From c22a3fd701afc46440b7c126e3f3a3b63f723afe Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 28 2022 07:53:41 +0000 Subject: import samba-4.10.16-19.el7_9 --- diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch index e7a075d..6528a01 100644 --- a/SOURCES/samba-4.10-redhat.patch +++ b/SOURCES/samba-4.10-redhat.patch @@ -1,7 +1,7 @@ From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 01/97] s3-rpcserver: fix security level check for +Subject: [PATCH 001/100] s3-rpcserver: fix security level check for DsRGetForestTrustInformation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644 } -- -2.34.1 +2.36.0 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 16:50:45 +0200 -Subject: [PATCH 02/97] Add a test to check dNSHostName with netbios aliases +Subject: [PATCH 002/100] Add a test to check dNSHostName with netbios aliases BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755 # Test createcomputer option of 'net ads join' # -- -2.34.1 +2.36.0 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:52:46 +0200 -Subject: [PATCH 03/97] Fix accidental overwrite of dnsHostName by the last +Subject: [PATCH 003/100] Fix accidental overwrite of dnsHostName by the last netbios alias BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); goto done; -- -2.34.1 +2.36.0 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 24 Oct 2019 19:04:51 +0300 -Subject: [PATCH 04/97] Refactor ads_keytab_add_entry() to make it iterable +Subject: [PATCH 004/100] Refactor ads_keytab_add_entry() to make it iterable so we can more easily add msDS-AdditionalDnsHostName entries. @@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644 out: SAFE_FREE(salt_princ_s); -- -2.34.1 +2.36.0 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 17:55:12 +0200 -Subject: [PATCH 05/97] Add a test for msDS-AdditionalDnsHostName entries in +Subject: [PATCH 005/100] Add a test for msDS-AdditionalDnsHostName entries in keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- -2.34.1 +2.36.0 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:36:28 +0200 -Subject: [PATCH 06/97] Add msDS-AdditionalDnsHostName entries to the keytab +Subject: [PATCH 006/100] Add msDS-AdditionalDnsHostName entries to the keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644 { LDAPMessage *res = NULL; -- -2.34.1 +2.36.0 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:54:12 +0200 -Subject: [PATCH 07/97] Add net-ads-join dnshostname=fqdn option +Subject: [PATCH 007/100] Add net-ads-join dnshostname=fqdn option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755 exit $failed -- -2.34.1 +2.36.0 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:04:57 +0200 -Subject: [PATCH 08/97] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 008/100] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() It's good to have just a single isolated function that will generate @@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -- -2.34.1 +2.36.0 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:07:30 +0200 -Subject: [PATCH 09/97] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of +Subject: [PATCH 009/100] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge() This will avoid getting flakey tests once our server starts to @@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), "ServerReqChallenge"); -- -2.34.1 +2.36.0 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:08:38 +0200 -Subject: [PATCH 10/97] CVE-2020-1472(ZeroLogon): libcli/auth: make use of +Subject: [PATCH 010/100] CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c This will avoid getting rejected by the server if we generate @@ -1041,14 +1041,14 @@ index 817d2cd041a..0f6ca11ff96 100644 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, state->binding_handle, -- -2.34.1 +2.36.0 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 11/97] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make - use of netlogon_creds_random_challenge() +Subject: [PATCH 011/100] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: + make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1074,14 +1074,14 @@ index 87613b99fde..86b2f343e82 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.34.1 +2.36.0 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 12/97] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make - use of netlogon_creds_random_challenge() +Subject: [PATCH 012/100] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: + make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.34.1 +2.36.0 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:15:26 +0200 -Subject: [PATCH 13/97] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 013/100] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values This is the check Windows is using, so we won't generate challenges, @@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -- -2.34.1 +2.36.0 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:17:29 +0200 -Subject: [PATCH 14/97] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak +Subject: [PATCH 014/100] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: @@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644 ) -- -2.34.1 +2.36.0 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 19:20:25 +0200 -Subject: [PATCH 15/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 015/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644 ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, -- -2.34.1 +2.36.0 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Sep 2020 12:53:50 -0700 -Subject: [PATCH 16/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 016/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644 p->session_info, p->msg_ctx, -- -2.34.1 +2.36.0 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:18:45 +0200 -Subject: [PATCH 17/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 017/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() We should debug more details about the failing request. @@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644 /* -- -2.34.1 +2.36.0 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:56:53 +0200 -Subject: [PATCH 18/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 018/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" This allows to add expections for individual workstations, when using "server schannel = yes". @@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.34.1 +2.36.0 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 13:37:26 +0200 -Subject: [PATCH 19/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log +Subject: [PATCH 019/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644 return NT_STATUS_OK; } -- -2.34.1 +2.36.0 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:57:22 +0200 -Subject: [PATCH 20/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 020/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644 -- -2.34.1 +2.36.0 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:23:16 +0200 -Subject: [PATCH 21/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 021/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.34.1 +2.36.0 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:42:52 +0200 -Subject: [PATCH 22/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log +Subject: [PATCH 022/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644 return NT_STATUS_OK; } -- -2.34.1 +2.36.0 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 17:27:54 +0200 -Subject: [PATCH 23/97] CVE-2020-1472(ZeroLogon): docs-xml: document 'server +Subject: [PATCH 023/100] CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644 + -- -2.34.1 +2.36.0 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 12:39:54 +1200 -Subject: [PATCH 24/97] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty +Subject: [PATCH 024/100] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd Ensure that an empty machine account password can't be set by @@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644 /* now try a random password */ password = generate_random_password(tctx, 8, 255); -- -2.34.1 +2.36.0 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 15:57:34 +1200 -Subject: [PATCH 25/97] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated +Subject: [PATCH 025/100] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge Ensure that client challenges with the first 5 bytes identical are @@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644 } -- -2.34.1 +2.36.0 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 10 Jul 2020 15:09:33 -0700 -Subject: [PATCH 26/97] s4: torture: Add smb2.notify.handle-permissions test. +Subject: [PATCH 026/100] s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. @@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644 suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); -- -2.34.1 +2.36.0 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Jul 2020 18:25:23 -0700 -Subject: [PATCH 27/97] s3: smbd: Ensure change notifies can't get set unless +Subject: [PATCH 027/100] s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. @@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644 DEBUG(1, ("change_notify_create: fsp->notify != NULL, " "fname = %s\n", fsp->fsp_name->base_name)); -- -2.34.1 +2.36.0 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:49:25 +0200 -Subject: [PATCH 28/97] CVE-2020-14323 winbind: Fix invalid lookupsids DoS +Subject: [PATCH 028/100] CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. @@ -2829,14 +2829,14 @@ index d28b5fa9f01..a289fd86f0f 100644 } if (request->extra_data.data[request->extra_len-1] != '\0') { -- -2.34.1 +2.36.0 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:48:57 +0200 -Subject: [PATCH 29/97] CVE-2020-14323 torture4: Add a simple test for invalid - lookup_sids winbind call +Subject: [PATCH 029/100] CVE-2020-14323 torture4: Add a simple test for + invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix remove the knownfail entry again. As this crashes winbind, many tests after @@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644 suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); -- -2.34.1 +2.36.0 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001 From: Laurent Menase Date: Wed, 20 May 2020 12:31:53 +0200 -Subject: [PATCH 30/97] winbind: Fix a memleak +Subject: [PATCH 030/100] winbind: Fix a memleak Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388 Signed-off-by: Laurent Menase @@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644 } -- -2.34.1 +2.36.0 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 13:39:58 +0200 -Subject: [PATCH 31/97] s3:tests: Add test for 'valid users = DOMAIN\%U' +Subject: [PATCH 031/100] s3:tests: Add test for 'valid users = DOMAIN\%U' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467 @@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755 + exit $failed -- -2.34.1 +2.36.0 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 14:12:48 +0200 -Subject: [PATCH 32/97] s3:smbd: Fix %U substitutions if it contains a domain +Subject: [PATCH 032/100] s3:smbd: Fix %U substitutions if it contains a domain name 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer @@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644 if (sharename != NULL) { name = talloc_string_sub(mem_ctx, name, "%S", sharename); -- -2.34.1 +2.36.0 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 Jul 2020 11:48:26 +0200 -Subject: [PATCH 33/97] docs: Fix documentation for require_membership_of of +Subject: [PATCH 033/100] docs: Fix documentation for require_membership_of of pam_winbind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644 -- -2.34.1 +2.36.0 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 17 Jul 2020 12:14:16 +0200 -Subject: [PATCH 34/97] docs: Fix documentation for require_membership_of of +Subject: [PATCH 034/100] docs: Fix documentation for require_membership_of of pam_winbind.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644 This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login). -- -2.34.1 +2.36.0 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 21:05:07 +0300 -Subject: [PATCH 35/97] Fix a typo in recent net man page changes +Subject: [PATCH 035/100] Fix a typo in recent net man page changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644 -- -2.34.1 +2.36.0 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 16 Jun 2020 22:01:49 +0300 -Subject: [PATCH 36/97] selftest: add tests for binary +Subject: [PATCH 036/100] selftest: add tests for binary msDS-AdditionalDnsHostName Like the short names added implicitly by Windows DC. @@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755 rm -f $dedicated_keytab_file -- -2.34.1 +2.36.0 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 16:51:27 +0300 -Subject: [PATCH 37/97] Properly handle msDS-AdditionalDnsHostName returned +Subject: [PATCH 037/100] Properly handle msDS-AdditionalDnsHostName returned from Windows DC Windows DC adds short names for each specified msDS-AdditionalDnsHostName @@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644 DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", machine_name)); -- -2.34.1 +2.36.0 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 20 Jun 2020 17:17:33 +0200 -Subject: [PATCH 38/97] Fix usage of ldap_get_values_len for +Subject: [PATCH 038/100] Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644 return NULL; } -- -2.34.1 +2.36.0 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 15 Dec 2020 15:17:04 +0100 -Subject: [PATCH 39/97] HACK:s3:winbind: Rely on the domain child for online +Subject: [PATCH 039/100] HACK:s3:winbind: Rely on the domain child for online check --- @@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644 /* Handle online/offline messages. */ -- -2.34.1 +2.36.0 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 Sep 2020 16:00:52 +0200 -Subject: [PATCH 40/97] s3:smbd: Use fsp al the talloc memory context +Subject: [PATCH 040/100] s3:smbd: Use fsp al the talloc memory context Somehow the lck pointer gets freed before we call TALLOC_FREE(). @@ -3466,13 +3466,14 @@ index de557f53a20..9a24e331ab1 100644 &mtimespec); -- -2.34.1 +2.36.0 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 12:58:31 +0100 -Subject: [PATCH 41/97] Revert "s3:smbd: Use fsp al the talloc memory context" +Subject: [PATCH 041/100] Revert "s3:smbd: Use fsp al the talloc memory + context" This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49. --- @@ -3493,13 +3494,13 @@ index 9a24e331ab1..de557f53a20 100644 &mtimespec); -- -2.34.1 +2.36.0 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 22 Jul 2020 22:42:09 -0700 -Subject: [PATCH 42/97] nsswitch/nsstest.c: Avoid nss function conflicts with +Subject: [PATCH 042/100] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h glibc 2.32 will define these varibles [1] which results in conflicts @@ -3596,13 +3597,13 @@ index 6d92806cffc..46f96795f39 100644 static void nss_test_errors(void) -- -2.34.1 +2.36.0 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:30:08 +0100 -Subject: [PATCH 43/97] lib:util: Add basic memcache unit test +Subject: [PATCH 043/100] lib:util: Add basic memcache unit test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3772,13 +3773,13 @@ index e7639c4da27..e3f7d9acb4a 100644 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) plantestsuite("samba.unittests.test_registry_regfio", "none", -- -2.34.1 +2.36.0 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:37:12 +0100 -Subject: [PATCH 44/97] lib:util: Add cache oversize test for memcache +Subject: [PATCH 044/100] lib:util: Add cache oversize test for memcache BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3856,13 +3857,13 @@ index 00000000000..0a74ace3003 @@ -0,0 +1 @@ +^samba.unittests.memcache.torture_memcache_add_oversize -- -2.34.1 +2.36.0 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 2 Feb 2021 18:10:38 +0100 -Subject: [PATCH 45/97] lib:util: Avoid free'ing our own pointer +Subject: [PATCH 045/100] lib:util: Avoid free'ing our own pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3932,14 +3933,14 @@ index 0a74ace3003..00000000000 @@ -1 +0,0 @@ -^samba.unittests.memcache.torture_memcache_add_oversize -- -2.34.1 +2.36.0 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Nov 2020 15:48:08 -0800 -Subject: [PATCH 46/97] s3: spoolss: Make parameters in call to user_ok_token() - match all other uses. +Subject: [PATCH 046/100] s3: spoolss: Make parameters in call to + user_ok_token() match all other uses. We already have p->session_info->unix_info->unix_name, we don't need to go through a legacy call to uidtoname(p->session_info->unix_token->uid). @@ -3972,13 +3973,13 @@ index f32b465afb6..c0f1803c2fa 100644 !W_ERROR_IS_OK(print_access_check(p->session_info, p->msg_ctx, -- -2.34.1 +2.36.0 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 11 Nov 2020 13:42:06 +0100 -Subject: [PATCH 47/97] s3:smbd: Fix possible null pointer dereference in +Subject: [PATCH 047/100] s3:smbd: Fix possible null pointer dereference in token_contains_name() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572 @@ -4008,13 +4009,13 @@ index 0705e197975..64276c79fbe 100644 /* Check if username starts with domain name */ if (domain_len > 0) { -- -2.34.1 +2.36.0 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 20 Feb 2021 15:50:12 +0100 -Subject: [PATCH 48/97] passdb: Simplify sids_to_unixids() +Subject: [PATCH 048/100] passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. @@ -4238,13 +4239,13 @@ index 1bb15ccb8b4..186ba17fda6 100644 } break; -- -2.34.1 +2.36.0 From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Nov 2016 09:12:59 +0100 -Subject: [PATCH 49/97] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to +Subject: [PATCH 049/100] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos @@ -4300,14 +4301,14 @@ index 6ee4929e8d7..a0a1f4baa56 100644 } else { struct tevent_req *subreq = NULL; -- -2.34.1 +2.36.0 From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Oct 2016 10:40:28 +0200 -Subject: [PATCH 50/97] CVE-2016-2124: s3:libsmb: don't fallback to non spnego - authentication if we require kerberos +Subject: [PATCH 050/100] CVE-2016-2124: s3:libsmb: don't fallback to non + spnego authentication if we require kerberos We should not send NTLM[v2] nor plaintext data on the wire if the user asked for kerberos only. @@ -4338,13 +4339,13 @@ index 9bba2665663..9a69d4b7217 100644 /* * SessionSetupAndX was introduced by LANMAN 1.0. So we skip -- -2.34.1 +2.36.0 From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 18 Jan 2020 08:06:45 +0100 -Subject: [PATCH 51/97] s3/auth: use set_current_user_info() in +Subject: [PATCH 051/100] s3/auth: use set_current_user_info() in auth3_generate_session_info_pac() This delays reloading config slightly, but I don't see how could affect @@ -4394,13 +4395,13 @@ index 167d4e00367..0e9c423efef 100644 ntuser, ntdomain, rhost)); -- -2.34.1 +2.36.0 From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Thu, 4 Nov 2021 11:51:08 +0100 -Subject: [PATCH 52/97] selftest: Fix ktest usermap file +Subject: [PATCH 052/100] selftest: Fix ktest usermap file The user was not mapped: @@ -4429,14 +4430,14 @@ index 9e4da0e6a08..2eb5003112e 100755 close(USERMAP); -- -2.34.1 +2.36.0 From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 16:42:00 +0200 -Subject: [PATCH 53/97] selftest/Samba3: replace (winbindd => "yes", skip_wait - => 1) with (winbindd => "offline") +Subject: [PATCH 053/100] selftest/Samba3: replace (winbindd => "yes", + skip_wait => 1) with (winbindd => "offline") This is much more flexible and concentrates the logic in a single place. @@ -4489,13 +4490,13 @@ index 2eb5003112e..bbbefea44b7 100755 do { if ($ret != 0) { -- -2.34.1 +2.36.0 From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Oct 2021 16:20:36 +0200 -Subject: [PATCH 54/97] CVE-2020-25719 CVE-2020-25717: selftest: remove +Subject: [PATCH 054/100] CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -4534,13 +4535,13 @@ index a7a6c4c9587..0f644661176 100755 log level = $ctx->{server_loglevel} lanman auth = Yes -- -2.34.1 +2.36.0 From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 55/97] CVE-2020-25717: s3:winbindd: make sure we default to +Subject: [PATCH 055/100] CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4708,13 +4709,13 @@ index 3245c70bb8e..315eb366a52 100644 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); -- -2.34.1 +2.36.0 From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 56/97] CVE-2020-25717: s4:auth/ntlm: make sure +Subject: [PATCH 056/100] CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4744,14 +4745,14 @@ index 3a3fa7eaa59..f754bd5cd44 100644 ev, auth_ctx, -- -2.34.1 +2.36.0 From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 57/97] CVE-2020-25717: s4:torture: start with authoritative = - 1 +Subject: [PATCH 057/100] CVE-2020-25717: s4:torture: start with authoritative + = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -4800,14 +4801,14 @@ index c237c82bbe7..72d0bf28fdd 100644 DATA_BLOB names_blob, chal, lm_resp, nt_resp; int i; -- -2.34.1 +2.36.0 From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 58/97] CVE-2020-25717: s4:smb_server: start with authoritative - = 1 +Subject: [PATCH 058/100] CVE-2020-25717: s4:smb_server: start with + authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -4842,13 +4843,13 @@ index 13f13934412..5e817eecd4b 100644 NTSTATUS status; -- -2.34.1 +2.36.0 From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 59/97] CVE-2020-25717: s4:auth_simple: start with +Subject: [PATCH 059/100] CVE-2020-25717: s4:auth_simple: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4875,14 +4876,14 @@ index fcd9050979d..da8f094a838 100644 NTSTATUS nt_status; -- -2.34.1 +2.36.0 From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 60/97] CVE-2020-25717: s3:ntlm_auth: start with authoritative - = 1 +Subject: [PATCH 060/100] CVE-2020-25717: s3:ntlm_auth: start with + authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -4967,14 +4968,14 @@ index 41591a8de33..fc0fc19bacb 100644 uchar lm_key[16]; static const uchar zeros[8] = { 0, }; -- -2.34.1 +2.36.0 From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 61/97] CVE-2020-25717: s3:torture: start with authoritative = - 1 +Subject: [PATCH 061/100] CVE-2020-25717: s3:torture: start with authoritative + = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5004,14 +5005,14 @@ index 64bc45e6a7c..48190e78bf8 100644 SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, local_nt_response); -- -2.34.1 +2.36.0 From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 62/97] CVE-2020-25717: s3:rpcclient: start with authoritative - = 1 +Subject: [PATCH 062/100] CVE-2020-25717: s3:rpcclient: start with + authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5037,13 +5038,13 @@ index 631740562c6..30fa1ed7816 100644 uint16_t validation_level; union netr_Validation *validation = NULL; -- -2.34.1 +2.36.0 From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 63/97] CVE-2020-25717: s3:auth: start with authoritative = 1 +Subject: [PATCH 063/100] CVE-2020-25717: s3:auth: start with authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5087,14 +5088,14 @@ index a71c75631d7..bf7ccb4348c 100644 nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); if (!NT_STATUS_IS_OK(nt_status)) { -- -2.34.1 +2.36.0 From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 64/97] CVE-2020-25717: auth/ntlmssp: start with authoritative - = 1 +Subject: [PATCH 064/100] CVE-2020-25717: auth/ntlmssp: start with + authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5120,14 +5121,14 @@ index 140e89daeb1..eebada670be 100644 status = auth_context->check_ntlm_password_recv(subreq, -- -2.34.1 +2.36.0 From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:43:40 +0200 -Subject: [PATCH 65/97] CVE-2020-25717: loadparm: Add new parameter "min domain - uid" +Subject: [PATCH 065/100] CVE-2020-25717: loadparm: Add new parameter "min + domain uid" BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 @@ -5219,13 +5220,13 @@ index 0db44e92d19..57d1d909099 100644 apply_lp_set_cmdline(); } -- -2.34.1 +2.36.0 From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 19:57:18 +0200 -Subject: [PATCH 66/97] CVE-2020-25717: s3:auth: let +Subject: [PATCH 066/100] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors Mapping everything to ACCESS_DENIED makes it hard to debug problems, @@ -5253,13 +5254,13 @@ index 4ef2270cb34..26a38f92b30 100644 } -- -2.34.1 +2.36.0 From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:45:11 +0200 -Subject: [PATCH 67/97] CVE-2020-25717: s3:auth: Check minimum domain uid +Subject: [PATCH 067/100] CVE-2020-25717: s3:auth: Check minimum domain uid BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 @@ -5300,13 +5301,13 @@ index 8ff20c33759..8801d3f0f0b 100644 result = make_server_info(tmp_ctx); -- -2.34.1 +2.36.0 From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:40:30 +0200 -Subject: [PATCH 68/97] CVE-2020-25717: s3:auth: we should not try to +Subject: [PATCH 068/100] CVE-2020-25717: s3:auth: we should not try to autocreate the guest account We should avoid autocreation of users as much as possible. @@ -5333,14 +5334,14 @@ index 8998f9c8f8a..074e8c7eb71 100644 /* extra sanity check that the guest account is valid */ -- -2.34.1 +2.36.0 From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:08:20 +0200 -Subject: [PATCH 69/97] CVE-2020-25717: s3:auth: no longer let check_account() - autocreate local users +Subject: [PATCH 069/100] CVE-2020-25717: s3:auth: no longer let + check_account() autocreate local users So far we autocreated local user accounts based on just the account_name (just ignoring any domain part). @@ -5372,13 +5373,13 @@ index 8801d3f0f0b..6ee500493e6 100644 DEBUG(3, ("Failed to find authenticated user %s via " "getpwnam(), denying access.\n", dom_user)); -- -2.34.1 +2.36.0 From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 8 Oct 2021 12:33:16 +0200 -Subject: [PATCH 70/97] CVE-2020-25717: s3:auth: remove fallbacks in +Subject: [PATCH 070/100] CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() So far we tried getpwnam("DOMAIN\account") first and @@ -5516,13 +5517,13 @@ index 6ee500493e6..161e05c2106 100644 /* Create local user if requested but only if winbindd -- -2.34.1 +2.36.0 From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 18:03:55 +0200 -Subject: [PATCH 71/97] CVE-2020-25717: s3:auth: don't let create_local_token +Subject: [PATCH 071/100] CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() We always require a running winbindd on a domain member, so @@ -5561,13 +5562,13 @@ index 161e05c2106..c0e5cfd7fa8 100644 status = create_token_from_username(session_info, server_info->unix_name, -- -2.34.1 +2.36.0 From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 11 Nov 2020 18:50:45 +0200 -Subject: [PATCH 72/97] CVE-2020-25717: Add FreeIPA domain controller role +Subject: [PATCH 072/100] CVE-2020-25717: Add FreeIPA domain controller role As we want to reduce use of 'classic domain controller' role but FreeIPA relies on it internally, add a separate role to mark FreeIPA domain @@ -5974,13 +5975,13 @@ index 51fed4da62b..1f09b721408 100644 return NT_STATUS_INTERNAL_ERROR; case ROLE_DOMAIN_MEMBER: -- -2.34.1 +2.36.0 From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:11:57 +0200 -Subject: [PATCH 73/97] CVE-2020-25717: auth/gensec: always require a PAC in +Subject: [PATCH 073/100] CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set @@ -6044,13 +6045,13 @@ index e185acc0c20..694661b53b5 100644 DBG_NOTICE("Unable to find PAC for %s, resorting to local " "user lookup\n", principal_string); -- -2.34.1 +2.36.0 From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 11 Oct 2021 23:17:19 +0200 -Subject: [PATCH 74/97] CVE-2020-25717: s4:auth: remove unused +Subject: [PATCH 074/100] CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() We'll require a PAC at the main gensec layer already. @@ -6188,13 +6189,13 @@ index fb88cb87f66..a8c7d8b4b85 100644 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); -- -2.34.1 +2.36.0 From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:27:28 +0200 -Subject: [PATCH 75/97] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in +Subject: [PATCH 075/100] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -6262,13 +6263,13 @@ index 3f70732a837..fefdd32bf11 100644 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); } -- -2.34.1 +2.36.0 From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:44:01 +0200 -Subject: [PATCH 76/97] CVE-2020-25717: s3:ntlm_auth: let +Subject: [PATCH 076/100] CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only @@ -6404,13 +6405,13 @@ index fefdd32bf11..ff2fd30a9ae 100644 if (!unixuser) { status = NT_STATUS_NO_MEMORY; -- -2.34.1 +2.36.0 From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 19:42:20 +0200 -Subject: [PATCH 77/97] CVE-2020-25717: s3:auth: let +Subject: [PATCH 077/100] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() @@ -6725,13 +6726,13 @@ index 26a38f92b30..3099e8f9057 100644 status = NT_STATUS_OK; -- -2.34.1 +2.36.0 From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 17:14:01 +0200 -Subject: [PATCH 78/97] CVE-2020-25717: selftest: configure 'ktest' env with +Subject: [PATCH 078/100] CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid The 'ktest' environment was/is designed to test kerberos in an active @@ -6776,13 +6777,13 @@ index bbbefea44b7..7034127ef0b 100755 } return $ret; -- -2.34.1 +2.36.0 From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:12:49 +0200 -Subject: [PATCH 79/97] CVE-2020-25717: s3:auth: let +Subject: [PATCH 079/100] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode We should be strict in standalone mode, that we only support MIT realms @@ -6861,13 +6862,13 @@ index 3099e8f9057..23f746c078e 100644 if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", -- -2.34.1 +2.36.0 From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:59:59 +0200 -Subject: [PATCH 80/97] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 080/100] CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument This code is only every called in standalone mode on a MIT realm, @@ -7011,13 +7012,13 @@ index 074e8c7eb71..7b69ca6c222 100644 bool *mapped_to_guest, char **ntuser, -- -2.34.1 +2.36.0 From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:03:04 +0200 -Subject: [PATCH 81/97] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 081/100] CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments This is only ever be called in standalone mode with an MIT realm, @@ -7114,13 +7115,13 @@ index 7b69ca6c222..b8f37cbeee0 100644 { return NT_STATUS_NOT_IMPLEMENTED; -- -2.34.1 +2.36.0 From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:39:19 +1200 -Subject: [PATCH 82/97] krb5pac.idl: Add ticket checksum PAC buffer type +Subject: [PATCH 082/100] krb5pac.idl: Add ticket checksum PAC buffer type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7154,13 +7155,13 @@ index f27e7243ee4..711b7f94b6c 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.34.1 +2.36.0 From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:40:59 +1200 -Subject: [PATCH 83/97] security.idl: Add well-known SIDs for FAST +Subject: [PATCH 083/100] security.idl: Add well-known SIDs for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7186,13 +7187,13 @@ index 5930f448955..e6065a35691 100644 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ -- -2.34.1 +2.36.0 From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:15:26 +1300 -Subject: [PATCH 84/97] krb5pac.idl: Add missing buffer type values +Subject: [PATCH 084/100] krb5pac.idl: Add missing buffer type values BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7218,14 +7219,14 @@ index 711b7f94b6c..141894ec5f1 100644 } PAC_TYPE; -- -2.34.1 +2.36.0 From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:38 +1300 -Subject: [PATCH 85/97] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC - buffer type +Subject: [PATCH 085/100] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO + PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7275,13 +7276,13 @@ index 141894ec5f1..4bfec2de5e6 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.34.1 +2.36.0 From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:49 +1300 -Subject: [PATCH 86/97] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC +Subject: [PATCH 086/100] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7326,13 +7327,13 @@ index 4bfec2de5e6..f750359a069 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.34.1 +2.36.0 From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 27 Sep 2021 11:20:19 +1300 -Subject: [PATCH 87/97] CVE-2020-25721 krb5pac: Add new buffers for +Subject: [PATCH 087/100] CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set. @@ -7413,13 +7414,13 @@ index a9ae2c4a789..57b28df9e52 100644 NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); -- -2.34.1 +2.36.0 From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 12 Nov 2021 19:06:01 +0200 -Subject: [PATCH 88/97] IPA DC: add missing checks +Subject: [PATCH 088/100] IPA DC: add missing checks When introducing FreeIPA support, two places were forgotten: @@ -7465,14 +7466,14 @@ index 57bfc596005..3f77856457e 100644 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); if (!sid) { -- -2.34.1 +2.36.0 From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Nov 2021 15:27:58 +0100 -Subject: [PATCH 89/97] CVE-2020-25717: idmap_nss: verify that the name of the - sid belongs to the configured domain +Subject: [PATCH 089/100] CVE-2020-25717: idmap_nss: verify that the name of + the sid belongs to the configured domain We already check the sid belongs to the domain, but checking the name too feels better and make it easier to understand. @@ -7557,14 +7558,14 @@ index 3fe98cbc729..243b67ccafd 100644 } return NT_STATUS_OK; -- -2.34.1 +2.36.0 From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 12 Nov 2021 20:53:30 +1300 -Subject: [PATCH 90/97] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent - uid' to make room for new accounts +Subject: [PATCH 090/100] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non + existent uid' to make room for new accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 @@ -7590,13 +7591,13 @@ index 46f96795f39..8ce7493d1b6 100644 total_errors++; printf("ERROR Non existent uid gave error %d\n", last_error); -- -2.34.1 +2.36.0 From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 12 Nov 2021 16:10:31 +1300 -Subject: [PATCH 91/97] CVE-2020-25717: s3:auth: Fallback to a SID/UID based +Subject: [PATCH 091/100] CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -7706,13 +7707,13 @@ index c0e5cfd7fa8..b463059f259 100644 &pwd, &username_was_mapped); -- -2.34.1 +2.36.0 From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 10:57:17 +0100 -Subject: [PATCH 92/97] CVE-2020-25717: s3-auth: fix MIT Realm regression +Subject: [PATCH 092/100] CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. @@ -7769,13 +7770,13 @@ index b8f37cbeee0..169bf563368 100644 if (!unixuser) { return NT_STATUS_NO_MEMORY; -- -2.34.1 +2.36.0 From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 16:48:01 +0100 -Subject: [PATCH 93/97] CVE-2021-44142: libadouble: add defines for icon +Subject: [PATCH 093/100] CVE-2021-44142: libadouble: add defines for icon lengths From https://www.ietf.org/rfc/rfc1740.txt @@ -7801,13 +7802,13 @@ index afad70ce180..3a35620bfe4 100644 #define ADEDLEN_PRIVDEV 8 #define ADEDLEN_PRIVINO 8 -- -2.34.1 +2.36.0 From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 20 Nov 2021 16:36:42 +0100 -Subject: [PATCH 94/97] CVE-2021-44142: smbd: add Netatalk xattr used by +Subject: [PATCH 094/100] CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs This is an internal xattr that should not be user visible. @@ -7850,13 +7851,13 @@ index f8d987bbe63..406087c0419 100644 }; -- -2.34.1 +2.36.0 From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 07:19:32 +0100 -Subject: [PATCH 95/97] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() +Subject: [PATCH 095/100] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC, which is used for parsing ._ AppleDouble sidecar files, and the buffer @@ -7920,13 +7921,13 @@ index 3a35620bfe4..76139e51047 100644 } -- -2.34.1 +2.36.0 From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 25 Nov 2021 15:04:03 +0100 -Subject: [PATCH 96/97] CVE-2021-44142: libadouble: add basic cmocka tests +Subject: [PATCH 096/100] CVE-2021-44142: libadouble: add basic cmocka tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8376,13 +8377,13 @@ index 26e251f442a..5230ae32934 100644 source='smbd/server.c smbd/smbd_cleanupd.c', deps=''' -- -2.34.1 +2.36.0 From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 17:03:02 +0100 -Subject: [PATCH 97/97] CVE-2021-44142: libadouble: harden parsing code +Subject: [PATCH 097/100] CVE-2021-44142: libadouble: harden parsing code BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8544,5 +8545,182 @@ index 76139e51047..17e97d15bdb 100644 } -- -2.34.1 +2.36.0 + + +From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Fri, 5 Mar 2021 15:48:29 -0700 +Subject: [PATCH 098/100] winbind: Only use unixid2sid mapping when module + reports ID_MAPPED + +Only consider a mapping to be valid when the idmap module reports +ID_MAPPED. Otherwise return the null SID. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663 + +Signed-off-by: Christof Schmitt +Reviewed-by: Volker Lendecke +(cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23) +(cherry picked from commit 3aa06edf38bc4002f031476baa50712fd1a67f4d) +--- + source3/winbindd/winbindd_dual_srv.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index 0842241e02e..94331163006 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -275,8 +275,10 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p, + } + + for (i=0; iin.num_ids; i++) { +- r->out.xids[i] = maps[i]->xid; +- sid_copy(&r->out.sids[i], maps[i]->sid); ++ if (maps[i]->status == ID_MAPPED) { ++ r->out.xids[i] = maps[i]->xid; ++ sid_copy(&r->out.sids[i], maps[i]->sid); ++ } + } + + TALLOC_FREE(maps); +-- +2.36.0 + + +From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Fri, 5 Mar 2021 16:01:13 -0700 +Subject: [PATCH 099/100] idmap_rfc2307: Do not return SID from unixids_to_sids + on type mismatch + +The call to winbind_lookup_name already wrote the result in the id_map +array. The later check for the type detected a mismatch, but that did +not remove the SID from the result struct. + +Change this by first assigning the SID to a temporary variable and only +write it to the id_map array after the type checks. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663 + +Signed-off-by: Christof Schmitt +(cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc) +(cherry picked from commit af37d5abae924d095e7b35620d850cf1f19021c4) +--- + source3/winbindd/idmap_rfc2307.c | 4 +++- + source3/winbindd/winbindd_dual_srv.c | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c +index e3bf58d8165..2fffaec6cca 100644 +--- a/source3/winbindd/idmap_rfc2307.c ++++ b/source3/winbindd/idmap_rfc2307.c +@@ -228,6 +228,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx, + + for (i = 0; i < count; i++) { + char *name; ++ struct dom_sid sid; + enum lsa_SidType lsa_type; + struct id_map *map; + uint32_t id; +@@ -276,7 +277,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx, + the following call will not recurse so this is safe */ + (void)winbind_on(); + /* Lookup name from PDC using lsa_lookup_names() */ +- b = winbind_lookup_name(dom_name, name, map->sid, &lsa_type); ++ b = winbind_lookup_name(dom_name, name, &sid, &lsa_type); + (void)winbind_off(); + + if (!b) { +@@ -300,6 +301,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx, + } + + map->status = ID_MAPPED; ++ sid_copy(map->sid, &sid); + } + } + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index 94331163006..34375b3858f 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -278,6 +278,8 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p, + if (maps[i]->status == ID_MAPPED) { + r->out.xids[i] = maps[i]->xid; + sid_copy(&r->out.sids[i], maps[i]->sid); ++ } else { ++ r->out.sids[i] = (struct dom_sid) { 0 }; + } + } + +-- +2.36.0 + + +From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Fri, 5 Mar 2021 16:07:54 -0700 +Subject: [PATCH 100/100] idmap_nss: Do not return SID from unixids_to_sids on + type mismatch + +The call to winbind_lookup_name already wrote the result in the id_map +array. The later check for the type detected a mismatch, but that did +not remove the SID from the result struct. + +Change this by first assigning the SID to a temporary variable and only +write it to the id_map array after the type checks. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663 + +Signed-off-by: Christof Schmitt +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184 + +(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7) +(cherry picked from commit 3f366878d33cf977230137021f6376936b2a1862) +--- + source3/winbindd/idmap_nss.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c +index 243b67ccafd..e4bf1923786 100644 +--- a/source3/winbindd/idmap_nss.c ++++ b/source3/winbindd/idmap_nss.c +@@ -56,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma + struct passwd *pw; + struct group *gr; + const char *name; ++ struct dom_sid sid; + enum lsa_SidType type; + bool ret; + +@@ -87,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma + the following call will not recurse so this is safe */ + (void)winbind_on(); + /* Lookup name from PDC using lsa_lookup_names() */ +- ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type); ++ ret = winbind_lookup_name(dom->name, name, &sid, &type); + (void)winbind_off(); + + if (!ret) { +@@ -100,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma + switch (type) { + case SID_NAME_USER: + if (ids[i]->xid.type == ID_TYPE_UID) { ++ sid_copy(ids[i]->sid, &sid); + ids[i]->status = ID_MAPPED; + } + break; +@@ -108,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma + case SID_NAME_ALIAS: + case SID_NAME_WKN_GRP: + if (ids[i]->xid.type == ID_TYPE_GID) { ++ sid_copy(ids[i]->sid, &sid); + ids[i]->status = ID_MAPPED; + } + break; +-- +2.36.0 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 6c1b77e..3f39602 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 18 +%define main_release 19 %define samba_version 4.10.16 %define talloc_version 2.1.16 @@ -3305,6 +3305,10 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Tue May 10 2022 Andreas Schneider - 4.10.16-19 +- resolves: #2081649 - Fix idmap_rfc2307 and idmap_nss returning wrong + mapping for uid/gid conflict + * Tue Jan 25 2022 Andreas Schneider - 4.10.16-18 - resolves: #2034800 - Fix usermap script regression caused by CVE-2020-25717 - resolves: #2036595 - Fix MIT realm regression caused by CVE-2020-25717