samba (2:4.17.12+dfsg-0+deb12u1) bookworm-security; urgency=medium * new stable security bugfix release: o CVE-2023-3961: https://www.samba.org/samba/security/CVE-2023-3961.html Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. o CVE-2023-4091: https://www.samba.org/samba/security/CVE-2023-4091.html SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" o CVE-2023-4154: https://www.samba.org/samba/security/CVE-2023-4154.html An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. o CVE-2023-42669: https://www.samba.org/samba/security/CVE-2023-42669.html Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. o CVE-2023-42670: https://www.samba.org/samba/security/CVE-2023-42670.html Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. -- Michael Tokarev <mjt@tls.msk.ru> Tue, 10 Oct 2023 18:17:19 +0300 samba (2:4.17.11+dfsg-0+deb12u1) bookworm; urgency=medium * new upstream stable/bugfix release 4.17.11, including: o https://bugzilla.samba.org/show_bug.cgi?id=9959 Windows client join fails if a second container CN=System exists somewhere o https://bugzilla.samba.org/show_bug.cgi?id=15342 Spotlight sometimes returns no results on latest macOS o https://bugzilla.samba.org/show_bug.cgi?id=15346 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2 o https://bugzilla.samba.org/show_bug.cgi?id=15384 net ads lookup (with unspecified realm) fails o https://bugzilla.samba.org/show_bug.cgi?id=15401 Improve GetNChanges to address some (but not all "Azure AD Connect") syncronisation tool looping during the initial user sync phase o https://bugzilla.samba.org/show_bug.cgi?id=15407 Samba replication logs show (null) DN o https://bugzilla.samba.org/show_bug.cgi?id=15417 Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination o https://bugzilla.samba.org/show_bug.cgi?id=15419 Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink() o https://bugzilla.samba.org/show_bug.cgi?id=15420 reply_sesssetup_and_X() can dereference uninitialized tmp pointer o https://bugzilla.samba.org/show_bug.cgi?id=15427 Spotlight results return wrong date in result list o https://bugzilla.samba.org/show_bug.cgi?id=15430 Missing return in reply_exit_done() o https://bugzilla.samba.org/show_bug.cgi?id=15432 TREE_CONNECT without SETUP causes smbd to use uninitialized pointer o https://bugzilla.samba.org/show_bug.cgi?id=15435 Regression DFS not working with widelinks = true o https://bugzilla.samba.org/show_bug.cgi?id=15441 samba-tool ntacl get segfault if aio_pthread appended o https://bugzilla.samba.org/show_bug.cgi?id=15446 DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed o https://bugzilla.samba.org/show_bug.cgi?id=15449 mdssvc: Do an early talloc_free() in _mdssvc_open() o https://bugzilla.samba.org/show_bug.cgi?id=15451 ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1 o https://bugzilla.samba.org/show_bug.cgi?id=15453 File doesn't show when user doesn't have permission if aio_pthread is loaded o https://bugzilla.samba.org/show_bug.cgi?id=15463 macOS mdfind returns only 50 results * d/control: indicate the git branch in Vcs-Git URL (-b bookworm) * d/control: fix description of samba-common-bin (samba-client) * d/salsa-ci.yml: set RELEASE to bookworm -- Michael Tokarev <mjt@tls.msk.ru> Tue, 12 Sep 2023 15:55:41 +0300 samba (2:4.17.10+dfsg-0+deb12u1) bookworm-security; urgency=medium * new upstream stable/security release 4.17.10, including: o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it. https://www.samba.org/samba/security/CVE-2022-2127.html o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. https://www.samba.org/samba/security/CVE-2023-3347.html o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request. https://www.samba.org/samba/security/CVE-2023-34966.html o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process. https://www.samba.org/samba/security/CVE-2023-34967.html o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-side absolute path of shares and files and directories in search results. https://www.samba.org/samba/security/CVE-2023-34968.html o BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023. https://bugzilla.samba.org/show_bug.cgi?id=15418 (this has been patched in the previous upload; Closes: #1041043) -- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Jul 2023 17:55:58 +0300 samba (2:4.17.9+dfsg-0+deb12u3) bookworm; urgency=medium * +fix-unsupported-netr_LogonGetCapabilities-l2.patch Fix windows logon/trust issues with 2023-07 windows updates: https://bugzilla.samba.org/show_bug.cgi?id=15418 -- Michael Tokarev <mjt@tls.msk.ru> Fri, 14 Jul 2023 12:34:30 +0300 samba (2:4.17.9+dfsg-0+deb12u2) bookworm; urgency=medium * link with -latomic explicitly on a few architectures where gcc misses it (notable armel & mipsel), to fix FTBFS there, - the same as on sid. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81358 -- Michael Tokarev <mjt@tls.msk.ru> Sun, 09 Jul 2023 09:44:29 +0300 samba (2:4.17.9+dfsg-0+deb12u1) bookworm-proposed-updates; urgency=medium * d/copyright: filter out autogenerated manpages from the upstream source when dfsg-repacking. The manpages are generated during build if not up to date, and changes significantly in every upstream release since the version number and the release date are included in every manpage. * new upstream stable/bugfix release, with the following fixes: * https://bugzilla.samba.org/show_bug.cgi?id=14030 named crashes on DLZ zone update (this was in debian in previous upload) * https://bugzilla.samba.org/show_bug.cgi?id=15275 smbd_scavenger crashes when service smbd is stopped * https://bugzilla.samba.org/show_bug.cgi?id=15361 winbind recurses into itself via rpcd_lsad * https://bugzilla.samba.org/show_bug.cgi?id=15374 aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse() * https://bugzilla.samba.org/show_bug.cgi?id=15378 vfs_fruit might cause a failing open for delete * https://bugzilla.samba.org/show_bug.cgi?id=15382 cli_list loops 100% CPU against pre-lanman2 servers * https://bugzilla.samba.org/show_bug.cgi?id=15391 smbclient leaks fds with showacls * https://bugzilla.samba.org/show_bug.cgi?id=15403 smbget memory leak if failed to download files recursively * https://bugzilla.samba.org/show_bug.cgi?id=15404 Backport --pidl-developer fixes * https://bugzilla.samba.org/show_bug.cgi?id=15413 winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR * remove dnsserver-rename-dns_name_equal.patch (included upstream) * heimdal-to-support-KEYRING-ccache.patch: enable KEYRING in heimdal (ability to store kerberos tickets in kernel keyring) (Closes: #1023609) * d/control: build-depend on libkeyutils-dev (it is pulled by some other dep, but better to be safe) -- Michael Tokarev <mjt@tls.msk.ru> Fri, 07 Jul 2023 11:40:17 +0300 samba (2:4.17.8+dfsg-2) unstable; urgency=medium * dnsserver-rename-dns_name_equal.patch (forgotten) patch from upstream targetting next stable Fixes crashes of named with samba DLZ plugin due to symbol name conflict (dns_name_equal() function). There's no resulting code changes, just a symbol rename. https://bugzilla.samba.org/show_bug.cgi?id=14030 Closes: #1036587, #927747 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 24 May 2023 22:54:43 +0300 samba (2:4.17.8+dfsg-1) unstable; urgency=medium * upstream stable/security/bugfix release, fixing the following issues: * https://bugzilla.samba.org/show_bug.cgi?id=14810 CVE-2020-25720 Create Child permission should not allow full write to all attributes (additional changes) * https://bugzilla.samba.org/show_bug.cgi?id=15143 New filename parser doesn't check veto files smb.conf parameter * https://bugzilla.samba.org/show_bug.cgi?id=15302 log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower (this was included in Debian package already) * https://bugzilla.samba.org/show_bug.cgi?id=15306 Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c * https://bugzilla.samba.org/show_bug.cgi?id=15313 Large directory optimization broken for non-lcomp path elements * https://bugzilla.samba.org/show_bug.cgi?id=15317 winbindd idmap child contacts the domain controller without a need * https://bugzilla.samba.org/show_bug.cgi?id=15318 idmap_autorid may fail to map sids of trusted domains for the * https://bugzilla.samba.org/show_bug.cgi?id=15319 idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings * https://bugzilla.samba.org/show_bug.cgi?id=15323 net ads search -P doesn't work against servers in other domains * https://bugzilla.samba.org/show_bug.cgi?id=15325 dsgetdcname: assumes local system uses IPv4 * https://bugzilla.samba.org/show_bug.cgi?id=15328 test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners * https://bugzilla.samba.org/show_bug.cgi?id=15329 Reduce flapping of ridalloc test * https://bugzilla.samba.org/show_bug.cgi?id=15329 Reduce flapping of ridalloc test * https://bugzilla.samba.org/show_bug.cgi?id=15338 DS ACEs might be inherited to unrelated object classes * https://bugzilla.samba.org/show_bug.cgi?id=15351 large_ldap test is unreliable * https://bugzilla.samba.org/show_bug.cgi?id=15353 Temporary smbXsrv_tcon_global.tdb can't be parsed * https://bugzilla.samba.org/show_bug.cgi?id=15354 mdssvc may crash when initializing * https://bugzilla.samba.org/show_bug.cgi?id=15357 streams_depot fails to create streams * https://bugzilla.samba.org/show_bug.cgi?id=15358 shadow_copy2 and streams_depot don't play well together * https://bugzilla.samba.org/show_bug.cgi?id=15360 Setting veto files = /.*/ break listing directories * https://bugzilla.samba.org/show_bug.cgi?id=15366 wbinfo -u fails on ad dc with >1000 users * d/gbp.conf: switch debian-branch to "bookworm" -- Michael Tokarev <mjt@tls.msk.ru> Thu, 11 May 2023 10:52:40 +0300 samba (2:4.17.7+dfsg-1) unstable; urgency=high * upstream stable/security/bugfix release, fixing the following issues: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614 * update libldb symbols and versions -- Michael Tokarev <mjt@tls.msk.ru> Wed, 29 Mar 2023 17:59:17 +0300 samba (2:4.17.6+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release 4.17.6: * https://bugzilla.samba.org/show_bug.cgi?id=15314 streams_xattr is creating unexpected locks on folders. * https://bugzilla.samba.org/show_bug.cgi?id=10635 Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment. * https://bugzilla.samba.org/show_bug.cgi?id=15299 Spotlight doesn't work with latest macOS Ventura. * https://bugzilla.samba.org/show_bug.cgi?id=15310 New samba-dcerpc architecture does not scale gracefully. * https://bugzilla.samba.org/show_bug.cgi?id=15307 vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. * https://bugzilla.samba.org/show_bug.cgi?id=15293 With clustering enabled samba-bgqd can core dump due to use after free. * https://bugzilla.samba.org/show_bug.cgi?id=15311 fd_load() function implicitly closes the fd where it should not. * debian/po/ro.po update from Remus-Gabriel Chelu * s3-smbd-open.c-smbd_calculate_access_mask_fsp-lower-.patch makes smbd a bit less spammy in logs * d/control: clarify some package descriptions (Closes: #1031922) -- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 12:52:14 +0300 samba (2:4.17.5+dfsg-2) unstable; urgency=medium * d/control: samba: depends on exact version of python3-samba * d/control: fix typo * more tweaks for foreign/cross build * d/control: work around autodep8 #904999 again * introduce upstream-like aliases for debian .service names, add rationale -- Michael Tokarev <mjt@tls.msk.ru> Sat, 04 Feb 2023 17:15:40 +0300 samba (2:4.17.5+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release. From WHATSNEW.txt: * BUG 14808: smbc_getxattr() return value is incorrect. * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly. * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors. * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS (Closes: #1023606). * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle. * BUG 15277: DFS links don't work anymore on Mac clients since 4.17. * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value). * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes). * BUG 15243: %U for include directive doesn't work for share listing (netshareenum) (the fix was in debian before). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4 (the fix was in debian before). * BUG 15269: ctdb: use-after-free in run_proc. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. * BUG 15268: smbclient segfaults with use after free on an optimized build * BUG 15282: smbstatus leaking files in msg.sock and msg.lock. * BUG 15164: Leak in wbcCtxPingDc2. * BUG 15265: Access based share enum does not work in Samba 4.16+. * BUG 15267: Crash during share enumeration. * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer. * BUG 15281: Avoid relying on C89 features in a few places. * remove patches applied upstream: - reload-registry-shares-after-reloading-services.patch - rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch * d/control: Standards-Version: 4.6.2 (no changes) * d/control: put all doc-generating build-deps into one line * little prep for cross-compilation - build-depend on python3:any and python3-dev:any - build-depend on libpython3-dev for actual module building, and use arch-specific python3-config from there - set and export _PYTHON_SYSCONFIGDATA_NAME to get foreign-arch values provided by libpython3-dev (also helps when python itself is foreign) - depend on perl:any not just perl - export CC/CPP/LD/PKGCONFIG for ./configure (buildtools.mk) * d/gbp.conf: unignore branch * d/control: samba, ctdb, winbind: do not depend on lsb-base (the script is in sysvinit-utils now) * d/control: drop unused build-dep on libncurses5-dev -- Michael Tokarev <mjt@tls.msk.ru> Fri, 27 Jan 2023 11:15:01 +0300 samba (2:4.17.4+dfsg-3) unstable; urgency=medium * +rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch https://bugzilla.samba.org/show_bug.cgi?id=15265 * +reload-registry-shares-after-reloading-services.patch https://bugzilla.samba.org/show_bug.cgi?id=15266 * d/samba.postinst: fix /var/spool/samba => /var/tmp handling (old spooldir can be referred to in other sections too) * create common script "is-configured" to check if the service is configured in smb.conf, and stop masking services in postinst * rewrite SysV init scripts (simplify, make consistent, etc) * d/winbind.postinst: create/change /var/lib/samba/winbindd_privileged at install time only (it should be in /run/samba/ somewhere these days) * d/control: change version of samba which samba-ad-provisioning Breaks to where provisioning was split out -- Michael Tokarev <mjt@tls.msk.ru> Tue, 03 Jan 2023 10:45:36 +0300 samba (2:4.17.4+dfsg-2) unstable; urgency=medium * d/control: samba-dc-provision Replaces+Breaks samba (< 4.17.4+dfsg-2). Closes: #1026387 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 19 Dec 2022 16:36:00 +0300 samba (2:4.17.4+dfsg-1) unstable; urgency=medium * new upstream stable/security release, with the following changes: - CVE-2022-37966: Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022, see https://www.samba.org/samba/security/CVE-2022-37966.html - CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. See https://www.samba.org/samba/security/CVE-2022-37967.html - CVE-2022-38023: Weak "RC4" (rc4-hmac) protection of the NetLogon Secure channel uses, see https://www.samba.org/samba/security/CVE-2022-38023.html There are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the documents referenced above! See also the WHATSNEW.txt document, as there are several new, changed and deprecated smb.conf parameters. * Other bugfixes in this release (from WHATSNEW.txt): https://bugzilla.samba.org/show_bug.cgi?id=14929 CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST. https://bugzilla.samba.org/show_bug.cgi?id=15219 Heimdal session key selection in AS-REQ examines wrong entry. https://bugzilla.samba.org/show_bug.cgi?id=13135 The KDC logic around msDs-supportedEncryptionTypes differs from Windows. https://bugzilla.samba.org/show_bug.cgi?id=14611 CVE-2021-20251 Bad password count not incremented atomically. https://bugzilla.samba.org/show_bug.cgi?id=15206 libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4() https://bugzilla.samba.org/show_bug.cgi?id=15230 Memory leak in snprintf replacement functions. https://bugzilla.samba.org/show_bug.cgi?id=15253 RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression). https://bugzilla.samba.org/show_bug.cgi?id=15198 Prevent EBADF errors with vfs_glusterfs. https://bugzilla.samba.org/show_bug.cgi?id=15243 %U for include directive doesn't work for share listing (netshareenum). https://bugzilla.samba.org/show_bug.cgi?id=15257 Stack smashing in net offlinejoin requestodj. * removed patches which are now included upstream: - nsswitch-pam-data-time_t.patch - CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch -- Michael Tokarev <mjt@tls.msk.ru> Thu, 15 Dec 2022 21:54:31 +0300 samba (2:4.17.3+dfsg-4) unstable; urgency=medium * create samba-ad-provision package with contents of /usr/share/samba/setup. It is recommended by samba, so can be uninstalled if not needed. * create samba-ad-dc package. It is an empty metapackage for now, but with dependencies needed to run an Active Directory Domain Controller (AD-DC) * samba-ad-provision.lintian-overrides: license files * print meaningful error message if samba-ad-provision is not installed (meaningful-error-if-no-samba-ad-provision.patch) * print meaningful error message if python3-markdown is not installed (meaningful-error-if-no-python3-markdown.patch) * ctdb: move rundir from /var/run to /run * fix typo in fruit patch * a few more spelling fixes * add #DEBHELPER# tokens to libnss-winbind.{postinst,postrm} * remove mentions of /var/spool/samba from samba.lintian-overrides (moved to /var/tmp) * change embedded-library heimdal lintian override in a way to be understood by both old and new lintian, so the package can be uploaded -- Michael Tokarev <mjt@tls.msk.ru> Mon, 05 Dec 2022 14:39:43 +0300 samba (2:4.17.3+dfsg-3) unstable; urgency=medium * d/control: winbind should depend on the same binary:Version of libwbclient, or else its components can't talk to the daemon. Thank you Stefan Weichinger for the patience while finding this one! * libnss-winbind: add postinst/postrm scripts to add/remove nsswitch.conf entry for winbind (but not for wins) -- Michael Tokarev <mjt@tls.msk.ru> Thu, 01 Dec 2022 22:38:07 +0300 samba (2:4.17.3+dfsg-2) unstable; urgency=medium * fruit-disable-useless-size_t-overflow-check.patch (Closes: #974868) * CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch Fix regression on 32bit systems: https://bugzilla.samba.org/show_bug.cgi?id=15203 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 21 Nov 2022 20:41:46 +0300 samba (2:4.17.3+dfsg-1) unstable; urgency=medium * new upstream security release 4.17.3, fixing the following issue: CVE-2022-42898: Heimdal Kerberos libraries suffers from an integer multiplication overflow vulnerability which affects 32bit platforms, see https://www.samba.org/samba/security/CVE-2022-42898.html This changes third_party/heimdal/, it does not affect mitkrb5 builds. * d/rules: stop stripping +dfsg suffix from ldb version * d/control: declare dependency on password (for groupadd in postinst) for winbind and samba (Closes: #1023759) * implement pkg.samba.mitkrb5 build profile to build with system mit-krb5 (with "mitkrb5" version suffix in some packages for now) * d/control: mark libufing-dev build dep with <!pkg.samba.nouring> (to simplify out-of-archive builds for older systems) * d/rules: parametrise list of packages to omit (eg on ubuntu-i386) with ${omit-pkgs} * d/rules: use variables in a more consistent way, use single ${config-args} * d/control: tdb-tools and lmdb-utils packages are also needed for tests (everything is commented out for now anyway) * d/rules: update knownfail tests * d/rules: stop exporting buildflags, export compiler options when needed * d/rules: always define rados:Depends & vfsmods:Depends substvars * unwrap-getresgid-typo.patch - fix crash during p11-kit execution (https://bugzilla.samba.org/show_bug.cgi?id=15227) (for the testsuite only) * nsswitch-pam-data-time_t.patch - fix time_t not fit in a pointer (eg x32) (https://bugzilla.samba.org/show_bug.cgi?id=15224) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 15 Nov 2022 19:26:10 +0300 samba (2:4.17.2+dfsg-9) unstable; urgency=medium * hurd-compat.patch: some minor compatibility tweaks for hurd * d/rules compat work: - ceph is linux-only like glusterfs - d/rules: add another conditional, with_snapper - combine linux features into single block * d/rules: support "terse" build option for non-verbose build * d/rules: remove third_party/heimdal/lib/gssapi/gssapi.h before build (Closes: #1013205). This fixes -I path order and <gssapi/gssapi.h> include mess which caused samba to FTBFS on sparc64 for quite some time -- Michael Tokarev <mjt@tls.msk.ru> Sun, 06 Nov 2022 20:13:19 +0300 samba (2:4.17.2+dfsg-8) unstable; urgency=medium * d/rules: do not explicitly enable quotas on non-linux: enable everything interesting on linux explicitly and let ./configure to figure it out in other systems. This should fix FTBFS problem on hurd. * d/rules: do not disable systemd on non-linux, let ./configure figure it out * d/winbind.postinst: switch addgroup => groupadd and eliminate getent. winbind package never declared dependency on adduser but always used addgroup command in its postinst script. Finally this broke piuparts. Switch to groupadd which is even easier to use. * d/samba.postinst: switch addgroup => groupadd and eliminate getent * d/smb.conf: use useradd in example create user script too -- Michael Tokarev <mjt@tls.msk.ru> Thu, 03 Nov 2022 15:04:46 +0300 samba (2:4.17.2+dfsg-7) unstable; urgency=medium * another way to work around #1013259: provide a compatibility symlink libndr.so.2 pointing to libndr.so.3: - libndr-debug-level-compat.diff, libndr-revert-so3.diff: remove - d/samba-libs.symbols: adjust symbols/versions - d/samba-libs.install: libndr.so.2 => libndr.so.3 - d/samba-libs.links: provide the compat libndr.so.2 symlink * d/samba-libs.links: add comments describing libndr.so.N issue * d/samba-libs.links: add libndr.so.1 compat symlink too (for bullseye sssd) * d/control: unbreak bullseye/jammy sssd-ad-common, sssd-ad, sssd-ipa by samba-libs once libndr.so.1 compat link is here -- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 20:43:53 +0300 samba (2:4.17.2+dfsg-6) unstable; urgency=medium * d/control: fix comment in previous upload -- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 10:45:26 +0300 samba (2:4.17.2+dfsg-5) unstable; urgency=medium * d/control: bump version of broken-by-samba-libs sssd and add more affected sssd packages; also reformat the comment there so dpkg-gencontrol does not complain -- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 09:34:10 +0300 samba (2:4.17.2+dfsg-4) unstable; urgency=medium * d/control: stop suggesting old/orphaned/gone-upstream smbldap-tools * libndr work (Closes: #1013259): - d/control: samba-libs breaks bullseye sssd-ad due to libndr.so.1=>.2 bump - d/samba-libs.install: be more explicit about sonames of public libs to catch soname changes - libndr-debug-level-compat.diff, libndr-revert-so3.diff: revert libndr.so.2->3 soname bump by providing compat wrapper for new symbol - d/samba-libs.symbols: provide symbols for libndr.so.2 -- Michael Tokarev <mjt@tls.msk.ru> Tue, 01 Nov 2022 12:53:22 +0300 samba (2:4.17.2+dfsg-3) unstable; urgency=low * rebase on top of debian 4.16.6+dfsg-6 release, include some history of 4.17.* experimental releases in changelog * d/samba-libs.lintian-overrides: update package-name-doesnt-match-sonames to match all libs * urgency is set to low to delay unstable->testing transition a bit -- Michael Tokarev <mjt@tls.msk.ru> Sun, 30 Oct 2022 16:23:51 +0300 samba (2:4.17.2+dfsg-2) experimental; urgency=medium * d/rules: stop dh_installpam from installing samba.pam to the samba package (Closes: #1022775, #1022776) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 20:13:53 +0300 samba (2:4.17.2+dfsg-1) experimental; urgency=medium * upstream 4.17.2 security release: CVE-2022-3592 A malicious client can use a symlink to escape the exported directory. https://www.samba.org/samba/security/CVE-2022-3592.html (Samba 4.17 only) * Remove poptGetArg-misuse-fixes-1022826.diff (applied to 4.17.2) * d/rules: no need to build compile_et,asn1_compile intermediate targets anymore; also remove now-unused ${WAFv} macro -- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 14:30:44 +0300 samba (2:4.17.1+dfsg-1) experimental; urgency=medium * new upstream bugfix release containing a security fix: * CVE-2021-20251 Bad password count not incremented atomically. * Merge changes from 4.16.x (debian/master) branch. * use-bzero-instead-of-memset_s.diff : use explicit_bzero() instead of bzero() for the substitute of memset_s(). bzero() is wrong here because it, just like memset, can be optimized out by the compiler. -- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Oct 2022 21:34:11 +0300 samba (2:4.17.0+dfsg-2) experimental; urgency=medium * mention closing of CVE-2022-32743 by the 4.17.0 upload * mention closing of CVE-2022-1615 by the 4.17.0 upload * move libpac-samba4.so.0 from samba to samba-libs (Closes: #1021450) -- Michael Tokarev <mjt@tls.msk.ru> Sat, 08 Oct 2022 23:00:05 +0300 samba (2:4.17.0+dfsg-1) experimental; urgency=medium * new upstream release 4.17.0 Closes: CVE-2022-1615 Closes: #1021022, CVE-2022-32743 * removed: spelling.patch (partially applied upstream) * removed: weak-crypto-allowed-clarify.diff (applied upstream) * refresh: ctdb-create-piddir.patch * refresh: fix-nfs-service-name-to-nfs-kernel-server.patch * d/control: update minimum versions for talloc/tevent/tdb * d/rules: do not install ctdb.service, it is installed by upstream now * d/ctdb.install: do not install ctdb_wrapper (not used anymore) * d/libldb2.symbols, d/d/python3-ldb.symbols.in: new versions: 2.6.0 2.6.1 per upstream, re-version symbols added in 2.5.2 as added in 2.6.1 (ldb users needs to be recompiled anyway after updating libldb) * new: spelling.patch: a few more spelling fixes * d/control: bump Standards-Version to 4.6.1 (no changes) * Remove dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch (included in 4.17.0 already) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 13 Sep 2022 20:47:05 +0300 samba (2:4.16.6+dfsg-6) unstable; urgency=medium * d/rules: use the right dir for dh_shlibdeps -l (long-standing issue) * rewrite shlibs/symbols-generating file d/genshlibs, make whole process much more clean and strighforward, and 10x times faster too * debian/libnss-winbind.triggers: activate ldconfig trigger * add debian/samba-libs.symbols with libsmbldap library * d/samba.examples: do not install smbadduser: csh considered harmful * d/rules: remove long-unused commented-out override_dh_perl-arch * d/samba.lintian-overrides: *docs-outside-share-doc usr/share/samba/setup/ * d/genshlibs: add the forgotten mkdir for d/$pkg/DEBIAN * remove static/fixed branding d/patches/VERSION.patch * d/rules: implement dynamic branding of VERSION file based on dpkg-vendor * d/rules: simplify package interdependency checking rules * d/rules: add a lot more interpackage dependency checks * d/NEWS: merge it into d/samba.NEWS (removes several lintian warnings) -- Michael Tokarev <mjt@tls.msk.ru> Sat, 29 Oct 2022 08:28:53 +0300 samba (2:4.16.6+dfsg-5) unstable; urgency=medium * move samba:idmap_script.8.gz and samba-libs:idmap_rfc2307.8.gz manpages to winbind package where they belong and where actual idmap modules lives. (install all idmap_*.8 manpages to winbind package) * d/rules: install pam.d/samba with mode 0644, not 0755 * many lintian-override updates: - source: ctdb/doc/*.html actually has sources - source: +very-long-line-length-in-source-file * (for generated files) - source: +debian-control-has-unusual-field-spacing Breaks - winbind: +spare-manual-page for module manpages - *: update some overrides for new lintian - libpam-winbind: +spare-manual-page pam_winbind.8 - libldb2: +package-contains-empty-directory .../ldb/modules/ldb/ - *: +hardening-no-fortify-functions for some simple shared libs -- Michael Tokarev <mjt@tls.msk.ru> Wed, 26 Oct 2022 22:27:00 +0300 samba (2:4.16.6+dfsg-4) unstable; urgency=medium * poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse for popt-1.9 (Closes: #1022826) -- Michael Tokarev <mjt@tls.msk.ru> Wed, 26 Oct 2022 19:45:38 +0300 samba (2:4.16.6+dfsg-3) unstable; urgency=medium * d/rules: stop dh_installpam from installing samba.pam to the samba package (Closes: #1022775, #1022776) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 20:13:53 +0300 samba (2:4.16.6+dfsg-2) unstable; urgency=medium * d/rules: pam.d/samba should go to /etc, not / * d/README.source.md: it is README.source.md not README.source * d/control: bump Standards-Version to 4.6.1 (no changes) * d/rules: verify that samba-libs does not depend on samba -- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 13:55:33 +0300 samba (2:4.16.6+dfsg-1) unstable; urgency=medium * new upstream security release 4.16.6, fixing: CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba). https://www.samba.org/samba/security/CVE-2022-3437.html * use explicit_bzero() instead of bzero() for the substitute of memset_s() * d/rules: make it a bit more consistent with other samba packages * d/rules: stop exporting ${PYTHON} * a bunch of ubuntu-related changes: - d/rules: omit glusterfs on ubuntu-i386 - apply Ubuntu changes to smb.conf at install time (d/smb.conf.ubuntu.diff) - d/tests/: ensure io_uring module is built before testing it - d/rules: inline parallel check from dpkg/buildopts.mk (buildopts.mk does not exist on ubuntu 20.04 focal) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 12:48:20 +0300 samba (2:4.16.5+dfsg-2) unstable; urgency=medium [ Michael Tokarev ] * d/tests/util: use printf for formatting password for smbpasswd, not non-standard echo \n (mr !60) * introduce LDB_2.4.4 version symbol (Closes: #1021371) Create an empty ABI file just to make the scripts run during the build stage to introduce LDB_2.4.4 version symbol into libldb.so, and remove this empty file in the clean target. It is a bit hackish but works fine. This is only needed to upgrade from bullseye to bookworm, from 4.13.13+dfsg-1~deb11u5+ to the next release, 4.16+. Remove this for bookworm+. * dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch: GnuTLS gnutls_rnd() can fail and give predictable random values. Closes: #1021024, CVE-2022-1615 [ John Paul Adrian Glaubitz ] * disable ceph support on ppc64 and x32 (Closes: #1020781, #1012165) -- Michael Tokarev <mjt@tls.msk.ru> Sat, 08 Oct 2022 15:11:15 +0300 samba (2:4.16.5+dfsg-1) unstable; urgency=medium * new (minor) upstream release 4.16.5 * removed fix-samba-tool-domain-join-segfault.patch (included upstream) * d/gbp.conf: no need to filter orig.tar: uscan already does that -- Michael Tokarev <mjt@tls.msk.ru> Thu, 08 Sep 2022 12:44:38 +0300 samba (2:4.16.4+dfsg-2) unstable; urgency=medium * d/libldb2.symbols: include newly added symbols -- Michael Tokarev <mjt@tls.msk.ru> Mon, 01 Aug 2022 15:43:11 +0300 samba (2:4.16.4+dfsg-1) unstable; urgency=high * new upstream security release fixing: o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords. https://www.samba.org/samba/security/CVE-2022-2031.html o CVE-2022-32742: Server memory information leak via SMB1. https://www.samba.org/samba/security/CVE-2022-32742.html o CVE-2022-32744: Samba AD users can forge password change requests for any user. https://www.samba.org/samba/security/CVE-2022-32744.html o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32745.html o CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32746.html * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 27 Jul 2022 18:35:53 +0300 samba (2:4.16.3+dfsg-1) unstable; urgency=medium [ Michael Tokarev ] * new upstream minor/bugfix releae. See WHATSNEW.txt for details. * d/watch: add the forgotten repacksuffix=+dfsg [ Andreas Hasenack ] * update nfs configuration examples for ctdb -- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Jul 2022 17:15:07 +0300 samba (2:4.16.2+dfsg-1) unstable; urgency=medium * new upstream minor/bugfix release. * removed waf-add-support-for-GNU-kFreeBSD.patch (applied upstream) * new minor version of libldb (no code changes, just the build system update to support python 3.11) * move samba-dcerpcd from samba package to samba-common-bin due to winbind New in 4.16 samba-dcerpcd binary is used by smbd and winbind, so putting it to samba package makes winbind unable to run it without samba. For now, in order to fix this issue, move this binary from samba to samba-common-bin package. It might be worth creating its own package for this binary (or maybe some more binaries), once it is clear where upstream is going to. Making this binary a part of samba-common-bin adds some more files to smbclient-only setup. (Closes: #1012240) * remove mksmbpasswd script and manpage: we have smbpasswd whcih can add entries to smbpasswd file if needed, and can handle other passwod storage formats too -- Michael Tokarev <mjt@tls.msk.ru> Mon, 13 Jun 2022 19:08:44 +0300 samba (2:4.16.1+dfsg-8) unstable; urgency=medium * fix the Breaks/Replaces versions in the previous upload for moving libsamba-utils.so, and use the same Breaks/Replaces for the -dev packages too -- Michael Tokarev <mjt@tls.msk.ru> Tue, 07 Jun 2022 14:11:09 +0300 samba (2:4.16.1+dfsg-7) unstable; urgency=medium * drop libunwind-dev build dependency again: it turned out the internal stack unwind is better anyway * move libsamba-utils.so and its dependencies from libwbclient0 into samba-libs. In the past, libwbclient were built using this library, but it does not depend on libsamba-utils anymore * d/control: libnss-winbind and libpam-winbind does not depend on samba-common. None of the files in samba-common are used by nss and pam modules; winbind does use them but not the modules. * d/rules: add --with-sockets-dir=/run/samba (or else it was /var/run/samba) -- Michael Tokarev <mjt@tls.msk.ru> Tue, 07 Jun 2022 12:09:50 +0300 samba (2:4.16.1+dfsg-6) unstable; urgency=medium * d/control: specify arch list for libunwind-dev build-dep to be the same as for libunwind itself (it is not built on all architectures) -- Michael Tokarev <mjt@tls.msk.ru> Sun, 29 May 2022 12:09:22 +0300 samba (2:4.16.1+dfsg-5) unstable; urgency=medium * add-missing-libs-deps.diff: add missing dependencies for a few samba libraries. Closes: #1010922 * point [printers] to /var/tmp/, stop shipping /var/spool/samba/. For a long time, we shipped an alternative /var/tmp/ directory with mode 01777 (so that anyone can use it to store files) but without the same setup as for regular /var/tmp/ (in particular, without removing old files and since it is not a usual place to store temp files, no one actually looked at it the same way someone would take care of /var/tmp/. Change smb.conf to use /var/tmp/ instead of /var/spool/samba/. In the postinst script, remove /var/spool/samba/, check if it is still used in smb.conf, and create a compatibility symlink pointing to tmp/, suggesting changing smb.conf. And remove this compat symlink in postrm. This probably can be accomplished by a debconf question, but the thing is complicated by the fact that smb.conf might be upgrading too at the same time. * debian/patches/weak-crypto-allowed-clarify.diff: update * testparm-do-not-fail-if-pid-dir-does-not-exist.patch: also cover samba-tool testparm too, not only regular stand-alone testparm. * fix-samba-tool-domain-join-segfault.patch: fix segfault when joining an AD-DC domain using samba-tool join. * d/rules: enable --with-profilig-data to build samba with profiling collection (if set in smb.conf) * d/control: add libunwind-dev to build-deps, to compile in stack backtrace logging in case of crash * d/control: stop build-conflicting with now-unused libtracker-miner-2.0-dev * d/control: stop build-conflicting with libtracker-sparql-2.0-dev: there's no point in explicitly disabling libtracker-sparql support (bullseye-only for now anyway) -- Michael Tokarev <mjt@tls.msk.ru> Sat, 28 May 2022 22:50:43 +0300 samba (2:4.16.1+dfsg-4) unstable; urgency=medium [ Michael Tokarev ] * fix spelling in disable-setuid-confchecks.patch * d/NEWS: split it into different $package.NEWS files * d/upstream/metadata: add Bug-Database * d/samba.postinst: create sambashare group and usershare directory on new install only * libldb2: provide compat symlinks for bullseye ldb modules dir * d/rules: provide Build-Depends-Package: for python3-ldb * samba-vfs-modules.lintian-overrides: add spare-manual-page vfs_*.8 override * winbind.lintian-overrides: add spare-manual-page idmap_*.8 override [ Arnaud Rebillout ] * Fix patch testparm-do-not-fail-if-pid-dir-does-not-exist (Closes: #1010835) -- Michael Tokarev <mjt@tls.msk.ru> Wed, 11 May 2022 09:50:03 +0300 samba (2:4.16.1+dfsg-3) unstable; urgency=medium * fix ldb package version generation in d/make_shlibs which was wrong in 2 previous uploads. Will I *ever* make it actually work someday? -- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 18:32:24 +0300 samba (2:4.16.1+dfsg-2) unstable; urgency=medium * rethink ldb version *again*, to be 2.5.0+smb4.16.1-2 or else 2.5.0+smb-1 from samba-4.16.1-2 sorts before 2.5.0+smb-7 from samba-4.16.0-7. -- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 17:02:16 +0300 samba (2:4.16.1+dfsg-1) unstable; urgency=medium * new upstream minor release 4.16.1 * move-msg.sock-from-var-lib-samba-to-run-samba.patch: move /var/lib/samba/private/msg.sock/ to /run/samba/msg.sock/. This is a (private) socket directory for IPC, it should not be in /var. * Remove /var/lib/samba/private/msg.sock/ in postinst * testparm-do-not-fail-if-pid-dir-does-not-exist.patch: testparm deliberately fails if /run/samba does not exist, while testparam itself does not use it and daemons will create it on demand. Just make it a warning instead of a fatal error, and we'll not need to pre-create this dir in a random place using hackish ways * ctdb-create-piddir.patch: create /run/ctdb/ in ctdb.service and ctdb.init before invoking ctdbd (as the latter does not create its pid directory on demand). * stop (ab)using tmpfiles.d to pre-create /run/samba/ and /run/ctdb/ and stop creating /run/samba/ in samba-common-bin.postinst just to make testparam happy. * d/rules: minor tweaks -- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 13:16:12 +0300 samba (2:4.16.0+dfsg-7) unstable; urgency=medium * another bunch of small tweaks to d/rules: - set SHELL to /bin/sh -e - rework the clean target - provide fast replacement of architecture.mk - better expression for DEB_REVISION - rearrange configure options * do not disable glusterfs on ubuntu-i386 (glusterfs is now in main) * mention closing of #1001053 by the 4.16 upload * change the ldb version string again, removing te "+samba*" suffix to allow bin-NMUs +b1 (Closes: #1010100) -- Michael Tokarev <mjt@tls.msk.ru> Sun, 24 Apr 2022 16:56:34 +0300 samba (2:4.16.0+dfsg-6) unstable; urgency=medium * another attempt to fix/work around #221618. Re-enable libsmbclient-ensure-lfs-221618.patch and change it to just define an extra type array int[sizeof(off_t)-7]. If off_t is small it will become a compile error. It is an ugly way to do it, but it should actually work, unlike various static_assert/_Static_assert which are language (C/C++) and standard-dependent. Closes: #221618. -- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 17:27:09 +0300 samba (2:4.16.0+dfsg-5) unstable; urgency=medium * disable libsmbclient-ensure-lfs-221618.patch for now. It throws errors in one or another configuration no matter what. Repoens: #221618 * d/salsa-ci.yml: re-allow blhc salsa-ci test to fail again due to different bug in blhc -- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 16:33:57 +0300 samba (2:4.16.0+dfsg-4) unstable; urgency=medium * libsmbclient-ensure-lfs-221618.patch: replace _Static_assert with static_assert (and include <assert.h> to make C++ happy too (Closes: #1009211) * disable-setuid-confchecks.patch: when running configure tests, samba tries to verify setuid/setgid etc calls are actually *working*, not just exists. This is only possible when the configure is running as root. But it turns out in some salsa-ci configuration (namely in the reprotest), the second build is actually running as root, and in that environment, actual setegid call is failing somehow. Just disable the config-time check for correctly working setgid and assume it "just works" if present, exactly like non-root build will do. * d/salsa-ci.yml: do not expect failure in blhc test (the original prob has been fixed long ago), and stop requiring experimental * mention closing of #999876 by 4.16 -- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 00:42:38 +0300 samba (2:4.16.0+dfsg-3) unstable; urgency=medium * d/control: comment out the selftest-mode build deps for now * d/control: forgotten python3-samba:Replaces against samba package too, not just samba-libs, when moving dckeytab python lib (Closes: #1009175) -- Michael Tokarev <mjt@tls.msk.ru> Fri, 08 Apr 2022 10:18:23 +0300 samba (2:4.16.0+dfsg-2) unstable; urgency=medium * use strict versioned dependency between samba-dsdb-modules and libldb2, since they're tied to each other and are now built from the same source * fix forgotten shlib symbols generation for python3-ldb * change libldb versioning scheme from ldb_2:2.5.0+samba4.16.0-1 to ldb_2:2.5.0-1+samba4.16.0 so that symbols versioning works correctly. Unfortunately the previous upload to experimental used the first form which is greather than the correct one, so temporarily (just for this 2.5.0 version of ldb) use this: ldb_2:2.5.0+smb-1+samba4.16.0 (with "+smb" suffix to be removed for 2.5.1+) * exclude samba-vfs-modules for i386 ubuntu build since this package is useless without samba itself (which is not built on this environment) * create selftest rules and add !nocheck build-dependencies (but do not enable selftests for now as they're failing) * split build system into -arch and -indep parts. We build only one arch-all package (samba-common) which contains only static files from debian/, there's no need to build whole samba to build this package. Move almost all Build-Depends to Build-Depends-Arch (and reindent them). * various updates to d/rules -- Michael Tokarev <mjt@tls.msk.ru> Thu, 07 Apr 2022 09:56:56 +0300 samba (2:4.16.0+dfsg-1) experimental; urgency=medium * New upstream major release. Closes: #1004690, CVE-2021-20316: Fileserver symlink metadata share escape Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape Closes: #1004692, CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists Closes: #1005642 (windows client data corruption due to cache poisoning) Closes: #1001053 (MIT-kerberos config broken after fix for CVE-2020-25717) Closes: #988197 (legacy printing support, 47d79d7e7e406f7dd2) Closes: #998423 (coredump connecting from macos to shares with var substs) Closes: #999876 (winbind allow trusted domains = no regression) * Notable changes in 4.16 series compared to 4.13: - modular VFS (see The_New_VFS.txt) - publishing printers in AD is more complete - group policies for winbindd cilents (like linux systems) - certificate auto enrollement in AD group policy - large list of improvements in samba-tool - SMB1 protocol has been deprecated, some subcommands has been removed - more consistend options/subcommands in samba commands * d/rules: export PYTHONHASHSEED=1. This makes lots of sporadic build-time debian-specific failures to go away, by preserving order of waf hashes * refresh patches, update build-depend versions (talloc, tdb, tevent) * refresh lintian-overrides files, add many new overrides * build-depend on python3-markdown * build-depend on libjson-perl for new heimdal bits * more consistent internal lib naming; refresh file lists everywhere * samba: install new rpc_* services, install samba-dcerpc * refresh symbols files * build libldb from samba sources, not from separate source (this moves ldb plugins from /usr/lib/$triple/ldb/plugin/ldb/ to /usr/lib/$triple/samba/ldb/ - the same where dsdb modules are). * optimizations for d/make_shlibs; also allow one to specify explicit version for some packages * as per clarifications for waf --{bundled,builtin}-libraries, remove now-wrong usage there. This also fixes build failures with current samba sources * d/rules: various optimizations to reduce startup costs by eliminating unnecessary external command calls during d/rules read by make. Including caching of LDB version information in d/ldb-version.mk file. This does not affect the buildd processing much (and does not affect runtime at all), but helps with build procedure debugging. * d/rules: numerous small fixes, cleanups and other changes, including: - clean up the install target - remove some now-irrelevant parts - fix no-glusterfs-build on non-linux * change build procedure: instead of `waf build', run `waf install'. `waf build' builds samba to be run from the build dir, and `waf install' rebuilds/relinks everything again for production. Build the production variant only, no build-dir one. * samba-common-bin.postinst: explicitly mkdir /run/samba before invoking samba binaries (Closes: #953530) * in the salsa git repository of samba, stop keeping debian patches in applied form, keep them in d/patches/ only as most other packages do. * move single python (helper) module, libsamba-policy, together with 2 internal libraries used by it, from samba-libs package to python3-samba. This makes samba-libs to be free from python-related files, and makes python3-samba to be the only python-providing package. Closes: #1006875, #878612, #862338 * also move dckeytab python module from samba to python3-samba (actually stop moving it from python3-samba to samba to incorrectly avoid a circular dependency). Also verify that python3-samba does not depend on samba package. * weak-crypto-allowed-clarify.diff: clarify "weak crypto is allowed" testparm message (Closes: #975882) * spelling.patch: fix many common spelling mistakes in the source * ctdb: simplify/cleanup instllation of READMEs/examples * d/control: remove breaks/replaces/depends on ancient versions of some packages (ancient dpkg version in Pre-Depends, ancient samba-libs) * d/rules: rework wrong shlibdeps handling * move helper programs from /usr/lib/$multiarch/ to /usr/libexec/ where they belongs. This should not affect users. * smbclient: re-do the fix for an old bug, #221618. The original "fix" did not fix anything (it is too late already to #define _FILE_OFFSET_BITS when all types has already been defined). From now on, raise an error if off_t is less than 64bits (it should >=64 when #include'ing <libsmbclient.h> with proper LFS defines). In theory this can break some sources which either included libsmbclient.h without a reason or which didn't use any of the functions which deals with off_t (smbc_lseek etc), - which did not explicitly enable LFS on a 32bit system. Please email us if you faced such situation. * drop 07_private_lib patch: we do not need to force rpath for private libraries into every samba binary, upstream build system does a good job here. -- Michael Tokarev <mjt@tls.msk.ru> Tue, 05 Apr 2022 16:01:25 +0300 samba (2:4.13.14+dfsg-1) unstable; urgency=high * New upstream security release in order to address the following defects: - CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos - MS CVE-2020-17049 in Samba: 'Bronze bit' S4U2Proxy Constrained Delegation bypass - CVE-2020-25717: A user on the domain can become root on domain members - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers + Bump build-depends ldb >= 2.2.3 - CVE-2020-25719: AD DC Username based races when no PAC is given - CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid) - CVE-2020-25722: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues) - CVE-2021-3738: crash in dsdb stack - CVE-2021-23192: dcerpc requests don't check all fragments against the first auth_state + Update d/samba-libs.install for libdcerpc-pkt-auth.so.0 * Add patch to fix "allow trusted domains" * Bump ldb build-depends to 2.2.3 * Update d/samba-libs.install -- Mathieu Parent <sathieu@debian.org> Tue, 09 Nov 2021 20:53:03 +0100 samba (2:4.13.13+dfsg-1) unstable; urgency=high [ Athos Ribeiro ] * Add autopkgtest to verify tmpfiles setup (LP: #1905387) - d/t/reinstall-samba-common-bin: make sure /run/samba is created by the samba-common-bin installation process (postinst script) - d/t/control: run new reinstall-samba-common-bin test case [ Paride Legovini ] * samba.postinst: do not populate sambashare from the Ubuntu admin group (LP: #1942195) [ Mathieu Parent ] * New upstream version - Remove CVE-2021-20254.patch - Bump build-depends ldb >= 2.2.0 * libwbclient0: Add Breaks+Replaces: libsamba-util0 (<< 2:4.0.0) (Closes: #988170) -- Mathieu Parent <sathieu@debian.org> Mon, 01 Nov 2021 08:59:20 +0100 samba (2:4.13.5+dfsg-2) unstable; urgency=high * CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token (Closes: #987811) * Add Breaks+Replaces: samba-dev (<< 2:4.11) (Closes: #987209) -- Mathieu Parent <sathieu@debian.org> Thu, 06 May 2021 21:09:29 +0200 samba (2:4.13.5+dfsg-1) unstable; urgency=medium * New upstream version (Closes: #984863) -- Mathieu Parent <sathieu@debian.org> Sat, 13 Mar 2021 08:31:27 +0100 samba (2:4.13.4+dfsg-1) unstable; urgency=medium * New upstream version - GPG signature has changed - Update samba-libs.install - Update symbols * Never use priority high when asking for DHCP integration (Closes: #981554) * Sync CTDB patches with Ubuntu: - Add "ctdb-config: enable syslog by default" - Update "fix nfs related service names" * d/rules: Ubuntu specifics - No Ceph on i386 - Disable some i386 packages - No GlusterFS -- Mathieu Parent <sathieu@debian.org> Tue, 09 Feb 2021 22:26:43 +0100 samba (2:4.13.3+dfsg-1) unstable; urgency=medium [ Andreas Hasenack ] * d/control: enable the liburing vfs module (Closes: #976854) * Add new DEP8 tests for the uring vfs module * Factor out common DEP8 test code into d/t/util and change the tests to source from it * Add set -x and set -e to DEP8 tests [ Mathieu Parent ] * liburing-dev is linux-any * New upstream version -- Mathieu Parent <sathieu@debian.org> Wed, 16 Dec 2020 18:23:09 +0100 samba (2:4.13.2+dfsg-3) unstable; urgency=medium * Ensure systemd-tmpfiles is called before testparm (Closes: #975422) * Only check configuration on configure step -- Mathieu Parent <sathieu@debian.org> Sun, 22 Nov 2020 10:44:51 +0100 samba (2:4.13.2+dfsg-2) unstable; urgency=medium * Upload to unstable -- Mathieu Parent <sathieu@debian.org> Wed, 18 Nov 2020 20:34:51 +0100 samba (2:4.13.2+dfsg-1) experimental; urgency=medium * New upstream major version - Update d/gbp.conf, d/watch and d/README.source for 4.13 - Update patches - Bump build-depends ldb >= 2.2.0 - Install new files - Update symbols * Includes the following security fixes: - CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify (Closes: #973400) - CVE-2020-14323: Unprivileged user can crash winbind (Closes: #973399) - CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (Closes: #973398) - CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon") (Closes: #971048) * Includes the following fixes: - Fixes "samba_dnsupdate gives depreacation warnings" (Closes: #973957) - s3: libsmbclient.h: add missing time.h include (Closes: #946840) * Remove unused python3-crypto dependency (Closes: #971292) * Enable Spotlight with ES backend (Closes: #956096, #956482) * Standards-Version: 4.5.0 * Add missing Build-Depends-Package in libsmbclient.symbols and libwbclient0.symbols * d/copyright: Fix duplicate-globbing-patterns * Remove outdated/malformed lintian overrides * d/winbind.logrotate: Only reload winbindd when running (Closes: #946821) * Bump to debhelper compat 13 * Add another library-not-linked-against-libc override -- Mathieu Parent <sathieu@debian.org> Thu, 12 Nov 2020 11:23:01 +0100 samba (2:4.12.5+dfsg-3) unstable; urgency=high * Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump (Closes: #963971) * Add patch traffic_packets: fix SyntaxWarning: "is" with a literal (Closes: #964165) * Add patch Rename mdfind to mdsearch (Closes: #963985) -- Mathieu Parent <sathieu@debian.org> Sat, 04 Jul 2020 23:57:59 +0200 samba (2:4.12.5+dfsg-2) unstable; urgency=high * Add missing symbol (path_expand_tilde) -- Mathieu Parent <sathieu@debian.org> Thu, 02 Jul 2020 15:27:25 +0200 samba (2:4.12.5+dfsg-1) unstable; urgency=high * New upstream security release: - CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results - CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU - CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV. - CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd. - Bump build-depends ldb >= 2.1.4 -- Mathieu Parent <sathieu@debian.org> Thu, 02 Jul 2020 14:03:36 +0200 samba (2:4.12.3+dfsg-2) unstable; urgency=medium * Upload to unstable -- Mathieu Parent <sathieu@debian.org> Sun, 28 Jun 2020 11:45:14 +0200 samba (2:4.12.3+dfsg-1) experimental; urgency=medium * New upstream major version (Closes: #963106) - Update d/gbp.conf, d/watch and d/README.source for 4.12 - Drop merged patches - Bump build-depends talloc >= 2.3.1, tdb >= 1.4.3, tevent >= 0.10.2 and ldb >= 2.1.3 - Upstream fixes: + pygpo: use correct method flags (Closes: #963242, #961585, #960171, #956428) + CVE-2020-10700: A use-after-free flaw was found in the way samba AD DC LDAP servers, handled 'Paged Results' control is combined with the 'ASQ' control. A malicious user in a samba AD could use this flaw to cause denial of service (Closes: #960189) + CVE-2020-10704: A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability (Closes: #960188) - intel aes-ni no more needed as GnuTLS is used - Install new files - Update symbols - Update samba-libs.lintian-overrides * d/control: Remove unused libattr1-dev Build-Depends (Closes: #953915) -- Mathieu Parent <sathieu@debian.org> Wed, 24 Jun 2020 23:12:11 +0200 samba (2:4.11.5+dfsg-1) unstable; urgency=medium * New upstream security release - CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic. - CVE-2019-14907: Crash after failed character conversion at log level 3 or above. - CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC. - Bump build-depends ldb >= 2.0.8 -- Mathieu Parent <sathieu@debian.org> Tue, 28 Jan 2020 07:19:46 +0100 samba (2:4.11.3+dfsg-1) unstable; urgency=high * New upstream security release - Drop merged patches for previous security fixes - CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name. - CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. * d/control: drop python3-matplotlib * d/control: Fix stronger-dependency-implies-weaker (samba depends -> recommends python3-dnspython) -- Mathieu Parent <sathieu@debian.org> Mon, 16 Dec 2019 09:47:45 +0100 samba (2:4.11.1+dfsg-3) unstable; urgency=medium * Add some python dependencies: - python3-matplotlib : samba-tool visualize - python3-markdown : samba-tool domain schemaupgrade - python3-dnspython : samba-tool dns * Only build with default python3 (Closes: #943635) -- Mathieu Parent <sathieu@debian.org> Sun, 17 Nov 2019 14:48:02 +0100 samba (2:4.11.1+dfsg-2) unstable; urgency=high * New upstream security release - CVE-2019-10218: Malicious servers can cause Samba client code to return filenames containing path separators to calling code. - CVE-2019-14833: When the password contains multi-byte (non-ASCII) characters, the check password script does not receive the full password string. -- Mathieu Parent <sathieu@debian.org> Fri, 18 Oct 2019 20:26:45 +0200 samba (2:4.11.1+dfsg-1) unstable; urgency=medium * New upstream release -- Mathieu Parent <sathieu@debian.org> Fri, 18 Oct 2019 19:00:46 +0200 samba (2:4.11.0+dfsg-11) unstable; urgency=medium * Stop building with spotlight support which pulls glib (Closes: #941654) * Force quota support (Closes: #941899) * Standards-Version: 4.4.1, no change -- Mathieu Parent <sathieu@debian.org> Mon, 14 Oct 2019 12:16:04 +0200 samba (2:4.11.0+dfsg-10) unstable; urgency=medium * Add libwbclient-dev to samba-dev depends as samba-util was moved there (Closes: #941750) -- Mathieu Parent <sathieu@debian.org> Sat, 05 Oct 2019 15:57:07 +0200 samba (2:4.11.0+dfsg-9) unstable; urgency=medium * Remove versioned depends on libtdb-dev (>= 2) and add libldb-dev (>= 2:2) -- Mathieu Parent <sathieu@debian.org> Thu, 03 Oct 2019 19:08:17 +0200 samba (2:4.11.0+dfsg-8) unstable; urgency=medium * d/gbp.conf: sign-tags = True * Do not check smb.conf with testparm when server role=active directory domain controller (Closes: #931734) * Force one job during configure step with -j 1 (Closes: #941467). Not setting -j leads to default which is number of cpus -- Mathieu Parent <sathieu@debian.org> Thu, 03 Oct 2019 07:52:39 +0200 samba (2:4.11.0+dfsg-7) unstable; urgency=medium * Always evaluate WAF_NO_PARALLEL to ensure correct value (Closes: #941467) * This version is built with talloc from sid (Closes: #940963) -- Mathieu Parent <sathieu@debian.org> Wed, 02 Oct 2019 20:45:24 +0200 samba (2:4.11.0+dfsg-6) unstable; urgency=medium * Do not run waf configure in parallel. Fix FTBFS on arm (Closes: #941467) -- Mathieu Parent <sathieu@debian.org> Tue, 01 Oct 2019 22:35:36 +0200 samba (2:4.11.0+dfsg-5) experimental; urgency=medium * d/gitlabracadabra.yml: only_allow_merge_if_pipeline_succeeds: false * Remove patches: - "build: Remove tests for _readdir() and __readdir()" - "build: Remove tests for rdchk()" - "build: Remove tests for _pwrite() and __pwrite()" * Add patches by Ralph Boehme: - "wscript: remove all checks for _FUNC and __FUNC" - "wscript: split function check to one per line and sort alphabetically" -- Mathieu Parent <sathieu@debian.org> Mon, 30 Sep 2019 13:37:50 +0200 samba (2:4.11.0+dfsg-4) experimental; urgency=medium * Use the same arches for librados-dev than libcephfs-dev (Fix missing build-depends on alpha and sh4) * Split vfsmods:Recommends substvar into {vfsceph,vfsglusterfs,vfssnapper}:Recommends to make the code more readable and fix FTBFS on linux platforms without ceph (hppa and sparc64, and also alpha and sh4) * Add patch for "build: Remove tests for _readdir() and _readdir()", to hopefully fix FTBFS on armel -- Mathieu Parent <sathieu@debian.org> Sun, 29 Sep 2019 09:29:03 +0200 samba (2:4.11.0+dfsg-3) experimental; urgency=medium * Try to fix FTBFS on armel (armhf is fixed): - Add patch for build: Remove tests for rdchk() -- Mathieu Parent <sathieu@debian.org> Sat, 28 Sep 2019 22:17:04 +0200 samba (2:4.11.0+dfsg-2) experimental; urgency=medium * d/gitlabracadabra.yml: Add samba-team/libsmb2 * Try to fix FTBFS on armel and armhf: - Add patch for build: Remove tests for _pwrite() and __pwrite() -- Mathieu Parent <sathieu@debian.org> Sat, 28 Sep 2019 11:47:56 +0200 samba (2:4.11.0+dfsg-1) experimental; urgency=medium [ Mathieu Parent ] * Upload to experimental * New upstream major release - Update d/gbp.conf, d/watch and d/README.source for 4.11 - Import upstream release - Update fix-nfs-service-name-to-nfs-kernel-server.patch - Bump build-depends talloc >= 2.2.0, tdb >= 1.4.2, tevent >= 0.10.0 and ldb >= 2:2.0.7 - libsamba-passdb.so bumped to 0.28.0 - libnon-posix-acls is now a subsystem - Drop libparse-pidl-perl package (Closes: #939419) - Add new files to d/*.install - Move libsamba-util.so.* to libwbclient0, to avoid circular dependencies - Move libsamba-util deps to libwbclient0 * Add build-Remove-tests-for-getdents-and-getdirentries.patch, to fix FTBFS on armel and armhf * salsa-ci: Build on experimental [ John Paul Adrian Glaubitz ] * Disable cephfs support on architectures where it's not stable (Closes: #940697) [ Louis van Belle ] * d/control, d/samba.install: added libtasn1-bin, libtasn1-6-dev to build dumpmscat * d/control, d/rules: Enable spotlight (TimeMachine) * d/control: Bump libtdb-dev (>= 2) in samba-dev deps * Update libwbclient0.symbols * d/rules: adjust LDB_DEPENDS -- Mathieu Parent <sathieu@debian.org> Thu, 26 Sep 2019 09:37:51 +0200 samba (2:4.10.8+dfsg-1) unstable; urgency=medium * Upload to unstable * New upstream release: - CVE-2019-10197: Combination of parameters and permissions can allow user to escape from the share path definition -- Mathieu Parent <sathieu@debian.org> Tue, 10 Sep 2019 18:46:54 +0200 samba (2:4.10.7+dfsg-1) experimental; urgency=medium [ Mathieu Parent ] * New upstream release - Update patches - Drop nsswitch-Add-try_authtok-option-to-pam_winbind.patch, merged - libsamba-passdb.so bumped to 0.27.2 - Update symbols - Update installed files * samba-libs: Fix Breaks+Replaces: libndr-standard0 (<< 2:4.0.9) (Closes: #910242) * Add missing Breaks+Replace found by piuparts (Closes: #929217) * Enable vfs_nfs4acl_xattr (Closes: #930540) * ctdb: - enable ceph and etcd recovery lock - Downgrade ctdb_mutex_ceph_rados_helper shlibdeps to recommends * Add gitlabracadabra.yml * Update salsa-ci.yml [ Rafael David Tinoco ] * debian/rules: Make DEB_HOST_ARCH_CPU initialized through dpkg-architecture (Closes: #931138) * CTDB NFS fixes from Ubuntu (Closes: #929931, LP: #722201): - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: change nfs service name from nfs to nfs-kernel-server - ctdb-config: depend on /etc/ctdb/nodes file - d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d to allow pid file to exist - added /var/lib/ctdb/* directories - d/ctdb.postrm: remove leftovers from /var/lib/ctdb/* - Add examples of NFS HA CTDB config files + helper script [ Mathieu Parent ] * Update d/gbp.conf, d/watch and d/README.source for 4.10 * Drop ctdb-config-depend-on-etc-default-nodes-file.patch, merged upstream * Bump build-depends talloc >= 2.1.16, tdb >= 1.3.18, tevent >= 0.9.39 and ldb >= 2:1.5.5 * Bump libcmocka-dev builddep to 1.1.3 * d/rules: Remove 1.5.1+really prefix from LDB_DEPENDS * d/copyright: - s/GPL-3+/GPL-3.0+/ and s/LGPL-3+/LGPL-3.0+/ - Move License details to end of file - Add waf licences - Add lib/replace licences - Update lib/{ldb,talloc,tdb} licences * Move to Python3 (from Ubuntu) * Bump debhelper from old 11 to 12. * Standards-Version: 4.4.0 * Replace all reference of /var/run to /run (Closes: #934540) * Replace python shbang by python3 in d/*.py -- Mathieu Parent <sathieu@debian.org> Thu, 29 Aug 2019 14:32:52 +0200 # Older entries have been removed from this changelog. # To read the complete changelog use `apt changelog libwbclient0`.
Generated by dwww version 1.15 on Sat May 18 06:53:35 CEST 2024.