pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/net/samba4
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 3 15:27:23 UTC 2023
Modified Files:
pkgsrc/net/samba4: Makefile PLIST distinfo options.mk
Log Message:
samba: update to 4.17.4.
This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:
o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
RC4-HMAC Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac
session keys for use between modern clients and servers
despite all modern Kerberos implementations supporting
the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy' would force
rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
o CVE-2022-37967: This is the Samba CVE for the Windows
Kerberos Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained
delegation permission could forge a more powerful
ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
same algorithms as rc4-hmac cryptography in Kerberos,
and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with system still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!
samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------
This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.
smb.conf changes
----------------
Parameter Name Description Default
-------------- ----------- -------
allow nt4 crypto Deprecated no
allow nt4 crypto:COMPUTERACCOUNT New
kdc default domain supported enctypes New (see manpage)
kdc supported enctypes New (see manpage)
kdc force enable rc4 weak session keys New No
reject md5 clients New Default, Deprecated Yes
reject md5 servers New Default, Deprecated Yes
server schannel Deprecated Yes
server schannel require seal New, Deprecated Yes
server schannel require seal:COMPUTERACCOUNT New
winbind sealed pipes Deprecated Yes
Changes since 4.17.3
--------------------
o Jeremy Allison <jra%samba.org@localhost>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Andrew Bartlett <abartlet%samba.org@localhost>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15237: CVE-2022-37966.
* BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
o Ralph Boehme <slow%samba.org@localhost>
* BUG 15240: CVE-2022-38023.
* BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
o Stefan Metzmacher <metze%samba.org@localhost>
* BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
Windows.
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
vulnerability.
* BUG 15206: libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4().
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15230: Memory leak in snprintf replacement functions.
* BUG 15237: CVE-2022-37966.
* BUG 15240: CVE-2022-38023.
* BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression).
o Noel Power <noel.power%suse.com@localhost>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Anoop C S <anoopcs%samba.org@localhost>
* BUG 15198: Prevent EBADF errors with vfs_glusterfs.
o Andreas Schneider <asn%samba.org@localhost>
* BUG 15237: CVE-2022-37966.
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum).
* BUG 15257: Stack smashing in net offlinejoin requestodj.
o Joseph Sutton <josephsutton%catalyst.net.nz@localhost>
* BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15231: CVE-2022-37967.
* BUG 15237: CVE-2022-37966.
o Nicolas Williams <nico%twosigma.com@localhost>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.155 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/net/samba4/PLIST
cvs rdiff -u -r1.87 -r1.88 pkgsrc/net/samba4/distinfo
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/samba4/options.mk
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/samba4/Makefile
diff -u pkgsrc/net/samba4/Makefile:1.154 pkgsrc/net/samba4/Makefile:1.155
--- pkgsrc/net/samba4/Makefile:1.154 Fri Nov 25 10:21:14 2022
+++ pkgsrc/net/samba4/Makefile Tue Jan 3 15:27:23 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.154 2022/11/25 10:21:14 wiz Exp $
+# $NetBSD: Makefile,v 1.155 2023/01/03 15:27:23 wiz Exp $
-DISTNAME= samba-4.17.3
+DISTNAME= samba-4.17.4
CATEGORIES= net
MASTER_SITES= https://download.samba.org/pub/samba/stable/
Index: pkgsrc/net/samba4/PLIST
diff -u pkgsrc/net/samba4/PLIST:1.48 pkgsrc/net/samba4/PLIST:1.49
--- pkgsrc/net/samba4/PLIST:1.48 Tue Nov 29 13:20:23 2022
+++ pkgsrc/net/samba4/PLIST Tue Jan 3 15:27:23 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.48 2022/11/29 13:20:23 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.49 2023/01/03 15:27:23 wiz Exp $
bin/cifsdd
bin/dbwrap_tool
bin/dumpmscat
@@ -476,6 +476,7 @@ ${PYSITELIB}/samba/tests/krb5/alias_test
${PYSITELIB}/samba/tests/krb5/as_canonicalization_tests.py
${PYSITELIB}/samba/tests/krb5/as_req_tests.py
${PYSITELIB}/samba/tests/krb5/compatability_tests.py
+${PYSITELIB}/samba/tests/krb5/etype_tests.py
${PYSITELIB}/samba/tests/krb5/fast_tests.py
${PYSITELIB}/samba/tests/krb5/kcrypto.py
${PYSITELIB}/samba/tests/krb5/kdc_base_test.py
@@ -1078,6 +1079,3 @@ ${PLIST.ads}share/samba/setup/secrets_in
${PLIST.ads}share/samba/setup/share.ldif
${PLIST.ads}share/samba/setup/spn_update_list
${PLIST.ads}share/samba/setup/ypServ30.ldif
-@pkgdir var/db/samba4/private
-@pkgdir var/log
-@pkgdir var/run
Index: pkgsrc/net/samba4/distinfo
diff -u pkgsrc/net/samba4/distinfo:1.87 pkgsrc/net/samba4/distinfo:1.88
--- pkgsrc/net/samba4/distinfo:1.87 Tue Nov 29 13:20:23 2022
+++ pkgsrc/net/samba4/distinfo Tue Jan 3 15:27:23 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.87 2022/11/29 13:20:23 jperkin Exp $
+$NetBSD: distinfo,v 1.88 2023/01/03 15:27:23 wiz Exp $
-BLAKE2s (samba-4.17.3.tar.gz) = c85427eb0dbd444f3e6b7478f70b45d874ce7dcdf2fbbe216c74a2ce73cbdb46
-SHA512 (samba-4.17.3.tar.gz) = a5482bfe66f7f34fdf855e69b7b0fc2a4f9e756947357201651af70f3b10e236474c1b4ae4d9367b122e2d4565601659c373d3b17717a3c5c66aa9258eb58ff0
-Size (samba-4.17.3.tar.gz) = 30805080 bytes
+BLAKE2s (samba-4.17.4.tar.gz) = 48f84916b249d40ae96aa31f48406470cab0923a3f297a35cbcb0bd6f0b8a1f7
+SHA512 (samba-4.17.4.tar.gz) = 3f8ec51e30b1a8ef947f9bf4666fe8b30463d8ea3fa8cab6ff9dc8cfe7e71e2116eaea68aec66f18c84a8726ab628f9ee320b56e3de9d537b96f2230286a64f7
+Size (samba-4.17.4.tar.gz) = 30838334 bytes
SHA1 (patch-buildtools_wafsamba_samba__conftests.py) = d927db17124d2bb5b382885e70a41f84c3929926
SHA1 (patch-buildtools_wafsamba_samba__install.py) = d801340617da325e3bb70a90350e45cc8e383c2d
SHA1 (patch-buildtools_wafsamba_samba__pidl.py) = e4c0ed3dacfcf5613a5b397b3c6cf88509497da7
Index: pkgsrc/net/samba4/options.mk
diff -u pkgsrc/net/samba4/options.mk:1.17 pkgsrc/net/samba4/options.mk:1.18
--- pkgsrc/net/samba4/options.mk:1.17 Mon Mar 7 21:40:37 2022
+++ pkgsrc/net/samba4/options.mk Tue Jan 3 15:27:23 2023
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.17 2022/03/07 21:40:37 thor Exp $
+# $NetBSD: options.mk,v 1.18 2023/01/03 15:27:23 wiz Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.samba4
-PKG_SUPPORTED_OPTIONS= ads avahi fam ldap pam winbind cups # cups option is broken for me.
+PKG_SUPPORTED_OPTIONS= ads avahi ldap pam winbind cups # cups option is broken for me.
PKG_SUGGESTED_OPTIONS= avahi ldap pam winbind
.include "../../mk/bsd.fast.prefs.mk"
@@ -22,7 +22,7 @@ PKG_SUGGESTED_OPTIONS+= snapper
.include "../../mk/bsd.options.mk"
-PLIST_VARS+= ads cups fam ldap pam snapper winbind
+PLIST_VARS+= ads cups ldap pam snapper winbind
###
### Access Control List support.
@@ -57,17 +57,6 @@ CONFIGURE_ARGS+= --disable-cups
.endif
###
-### File Alteration Monitor support.
-###
-.if !empty(PKG_OPTIONS:Mfam)
-. include "../../mk/fam.buildlink3.mk"
-CONFIGURE_ARGS+= --with-fam
-PLIST.fam= yes
-.else
-CONFIGURE_ARGS+= --without-fam
-.endif
-
-###
### Support LDAP authentication and storage of Samba account information.
###
# Active Directory requires ldap
Home |
Main Index |
Thread Index |
Old Index