_ceph: Fix cephwrap_flistxattr() debug message;
|
||
(bso#13940); (bsc#1134697).
|
||
+ ctdb-common: Avoid race between fd and signal events;
|
||
(bso#13895).
|
||
+ ctdb-common: Fix memory leak in run_proc; (bso#13943).
|
||
+ lib: Initialize getline() arguments; (bso#13892).
|
||
+ winbind: Fix overlapping id ranges; (bco#13903).
|
||
+ lib util debug: Increase format buffer to 4KiB; (bso#13902).
|
||
+ nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
|
||
+ s4 lib socket: Ensure address string owned by parent struct;
|
||
(bso#13929).
|
||
+ s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
|
||
+ s3:smbd: Handle IO_REPARSE_TAG_DFS in
|
||
SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
|
||
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
|
||
+ smb2_sesssetup: avoid STATUS_PENDING responses for session setup;
|
||
(bso#12845).
|
||
+ smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
|
||
+ smb2_sesssetup: avoid STATUS_PENDING responses for session
|
||
setup; (bso#13796).
|
||
+ dbcheck: Fix the err_empty_attribute() check; (bso#13843).
|
||
+ vfs_snapper: Drop unneeded fstat handler; (bso#13858).
|
||
+ vfs_default: Fix vfswrap_offload_write_send()
|
||
NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
|
||
+ smb2_server: Grant all 8192 credits to clients; (bso#13863).
|
||
+ smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling;
|
||
(bso#13919).
|
||
+ s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
|
||
+ s3: modules: ceph: Use current working directory instead of
|
||
share path; (bso#13918); (bsc#1134452).
|
||
+ winbind: Use domain name from lsa query for sid_to_name cache
|
||
entry; (bso#13831).
|
||
+ memcache: Increase size of default memcache to 512k;
|
||
(bso#13865).
|
||
+ docs: Update smbclient manpage for "--max-protocol";
|
||
(bso#13857).
|
||
+ s3:utils: If share is NULL in smbcacls, don't print it;
|
||
(bso#13937).
|
||
+ s3:smbspool: Fix regression printing with Kerberos credentials;
|
||
(bso#13939).
|
||
+ ctdb-scripts: CTDB restarts failed NFS RPC services by hand,
|
||
which is incompatible with systemd; (bso#13860).
|
||
+ ctdb-daemon: Revert "We can not assume that just because we
|
||
could complete a TCP handshake"; (bso#13888).
|
||
+ ctdb-daemon: Never use 0 as a client ID; (bso#13930).
|
||
+ ctdb-common: Fix memory leak; (bso#13943).
|
||
+ s3:debug: Enable logging for early startup failures;
|
||
(bso#13904)
|
||
|
||
- Update to samba-4.10.3
|
||
+ CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
|
||
checksum; (bso#13685); (bsc#1134024).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 14 14:22:11 UTC 2019 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
|
||
- Add ceph_snapshots VFS module; (jsc#SES-183).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 8 12:42:31 UTC 2019 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 17 11:20:32 UTC 2019 - npower <nopower@suse.com>
|
||
|
||
- Update to samba-4.10.2:
|
||
+ CVE-2019-3870 (World writable files in
|
||
Samba AD DC private/ dir); (bso#13834).
|
||
+ CVE-2019-3880 (Save registry file outside share as
|
||
unprivileged user); (bso#13851).
|
||
+ py/kcc_utils: py2.6 compatibility; (bso#13837).
|
||
+ libcli: permit larger values of DataLength in
|
||
SMB2_ENCRYPTION_CAPABILITIES of negotiate response;
|
||
(bso#13869).
|
||
+ regfio: Improve handling of malformed registry hive files;
|
||
(bso#13840).
|
||
+ ctdb-version: Simplify version string usage; (bso#13789).
|
||
+ lib: Make fd_load work for non-regular files; (bso#13859).
|
||
+ dbcheck: in the middle of the tombstone garbage collection
|
||
causes replication failures,
|
||
dbcheck: add --selftest-check-expired-tombstones cmdline
|
||
option; (bso#13816).
|
||
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
|
||
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
|
||
+ s4/messaging: Fix undefined reference in linking
|
||
libMESSAGING-samba4.so; (bso#13854).
|
||
+ acl_read: Fix regression for empty lists; (bso#13836).
|
||
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
|
||
+ s3:client: Fix printing via smbspool backend with kerberos
|
||
auth; (bso#13832).
|
||
+ s4:librpc: Fix installation of Samba; (bso#13847).
|
||
+ s3:lib: Fix the debug message for adding cache entries;
|
||
(bso#13848).
|
||
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username;
|
||
(bso#13793).
|
||
+ s3:lib: Fix the debug message for adding cache entries;
|
||
(bso#13848).
|
||
+ s3:waf: Fix the detection of makdev() macro on Linux;
|
||
(bso#13853).
|
||
* ctdb-build: Drop creation of .distversion in tarball;
|
||
(bso#13789).
|
||
* ctdb-packaging: Test package requires tcpdump, ctdb package
|
||
should not own system library directory; (bso#13838).
|
||
- Update to samba-4.10.1:
|
||
+ py/kcc_utils: py2.6 compatibility; (bso#13837);
|
||
+ libcli: permit larger values of DataLength in
|
||
SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
|
||
+ regfio: Improve handling of malformed registry hive files; (bso#13840);
|
||
+ ctdb-version: Simplify version string usage; (bso#13789);
|
||
+ lib: Make fd_load work for non-regular files; (bso#13859);
|
||
+ dbcheck in the middle of the tombstone garbage collection causes
|
||
replication failures, dbcheck: add --selftest-check-expired-tombstones
|
||
cmdline option; (bso#13816);
|
||
+ ndr_spoolss_buf: Fix out of scope use of stack variable in
|
||
NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
|
||
+ s4/messaging: Fix undefined reference in linking
|
||
libMESSAGING-samba4.so; (bso#13854);
|
||
+ acl_read: Fix regression for empty lists; (bso#13836);
|
||
+ s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
|
||
+ s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
|
||
+ s4:librpc: Fix installation of Samba; (bso#13847);
|
||
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
|
||
+ s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
|
||
+ s3:lib: Fix the debug message for adding cache entries; (bso#13848);
|
||
+ s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
|
||
+ ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
|
||
+ ctdb-packaging: Test package requires tcpdump, ctdb package
|
||
should not own system library directory; (bso#13838);
|
||
- Update to samba-4.10.0:
|
||
+ s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
|
||
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
|
||
+ s4/scripting/bin: Open unicode files with utf8 encoding and write
|
||
+ unicode string.
|
||
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
|
||
files; (bso#13759);
|
||
+ Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813);
|
||
+ passdb: Update ABI to 0.27.2.
|
||
+ lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
|
||
+ lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Apr 14 22:31:32 UTC 2019 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 2 08:38:28 UTC 2019 - npower <nopower@suse.com>
|
||
|
||
- CVE-2019-3880: Save registry file outside share as unprivileged
|
||
user; (bso#13851); (bsc#1131060 ).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 27 18:47:07 UTC 2019 - David Mulder <dmulder@suse.com>
|
||
|
||
- Update to samba-4.9.5
|
||
+ audit_logging: Remove debug log header and JSON Authentication:
|
||
prefix; (bso#13714);
|
||
+ Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
|
||
+ s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso#
|
||
CID: 1433607; (bso#11495);
|
||
+ smbd: uid: Don't crash if 'force group' is added to an existing
|
||
share connection; (bso#13690);
|
||
+ s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility
|
||
code; (bso#13770);
|
||
+ s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
|
||
+ s3:utils/smbget fix recursive download with empty source
|
||
directories; (bso#13199);
|
||
+ samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
|
||
+ s3:libsmb: cli_smb2_list() can sometimes fail initially on a
|
||
connection; (bso#13736);
|
||
+ join: Throw CommandError instead of Exception for simple errors; (bso#13747);
|
||
+ ldb: Avoid inefficient one-level searches; (bso#13762);
|
||
+ s3: libsmb: use smb2cli_conn_max_trans_size() in
|
||
cli_smb2_list(); (bso#13736);
|
||
+ tldap: Avoid use after free errors; (bso#13776);
|
||
+ Fix idmap xid2sid cache churn; (bso#13802);
|
||
+ access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
|
||
+ s3-smbd: Avoid assuming fsp is always intact after close_file
|
||
call; (bso#13720);
|
||
+ s3-vfs-fruit: Add close call; (bso#13725);
|
||
+ s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
|
||
+ s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
|
||
+ printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
|
||
+ vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS)
|
||
ftruncate and fallocate; (bso#13807);
|
||
+ lib/audit_logging: Actually create talloc; (bso#13737);
|
||
+ netcmd/user: python[3]-gpgme unsupported and replaced by
|
||
python[3]-gpg; (bso#13728);
|
||
+ dns: Changing onelevel search for wildcard to subtree; (bso#13738);
|
||
+ samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
|
||
+ sambaundoguididx: Use the right escaped oder unescaped sam ldb
|
||
files; (bso#13759);
|
||
+ ctdb: Print locks latency in machinereadable stats; (bso#13742);
|
||
+ messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
|
||
+ audit_logging: auth_json_audit required auth_json; (bso#13715);
|
||
+ man pages: Document prefork process model; (bso#13765);
|
||
+ CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
|
||
+ s3:auth: ignore create_builtin_guests() failing without a valid
|
||
idmap configuration; (bso#13697);
|
||
+ s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC
|
||
without trusts; (bso#13722);
|
||
+ s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd
|
||
is not available; (bso#13723);
|
||
+ s4:server: Add support for 'smbcontrol samba shutdown' and
|
||
'smbcontrol <pid> debug/debuglevel'; (bso#13752);
|
||
+ Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
|
||
+ vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
|
||
+ s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
|
||
+ notifyd: Fix SIGBUS on sparc; (bso#13704);
|
||
+ waf: Check for libnscd; (bso#13787);
|
||
+ s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
|
||
+ lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
|
||
+ Recovery lock bug fixes; (bso#13800);
|
||
+ s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
|
||
+ s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
|
||
+ vfs_fileid: Fix get_connectpath_ino; (bso#13741);
|
||
+ vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 4 12:42:36 UTC 2019 - David Disseldorp <ddiss@suse.com>
|
||
|
||
- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 22 11:58:53 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Fix update-apparmor-samba-profile script after apparmor switched
|
||
to using named profiles. The change is backwards compatible;
|
||
(bsc#1126377);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 7 16:13:15 UTC 2019 - David Mulder <dmulder@suse.com>
|
||
|
||
- LoadParm().load_default() fails with "Unable to load default file";
|
||
(bsc#1089758);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 7 00:27:42 UTC 2019 - ddiss@suse.com
|
||
|
||
- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 4 12:38:55 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit();
|
||
(bso#13173); (bsc#1123755);
|
||
- s3:winbind: Fix regression introduced with bso #12851;
|
||
(bso#12851); (bsc#1123755);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 8 11:38:40 UTC 2019 - nopower@suse.com
|
||
|
||
- Update to samba-4.9.4
|
||
+ libcli/smb: Don't overwrite status code; (bso#9175).
|
||
+ wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
|
||
+ Session setup reauth fails to sign response; (bso#13661).
|
||
+ vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
|
||
+ vfs_shadow_copy2: Nicely deal with attempts to open previous
|
||
version for writing; (bso#13688).
|
||
+ Restoring previous version of stream with vfs_shadow_copy2 fails
|
||
with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
|
||
+ CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
|
||
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
|
||
+ PEP8: fix E231: missing whitespace after ','.
|
||
+ winbindd: Fix crash when taking profiles;(bso#13629)
|
||
+ CVE-2018-14629 dns: Fix CNAME loop prevention using counter
|
||
regression; (bso#13600)
|
||
+ 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
|
||
+ CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
|
||
+ lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679)
|
||
+ ctdb-daemon: Exit with error if a database directory does not
|
||
exist; (bso#13696).
|
||
+ s3:libads: Add net ads leave keep-account option; (bso#13498).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 20 15:15:54 UTC 2018 - David Mulder <dmulder@suse.com>
|
||
|
||
- s3:passdb: Do not return OK if we don't have pinfo set up;
|
||
(bsc#1099590); (bso#13376);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 6 20:55:23 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
|
||
|
||
- Drop more %if..%endif guards which are idempotent.
|
||
- Drop requires on ldconfig which are already auto-discovered.
|
||
- Do not ignore errors from useradd/groupadd.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 29 15:54:27 UTC 2018 - David Mulder <dmulder@suse.com>
|
||
|
||
- Remove python2 build dependency from samba-libs; (bsc#1116900);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 28 09:35:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update update-apparmor-samba-profile script to ignore the shares's
|
||
paths containing substitution variables in any place, not only at the
|
||
beginning of the path.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 19 12:28:56 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba-4.9.3
|
||
+ CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD
|
||
Internal DNS server; (bso#13600); (bsc#1116319);
|
||
+ CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628);
|
||
(bsc#1116320);
|
||
+ CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server;
|
||
(bso#13674); (bsc#1116322);
|
||
+ CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers;
|
||
(bso#13669); (bsc#1116321);
|
||
+ CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos
|
||
configuration (unsupported); (bso#13678); (bsc#1116324);
|
||
+ CVE-2018-16857: Bad password count in AD DC not always effective;
|
||
window; (bso#13683); (bsc#1116323);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 8 17:53:14 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- s3: winbind: Remove fstring from wb_acct_info struct; (bsc#1114459);
|
||
- Use foreground execution mode for systemd samba daemons; (bsc#1112223);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 8 15:06:37 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba-4.9.2
|
||
+ dsdb: Add comments explaining the limitations of our current backlink
|
||
behaviour; (bso#13418);
|
||
+ Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
|
||
+ testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3;
|
||
(bso#13465);
|
||
+ Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
|
||
+ File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
|
||
+ Enabling vfs_fruit looses FinderInfo; (bso#13649);
|
||
+ Cancelling of SMB2 aio reads and writes returns wrong error
|
||
NT_STATUS_INTERNAL_ERROR; (bso#13667);
|
||
+ Fix CTDB recovery record resurrection from inactive nodes and simplify
|
||
vacuuming; (bso#13641);
|
||
+ examples: Fix the smb2mount build; (bso#13465);
|
||
+ libtevent: Fix build due to missing open_memstream on Illiumos;
|
||
(bso#13629);
|
||
+ winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
|
||
+ dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path;
|
||
(bso#13653);
|
||
+ Extended DN SID component missing for member after switching group
|
||
membership; (bso#13418);
|
||
+ Return STATUS_SESSION_EXPIRED error encrypted, if the request was
|
||
encrypted; (bso#13624);
|
||
+ python: Allow forced signing via smb.SMB(); (bso#13621);
|
||
+ lib:socket: If returning early, set ifaces; (bso#13665);
|
||
+ ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8
|
||
encoded unicode; (bso#13616);
|
||
+ smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute;
|
||
(bso#13673);
|
||
+ waf: Add -fstack-clash-protection; (bso#13601);
|
||
+ winbind: Fix segfault if an invalid passdb backend is configured;
|
||
(bso#13668);
|
||
+ Fix bugs in CTDB event handling; (bso#13659);
|
||
+ Misbehaving nodes are sometimes not banned; (bso#13670);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 29 14:38:56 UTC 2018 - dmulder@suse.com
|
||
|
||
- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 23 18:44:53 UTC 2018 - dmulder@suse.com
|
||
|
||
- winbind requires latest version of libtevent-util0 to start
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 12 14:58:08 UTC 2018 - dmulder@suse.com
|
||
|
||
- Backport latest gpo code from master
|
||
+ Read policy from local gpt cache
|
||
+ Offline policy application
|
||
+ Make group policy extensible via register/unregister gpext
|
||
+ gpext's run via a process_group_policy method
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 8 08:36:43 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to 4.6.16; (bsc#1110943);
|
||
+ CVE-2018-10919: Fix unauthorized attribute access via searches;
|
||
(bso#13434);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 26 22:45:40 UTC 2018 - jmcdonough@suse.com
|
||
|
||
- Enable profiling data collection
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 25 20:26:47 UTC 2018 - dmulder@suse.com
|
||
|
||
- Change samba-kdc package name to samba-ad-dc
|
||
- Move samba-ad-dc.service to the samba-ad-dc package
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 24 09:43:08 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba-4.9.1
|
||
+ s3: nmbd: Stop nmbd network announce storm; (bso#13620);
|
||
+ s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds;
|
||
(bso#13597);
|
||
+ CTDB recovery lock has some race conditions; (bso#13617);
|
||
+ s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
|
||
+ ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 13 19:19:34 UTC 2018 - dmulder@suse.com
|
||
|
||
- Tumbleweed doesn't define the sle_version macro, so we must
|
||
include a check for suse_version also. Otherwise python3 is
|
||
disabled on Tumbleweed.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 13 13:28:06 UTC 2018 - Samuel Cabrero <scabrero@suse.de>
|
||
|
||
- Update to samba-4.9.0
|
||
+ samba_dnsupdate: Honor 'dns zone scavenging' option, only update if
|
||
needed; (bso#13605);
|
||
+ wafsamba: Fix 'make -j<jobs>'; (bso#13606);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 10 20:46:20 UTC 2018 - dmulder@suse.com
|
||
|
||
- Update to samba-4.9.0rc5
|
||
+ s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only
|
||
returns absolute pathnames; (bso#13565);
|
||
+ s3: util: Do not take over stderr when there is no log file; (bso#13578);
|
||
+ Durable Reconnect fails because cookie.allow_reconnect is not
|
||
set; (bso#13549);
|
||
+ krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
|
||
+ vfs_fruit: Don't unlink the main file; (bso#13441);
|
||
+ smbd: Fix a memleak in async search ask sharemode; (bso#13602);
|
||
+ Fix Samba GPO issue when Trust is enabled; (bso#11517);
|
||
+ samba-tool: Add "virtualKerberosSalt" attribute to
|
||
'user getpassword/syncpasswords'; (bso#13539);
|
||
+ Fix CTDB configuration issues; (bso#13589);
|
||
+ ctdbd logs an error until it can successfully connect to
|
||
eventd; (bso#13592);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 29 15:49:29 UTC 2018 - dmulder@suse.com
|
||
|
||
- Update to samba-4.9.0rc4
|
||
+ s3: smbd: Ensure get_real_filename() copes with empty
|
||
pathnames; (bso#13585);
|
||
+ samba domain backup online/rename commands force user to specify
|
||
password on CLI; (bso#13566);
|
||
+ wafsamba/samba_abi: Always hide ABI symbols which must be
|
||
local; (bso#13579);
|
||
+ Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
|
||
+ Fix memory and resource leaks; (bso#13567);
|
||
+ python: Fix print in dns_invalid.py; (bso#13580);
|
||
+ Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
|
||
+ Fix CTDB configuration issues; (bso#13589);
|
||
+ s3: vfs: time_audit: fix handling of token_blob in
|
||
smb_time_audit_offload_read_recv(); (bso#13568);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 27 09:34:11 UTC 2018 - vcizek@suse.com
|
||
|
||
- Add missing zlib-devel dependency which was previously pulled in
|
||
by libopenssl-devel
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 21 13:39:49 UTC 2018 - dmulder@suse.com
|
||
|
||
- Update to samba-4.9.0rc3+git.22.3fff23ae36e
|
||
+ CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
|
||
returns from malicious servers; (bso#13453);
|
||
+ CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
|
||
with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
|
||
+ CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
|
||
not servicePrincipalName is set on a user; (bso#13552);
|
||
+ CVE-2018-10919: acl_read: Fix unauthorized attribute access via
|
||
searches; (bso#13434);
|
||
+ ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
|
||
+ CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
|
||
is disabled via "ntlm auth"; (bso#13360);
|
||
+ s3-tldap: do not install test_tldap; (bso#13529);
|
||
+ ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
|
||
+ CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
|
||
ltdb_index_dn_attr(); (bso#13374);
|
||
+ ctdb-eventd: Fix CID 1438155; (bso#13554);
|
||
+ Fix CIDs 1438243, (Unchecked return value) 1438244
|
||
(Unsigned compared against 0), 1438245 (Dereference before null check) and
|
||
1438246 (Unchecked return value); (bso#13553);
|
||
+ ctdb: Fix a cut&paste error; (bso#13554);
|
||
+ systemd: Only start smb when network interfaces are up; (bso#13559);
|
||
+ Fix quotas don't work with SMB2; (bso#13553);
|
||
+ s3/smbd: Ensure quota code is only called when quota support
|
||
detected; (bso#13563);
|
||
+ s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
|
||
+ s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
|
||
+ Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 20 21:25:27 UTC 2018 - ddiss@suse.com
|
||
|
||
- Update to 4.6.15
|
||
+ Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230);
|
||
+ Allow idmap_rid to have primary group other than "Domain Users";
|
||
(bsc#1087931).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 20 15:03:01 MDT 2018 - dmulder@suse.com
|
||
|
||
- Update to samba-4.9.0rc2+git.21.a1069afb007
|
||
+ s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
|
||
+ s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check();
|
||
(bso#13535);
|
||
+ samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
|
||
+ s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
|
||
+ Fix portability issues on freebsd; (bso#13520);
|
||
+ DNS wildcard search does not handle multiple labels correctly; (bso#13536);
|
||
+ samba-tool domain trust: Fix trust compatibility to Windows
|
||
Server 1709 and FreeIPA; (bso#13308);
|
||
+ Fix portability issues on freebsd; (bso#13520);
|
||
+ ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
|
||
+ ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT
|
||
option; (bso#13546);
|
||
+ ctdb-doc: Provide an example script for migrating old
|
||
configuration; (bso#13550);
|
||
+ ctdb-event: Implement event tool "script list" command; (bso#13551);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 14 13:06:03 UTC 2018 - nopower@suse.com
|
||
|
||
- Update to samba-4.8.4+git.37.a7a861d7982;
|
||
+ CVE-2018-1139: Weak authentication protocol allowed;
|
||
(bsc#1095048); (bsc#13360);
|
||
+ CVE-2018-1140: Denial of Service Attack on DNS and LDAP server;
|
||
(bsc#1095056); (bso#13466); (bso#13374);
|
||
+ CVE-2018-10858: Insufficient input validation on client directory
|
||
listing in libsmbclient; (bsc#1103411); (bso#13453);
|
||
+ CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server;
|
||
(bsc#1103414); (bso#13552);
|
||
+ CVE-2018-10919: Confidential attribute disclosure from the AD
|
||
LDAP server; (bsc#1095057); (bso#13434);
|
||
+ s3:winbind: winbind normalize names' doesn't work for users;
|
||
(bso#12851);
|
||
+ winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
|
||
+ s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
|
||
+ samdb: Fix building Samba with gcc 8.1; (bso#13437);
|
||
+ s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
|
||
+ smbd: Flush dfree memcache on service reload; (bso#13446);
|
||
+ ldb: Save a copy of the index result before calling the
|
||
+ lib/util: No Backtrace given by Samba's AD DC by default;
|
||
(bso#13454).
|
||
+ s3: smbd: printing: Re-implement delete-on-close semantics for
|
||
print files missing since 3.5.x; (bso#13457).
|
||
+ python: Fix talloc frame use in make_simple_acl(); (bso#13474).
|
||
+ krb5_wrap: Fix keep_old_entries logic for older Kerberos
|
||
libraries;(bso#13478).
|
||
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos;
|
||
(bso#13480).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 1 14:57:51 UTC 2018 - scabrero@suse.de
|
||
|
||
- CVE-2018-10858: Insufficient input validation on client directory
|
||
listing in libsmbclient; (bso#13453); (bsc#1103411);
|
||
- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
|
||
(bso#12851);
|
||
- winbind: avoid using fstrcpy in _dual_init_connection;
|
||
(bso#13294); (bsc#1087303);
|
||
- Fix ntlm authentications with "winbind use default domain = yes";
|
||
(bso#13126); (bsc#1068059);
|
||
- net: fix net ads keytab handling; (bso#13166); (bsc#1067700);
|
||
- fix vfs_ceph flock stub; (bso#13506).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 29 12:08:15 UTC 2018 - scabrero@suse.de
|
||
|
||
- Add missing package descriptions; (bsc#1093864);
|
||
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
|
||
- Call update-apparmor-samba-profile when running samba-ad-dc;
|
||
(bsc#1092099);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 23 14:01:16 UTC 2018 - ddiss@suse.com
|
||
|
||
- Fix vfs_ceph with "aio read size" or "aio write size" > 0;
|
||
(bsc#1093664).
|
||
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
|
||
+ Fix memory leak in vfs_ceph; (bso#13424).
|
||
|
||
- Update to 4.6.14
|
||
+ winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection;
|
||
(bso#13294).
|
||
+ s3:smb2_server: correctly maintain request counters for compound
|
||
requests; (bso#13215).
|
||
+ s3: smbd: Unix extensions attempts to change wrong field in fchown
|
||
call; (bso#13375).
|
||
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338).
|
||
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
|
||
(bso#13297).
|
||
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
|
||
support fdopendir(); (bso#13270).
|
||
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we
|
||
don't own it here; (bso#13244).
|
||
+ s3:libsmb: allow -U"\\administrator" to work; (bso#13206).
|
||
+ CVE-2018-1057: s4:dsdb: fix unprivileged password changes;
|
||
(bso#13272); (bsc#1081024).
|
||
+ s3:smbd: Do not crash if we fail to init the session table;
|
||
(bso#13315).
|
||
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310).
|
||
+ smbXcli: Add "force_channel_sequence"; (bso#13215).
|
||
+ smbd: Fix channel sequence number checks for long-running requests;
|
||
(bso#13215).
|
||
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on
|
||
expired sessions; (bso#13197).
|
||
+ s3:smbd: return the correct error for cancelled SMB2 notifies on
|
||
expired sessions; (bso#13197).
|
||
+ samba: Only use async signal-safe functions in signal handler;
|
||
(bso#13240).
|
||
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 23 09:52:28 UTC 2018 - jmcdonough@suse.com
|
||
|
||
- Update to 4.8.2
|
||
+ After update to 4.8.0 DC failed with "Failed to find our own
|
||
NTDS Settings objectGUID" (bso#13335).
|
||
+ fix incorrect reporting of stream dos attributes on a
|
||
directory (bso#13380).
|
||
+ vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
|
||
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
|
||
+ vfs_ceph: Fix memory leak; (bso#13424).
|
||
+ libsmbclient: Fix hard-coded connection error return of
|
||
ETIMEDOUT; (bso#13419).
|
||
+ s4-lsa: Fix use-after-free in LSA server; (bso#13420).
|
||
+ winbindd: Do re-connect if the RPC call fails in the passdb
|
||
case; (bso#13430).
|
||
+ cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
|
||
+ cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd
|
||
unclean process shutdown; (bso#13414).
|
||
+ ctdb-client: Remove ununsed functions from old client code;
|
||
(bso#13411).
|
||
+ printing: Return the same error code as windows does on upload
|
||
failures; (bso#13395).
|
||
+ nsswitch: Fix memory leak in winbind_open_pipe_sock() when the
|
||
privileged pipe is not accessable; (bso#13400).
|
||
+ s4:lsa_lookup: remove TALLOC_FREE(state) after all
|
||
dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
|
||
+ rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
|
||
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 27 13:57:14 UTC 2018 - scabrero@suse.de
|
||
|
||
- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is
|
||
required by some client libs; (bsc#1074135);
|
||
- Update to 4.8.1; (bsc#1091179);
|
||
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error,
|
||
we don't own it here; (bso#13244);
|
||
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
|
||
support fdopendir(); (bso#13270);
|
||
+ Round-tripping ACL get/set through vfs_fruit will increase the number of
|
||
ACE entries without limit; (bso#13319);
|
||
+ s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit
|
||
issues; (bso#13347);
|
||
+ s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without
|
||
delete access; (bso#13358);
|
||
+ s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
|
||
+ s3: smbd: Unix extensions attempts to change wrong field in fchown call;
|
||
(bso#13375);
|
||
+ ms_schema/samba-tool visualize: Fix python2.6 incompatibility;
|
||
(bso#13337);
|
||
+ Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
|
||
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
|
||
+ winbindd: Recover loss of netlogon secure channel in case the peer DC is
|
||
rebooted; (bso#13332);
|
||
+ s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
|
||
+ ctdb-client: Fix bugs in client code; (bso#13356);
|
||
+ ctdb-scripts: Drop "net serverid wipe" from 50.samba event script;
|
||
(bso#13359);
|
||
+ s3: lib: messages: Don't use the result of sec_init() before calling
|
||
sec_init(); (bso#13368);
|
||
+ libads: Fix the build '--without-ads'; (bso#13273);
|
||
+ winbind: Keep "force_reauth" in invalidate_cm_connection, add
|
||
'smbcontrol disconnect-dc'; (bso#13332);
|
||
+ vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
|
||
+ dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
|
||
+ rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
|
||
+ smbclient: Fix notify; (bso#13382);
|
||
+ Fix smbd panic if the client-supplied channel sequence number wraps;
|
||
(bso#13215);
|
||
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
|
||
+ lib/util: Remove unused '#include <sys/syscall.h>' from tests/tfork.c;
|
||
(bso#13342);
|
||
+ Fix build errors with cc from developerstudio 12.5 on Solaris;
|
||
(bso#13343);
|
||
+ Fix the picky-developer build on FreeBSD 11; (bso#13344);
|
||
+ s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
|
||
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
|
||
+ lib:replace: Fix linking when libtirpc-devel overwrites system headers;
|
||
(bso#13341);
|
||
+ winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid
|
||
query; (bso#13312);
|
||
+ s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
|
||
+ Allow AESNI to be used on all processor supporting AESNI; (bso#13302);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 11 14:55:09 UTC 2018 - aaptel@suse.com
|
||
|
||
- Use new foreground execution flags for systemd samba daemons;
|
||
(bsc#1088574); (bsc#1071090); (bsc#1065551);
|
||
+ Add %post scriptlet to clear old sysconfig flags
|
||
- Update vendor-files to commit 880b3e7.
|
||
+ Set samba sysconfig template variables to ""
|
||
+ Add required daemon flags directly to systemd unit
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 26 22:37:15 UTC 2018 - jengelh@inai.de
|
||
|
||
- Specfile cleanup
|
||
+ Remove %if..%endif guards which don't affect the build
|
||
+ Remove redundant %clean section
|
||
+ Replace old $RPM_* shell vars with macros
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 22 16:28:02 UTC 2018 - dimstar@opensuse.org
|
||
|
||
- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in
|
||
place of systemd and systemd-devel: Allow OBS to optimize the
|
||
workload by allowing the usage of the 'build-optimized' systemd
|
||
packages.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 22 14:20:44 UTC 2018 - dmulder@suse.com
|
||
|
||
- Enable building samba with python3, and create a samba-python3 package.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 15 11:29:04 UTC 2018 - jmcdonough@suse.com
|
||
|
||
- Update to 4.8
|
||
+ New GUID Index mode in sam.ldb for the AD DC
|
||
+ GPO support for samba KDC
|
||
+ Time machine support with vfs_fruit
|
||
+ Encrypted secrets
|
||
+ AD Replication visualization
|
||
+ Improved trust support
|
||
- ability to not scan global trust list
|
||
- AD external trusts have limited support
|
||
- verbose trusted domain listing
|
||
+ VirusFilter VFS module
|
||
+ NT4-style replication removed
|
||
+ vfs_aio_linux removed
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 13 20:12:10 UTC 2018 - david.mulder@suse.com
|
||
|
||
- Disable samba-pidl package, due to the removal of dependency
|
||
perl-Parse-Yapp; (bsc#1085150);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 13 09:49:44 UTC 2018 - jmcdonough@suse.com
|
||
|
||
- Update to 4.7.6;
|
||
+ CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
|
||
(bso#11343); (bsc#1081741);
|
||
+ CVE-2018-1057: Authenticated users can change other users' password;
|
||
(bso#13272); (bsc#1081024).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 7 11:54:50 UTC 2018 - jmcdonough@suse.com
|
||
|
||
- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
|
||
(bso#11343); (bsc#1081741);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 6 23:36:51 UTC 2018 - ddiss@suse.com
|
||
|
||
- Update to 4.6.13; (bsc#1084191)
|
||
+ ceph_statx configure time check doesn't work with a non-default
|
||
--with-libcephfs path; (bso#13250).
|
||
- follow up fix for libceph-common detection; (bso#13277).
|
||
+ Fail to copy file with empty FinderInfo from Windows client to Samba
|
||
share with fruit; (bso#13181).
|
||
+ vfs_ceph uses a local statvfs() call to determine FS capabilities;
|
||
(bso#13208).
|
||
+ smbd tries to release not leased oplock during oplock II downgrade;
|
||
(bso#13193).
|
||
+ smbd panic when chdir returns error during exit; (bso#13189).
|
||
+ ctdb_recovery_helper crashes if recovery process times out; (bso#13188).
|
||
+ POSIX ACL support is broken on hpux and possibly other big-endian OSs;
|
||
(bso#13176).
|
||
+ Kerberos: PKINIT: Can't decode algorithm parameters in
|
||
clientPublicValue; (bso#12986).
|
||
+ g_lock conflict detection broken when processing stale entries.;
|
||
(bso#13195).
|
||
+ The KDC on an RWDC doesn't send error replies in some situations;
|
||
(bso#13132).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 26 22:09:49 UTC 2018 - aaptel@suse.com
|
||
|
||
- Disable python until full python3 port is done; (bsc#1082139);
|
||
+ Remove contents of package samba-python
|
||
+ Remove contents of package libsamba-policy0
|
||
+ Remove contents of package libsamba-policy-devel
|
||
+ Remove library libsamba-python-samba4.so from samba-libs package
|
||
+ Remove library libsamba-net-samba4.so from samba-libs package
|
||
+ Remove smbtorture binary and manpage from samba-test
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 23 15:27:07 UTC 2018 - dmulder@suse.com
|
||
|
||
- samba fails to build with glibc2.27; (bsc#1081042);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 12 09:12:02 UTC 2018 - scabrero@suse.com
|
||
|
||
- Update to 4.7.5; (bsc#1080545);
|
||
+ smbd tries to release not leased oplock during oplock II downgrade;
|
||
(bso#13193);
|
||
+ Fix copying file with empty FinderInfo from Windows client to Samba share
|
||
with fruit; (bso#13181);
|
||
+ build: Deal with recent glibc sunrpc header removal; (bso#10976);
|
||
+ Make Samba work with tirpc and libnsl2; (bso#13238);
|
||
+ vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208);
|
||
(bsc#1075206);
|
||
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
|
||
(bso#12986);
|
||
+ ctdb-recovery-helper: Deregister message handler in error paths;
|
||
(bso#13188);
|
||
+ samba: Only use async signal-safe functions in signal handler; (bso#13240);
|
||
+ Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
|
||
(bso#12986);
|
||
+ repl_meta_data: Fix linked attribute corruption on databases
|
||
with unsorted links on expunge. dbcheck: Add functionality to fix the
|
||
corrupt database; (bso#13228);
|
||
+ Fix smbd panic when chdir returns error during exit; (bso#13189);
|
||
+ Make Samba work with tirpc and libnsl2; (bso#13238);
|
||
+ Fix POSIX ACL support on HPUX and possibly other big-endian OSs;
|
||
(bso#13176);
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 9 13:25:11 UTC 2018 - scabrero@suse.com
|
||
|
||
- Update to 4.7.4; (bsc#1080545);
|
||
+ s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
|
||
+ s3: libsmb: Fix valgrind read-after-free error in
|
||
cli_smb2_close_fnum_recv(); (bso#13171);
|
||
+ s3: libsmb: Fix reversing of oldname/newname paths when creating a
|
||
reparse point symlink on Windows from smbclient; (bso#13172);
|
||
+ Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
|
||
+ repl_meta_data: Allow delete of an object with dangling backlinks;
|
||
(bso#13095);
|
||
+ s4:samba: Fix default to be running samba as a deamon; (bso#13129);
|
||
+ Performance regression in DNS server with introduction of DNS wildcard,
|
||
ldb: Release 1.2.3; (bso#13191);
|
||
+ vfs_zfsacl: Fix compilation error; (bso#6133);
|
||
+ "smb encrypt" setting changes are not fully applied until full smbd
|
||
restart; (bso#13051);
|
||
+ winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
|
||
+ vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
|
||
+ winbindd: Dependency on trusted-domain list in winbindd in critical auth
|
||
codepath; (bso#13173);
|
||
+ repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
|
||
+ ctdb: sock_daemon leaks memory; (bso#13153);
|
||
+ TCP tickles not getting synchronised on CTDB restart; (bso#13154);
|
||
+ winbindd: winbind parent and child share a ctdb connection; (bso#13150);
|
||
+ pthreadpool: Fix deadlock; (bso#13170);
|
||
+ pthreadpool: Fix starvation after fork; (bso#13179);
|
||
+ messaging: Always register the unique id; (bso#13180);
|
||
+ s4/smbd: set the process group; (bso#13129);
|
||
+ Fix broken linked attribute handling; (bso#13095);
|
||
+ The KDC on an RWDC doesn't send error replies in some situations;
|
||
(bso#13132);
|
||
+ libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
|
||
+ g_lock conflict detection broken when processing stale entries;
|
||
(bso#13195);
|
||
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired
|
||
sessions; (bso#13197);
|
||
+ s3:libads: net ads keytab list fails with "Key table name malformed";
|
||
(bso#13166); (bsc#1067700);
|
||
+ Fix crash in pthreadpool thread after failure from pthread_create;
|
||
(bso#13170);
|
||
+ s4:samba: Allow samba daemon to run in foreground; (bso#13129);
|
||
(bsc#1065551);
|
||
+ third_party: Link the aesni-intel library with "-z noexecstack";
|
||
(bso#13174);
|
||
+ vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I"
|
||
options; (bso#13125);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 6 17:52:41 UTC 2017 - kukuk@suse.de
|
||
|
||
- Re-enable usage of libnsl (did got lost with glibc change)
|
||
- Use TI-RPC (sunrpc is deprecated and will be removed soon from
|
||
glibc)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 30 09:31:53 UTC 2017 - scabrero@suse.com
|
||
|
||
- Update to 4.6.11; (bsc#1084191)
|
||
+ vfs_glusterfs: Fix exporting subdirs with shadow_copy2; (bso#13091);
|
||
+ s3: smbclient: Ensure we call client_clean_name() before all
|
||
operations on remote pathnames; (bso#13093);
|
||
+ Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
|
||
+ python: use communicate to fix Popen deadlock; (bso#13127);
|
||
+ smbd on disk file corruption bug under heavy threaded load; (bso#13130);
|
||
+ tevent: version 0.9.34; (bso#13130);
|
||
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
|
||
+ smbd: Move check for SMB2 compound request to new function; (bso#13047);
|
||
+ s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd(); (bso#13100);
|
||
+ s4:pyparam: Fix resource leaks on error; (bso#13101);
|
||
+ s3:smbd: Fix delete-on-close after smb2_find; (bso#13118);
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 29 16:59:07 UTC 2017 - david.mulder@suse.com
|
||
|
||
- smbc_opendir should not return EEXIST with invalid login credentials;
|
||
(bnc#1065868).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 28 17:07:26 UTC 2017 - scabrero@suse.com
|
||
|
||
- Update to 4.7.3; (bsc#1069666);
|
||
+ Non-smbd processes using kernel oplocks can hang smbd;
|
||
(bso#13121);
|
||
+ python: use communicate to fix Popen deadlock; (bso#13127);
|
||
+ smbd on disk file corruption bug under heavy threaded load;
|
||
(bso#13130);
|
||
+ tevent: version 0.9.34; (bso#13130);
|
||
+ s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
|
||
+ CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug;
|
||
(bsc#1060427);(bso#13041);
|
||
+ CVE-2017-15275: s3: smbd: Chain code can return uninitialized
|
||
memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
|
||
- Build with AD DC support only in openSUSE.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 27 14:23:09 UTC 2017 - rbrown@suse.com
|
||
|
||
- Replace references to /var/adm/fillup-templates with new
|
||
%_fillupdir macro (boo#1069468)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 15 17:00:50 UTC 2017 - dmulder@suse.com
|
||
|
||
- samba-tool requires samba-python; (bnc#1067771).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 8 17:21:41 UTC 2017 - scabrero@suse.de
|
||
|
||
- CVE-2017-14746: Use-after-free vulnerability; (bso#13041);
|
||
(bsc#1060427);
|
||
- CVE-2017-15275: Server heap memory information leak;
|
||
(bso#13077); (bsc#1063008);
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 7 07:43:54 UTC 2017 - scabrero@suse.com
|
||
|
||
- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
|
||
- Update to 4.7.1;
|
||
+ Fix exporting subdirs with shadow_copy2; (bso#13091);
|
||
+ Currently if getwd() fails after a chdir(), we panic; (bso#13027);
|
||
+ Ensure default SMB_VFS_GETWD() call can't return a partially completed
|
||
struct smb_filename; (bso#13068);
|
||
+ sys_getwd() can leak memory or possibly return the wrong errno on older
|
||
systems; (bso#13069);
|
||
+ smbclient doesn't correctly canonicalize all local names before use;
|
||
(bso#13093);
|
||
+ Fix broken linked attribute handling; (bso#13095);
|
||
+ Missing LDAP query escapes in DNS rpc server; (bso#12994);
|
||
+ Link to -lbsd when building replace.c by hand; (bso#13087);
|
||
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
|
||
(bso#6133);
|
||
+ Map SYNCHRONIZE acl permission statically in zfs_acl vfs module;
|
||
(bso#7909);
|
||
+ Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module;
|
||
(bso#7933);
|
||
+ Missing assignment in sl_pack_float; (bso#12991);
|
||
+ Wrong Samba access checks when changing DOS attributes; (bso#12995);
|
||
+ samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
|
||
+ groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
|
||
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
|
||
(bso#13076);
|
||
+ man pages: Properly ident lists; (bso#9613);
|
||
+ smb.conf.5: Sort parameters alphabetically; (bso#13081);
|
||
+ Fix GUID string format on GetPrinter info; (bso#12993);
|
||
+ Remote serverid check doesn't check for the unique id; (bso#13042);
|
||
+ CTDB starts consuming memory if there are dead nodes in the cluster;
|
||
(bso#13056);
|
||
+ ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
|
||
+ libgpo doesn't sort the GPOs in the correct order; (bso#13046);
|
||
+ Remote serverid check doesn't check for the unique id; (bso#13042);
|
||
+ vfs_catia: Fix a potential memleak; (bso#13090);
|
||
+ Fix file change notification for renames; (bso#12903);
|
||
+ Samba DNS server does not honour wildcards; (bso#12952);
|
||
+ Can't change password in samba from a Windows client if Samba runs on
|
||
IPv6 only interface; (bso#13079);
|
||
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
|
||
+ Apple client can't cope with SMB2 async replies when creating symlinks;
|
||
(bso#13047);
|
||
+ s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
|
||
+ Fix ntstatus_gen.h generation on 32bit; (bso#13099);
|
||
+ Fix a double free in vfs_gluster_getwd(); (bso#13100);
|
||
+ Fix resouce leaks and pointer issues; (bso#13101);
|
||
+ vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 27 07:48:17 UTC 2017 - scabrero@suse.de
|
||
|
||
- Update to 4.6.9; (bsc#1065066);
|
||
+ Reverse sense of 'clear all attributes', ignore attribute change in SMB2
|
||
to match SMB1; (bso#12899);
|
||
+ SMBC_setatr() initially uses an SMB1 call before falling back;
|
||
(bso#12913);
|
||
+ Fix segfault on MacOS 10.12.3 clients caused by SMB_VFS_GET_COMPRESSION;
|
||
(bso#13003);
|
||
+ sys_getwd() can leak memory or possibly return the wrong errno on older
|
||
systems; (bso#13069);
|
||
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
|
||
(bso#6133);
|
||
+ Map SYNCHRONIZE acl permission statically; (bso#7909);
|
||
+ Honor SEC_STD_WRITE_OWNER bit; (bso#7933);
|
||
+ Kernel oplocks still have issues with named streams; (bso#12791);
|
||
+ Handle EACCES when fetching DOS attributes; (bso#12944);
|
||
+ Missing assignment in sl_pack_float; (bso#12991);
|
||
+ Fix wrong Samba access checks when changing DOS attributes; (bso#12995);
|
||
+ Groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
|
||
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
|
||
(bso#13076);
|
||
+ Fix GUID string format on GetPrinter info; (bso#12993);
|
||
+ Match WS2016 ReFS set compression behaviour; (bso#12144);
|
||
+ Fix implementation of process_exists control; (bso#13012);
|
||
+ GET_DB_SEQNUM control can cause ctdb to deadlock when databases are
|
||
frozen; (bso#13021);
|
||
+ Free up record data if a call request is deferred; (bso#13029);
|
||
+ Initialize ctdb_ltdb_header completely for empty record; (bso#13036);
|
||
+ CTDB starts consuming memory if there are dead nodes in the cluster;
|
||
(bso#13056);
|
||
+ Ignore event scripts with multiple '.'s; (bso#13070);
|
||
+ Sort the GPOs in the correct order; (bso#13046);
|
||
+ 'smbd' uses a lot of CPU on startup of a connection; (bso#12973);
|
||
+ Fix str[n]casecmp_m() by comparing lower case values; (bso#13018);
|
||
+ Can't change password in Samba from a windows client if Samba runs on
|
||
IPv6 only interface; (bso#13079);
|
||
+ Fix file change notification for renames; (bso#12903);
|
||
+ Avoid a socket leak after fork; (bso#13006);
|
||
+ Fix a potential memleak; (bso#13090);
|
||
+ Fix passing of errno from async calls; (bso#12983);
|
||
+ Fix segfault when running with log level 10; (bso#13032);
|
||
+ Do not report an invalid range for AD DC role; (bso#12629);
|
||
+ Print the kinit failed message with DBGLVL_NOTICE; (bso#12704);
|
||
+ Fix changing passwords with Kerberos; (bso#12956);
|
||
+ Fix changing the password with 'smbpasswd' as a local user on a domain
|
||
member; (bso#12975);
|
||
+ Fix a read after free if a chained SMB1 call goes async; (bso#12836);
|
||
+ CVE-2017-12163: Prevent client short SMB1 write from writing server memory
|
||
to file; (bso#13020);
|
||
+ Let non_widelink_open() chdir() to directories directly; (bso#12885);
|
||
+ CVE-2017-12151: Keep required encryption across SMB3 dfs redirects;
|
||
(bso#12996);
|
||
+ CVE-2017-12150: Some code path don't enforce smb signing when they should;
|
||
(bso#12997);
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 23 15:10:32 UTC 2017 - dimstar@opensuse.org
|
||
|
||
- Add samba-kdc to baselibs.conf.
|
||
- Do not wrap samba-kdc's package definition into if/endif: the
|
||
package won't be generated simply based on the fact that there is
|
||
no files section for the package. Allows the source validator to
|
||
ensure samba-kdc is a built package.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 28 11:25:54 UTC 2017 - scabrero@suse.com
|
||
|
||
- Update to 4.7.0;
|
||