Merge samba from Debian unstable for 22.04

Bug #1946839 reported by Bryce Harrington
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
samba (Ubuntu) | Fix Released | High | Andreas Hasenack |

Bug Description

Upstream: 4.13.12
Debian: 2:4.13.5+dfsg-2
Ubuntu: 2:4.13.5+dfsg-2ubuntu2

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

samba (2:4.13.5+dfsg-2) unstable; urgency=high

  * CVE-2021-20254: Negative idmap cache entries can cause incorrect group
    entries in the Samba file server process token (Closes: #987811)
  * Add Breaks+Replaces: samba-dev (<< 2:4.11) (Closes: #987209)

 -- Mathieu Parent <email address hidden> Thu, 06 May 2021 21:09:29 +0200

samba (2:4.13.5+dfsg-1) unstable; urgency=medium

  * New upstream version (Closes: #984863)

 -- Mathieu Parent <email address hidden> Sat, 13 Mar 2021 08:31:27 +0100

samba (2:4.13.4+dfsg-1) unstable; urgency=medium

  * New upstream version
    - GPG signature has changed
    - Update samba-libs.install
    - Update symbols
  * Never use priority high when asking for DHCP integration (Closes: #981554)
  * Sync CTDB patches with Ubuntu:
    - Add 'ctdb-config: enable syslog by default'
    - Update 'fix nfs related service names'
  * d/rules: Ubuntu specifics
    - No Ceph on i386
    - Disable some i386 packages
    - No GlusterFS

 -- Mathieu Parent <email address hidden> Tue, 09 Feb 2021 22:26:43 +0100

samba (2:4.13.3+dfsg-1) unstable; urgency=medium

  [ Andreas Hasenack ]
  * d/control: enable the liburing vfs module (Closes: #976854)
  * Add new DEP8 tests for the uring vfs module
  * Factor out common DEP8 test code into d/t/util and change the tests to
    source from it
  * Add set -x and set -e to DEP8 tests

  [ Mathieu Parent ]
  * liburing-dev is linux-any
  * New upstream version

 -- Mathieu Parent <email address hidden> Wed, 16 Dec 2020 18:23:09 +0100

samba (2:4.13.2+dfsg-3) unstable; urgency=medium

  * Ensure systemd-tmpfiles is called before testparm (Closes: #975422)
  * Only check configuration on configure step

 -- Mathieu Parent <email address hidden> Sun, 22 Nov 2020 10:44:51 +0100

samba (2:4.13.2+dfsg-2) unstable; urgency=medium

  * Upload to unstable

 -- Mathieu Parent <email address hidden> Wed, 18 Nov 2020 20:34:51 +0100

samba (2:4.13.2+dfsg-1) experimental; urgency=medium

  * New upstream major version
    - Update d/gbp.conf, d/watch and d/README.source for 4.13
    - Update patches
    - Bump build-depends ldb >= 2.2.0
    - Install new files
    - Update symbols
  * Includes the following security fixes:
    - CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
      (Closes: #973400)
    - CVE-2020-14323: Unprivileged user can crash winbind (Closes: #973399)
    - CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
      easily crafted records (Closes: #973398)
    - CVE-2020-1472: Unauthenticated domain takeover via netlogon ('ZeroLogon')
      (Closes: #971048)
  * Includes the following fixes:
    - Fixes 'samba_dnsupdate gives depreacation warnings' (Closes: #973957)
    - s3: libsmbclient.h: add missing time.h include (Closes: #946840)
  * Remove unused python3-crypto dependency (Closes: #971292)
  * Enable Spotlight with ES backend (Closes: #956096, #956482)
  * Standards-Version: 4.5.0
  * Add missing Build-Depends-Package in libsmbclient.symbols and
    libwbclient0.symbols
  * d/copyright: Fix duplicate-globbing-patterns
  * Remove outdated/malformed lintian overrides
  * d/winbind.logrotate: Only reload winbindd when running (Closes: #946821)
  * Bump to debhelper compat 13
  * Add another library-not-linked-against-libc override

 -- Mathieu Parent <email address hidden> Thu, 12 Nov 2020 11:23:01 +0100

samba (2:4.12.5+dfsg-3) unstable; urgency=high

  * Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump
    (Closes: #963971)
  * Add patch traffic_packets: fix SyntaxWarning: 'is' with a literal
    (Closes: #964165)
  * Add patch Rename mdfind to mdsearch (Closes: #963985)

 -- Mathieu Parent <email address hidden> Sat, 04 Jul 2020 23:57:59 +0200

### Old Ubuntu Delta ###

samba (2:4.13.5+dfsg-2ubuntu2) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 18:08:36 -0400

samba (2:4.13.5+dfsg-2ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/p/VERSION.patch: Update vendor string to 'Ubuntu'.
    - debian/smb.conf;
      + Add '(Samba, Ubuntu)' to server string.
      + Comment out the default [homes] share, and add a comment about
        'valid users = %s' to show users how to restrict access to
        /server/username to only username.
    - d/control: Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
    - d/control: add a versioned libgnutls28-dev build-depends to reduce
      the amount of in-tree crypto code that is built
    - d/control: enable the liburing vfs module, except on i386 where
      liburing is not available
    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
      Skip running the tests if on i386 platform, because the uring
      package is not available there.
  * Dropped changes:
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
      [Included in 2:4.13.4+dfsg-1]
    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
      change nfs service name from nfs to nfs-kernel-server
      (LP #722201)
      [Included in 2:4.13.4+dfsg-1]
    - d/p/ctdb-config-enable-syslog-by-default.patch:
      enable syslog and systemd journal by default
      [Included in 2:4.13.4+dfsg-1]
    - debian/rules: Ubuntu i386 binary compatibility:
      + drop ceph support
      + disable the following binary packages:
        - ctdb
        - libnss-winbind
        - libpam-winbind
        - python3-samba
        - samba
        - samba-common-bin
        - samba-testsuite
        - winbind
      [Included in 2:4.13.4+dfsg-1]
    - debian/rules: Ubuntu i386 binary compatibility:
      + re-enable the following binary packages:
        - libnss-winbind
        - samba-common-bin
        - python3-samba
        - winbind
      [Included in 2:4.13.4+dfsg-1]
    - SECURITY UPDATE: wrong group entries via negative idmap cache entries
      + debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
        source3/passdb/lookup_sid.c.
      + CVE-2021-20254
      [Included in 2:4.13.5+dfsg-2]

 -- Athos Ribeiro <email address hidden> Mon, 17 May 2021 11:51:54 -0300


Changed in samba (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in samba (Ubuntu):
assignee: Sergio Durigan Junior (sergiodj) → Andreas Hasenack (ahasenack)
Bryce Harrington (bryce)
description: updated
Changed in samba (Ubuntu):
milestone: none → ubuntu-22.01
Bryce Harrington (bryce) wrote :

When merging this package for Ubuntu 22.04, can you double-check whether this patch is included in the merged package?

    https://attachments.samba.org/attachment.cgi?id=16957

That patch sounds like it will resolve this bug:

    https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1955588

Changed in samba (Ubuntu):
milestone: ubuntu-22.01 → ubuntu-22.02
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Rolf Leggewie (r0lf) wrote :

Thank you for your work, Andreas.

This sync has become a bit more important recently with some unpatched CVEs that still affect jammy but have already been fixed in impish and earlier.

tags: added: jammy security
Matthew Ruffell (mruffell) wrote :

Just a quick note to mention that Samba in Jammy is a lesser version than in focal-updates and impish-updates, which should probably be addressed before Jammy is released.

 samba | 2:4.13.14+dfsg-0ubuntu2 | jammy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 samba | 2:4.13.14+dfsg-0ubuntu5 | jammy-proposed | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 samba | 2:4.13.17~dfsg-0ubuntu0.21.04.1 | focal-security | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 samba | 2:4.13.17~dfsg-0ubuntu0.21.04.1 | focal-updates | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 samba | 2:4.13.17~dfsg-0ubuntu0.21.10.1 | impish-security | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 samba | 2:4.13.17~dfsg-0ubuntu0.21.10.1 | impish-updates | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

Jammy has 4.13.14+dfsg-0ubuntu5 versus 4.13.17~dfsg-0ubuntu0.21.04.1 in focal-updates.

Maybe we should try and ship 4.15.x since it has a complete implementation of CVE-2021-20316?
https://lwn.net/Articles/884052/

Changed in samba (Ubuntu):
status: Confirmed → In Progress
Andreas Hasenack (ahasenack) wrote :

Yes, I'm building 4.15.5 currently

Changed in samba (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.5~dfsg-0ubuntu1

---------------
samba (2:4.15.5~dfsg-0ubuntu1) jammy; urgency=medium

  * d/{gpb.conf,watch,README.source}: update for 4.15
  * New upstream release: 4.15.5 (LP: #1946839)
  * d/p/Rename-mdfind-to-mdsearch.patch: removed, applied upstream
  * d/rules: remove --with-dnsupdate, it was merged with
    --with-ads in samba 4.15.0
  * d/control: bump required build-depends
  * d/rules: drop removal of ctdb tests, they are no longer installed
  * Remove findsmb, no longer installed:
    - d/smbclient.install: remove findsmb
    - d/rules: drop fixing of findsmb shebang
  * d/ctdb.install: remove ctdb_local_daemons, part of ctdb tests,
    no longer installed
  * d/samba-libs.install: update list of installed libraries and
    modules/plugins
  * d/ctdb.install: add tdb_mutex_check
  * d/winbind.install: add async_dns_krb5_locator
  * d/samba.install: install samba-bgqd and its manpage
  * d/{libsmbclient,libwbclient0}.symbols: symbols updates
  * d/control: add python3-markdown to build-depends
  * d/watch: updated to handle ~dfsg versioning, thanks to
    Sergio Durigan Junior <email address hidden>

 -- Andreas Hasenack <email address hidden> Tue, 22 Feb 2022 17:59:22 -0300

Changed in samba (Ubuntu):
status: In Progress → Fix Released