ALT Linux repos
S: | 4.17.11-alt1 |
5.0: | 3.0.33-alt4 |
4.1: | 3.0.30-alt3 |
4.0: | 3.0.33-alt1.M40.1 |
+updates: | 3.0.33-alt1.M40.1 |
3.0: | 3.0.14a-alt2 |
+backports: | 3.0.28-alt1 |
Group :: System/Servers
RPM: samba
23 september 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.11-alt1
- Update to security release of Samba 4.17
- smbd fileserver fixes (Samba#15419, Samba#15420, Samba#15430, Samba#15432,
Samba#15417, Samba#15346, Samba#15453, Samba#15435):
+ Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink().
+ reply_sesssetup_and_X() can dereference uninitialized tmp pointer.
+ Missing return in reply_exit_done().
+ TREE_CONNECT without SETUP causes smbd to use uninitialized pointer.
+ Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted
to remove the destination.
+ 2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2.
+ File doesn't show when user doesn't have permission if
aio_pthread is loaded.
+ Regression DFS not working with widelinks = true.
- replication fixes (Samba#15401, Samba#15407):
+ Improve GetNChanges to address some (but not all "Azure AD Connect")
synchronisation tool looping during the initial user sync phase.
+ Samba replication logs show (null) DN.
- tools fixes (Samba#15384, Samba#15441, Samba#15451):
+ net ads lookup (with unspecified realm) fails
+ samba-tool ntacl get segfault if aio_pthread appended.
+ ctdb_killtcp fails to work with --enable-pcap and libpcap >= 1.9.1.
- other protocol fixes (Samba#15446, Samba#9959, Samba#15463,
Samba#15449, Samba#15342, Samba#15427):
+ DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
+ Windows client join fails if a second container CN=System exists somewhere.
+ macOS mdfind returns only 50 results.
+ mdssvc: Do an early talloc_free() in _mdssvc_open().
+ Spotlight sometimes returns no results on latest macOS.
+ Spotlight results return wrong date in result list.
- Compatibility fixes of spec (thx asheplyakov@):
+ added missing BR: alternatives.
+ added rpm-macros-alternatives as a pre-requirement.
+ added missing build-requirements: flex, liblmdb-devel.
+ dropped obsolete build dependency on gtk+2.
+ samba-client: libldb-cmdline-samba4.so.
- Disabled tracker backend in spotlight (obsolete with version less than 3.x).
- Disabled glusterfs on armh because it is not supported on this architecture.
- Update to maintenance release of Samba 4.17:
+ Secure channel faulty since Windows 10/11 update 07/2023 (KB5028166).
- Security fixes (Samba#15418):
+ CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
crafted request can trigger an out-of-bounds read in winbind
and possibly crash it.
https://www.samba.org/samba/security/CVE-2022-2127.html
+ CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
"server signing = required" or for SMB2 connections to Domain
Controllers where SMB2 packet signing is mandatory.
https://www.samba.org/samba/security/CVE-2023-3347.html
+ CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
Spotlight can be triggered by an unauthenticated attacker by
issuing a malformed RPC request.
https://www.samba.org/samba/security/CVE-2023-34966.html
+ CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
Spotlight can be used by an unauthenticated attacker to
trigger a process crash in a shared RPC mdssvc worker process.
https://www.samba.org/samba/security/CVE-2023-34967.html
+ CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
side absolute path of shares and files and directories in
search results.
https://www.samba.org/samba/security/CVE-2023-34968.html
- Update to maintenance release of Samba 4.17:
+ smbd_scavenger crashes when service smbd is stopped (Samba#15275).
+ vfs_fruit might cause a failing open for delete (Samba#15378).
+ named crashes on DLZ zone update (Samba#14030).
+ winbind recurses into itself via rpcd_lsad (Samba#15361).
+ cli_list loops 100% CPU against pre-lanman2 servers (Samba#15382).
+ smbclient leaks fds with showacls (Samba#15391).
+ aes256 smb3 encryption algorithms are not allowed in
smb3_sid_parse() (Samba#15374).
+ winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR (Samba#15413).
+ smbget memory leak if failed to download files recursively (Samba#15403).
- Add check with admx-lint for group policy templates validation.
- Update to maintenance release of Samba 4.17:
+ log flood: smbd_calculate_access_mask_fsp: Access denied: message level
should be lower (Samba#15302).
+ Floating point exception (FPE) via cli_pull_send at
source3/libsmb/clireadwrite.c (Samba#15306).
+ Reduce flapping of ridalloc test (Samba#15329).
+ large_ldap test is unreliable (Samba#15351).
+ New filename parser doesn't check veto files smb.conf parameter (Samba#15143).
+ mdssvc may crash when initializing (Samba#15354).
+ Large directory optimization broken for non-lcomp path elements (Samba#15313).
+ streams_depot fails to create streams (Samba#15357).
+ shadow_copy2 and streams_depot don't play well together (Samba#15358).
+ wbinfo -u fails on ad dc with >1000 users (Samba#15366).
+ winbindd idmap child contacts the domain controller without a
need (Samba#15317).
+ idmap_autorid may fail to map sids of trusted domains for the first
time (Samba#15318).
+ idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings (Samba#15319).
+ net ads search -P doesn't work against servers in other domains (Samba#15323).
+ DS ACEs might be inherited to unrelated object classes (Samba#15338).
+ Temporary smbXsrv_tcon_global.tdb can't be parsed (Samba#15353).
+ Setting veto files = /.*/ break listing directories (Samba#15360).
+ CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes) (Samba#14810).
+ Reduce flapping of ridalloc test (Samba#15329).
+ dsgetdcname: assumes local system uses IPv4 (Samba#15325).
- Update to maintenance release of Samba 4.17 with update libldb to 2.6.2:
+ ldb wildcard matching makes excessive allocations (Samba#15331).
- Security fixes (Samba#15276, Samba#15270, Samba#15315, Samba#14810):
+ CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
+ CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
+ CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
+ CVE-2020-25720 Create Child permission should not allow full write to all
attributes (additional changes).
- Update to maintenance release of Samba 4.17:
+ streams_xattr is creating unexpected locks on folders (Samba#15314).
+ Use of the Azure AD Connect cloud sync tool is now supported for password
hash synchronisation, allowing Samba AD Domains to synchronise passwords
with this popular cloud environment (Samba#10635).
+ New samba-dcerpc architecture does not scale gracefully (Samba#15310).
+ vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd()
in close and fstat (Samba#15307).
+ fd_load() function implicitly closes the fd where it should not (Samba#15311).
- Revert not treat of missing include file as an error in handle_include().
This behavior differs between the source3 and source4 parts of Samba.
So, it should be the same and just not an error (Closes #44214).
- Fix doc knob
- Update to stable release of Samba 4.17 with latest bugfixes and new features:
+ Support Protected Users security group introduced in Windows Server 2012 R2.
+ Resource Based Constrained Delegation (RBCD) support with samba-dc-mitkrb5.
+ Customizable DNS listening port to use another DNS server as a front and
forward to Samba.
+ Operation without the (unsalted) NT password hash security support.
+ Support for modern Python API for smbconf.
+ JSON support for smbstatus.
+ LanMan Authentication and password storage removed from the AD DC.
- Configure without the SMB1 Server not enabled yet.
- Update to maintenance release of Samba 4.16
- Security fixes:
+ CVE-2022-38023: Samba should refuse RC4 (aka md5) based SChannel on
NETLOGON (Samba#15240).
- Major fixes:
+ smbc_getxattr() return value is incorrect (Samba#14808).
+ samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when
there is only an AAAA record for the DC in DNS (Samba#15226).
+ smbd crashes if an FSCTL request is done on a stream handle (Samba#15236).
+ auth3_generate_session_info_pac leaks wbcAuthUserInfo (Samba#15286).
+ Leak in wbcCtxPingDc2 (Samba#15164).
+ irpc_destructor may crash during shutdown (Samba#15280).
- Share enumeration (netshareenum) fixes:
+ %U for include directive doesn't work for share listing (Samba#15243).
+ Shares missing from netshareenum response in samba 4.17.4 (Samba#15266).
+ Access based share enum does not work in Samba 4.16+ (Samba#15265).
+ Crash during share enumeration (Samba#15267).
- Update to maintenance release of Samba 4.16 with fixes of the Samba CVE for
the Windows Kerberos Elevation of Privilege Vulnerability disclosed by
Microsoft on Nov 8 2022 (CVE-2022-37967, CVE-2022-37966).
- Security fixes:
+ CVE-2022-37966: A Samba Active Directory DC will issue weak rc4-hmac
session keys for use between modern clients and servers
despite all modern Kerberos implementations supporting
the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy' would force
rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96
(Samba#13135, Samba#15219, Samba#15237).
https://www.samba.org/samba/security/CVE-2022-37966.html
+ CVE-2022-37967: A service account with the special constrained
delegation permission could forge a more powerful
ticket than the one it was presented with (Samba#15231).
https://www.samba.org/samba/security/CVE-2022-37967.html
+ CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
same algorithms as rc4-hmac cryptography in Kerberos,
and so must also be assumed to be weak (Samba#15240).
https://www.samba.org/samba/security/CVE-2022-38023.html
- Update text of summary for role-usershares and smb-conf-usershares.
- Update default usershare prefix allow and deny lists:
+ usershare prefix deny list = /etc /dev /sys /proc
+ usershare prefix allow list = /home /srv /mnt /media /var
- Add new controls for samba-usershares:
+ smb-conf-usershare-allow-list
+ smb-conf-usershare-deny-list
+ smb-conf-usershare-owner-only
+ smb-conf-usershare-allow-guests
- Add role-sambashare control for compatibility during upgrade from previous
manual managed settings of usershares.
- Trigger sambashare as role with privilege usershares (Closes: #44379).
- Avoid cycle dependencies on common service files.
- Fix cycle dependencies on libRPC and libREG samba4 libraries.
- Add role-usershares control allow or disallow for group users using of
samba usershares as privilege.
- Add compatibility support for sambashare group as common privilege assigned
to usershares group (Closes: #44379).
- Update to maintenance release of Samba 4.16 (Samba#15203)
- Security fixes:
+ CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
integer overflows when parsing a PAC on a 32-bit system, which
allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
Workaround and mitigations:
* No workaround on 32-bit systems as an AD DC
* file servers are only impacted if in a non-AD domain
* 64-bit systems are not exploitable
- Don't treat a missing include file as an error in handle_include().
This behavior differs between the source3 and source4 parts of Samba.
So, it should be the same and just not an error (Closes #44214).
- Update to maintenance release of Samba 4.16 (Samba#15134)
- Security fixes:
+ CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
- Add samba-usershares package for support for non-root user shares.
- Default smb.conf simplified - homes, printers and print$ shares enabled by
default. Original large default example smb.conf replaced to smb.conf.example.
- Update to latest stable release of Samba 4.16
- Major fixes:
+ Possible use after free of connection_struct when iterating
smbd_server_connection->connections (Samba#15128).
+ Spotlight RPC service returns wrong response when Spotlight is
disabled on a share (Samba#15086).
+ acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr (Samba#15126).
+ Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197 (Samba#15153).
+ Missing READ_LEASE break could cause data corruption (Samba#15148).
+ rpcclient can crash using setuserinfo(2) (Samba#15124).
+ Samba fails to build with glibc 2.36 caused by including
<sys/mount.h> in libreplace (Samba#15132).
+ SMB1 negotiation can fail to handle connection errors (Samba#15152).
+ samba-tool domain join segfault when joining a samba ad domain (Samba#15078).
- Add support (Heimdal only) of "ignore requester sid" global option for the
correct operation of trust relationships with oldest versions of MS AD without
KB5008380 Authentication updates (CVE-2021-42287).
- Update to latest stable release of Samba 4.16
- Major fixes:
+ New samba-dcerpcd binary to provide DCERPC in the member server setup.
+ Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support.
+ Certificate Auto Enrollment support with internal group policy mechanism.
+ Ability to add ports to dns forwarder addresses in internal DNS backend.
+ Older SMB1 protocol SMBCopy command removed.
+ SMB1 server-side wildcard expansion removed.
+ SMB1 protocol has been deprecated, particularly older dialects.
+ No longer using Linux mandatory locks for sharemodes.
- Update to security release of Samba 4.15
- Security fixes:
+ CVE-2022-2031: Samba AD users can bypass certain restrictions associated
with changing passwords (Samba#15047).
+ CVE-2022-32744: Samba AD users can forge password change requests for any
user (Samba#15074).
+ CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
or modify request (Samba#15008).
+ CVE-2022-32746: Samba AD users can induce a use-after-free in the server
process with an LDAP add or modify request (Samba#15009).
+ CVE-2022-32742: Server memory information leak via SMB1 (Samba#15085).
- Update to maintenance release of Samba 4.15 with latest bugfixes:
+ Setting fruit:resource = stream in vfs_fruit causes a panic (Samba#15099).
+ Fix logging dsdb audit to specific files (Samba#15076).
+ Fix vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had
been deleted (Samba#15069).
+ Remove netgroups support (Samba#15087).
+ Fix smbclient commands del & deltree fail with
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS (Samba#15100).
+ Fix out-by-4 error in smbd read reply max_send clamp (Samba#14443).
+ s3:libads: Check if we have a valid sockaddr (Samba#15106).
+ smbd: Make non_widelink_open() robust for non-cwd dirfsp (Samba#15105).
- Add samba-krb5-printing with CUPS backend for printing with Kerberos support.
- Fix samba-tool domain backup DC with forced local samdb.
- samba-dc: Replace internal helper program performing asynchronous
printing-related jobs (samba-bgqd) to internal package directory.
- Revert get_naming_master() for dc replica join, which requires due only domain
naming master can create application directory partitions.
- Fix smbd doesn't handle UPNs for looking up names (Samba#15054).
- Fix net ads info shows LDAP Server: 0.0.0.0 (Samba#14674).
- Fix logging dsdb audit to specific files does not work (Samba#15076).
- Fix use pathref fd instead of io fd in vfs_default_durable_cookie (Samba#15042).
- Fix vfs_gpfs recalls=no option prevents listing files (Samba#15055).
- Fix smbget manpage (no &stdarg.encrypt anymore).
- Update to release of Samba 4.15 with SMB multi-channel, Offline Domain Join,
samba-tool dns zoneoptions for aging control, samba-tool domain backup offline
with the LMDB backend and always use enterprise principals for Kerberos (so
that the DC will be able to redirect ticket requests to the right DC) support.
- Update to latest bugfix release of Samba 4.14
- Fixes:
+ Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
+ Samba does not respond with STATUS_INVALID_PARAMETER when opening 2 objects with
same lease key.
+ NT error code is not set when overwriting a file during rename in libsmbclient.
+ net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
+ wbinfo -a doesn't work reliably with upn names.
+ Problem when winbind renews Kerberos.
+ NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
SMBC_server_internal.
+ Multiple RODC fixes:
- Simple bind doesn't work against an RODC (with non-preloaded users).
- Crash of winbind on RODC.
- Uncached logon on RODC always fails once.
- Changing the machine password against an RODC likely destroys the domain join.
- Simple bind doesn't work against an RODC (with non-preloaded users).
+ Avoid mixing the main krbtgt account keys with an RODC if the
msDS-KeyVersionNumber is larger than 65535 (set 16 upper bits to zero).
+ Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+ LDAP simple binds should honour "old password allowed period".
+ Fix ldap simple bind with TLS auditing.
+ "password hash userPassword schemes = CryptSHA256" does not seem to work
with samba-tool.
- Fix linking of some libraries (libsmbldap.so.2.1.0, libpopt-samba3-samba4.so,
libsamba-modules-samba4.so, winbind_krb5_locator.so and smbpasswd.so):
+ find-requires: ERROR: /usr/lib/rpm/lib.req failed.
- Update to latest security release of Samba 4.14
- Security fixes:
+ CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
+ CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
- Update for the latest fixes release of Samba 4.14
+ Fix resolv_wrapper with glibc 2.34
+ kill_tcp_connections does not work
+ Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL
+ Can't connect to Windows shares not requiring authentication using KDE/Gnome
+ Duplicate SMB file_ids leading to Windows client cache poisoning
+ Missing pop_sec_ctx() in error path inside close_directory()
+ rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
- Apply s4u support patch for samba-4.15 (due to the already updated kdb code base):
+ basic local realm S4U support
+ enable S4U client support for MIT build
+ wip: for canonicalization with new MIT kdc code
- Update to latest maintenance release of Samba 4.14.
- Fix broken recursive directory delete with veto files.
- Fix directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory.
- Update for the latest fixes release of Samba 4.14
+ CVE-2020-25727 idmap_nss, krb5 and s3-auth regressions
+ CVE-2021-3670 ldap_server, dsdb/anr and ldb (libldb-2.3.2-alt2) regressions
+ smbd: s3-dsgetdcname: handle num_ips == 0
+ dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
+ lib: handle NTTIME_THAW in nt_time_to_full_timespec()
+ IPA DC: add missing checks
+ s3:winbindd: fix "allow trusted domains = no" regression
- Update to be more compatible with ALT distributions:
+ loadparm: Set parameter "min domain uid" default value to 500.
- Add support samba-tool-plus alternative for samba-dc build with heimdal.
- Rebuild with updated ldb-2.3.2 with backported all C code changes from
ldb-2.4.1 to be available for Samba 4.14.x.
- Update to latest security release of Samba 4.14
- Security fixes:
+ CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
https://www.samba.org/samba/security/CVE-2016-2124.html
+ CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
+ CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets
issued by an RODC.
https://www.samba.org/samba/security/CVE-2020-25718.html
+ CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
Kerberos tickets.
https://www.samba.org/samba/security/CVE-2020-25719.html
+ CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
(eg objectSid).
https://www.samba.org/samba/security/CVE-2020-25721.html
+ CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
checking of data stored.
https://www.samba.org/samba/security/CVE-2020-25722.html
+ CVE-2021-3738: Use after free in Samba AD DC RPC server.
https://www.samba.org/samba/security/CVE-2021-3738.html
+ CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
https://www.samba.org/samba/security/CVE-2021-23192.html
- Update to latest security release of Samba 4.14
- Backport bronze bit fixes, tests, and selftest improvements. Provide a fix
for MS in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation
bypass in Samba with embedded Heimdal (Fixes: CVE-2020-17049).
- Update to latest security release of Samba 4.14
- Fix performance regressions in lsa_LookupSids3/LookupNames4 since Samba 4.9 by
using an explicit database handle cache and address a significant in database
access in the AD DC since Samba 4.12.
- Fix an unauthenticated user can crash the AD DC KDC by omitting the server name
in a TGS-REQ (Fixes: CVE-2021-3671).
- Add pythonarchdir replacement due to compatibility with alt security
python trust mode (enabled if /etc/alt/security/python-trust exists).
- Use parallel make install.
- Make building and installing more verbose.
- Explicitly list architectures where ceph is enabled
(fixes build on riscv64).
- Fix net ads join segmentation fault problem if ldap SRV host record not found.
- Add dependency lmdb-utils to samba-dc-common because it is necessary
for mdb store backend permits database sizes greater than 4Gb
- Update to latest release of Samba 4.14 with smbd fixes
- Update to latest release of Samba 4.14 with smbd and samba-tool fixes
- Update to latest release of Samba 4.14 with ensure POSIX default ACL
is mapped into returned Windows ACL for directory handles and fix
uninitialized memory read in process_symlink_open() when used with
vfs_shadow_copy2() for smbd.
- winbindd: Fix a startup race with allocate_gid (Samba#14678)
- Fix doc knob
- Update with latest fixes (Samba#14695, Samba#14696)
- Fix backward compatibility to fixed version of libldb with CVE-2021-20254.
- Replace auth and vfs libraries from samba-libs to samba-dc-libs and samba packages.
- Build without separated libnetapi private library.
- Fix buffer overrun in sids_to_unixids() (Fixes: CVE-2021-20254)
- Final migration to /run directory (Closes: 35891, 36652, 39992)
- Avoid build problems on e2k
- Multiple build fixes:
+ Revert to use macros for e2k (because ALT#36315 was fixed).
+ Add samba-common-client subpackage with smb.conf and its staff only.
+ Add dumpmscat utility with libtasn1-devel and libtasn1-utils buildrequires.
+ Replace mdfind and mvxattr to samba-client from samba-common-tools.
+ Support pdbedit in separate heimdal server build.
+ Add /usr/include/samba-4.0 directory to devel packages.
+ Shift shared libraries between samba-libs and samba-common-libs to avoid
cyclical dependencies.
- Add separate admx-samba subpackage with Samba ADMX policy templates.
- Replace ADMX policy templates to common PolicyDefinitions directory.
- Set buildarch of samba-common and samba-dc-common to noarch.
- Update to latest stable security release of the Samba 4.14
- Security fixes:
+ CVE-2020-27840: Heap corruption via crafted DN strings
+ CVE-2021-20277: Out of bounds read in AD DC LDAP server
- Update to release of Samba 4.14 with client Group Policy support
- Update to latest release of Samba 4.13
- Update to latest release of Samba 4.13:
+ Insecure wide links functionality has been moved into a separate VFS module;
+ NT4-like 'classic' Samba domain controller mode and SMBv1 only protocol
options have been deprecated.
- Add snapper VFS module in separate samba-vfs-snapper package because it requires DBus.
- Add samba group policy ADMX files to samba-dc-common package.
- Add elasticsearch backend mappings json file for Metadata Search Service (mdssvc)
to samba-common package.
- Update to latest release of Samba 4.12
- Spotlight searches against an SMB server mdfind utility in samba-common-tools
conflicts with gnustep-gworkspace because it also includes mdfind (closes: 39295)
- Update to latest release of Samba 4.12
- Update to latest stable security release of the Samba 4.12
- Security fixes:
+ CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
+ CVE-2020-14323: Unprivileged user can crash winbind
+ CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records
- Update to newest release of Samba 4.12
- Update to latest stable security release of the Samba 4.11
- Update to latest stable security release of the Samba 4.11
- Security fixes:
+ CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon")
https://www.samba.org/samba/security/CVE-2020-1472.html
- Update to latest stable security release of the Samba 4.11
- Update to latest fixes from testing
- Remove deprecated libwbclient install as alternative with libwbclient-sssd
- Fix pygpo double memory free stackframe in py_ads_get_gpo_list()
- Update to latest stable security release of the Samba 4.11
- Security fixes:
+ CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
LDAP Server with ASQ, VLV and paged_results
+ CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU
+ CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
+ CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd
- Update to latest stable bugfix release of the Samba 4.11
- Build with ldb 2.0.11, LMDB databases can grow without bounds.
- Fix glusterfs build requires (Closes: 38038)
- Apply patches from fedora:
+ Add use the new des_crypt56_gnutls() and remove builtin DES crypto
+ Remove DES support if MIT Kerberos version does not support it
+ Create working private krb5.conf because it is used by DNS update tool and should
have enough details to authenticate with GSS-TSIG when running nsupdate
- Update to latest stable bugfix release of the Samba 4.11
- Update to latest stable security release of the Samba 4.11
- Security fixes:
+ CVE-2020-10700: Fix use-after-free in AD DC LDAP server when ASQ and paged_results combined
+ CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in Samba AD DC
- Update to latest spring release of Samba 4.11
- Fix search with scope ONE and small result sets with ldb-2.0.9
- Update to newest release of Samba 4.11
- Update to latest stable release of the Samba 4.10
- Security fixes:
+ CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic
+ CVE-2019-14907: Crash after failed character conversion at log level 3 or above
+ CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC
- Build without python2 support
- Get rid of ubt macros
- Update to last security winter release
- Security fixes:
+ CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server
+ CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC
- Update to second security autumn release
- Security fixes:
+ CVE-2019-10218 Client code can return filenames containing path separators
+ CVE-2019-14833 Samba AD DC check password script does not receive the full password
+ CVE-2019-14847 User with "get changes" permission can crash AD DC LDAP server via dirsync
- Update to latest autumn release
- Add requires samba-dc-mitkrb5 for samba
- Use krb5.conf from the Samba private directory in MIT KDC service
- Update to first security autumn release
- Fix samba-gpupdate check sysvol path with ignore case for compatibility
- Security fixes:
+ CVE-2019-10197 Permissions check deny can allow user to escape from the share
- Update to final summer release with fixed joining a Windows pre-2008R2 DC
- Fix lookup requests from AD DCs over LSA RPC to FreeIPA domain controller
- Change lstat to stat check in directory_create_or_exist for compatibility
with oldstyle /var/run because it is a symlink in modern Linux installations
- Update to latest summer release
- Update to latest security release
- Security fixes:
+ CVE-2019-12435 Samba AD DC Denial of Service in DNS management server (dnsserver)
+ CVE-2019-12436 Samba AD DC LDAP server crash (paged searches)
- Partial fixes for SMBLoris vulnerability on smbd
+ Add smbd read timeout parameter
+ Set max smbd processes to 768
- Remove conflict to libwbclient-sssd due to the problem that apt install
it for with gssntlmssp-debuginfo (Closes: 36750)
- New metapackage task-samba-dc-mitkrb5 to install complete Domain Controller
with MIT Kerberos server and libraries
- Add requires samba-common-tools for samba-common
- Build with MIT and Heimdal separately
- Fix upgrade of latest samba-4.9 builds from branches
- Update to latest security release
- Security fixes:
+ CVE-2018-16860 Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
- Initial support build with MIT and Heimdal separately:
+ Replace common DC and Winbind common files to separate subpackages
+ Add samba-vfs-cephfs and samba-vfs-glusterfs subpackages
- Update to spring security release
- Security fixes:
+ CVE-2019-3870 World writable files in Samba AD DC private/ dir
+ CVE-2019-3880 Save registry file outside share as unprivileged user
- Update to second release of Samba 4.10
- Update to first release of Samba 4.10
- Fix build compatibility for newest architectures with not exists
macros on stable branches
- Update to latest release with security ldb fixes (CVE-2019-3824)
- Prepare to replace runtime files from /var/run to /run directory
- disable support ceph on 32-bit arch
- Merge samba and samba-DC packages into single package
- Rename samba-DC to samba-dc for compatibility
- Merge and rebuild for e2k
- Change group access for private directory due to effective mask with acl
- Update to first winter security release
- Security fixes regressions:
+ CVE-2018-16853 Do not segfault if client is not set
+ CVE-2018-14629 Fix CNAME loop prevention using counter regression
- Update to autumn security release
- Revert Samba DC to build with internal Heimdal Kerberos implementation
- Clean test module of third_party/iso8601 and subunit modules
- Security fixes:
+ CVE-2018-14629 Unprivileged adding of CNAME record causing loop in AD Internal DNS server
+ CVE-2018-16841 Double-free in Samba AD DC KDC with PKINIT
+ CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
+ CVE-2018-16852 NULL pointer de-reference in Samba AD DC DNS servers
+ CVE-2018-16853 Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)
+ CVE-2018-16857 Bad password count in AD DC not always effective
- Rebuild latest release of Samba 4.9 without ubt macros
- Update to latest autumn release
- Disable ubt macros due to binary package identity change
- Update to second release of Samba 4.9
- Update to first release of Samba 4.9
- Fixed the patch which allows joining to Windows based domain controllers
- Update to latest summer release
- Update to summer security release
- Security fixes:
+ CVE-2018-1139 Weak authentication protocol allowed
+ CVE-2018-1140 Denial of Service Attack on DNS and LDAP server
+ CVE-2018-10858 Insufficient input validation on client directory
listing in libsmbclient
+ CVE-2018-10918 Denial of Service Attack on AD DC DRSUAPI server
+ CVE-2018-10919 Confidential attribute disclosure from the AD LDAP server
+ Build with subpackage for Python3
- Rebuild Samba DC with MIT Kerberos
- Fix join.py with automatically connect to domain naming master
- Update to new summer release of Samba 4.8
- Update to first summer release of Samba 4.7
- Fix doc knob: task-samba-dc should conditionally R: samba-DC-doc
- Rebuild for e2k with missing SYS_setgroups32
- Disable glusterfs and cephfs for e2k
- Disable cephfs support for mipsel
- Split samba-DC-common to separate samba-DC-common-tools
- Fix build against new python Sisyphus release with libnsl2
- Update to latest release of Samba 4.8
- Update to first spring release of Samba 4.7
- Update to latest winter release of Samba 4.7
- Rebuild security release (Fixes: CVE-2018-1050, CVE-2018-1057) with old
ceph version without libceph-common for c7/c8
- Update to spring security release
- Security fixes:
+ CVE-2018-1050 Codenomicon crashes in spoolss server code
+ CVE-2018-1057 Unprivileged user can change any user (and admin) password
- Update to second winter release with common bugfixes
- Fix trouble with joined machine account moving when it already exists.
Move it only if the admin specified an explicit OU (Samba bug #12696)
- Update to first winter release of Samba 4.7
- Update to first winter release with common bugfixes (closes: 33210)
- Backport from Heimdal upstream include/includedir directives for krb5.conf
- Update for second autumn security release of Samba 4.7
- Second autumn security release (Fixes: CVE-2017-14746, CVE-2017-15275)
- Update to third autumn release of Samba 4.7
- Update for third autumn release with common bugfixes
- Update for second autumn release with common bugfixes of Samba 4.7
- Fix KDC not working in configuration with trusted domain (samba bug #13078)
- Update for second autumn release with common bugfixes
- Fix KDC not working in configuration with trusted domain (samba bug #13078)
- rebuild with new libcephfs
- Update to new autumn release of Samba 4.7
- Revert removed lpcfg_register_defaults_hook() for openchange
- Update for autumn security release:
+ CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
should)
+ CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
+ CVE-2017-12163 (Server memory information leak over SMB1)
- Avoid build trouble with ubt macros id on branch c8
- Clean code from old merged chunks
- Update to second summer release
- Rebuild with universal build tag (aka ubt macros) for p7 and c7
- Update to summer security release
- Security fixes:
+ CVE-2017-11103 Orpheus' Lyre KDC-REP service name validation
- Remove conflict samba-DC-libs with samba-libs
- Adjust python module requirement to samba-DC-common-libs
- Add conflict python-module-samba-DC with python-module-samba
- Update to first summer release
- Add libldb-modules-DC package with domain controller ldb modules for ldb-tools
- Add samba-DC-common-libs with libraries for common modules
- Append list of libraries consists in libwbclient-DC to not require
samba-DC-common-libs
- Update to second spring security release
- Fix longtime initialization bug in ldb proxy
- Security fixes:
+ CVE-2017-7494 Remote code execution from a writable share
- Update to second spring release
- Remove conflict winbind with libwbclient-sssd due to upgrade problems
- Fix problem with failed to create kerberos keytab during join to domain
- Update with regression fix of spring security release
- Revert winbind problem fixes with access user to keytab due to troubles in 4.6.x
- Update to spring security release
- Fixed build --without docs (closes: 33118)
- Security fixes:
+ CVE-2017-2619 Symlink race allows access outside share definition
- Update to first spring release
- Revert removed unused DCERPC_FAULT_UNK_IF for openchange
- Update to winter release
- Fix PAM winbind problem with access user to keytab
- Do not delete an existing valid credential cache for KEYRING type
- Set FQDN to lower at fill_mem_keytab_from_system_keytab()
- Update for release with security fixes:
- CVE-2016-2123 (ndr_pull_dnsp_name contains an integer wrap problem)
- CVE-2016-2125 (client code always requests a forwardable ticket)
- CVE-2016-2126 (crash winbindd using a legitimate Kerberos ticket)
- Update to first winter release
- Add conflict winbind with libwbclient-sssd due to compatibility
- Update build dependencies versions for external samba libraries
- Build with separate libwbclient-DC
- Update with variety of fixes for autumn release
- Update to new autumn release
- Update for security release with CVE-2016-2119
- Apply fixes for DRSUAPI limits being too strict for some workloads,
e.g. DRSUAPI replication with large objects.
https://bugzilla.samba.org/show_bug.cgi?id=11948
+ Set DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
+ Allow a total reassembled response payload of 240 MBytes
- Package libsamba_util private headers to package
samba-DC-util-private-headers
- Update to new version
- build with libsystemd without compat libs
- add patches from fedora
- add again samba-grouppwd.patch
- Fix rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists
- New version
- Fix CVE-2016-2110/NTLMSSP regression (https://bugzilla.samba.org/show_bug.cgi?id=11849)
- New version
- Security fixes:
- CVE-2015-5370 (Multiple errors in DCE-RPC code)
- CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
- CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
- CVE-2016-2112 (LDAP client and server don't enforce integrity)
- CVE-2016-2113 (Missing TLS certificate validation)
- CVE-2016-2114 ("server signing = mandatory" not enforced)
- CVE-2016-2115 (SMB IPC traffic is not integrity protected)
- CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
- New version (https://www.samba.org/samba/history/samba-4.4.0.html)
- Remove samba-DC-test-build and samba-DC-ctdb-devel
- Rebuild with new libtalloc
- New version (https://www.samba.org/samba/history/samba-4.3.6.html)
- Security fixes:
- CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
- CVE-2016-0771 (Out-of-bounds read in internal DNS server)
- Do not use specified GID for wbpriv group
- New version (https://www.samba.org/samba/history/samba-4.3.5.html)
- New version (https://www.samba.org/samba/history/samba-4.3.4.html)
- Change services type from notify to forking
- New version (https://www.samba.org/samba/history/samba-4.3.3.html)
- Security fixes:
- CVE-2015-3223 (Denial of service in Samba Active Directory server)
- CVE-2015-5252 (Insufficient symlink verification in smbd)
- CVE-2015-5299 (Missing access control check in shadow copy code)
- CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack)
- CVE-2015-8467 (Denial of service attack against Windows Active Directory server)
- CVE-2015-5330 (Remote memory read in Samba LDAP server)
- NMU: dropped unused prehistoric BR: perl-Perl4-CoreLibs
- New version (https://www.samba.org/samba/history/samba-4.3.2.html)
- Enable RPATH in installed files to correct link using .pc files
- Remove libxfs-qa-devel from build requirements
- Package samba-DC-ctdb, samba-DC-ctdb-devel and samba-DC-ctdb-tests
- Enable clustering support
- New version (https://www.samba.org/samba/history/samba-4.3.1.html)
- New metapackage task-samba-dc to install complete Domain Controller
- Exclude libnss_win* from debuginfo
- Make libnss_win* symlinks to /lib*
- Package unit samba.service for systemd
- Add conditional build of winbind part
- Move all libraries to samba-DC-libs
- Remove duplicated requirements
- New version (https://www.samba.org/samba/history/samba-4.3.0.html)
- Requires /proc for doc generation
- Build in dc mode in /usr/lib64/samba-dc to prevent link conflict
with ordinary samba in repository
- Build without libsmbclient, libwbclient and libnetapi
- Move documentation to /usr/share/doc/samba
- New version of Samba AD DC
- New version of Samba AD DC
- New version of Samba AD DC
- Fix post/postun hooks for samba init script
- New version of Samba AD DC
- Enable documentation build
- New version
- Security fixes:
+ fixes CVE-2015-0240 (security flaw in the smbd file server daemon)
- New version
- Security fixes:
+ CVE-2014-8143: Samba's AD DC allows the administrator to delegate
creation of user or computer accounts to specific users or groups.
However, all released versions of Samba's AD DC did not implement the
additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the
userAccountControl attributes.
- New version
- New version
- Disable build documentation because it cannot be built
- New version
- Do not use pidfile to stop service samba
- New version
- Build in DC mode
- Fix mitkrb5 support with and without DC mode
- Build on all available cores. Increase build and install verbosity
- Add setproctitle support
- Set verbosity level of make by VERBOSE option (-v, -vv or -vvv)
- Remove missing upgradeprovision program
- Add initscript for samba
- Add dlz_bind9_9.so
- Rename to samba-DC conflicted by ordinary samba
- Add tdb-utils for samba_upgradedns program
- Use %force_with to really set flag for tests
- update init scripts for ALTLinux
- 4.1.11
- fixed unstrcpy macro length is invalid(CVE-2014-3560)
- 4.1.10
- 4.1.9
- fixed nmbd denial of service(CVE-2014-0244)
- fixed Segmentation fault in smbd_marshall_dir_entry(CVE-2014-3493)
- 4.1.8
- fixed CVE-2014-0239, CVE-2014-0178
- add winbind-krb5-locator package
- 4.1.7
- 4.1.6
- fixed CVE-2013-4496, CVE-2013-6442
- 4.1.4
- 4.1.3
- fixed CVE-2013-4408, CVE-2012-6150
- 4.1.2
- drop swat package
- change build options:
+ --with-profiling-data
+ drop --disable-ntdb
+ --without-fam
+ drop --builtin-libraries=ccan
- build with avahi support
- build with external libntdb
- 4.0.12
- 4.0.11
- fixed CVE-2013-4475, CVE-2013-4476
- 4.0.10
- 4.0.9
- add -D options for default forking type start of services to sysV init and systemd
- 4.0.8
- fixed CVE-2013-4124
- 4.0.7
- 4.0.6
- 4.0.5
- 4.0.4 (fixed CVE-2013-186)
- add /var/cache/samba to samba-common package (ALT#28601)
- make systemctl reference indirect in packaging/NetworkManager/30-winbind-systemd (ALT#28585)
- 4.0.3
- build as default samba, replaced samba4 packages
- rename pdb_ldap to pdb_ldapsam
- obsoletes libnetapi4,libwbclient4,libsmbclient4 by samba4-libs if build without them
- 4.0.2
- fixed gensec: Allow login without a PAC by default (samba bug #9581)
- build without libnetapi
- add symlink ldapsam.so to ldap.so
- build without libsmbclient and libwbclient
- 4.0.1
- 4.0.0 release
- alpha18
- Rebuild with Python-2.7
- alpha16
- alpha15
- pre alpha15 snapshot
- Upgrade to alpha13
- initial build for ALT Linux Sisyphus
- Revert changes to %Release, use %main_release instead.
- Rebuild for perl-5.12.x.
- Once again rebuild for perl-5.12.x.
- Mass rebuild with perl-5.12.0
- Rebuild against newer libtevent
- Upgrade to alpha11
- Bump ldb_version to 0.9.10.
- Only install new command-line utilities if enable_samba4 is non-zero.
- Upgrade to alpha10
- Fix broken dependencies
- Need docbook stuff to build man pages
- Upgrade to alpha8-git20090916
- Stop building libtevent, it is now an external package
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
- Fix dependency
- Don't build talloc and tdb, they are now separate packages
- Fix a build issue in samba4-common (RH bug #494243).
- rebuild with correct CFLAGS (also fixes debuginfo)
- Second part of fix for the ldb segfault problem from upstream
- Add upstream patch to fix a problem within ldb
- Remove ldb.pc from samba4-devel (RH bug #489186).
- Make talloc,tdb,tevent,ldb easy to exclude using defines
- Fix package for non-mock "dirty" systems by deleting additional
files we are not interested in atm
- Fix typo in Requires
- Compile and have separate packages for additional samba libraries
Package in their own packages: talloc, tdb, tevent, ldb
- Update to 4.0.0alpha7
- Formal package review cleanups.
- Disable subpackages not needed by OpenChange.
- Incorporate package review feedback.
- Update to 4.0.0alpha6
- Fix another file conflict: smbstatus
- Disable the winbind subpackage because it conflicts with samba-winbind
and isn't needed to support OpenChange.
- Update to the GIT revision OpenChange is now requiring.
- Fix licence tag (the binaries are built into a GPLv3 whole, so the BSD licence need not be mentioned)
- Remove talloc and tdb dependency (per https://bugzilla.redhat.com/show_bug.cgi?id=453083)
- Fix deps on chkconfig and service to main pkg (not -common)
(per https://bugzilla.redhat.com/show_bug.cgi?id=453083)
- Use --sysconfdir instead of --with-configdir
- Add patch for C++ header compatibility
- Update per review feedback
- Update for alpha5
- Rework Fedora's Samba 3.2.0-1.rc2.16 spec file for Samba4