diff --git a/SOURCES/samba-CVE-2015-3223.patch b/SOURCES/samba-CVE-2015-3223.patch new file mode 100644 index 0000000..eebe5e3 --- /dev/null +++ b/SOURCES/samba-CVE-2015-3223.patch 
@@ -0,0 +1,219 @@ +From 7a4129ad1075b54e902af703d2582ffb79b99c49 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Tue, 24 Nov 2015 13:47:16 +1300 +Subject: [PATCH 5/9] CVE-2015-5330: Fix handling of unicode near string + endings + +Until now next_codepoint_ext() and next_codepoint_handle_ext() were +using strnlen(str, 5) to determine how much string they should try to +decode. This ended up looking past the end of the string when it was not +null terminated and the final character looked like a multi-byte encoding. +The fix is to let the caller say how long the string can be. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599 + +Signed-off-by: Douglas Bagnall +Pair-programmed-with: Andrew Bartlett +Reviewed-by: Ralph Boehme +--- + lib/util/charset/charset.h | 9 +++++---- + lib/util/charset/codepoints.c | 24 ++++++++++++++++-------- + lib/util/charset/util_str.c | 3 ++- + lib/util/charset/util_unistr.c | 3 ++- + 4 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/lib/util/charset/charset.h b/lib/util/charset/charset.h +index e4297e4..060f1cf 100644 +--- a/lib/util/charset/charset.h ++++ b/lib/util/charset/charset.h +@@ -171,15 +171,16 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic, + charset_t from, charset_t to); + const char *charset_name(struct smb_iconv_handle *ic, charset_t ch); + +-codepoint_t next_codepoint_ext(const char *str, charset_t src_charset, +- size_t *size); ++codepoint_t next_codepoint_ext(const char *str, size_t len, ++ charset_t src_charset, size_t *size); + codepoint_t next_codepoint(const char *str, size_t *size); + ssize_t push_codepoint(char *str, codepoint_t c); + + /* codepoints */ + codepoint_t next_codepoint_handle_ext(struct smb_iconv_handle *ic, +- const char *str, charset_t src_charset, +- size_t *size); ++ const char *str, size_t len, ++ charset_t src_charset, ++ size_t *size); + codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic, + const char *str, size_t *size); + ssize_t 
push_codepoint_handle(struct smb_iconv_handle *ic, +diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c +index 0984164..542eeae 100644 +--- a/lib/util/charset/codepoints.c ++++ b/lib/util/charset/codepoints.c +@@ -319,7 +319,8 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic, + */ + _PUBLIC_ codepoint_t next_codepoint_handle_ext( + struct smb_iconv_handle *ic, +- const char *str, charset_t src_charset, ++ const char *str, size_t len, ++ charset_t src_charset, + size_t *bytes_consumed) + { + /* it cannot occupy more than 4 bytes in UTF16 format */ +@@ -339,7 +340,7 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext( + * we assume that no multi-byte character can take more than 5 bytes. + * This is OK as we only support codepoints up to 1M (U+100000) + */ +- ilen_orig = strnlen(str, 5); ++ ilen_orig = MIN(len, 5); + ilen = ilen_orig; + + descriptor = get_conv_handle(ic, src_charset, CH_UTF16); +@@ -395,9 +396,16 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext( + return INVALID_CODEPOINT if the next character cannot be converted + */ + _PUBLIC_ codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic, +- const char *str, size_t *size) ++ const char *str, size_t *size) + { +- return next_codepoint_handle_ext(ic, str, CH_UNIX, size); ++ /* ++ * We assume that no multi-byte character can take more than 5 bytes ++ * thus avoiding walking all the way down a long string. This is OK as ++ * Unicode codepoints only go up to (U+10ffff), which can always be ++ * encoded in 4 bytes or less. 
++ */ ++ return next_codepoint_handle_ext(ic, str, strnlen(str, 5), CH_UNIX, ++ size); + } + + /* +@@ -459,11 +467,11 @@ _PUBLIC_ ssize_t push_codepoint_handle(struct smb_iconv_handle *ic, + return 5 - olen; + } + +-_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, charset_t src_charset, +- size_t *size) ++_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, size_t len, ++ charset_t src_charset, size_t *size) + { +- return next_codepoint_handle_ext(get_iconv_handle(), str, +- src_charset, size); ++ return next_codepoint_handle_ext(get_iconv_handle(), str, len, ++ src_charset, size); + } + + _PUBLIC_ codepoint_t next_codepoint(const char *str, size_t *size) +diff --git a/lib/util/charset/util_str.c b/lib/util/charset/util_str.c +index d2e6cbb..2653bfc 100644 +--- a/lib/util/charset/util_str.c ++++ b/lib/util/charset/util_str.c +@@ -210,7 +210,8 @@ _PUBLIC_ size_t strlen_m_ext_handle(struct smb_iconv_handle *ic, + + while (*s) { + size_t c_size; +- codepoint_t c = next_codepoint_handle_ext(ic, s, src_charset, &c_size); ++ codepoint_t c = next_codepoint_handle_ext(ic, s, strnlen(s, 5), ++ src_charset, &c_size); + s += c_size; + + switch (dst_charset) { +diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c +index e4ae650..f299269 100644 +--- a/lib/util/charset/util_unistr.c ++++ b/lib/util/charset/util_unistr.c +@@ -112,7 +112,8 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle, + + while (n-- && *src) { + size_t c_size; +- codepoint_t c = next_codepoint_handle(iconv_handle, src, &c_size); ++ codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n, ++ CH_UNIX, &c_size); + src += c_size; + + c = toupper_m(c); +-- +2.5.0 + + +From 382a9146a88b7aac7db4c64519b3da5611c817ef Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Tue, 24 Nov 2015 13:49:09 +1300 +Subject: [PATCH 6/9] CVE-2015-5330: strupper_talloc_n_handle(): properly count + characters + +When a codepoint eats more than one byte we 
really want to know, +especially if the string is not NUL terminated. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599 + +Signed-off-by: Douglas Bagnall +Pair-programmed-with: Andrew Bartlett +Reviewed-by: Ralph Boehme +--- + lib/util/charset/util_unistr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c +index f299269..2cc8718 100644 +--- a/lib/util/charset/util_unistr.c ++++ b/lib/util/charset/util_unistr.c +@@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle, + return NULL; + } + +- while (n-- && *src) { ++ while (n && *src) { + size_t c_size; + codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n, + CH_UNIX, &c_size); + src += c_size; ++ n -= c_size; + + c = toupper_m(c); + +-- +2.5.0 + + +From f317c31922a9ee8ae5ee9c0895a72ee6828d2c81 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Tue, 24 Nov 2015 13:54:09 +1300 +Subject: [PATCH 7/9] CVE-2015-5330: next_codepoint_handle_ext: don't + short-circuit UTF16 low bytes + +UTF16 contains zero bytes when it is encoding ASCII (for example), so we +can't assume the absense of the 0x80 bit means a one byte encoding. No +current callers use UTF16. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599 + +Signed-off-by: Douglas Bagnall +Pair-programmed-with: Andrew Bartlett +Reviewed-by: Ralph Boehme +--- + lib/util/charset/codepoints.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c +index 542eeae..19d084f 100644 +--- a/lib/util/charset/codepoints.c ++++ b/lib/util/charset/codepoints.c +@@ -331,7 +331,10 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext( + size_t olen; + char *outbuf; + +- if ((str[0] & 0x80) == 0) { ++ ++ if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS || ++ src_charset == CH_UNIX || ++ src_charset == CH_UTF8)) { + *bytes_consumed = 1; + return (codepoint_t)str[0]; + } +-- +2.5.0 + + + diff --git a/SOURCES/samba-CVE-2015-5252.patch b/SOURCES/samba-CVE-2015-5252.patch new file mode 100644 index 0000000..d33a3c6 --- /dev/null +++ b/SOURCES/samba-CVE-2015-5252.patch 
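Review bot: The file is named samba-CVE-2015-3223.patch, yet the three commits it carries (PATCH 5/9, 6/9 and 7/9) are all titled CVE-2015-5330, and the changelog entry in samba.spec lists CVE-2015-3223 without mentioning CVE-2015-5330. Either rename the patch or add a changelog line for CVE-2015-5330 so that package audits can match the fix to the advisory; whether the other patches of the 9-part series are needed here cannot be judged from this page. On the code itself, `next_codepoint_handle_ext()` in the 7/9 hunk still evaluates `str[0] & 0x80` before `len` is used, so the new length argument does not protect a caller that passes `len == 0`. The callers visible in these hunks appear to guarantee at least one readable byte, so a comment on the prototype would do: `/* len must be at least 1: str[0] is read before len is used */`. The function body continues outside the hunks.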
@@ -0,0 +1,64 @@ +From 5801fe1f6ca8ea03af5b485872097e5c9a1689b4 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 9 Jul 2015 10:58:11 -0700 +Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file + access outside the share). + +Ensure matching component ends in '/' or '\0'. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke +--- + source3/smbd/vfs.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c +index 1281322..7138759 100644 +--- a/source3/smbd/vfs.c ++++ b/source3/smbd/vfs.c +@@ -996,6 +996,7 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn, + struct smb_filename *smb_fname_cwd = NULL; + struct privilege_paths *priv_paths = NULL; + int ret; ++ bool matched; + + DEBUG(3,("check_reduced_name_with_privilege [%s] [%s]\n", + fname, +@@ -1090,7 +1091,10 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn, + } + + rootdir_len = strlen(conn_rootdir); +- if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) { ++ matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); ++ ++ if (!matched || (resolved_name[rootdir_len] != '/' && ++ resolved_name[rootdir_len] != '\0')) { + DEBUG(2, ("check_reduced_name_with_privilege: Bad access " + "attempt: %s is a symlink outside the " + "share path\n", +@@ -1230,6 +1234,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) + if (!allow_widelinks || !allow_symlinks) { + const char *conn_rootdir; + size_t rootdir_len; ++ bool matched; + + conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname); + if (conn_rootdir == NULL) { +@@ -1240,8 +1245,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) + } + + rootdir_len = strlen(conn_rootdir); +- if (strncmp(conn_rootdir, resolved_name, +- rootdir_len) != 0) { ++ matched = (strncmp(conn_rootdir, resolved_name, ++ rootdir_len) == 
0); ++ if (!matched || (resolved_name[rootdir_len] != '/' && ++ resolved_name[rootdir_len] != '\0')) { + DEBUG(2, ("check_reduced_name: Bad access " + "attempt: %s is a symlink outside the " + "share path\n", fname)); +-- +2.5.0 + diff --git a/SOURCES/samba-CVE-2015-5296.patch b/SOURCES/samba-CVE-2015-5296.patch new file mode 100644 index 0000000..8196104 --- /dev/null +++ b/SOURCES/samba-CVE-2015-5296.patch 
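Review bot: The added boundary test in both `check_reduced_name_with_privilege()` and `check_reduced_name()` assumes `conn_rootdir` carries no trailing slash: when the share root is `/` (or otherwise ends in `/`), `resolved_name[rootdir_len]` is the first character of the next path component, so every path below the root is reported as outside the share. That fails closed, but it would deny legitimate access; whether `SMB_VFS_CONNECTPATH()` can return such a value is not visible here. Normalising the length before the comparison would cover it, e.g. `while (rootdir_len > 0 && conn_rootdir[rootdir_len - 1] == '/') rootdir_len--;`, provided the later uses of `rootdir_len` outside these hunks accept the shorter value. The same three-line check now exists twice and would be easier to keep correct as one static helper called from both functions.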
@@ -0,0 +1,175 @@ +From 02c216582331ee4bafc6f558c3c7de65d08c655f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Sep 2015 21:17:02 +0200 +Subject: [PATCH 1/3] CVE-2015-5296: s3:libsmb: force signing when requiring + encryption in do_connect() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/libsmb/clidfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c +index b823370..5dfddee 100644 +--- a/source3/libsmb/clidfs.c ++++ b/source3/libsmb/clidfs.c +@@ -114,6 +114,11 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, + const char *domain; + NTSTATUS status; + int flags = 0; ++ int signing_state = get_cmdline_auth_info_signing_state(auth_info); ++ ++ if (force_encrypt) { ++ signing_state = SMB_SIGNING_REQUIRED; ++ } + + /* make a copy so we don't modify the global string 'service' */ + servicename = talloc_strdup(ctx,share); +@@ -152,7 +157,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, + + status = cli_connect_nb( + server, NULL, port, name_type, NULL, +- get_cmdline_auth_info_signing_state(auth_info), ++ signing_state, + flags, &c); + + if (!NT_STATUS_IS_OK(status)) { +-- +2.5.0 + + +From 9e607c8fd3dfb6091477a34b1bbdfa18526c9f98 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Sep 2015 21:17:02 +0200 +Subject: [PATCH 2/3] CVE-2015-5296: s3:libsmb: force signing when requiring + encryption in SMBC_server_internal() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/libsmb/libsmb_server.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c +index 5410099..0a58d8c 100644 +--- a/source3/libsmb/libsmb_server.c ++++ b/source3/libsmb/libsmb_server.c +@@ -273,6 +273,7 @@ 
SMBC_server_internal(TALLOC_CTX *ctx, + char *newserver, *newshare; + int flags = 0; + struct smbXcli_tcon *tcon = NULL; ++ int signing_state = SMB_SIGNING_DEFAULT; + + ZERO_STRUCT(c); + *in_cache = false; +@@ -439,6 +440,10 @@ SMBC_server_internal(TALLOC_CTX *ctx, + flags |= CLI_FULL_CONNECTION_USE_NT_HASH; + } + ++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) { ++ signing_state = SMB_SIGNING_REQUIRED; ++ } ++ + if (port == 0) { + if (share == NULL || *share == '\0' || is_ipc) { + /* +@@ -446,7 +451,7 @@ SMBC_server_internal(TALLOC_CTX *ctx, + */ + status = cli_connect_nb(server_n, NULL, NBT_SMB_PORT, 0x20, + smbc_getNetbiosName(context), +- SMB_SIGNING_DEFAULT, flags, &c); ++ signing_state, flags, &c); + } + } + +@@ -456,7 +461,7 @@ SMBC_server_internal(TALLOC_CTX *ctx, + */ + status = cli_connect_nb(server_n, NULL, port, 0x20, + smbc_getNetbiosName(context), +- SMB_SIGNING_DEFAULT, flags, &c); ++ signing_state, flags, &c); + } + + if (!NT_STATUS_IS_OK(status)) { +@@ -745,6 +750,7 @@ SMBC_attr_server(TALLOC_CTX *ctx, + ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$", + pp_workgroup, pp_username, pp_password); + if (!ipc_srv) { ++ int signing_state = SMB_SIGNING_DEFAULT; + + /* We didn't find a cached connection. Get the password */ + if (!*pp_password || (*pp_password)[0] == '\0') { +@@ -766,6 +772,9 @@ SMBC_attr_server(TALLOC_CTX *ctx, + if (smbc_getOptionUseCCache(context)) { + flags |= CLI_FULL_CONNECTION_USE_CCACHE; + } ++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) { ++ signing_state = SMB_SIGNING_REQUIRED; ++ } + + nt_status = cli_full_connection(&ipc_cli, + lp_netbios_name(), server, +@@ -774,7 +783,7 @@ SMBC_attr_server(TALLOC_CTX *ctx, + *pp_workgroup, + *pp_password, + flags, +- SMB_SIGNING_DEFAULT); ++ signing_state); + if (! NT_STATUS_IS_OK(nt_status)) { + DEBUG(1,("cli_full_connection failed! 
(%s)\n", + nt_errstr(nt_status))); +-- +2.5.0 + + +From 289cbf6636e02c1e5125de990e0b22bbb30a0504 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Sep 2015 21:23:25 +0200 +Subject: [PATCH 3/3] CVE-2015-5296: libcli/smb: make sure we require signing + when we demand encryption on a session + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + libcli/smb/smbXcli_base.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c +index 69599bd..b00afbc 100644 +--- a/libcli/smb/smbXcli_base.c ++++ b/libcli/smb/smbXcli_base.c +@@ -5085,6 +5085,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session) + if (conn->mandatory_signing) { + security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; + } ++ if (session->smb2->should_sign) { ++ security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; ++ } + + return security_mode; + } +@@ -5383,6 +5386,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, + + NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session) + { ++ if (!session->smb2->should_sign) { ++ /* ++ * We need required signing on the session ++ * in order to prevent man in the middle attacks. ++ */ ++ return NT_STATUS_INVALID_PARAMETER_MIX; ++ } ++ + if (session->smb2->should_encrypt) { + return NT_STATUS_OK; + } +-- +2.5.0 + diff --git a/SOURCES/samba-CVE-2015-5299.patch b/SOURCES/samba-CVE-2015-5299.patch new file mode 100644 index 0000000..2d9a956 --- /dev/null +++ b/SOURCES/samba-CVE-2015-5299.patch 
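Review bot: The tests `context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE` in `SMBC_server_internal()` and `SMBC_attr_server()` make signing mandatory for every encryption level, including SMBC_ENCRYPTLEVEL_REQUEST, and nothing at either site says this is deliberate. A connection that only requests encryption would then presumably fail against a server that cannot sign, which is the safe outcome but a visible behaviour change for callers. I would add a comment above each test, e.g. `/* Any encryption level, even "request", needs a signed session, otherwise the negotiation can be downgraded. */`. Both function bodies extend outside the hunks.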
@@ -0,0 +1,96 @@ +From 9588c4950c9b3dd6c16b899156e6d985c7b43187 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 23 Oct 2015 14:54:31 -0700 +Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on + snapdir + +Fix originally from + +https://bugzilla.samba.org/show_bug.cgi?id=11529 + +Signed-off-by: Jeremy Allison +Reviewed-by: David Disseldorp +--- + source3/modules/vfs_shadow_copy2.c | 45 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c +index 439df5d..c5c2015 100644 +--- a/source3/modules/vfs_shadow_copy2.c ++++ b/source3/modules/vfs_shadow_copy2.c +@@ -30,6 +30,7 @@ + */ + + #include "includes.h" ++#include "smbd/smbd.h" + #include "system/filesys.h" + #include "include/ntioctl.h" + #include +@@ -1179,6 +1180,42 @@ static char *have_snapdir(struct vfs_handle_struct *handle, + return NULL; + } + ++static bool check_access_snapdir(struct vfs_handle_struct *handle, ++ const char *path) ++{ ++ struct smb_filename smb_fname; ++ int ret; ++ NTSTATUS status; ++ ++ ZERO_STRUCT(smb_fname); ++ smb_fname.base_name = talloc_asprintf(talloc_tos(), ++ "%s", ++ path); ++ if (smb_fname.base_name == NULL) { ++ return false; ++ } ++ ++ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname); ++ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) { ++ TALLOC_FREE(smb_fname.base_name); ++ return false; ++ } ++ ++ status = smbd_check_access_rights(handle->conn, ++ &smb_fname, ++ false, ++ SEC_DIR_LIST); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(0,("user does not have list permission " ++ "on snapdir %s\n", ++ smb_fname.base_name)); ++ TALLOC_FREE(smb_fname.base_name); ++ return false; ++ } ++ TALLOC_FREE(smb_fname.base_name); ++ return true; ++} ++ + /** + * Find the snapshot directory (if any) for the given + * filename (which is relative to the share). 
+@@ -1328,6 +1365,7 @@ static int shadow_copy2_get_shadow_copy_data( + const char *snapdir; + struct dirent *d; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); ++ bool ret; + + snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle, fsp->fsp_name); + if (snapdir == NULL) { +@@ -1337,6 +1375,13 @@ static int shadow_copy2_get_shadow_copy_data( + talloc_free(tmp_ctx); + return -1; + } ++ ret = check_access_snapdir(handle, snapdir); ++ if (!ret) { ++ DEBUG(0,("access denied on listing snapdir %s\n", snapdir)); ++ errno = EACCES; ++ talloc_free(tmp_ctx); ++ return -1; ++ } + + p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0); + +-- +2.5.0 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index a64de2b..bd88734 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 10 +%define main_release 11 %define samba_version 4.2.3 %define talloc_version 2.1.2 @@ -117,6 +117,10 @@ Patch4: samba-4.2.3-fix_net_ads_keytab_segfault.patch Patch5: samba-4.2.3-fix_force_group.patch Patch6: samba-4.2.3-fix_map_to_guest_bad_uid.patch Patch7: samba-4.2.3-fix_nss_wins.patch +Patch8: samba-CVE-2015-3223.patch +Patch9: samba-CVE-2015-5299.patch +Patch10: samba-CVE-2015-5252.patch +Patch11: samba-CVE-2015-5296.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -697,6 +701,10 @@ and use CTDB instead. %patch5 -p1 -b .samba-4.2.3-fix_force_group.patch %patch6 -p1 -b .samba-4.2.3-fix_map_to_guest_bad_uid.patch %patch7 -p1 -b .samba-4.2.3-fix_nss_wins.patch +%patch8 -p1 -b .samba-CVE-2015-3223.patch +%patch9 -p1 -b .samba-CVE-2015-5299.patch +%patch10 -p1 -b .samba-CVE-2015-5252.patch +%patch11 -p1 -b .samba-CVE-2015-5296.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util 
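Review bot: A denied snapshot listing is logged twice at `DEBUG(0, ...)`, once in `check_access_snapdir()` and once in `shadow_copy2_get_shadow_copy_data()`, so any client without list permission can produce level-0 log lines on every request. One message at a higher debug level is enough, for example `DEBUG(2, ("access denied on listing snapdir %s\n", snapdir));` in the caller, with the helper logging at the same level or not at all. The permission check and the later `SMB_VFS_NEXT_OPENDIR()` both go by path, so the directory checked and the directory opened are the same only if the path cannot change in between; a short comment stating that assumption would help. As a matter of style, `talloc_asprintf(talloc_tos(), "%s", path)` is a plain copy and reads better as `talloc_strdup(talloc_tos(), path)`.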
@@ -1993,6 +2001,14 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Fri Dec 11 2015 Guenther Deschner - 4.2.3-11 +- resolves: #1290710 +- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server +- CVE-2015-5299 Missing access control check in shadow copy code +- CVE-2015-5252 Insufficient symlink verification in smbd +- CVE-2015-5296 Samba client requesting encryption vulnerable to + downgrade attack + * Tue Oct 27 2015 Andreas Schneider - 4.2.3-10 - related: #1273393 - Fix use after free with nss_wins module loaded