lp:ubuntu/intrepid-updates/samba

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/intrepid-updates/samba

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

61. By Marc Deslauriers

* SECURITY UPDATE: arbitrary file disclosure via wide links
  - debian/patches/security-CVE-2010-0926.patch: disable wide links when
    UNIX extensions are enabled in source/param/loadparm.c,
    source/smbd/service.c, source/smbd/trans2.c, source/smbd/vfs.c,
    docs/htmldocs/manpages/smb.conf.5.html and docs/manpages/smb.conf.5.
  - CVE-2010-0926
* WARNING: This changes the default samba behaviour. For security
  reasons, it is no longer possible to use wide links and UNIX
  extensions at the same time. After applying this security update, wide
  links will be disabled automatically as UNIX extensions are turned on
  by default. If wide links are required, you may re-enable them by
  adding "unix extensions = no" to the [global] section of
  the /etc/samba/smb.conf configuration file.

60. By Marc Deslauriers

* SECURITY UPDATE: privilege escalation via mount.cifs race
  - debian/patches/security-CVE-2009-3297.patch: validate mount point and
    perform mount in "." to prevent race in source/client/mount.cifs.c.
  - CVE-2009-3297

59. By Marc Deslauriers

* SECURITY UPDATE: denial of service via string vulnerabilities in
  smbclient
  - debian/patches/security-CVE-2009-1886.patch: fix string format
    vulnerabilities in source/client/client.c.
  - CVE-2009-1886
* SECURITY UPDATE: access control list modification when dos filemode is
  enabled
  - debian/patches/security-CVE-2009-1888.patch: fix group checking in
    acl_group_override in source/smbd/posix_acls.c.
  - CVE-2009-1888
* SECURITY UPDATE: whole filesystem share via user with no home directory
  - debian/patches/security-CVE-2009-2813.patch: make sure home directory
    is set in source/param/loadparm.c, source/smbd/service.c.
  - CVE-2009-2813
* SECURITY UPDATE: credentials file disclosure and unauthorized usage via
  setuid mount.cifs
  - debian/patches/security-CVE-2009-2948.patch: don't open credentials
    file if user doesn't have permission, and don't print password when
    using verbose option in source/client/mount.cifs.c.
  - CVE-2009-2948
* SECURITY UPDATE: denial of service via unexpected oplock break
  notification reply
  - debian/patches/security-CVE-2009-2906.patch: track messages already
    processed in source/include/smb.h, source/smbd/process.c.
  - CVE-2009-2906

58. By Marc Deslauriers

* SECURITY UPDATE: potential access to the root filesystem when using an
  empty string share name.
  - debian/patches/security-CVE-2009-0022.patch: make sure a non-empty share
    name is used in load_registry_service() in source/smbd/service.c.
  - CVE-2009-0022

57. By Marc Deslauriers

* SECURITY UPDATE: potential arbitrary memory leak and crash via secondary
  trans, trans2 and nttrans requests.
  - debian/patches/security-CVE-2008-4314.patch: fix the offset checks in the
    trans routines in source/smbd/{ipc.c,nttrans.c,trans2.c}.
  - CVE-2008-4314
* debian/rules: do not update po tree for security updates.

56. By Thierry Carrez

* Fix pam-smbpass.so crashing because it misses /var/lib/samba (LP: #260687)
  - debian/samba-common.dirs: create /var/lib/samba in samba-common
  - debian/samba.postrm: don't completely remove /var/lib/samba on purge
    (just let samba-common postrm do it)

55. By Thierry Carrez

Make libwbclient0 replace/conflict with hardy's likewise-open (LP: #254434)

54. By Chuck Short

* Merge from debian unstable, remaining changes:
  - debian/patches/VERSION.patch:
    + set SAMBA_VERSION_SUFFIX to Ubuntu.
  - debian/smb.conf:
    + add "(Samba, Ubuntu)" to server string.
    + comment on the default [homes] shares, and add a comment about "valid user = %s"
      to show users how to restrict access to \\server\username to only username.
    + add map to guest = Bad user, maps bad username to guest access. (LP: #32067)
  - debian/samba-common.postinst:
    + Fix upgrade from a first installation done with feisty, edgy, or dapper.
      (LP: #201059)
    + When populating the new sambashare group, it's not an error if the user
      simply doesn't exist; test for this case and let the install continue instead
      of aborting. (LP: #206036)
  - debian/samba-common.config:
    + do not change priority to HIGH if dhclient3 is installed.
    + use priority medium instead of HIGH for the workgroup question.
  - debian/winbind.files:
    + include additional files
  - debian/mksambapasswd.awk:
    + Don't add user with UID less than 1000 to smbpasswd.
  - debian/control:
    + Depend on lsb-base >= 3.2-14, which has the status_of_proc() function.
    + Make libpam-smbpass depend on libpam-runtime for allowing libpam-smbpass
      to auto-configure itself.
  - debian/samba.init:
    + Replace the previous 'status' gathering mechanism with the common one
      now provided by status_of_proc() (LP: #247087).
  - debian/winbind.init:
    + Add a pid variable and a 'status' action.
  - debian/libpam-smbpass.pam-config, debian/libpam-smbpass.postinst,
    debian/libpam-smbpass.files, debian/rules: provide a config block for the
    new PAM framework, allowing this PAM module to auto-configure itself.
  - debian/libpam-smbpass.prerm: call pam-auth-update --remove on removal,
    to clean up after ourselves.
  - debian/rules: enable "native" PIE hardening.

[Jamie Strandboge]
* Add ufw integration (thanks Nicolas Valcárcel) (LP: #261544)
  - Created debian/samba.ufw.profile
  - debian/rules: install profile
  - debian/control: have samba Suggests ufw

53. By Kees Cook

* debian/{control,rules}: revert sledge-hammer PIE approach.
* debian/rules: enable "native" PIE hardening.

52. By Kees Cook

debian/{control,rules}: enable PIE hardening

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/samba