ubuntu/+source/samba:debian/jessie

Last commit made on 2017-12-09
Get this branch:
git clone -b debian/jessie https://git.launchpad.net/ubuntu/+source/samba

Branch information

Name:
debian/jessie
Repository:
lp:ubuntu/+source/samba

Recent commits

01ab148... by Mathieu Parent on 2017-11-12

Import patches-unapplied version 2:4.2.14+dfsg-0+deb8u9 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: a17b1f40c91997c4632a430bdbb74ba23aeb81e3

New changelog entries:
  * This is a security release in order to address the following defects:
    - CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when
      talloc buffer is grown.
    - CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
  * This is a security release in order to address the following defects:
    - CVE-2017-12150: Some code paths don't enforce smb signing, when they should
    - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
    - CVE-2017-12163: Server memory information leak over SMB1
  * This is a security release in order to address the following defect:
    - CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
      (Closes: #868209)

a17b1f4... by Salvatore Bonaccorso on 2017-05-18

Import patches-unapplied version 2:4.2.14+dfsg-0+deb8u6 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: a3e354ca5b332629bc12ff83a18d7d47bd2ad93f

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside

a3e354c... by Mathieu Parent on 2017-04-01

Import patches-unapplied version 2:4.2.14+dfsg-0+deb8u5 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 4fd6889e68a7c966a3413f6970fd58785b265acd

New changelog entries:
  * This is a security release in order to fix regressions from CVE-2017-2619
  * Fix "follow symlink = no" (Closes: #858564)
    - s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496
      (CVE-2017-2619).
    - s3: smbd: Fix "follow symlink = no" regression part 2.
    - s3: smbd: Fix "follow symlink = no" regression part 2.
  * Fix shadow_copy2 (Closes: #858648, #858590)
    - vfs_shadow_copy: handle non-existent files and wildcards
    - vfs_shadow_copy2: fix crash in 4.2.x backport
    - vfs_shadow_copy2: add a blackbox test suite
    - s3: libsmb: Correctly align create contexts in a create call.
    - s3: libsmb: Add return args to clistr_is_previous_version_path().
    - s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets shadow copy
      info over SMB2.
    - s3: libsmb: Plumb new SMB2 shadow copy call into cli_shadow_copy_data().
    - s3: libsmb: Add the capability to find a @GMT- path in an SMB2 create and
      transform to a timewarp token.
    - s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes
    - selftest: add content to files created during shadow_copy2 test
    - selftest: check file readability in shadow_copy2 test
    - selftest: test listing directories inside snapshots
  * Fix `net ads join` freeze when run a second time (Closes: #859101) since 4.2
    - libads: Fix deadlock when re-joining a domain and updating keytab
  * Non-maintainer upload by the Security Team.
  * Add additional changes required for the CVE-2017-2619 fix
    - s3/smbd: re-open directory after dptr_CloseDir()
    - s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
  * This is a security release in order to address the following defects:
    - CVE-2017-2619: symlink race permits opening files outside share directory
  * CVE-2017-2619 requires the following changes:
    - s3: vfs: dirsort doesn't handle opendir of "." correctly.
    - s3: smbd: Correctly canonicalize any incoming shadow copy path.
    - s3: lib: Add canonicalize_absolute_path().
    - s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path().
    - s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped
      variables.
    - s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly
      relative and terminated.
    - s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep
      a length.
    - s3: VFS: shadow_copy2: Add two new variables to the config data. Not yet
      used.
    - s3: VFS: shadow_copy2: Add a wrapper function to call the original
      shadow_copy2_strip_snapshot().
    - s3: VFS: shadow_copy2: Change a parameter name.
    - s3: VFS: shadow_copy2: Add two currently unused functions to make
      pathnames absolute or relative to $cwd.
    - s3: VFS: shadow_copy2: Fix chdir to store off the needed private
      variables.
    - vfs_shadow_copy2: add shadow_copy2_do_convert()
    - vfs_shadow_copy2: fix case where snapshots are outside the share
    - s3: VFS: Allow shadow_copy2_connectpath() to return the cached path
      derived from $cwd.
    - s3: VFS: Ensure shadow:format cannot contain a / path separator.
    - s3: VFS: Add utility function check_for_converted_path().
    - s3: VFS: shadow_copy2: Fix module to work with variable current working
      directory.
    - s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function.
    - s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on
      error.
    - s3: VFS: Don't allow symlink, link or rename on already converted paths.
    - s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same
      path as streams_xattr_recheck().
    - vfs_streams_xattr: use fsp, not base_fsp
    - s3: vfs: streams_depot. Use conn->connectpath not conn->cwd.
    - s3: smbd: Create wrapper function for OpenDir in preparation for making
      robust.
    - s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
    - s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
    - s3: smbd: OpenDir_fsp() use early returns.
    - s3: smbd: OpenDir_fsp() - Fix memory leak on error.
    - s3: smbd: Move the reference counting and destructor setup to just before
      returning success.
    - s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported
      on system.
    - s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
    - s3: smbd: Move special handling of symlink errno's into a utility
      function.
    - s3: smbd: Add the core functions to prevent symlink open races.
    - s3: smbd: Use the new non_widelink_open() function.

4fd6889... by Mathieu Parent on 2016-12-08

Import patches-unapplied version 2:4.2.14+dfsg-0+deb8u2 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 6a3e09ca308b9f4563f044133607916a8c78f604

New changelog entries:
  * This is a security release in order to address the following defects:
    - CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
      Overflow Remote Code Execution Vulnerability).
    - CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
      trusted realms).
    - CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
       elevation).
  * Fix smbclient compatibility with Windows 10 (Closes: #820794)
  * New upstream release.
   + Fixes CVE-2016-2119: Client side SMB2/3 required signing can be downgraded.
   + Various fixes for regressions introduced by the 4.2.10 security fixes.
   Closes: #820965, #827141
   + Fixes for segfault with clustering. Closes: #824177
   + Bump tevent dependency up to 0.9.28.
  * Drop obsolete patch security-2016-04-12-prerequisite-v4-2-regression-
    fixes.metze01.txt.
  * Drop patch sockets-with-htons.patch; applied upstream.
  * Drop patch CVE-2016-2110-NTLMSSP-regression.patch; fixed upstream.
  * Drop patch s3-smbd-fix-anonymous-authentication-if-signing-is-
    m.patch: fixed upstream.

6a3e09c... by Salvatore Bonaccorso on 2016-06-01

Import patches-unapplied version 2:4.2.10+dfsg-0+deb8u3 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: a5df8a6c518c8f35f00c2ab4aa3b2661f65b2ff8

New changelog entries:
  * Non-maintainer upload by the Security Team.
  [ Salvatore Bonaccorso ]
  * Add missing Breaks+Replaces for samba-libs binary package.
    The 2:4.2.10+dfsg-0+deb8u2 update moved some libraries back to the
    samba-libs binary package from the samba binary package but did not add
    respective Breaks and Replaces package relations. (Closes: #821002)
  * Add Patchset for regression introduced by CVE-2016-2110.
    NetAPP SMB servers don't negotiate NTLMSSP_SIGN. (Closes: #822937)
  [ Steven Chamberlain ]
  * ctdb: Fix detection of gnukfreebsd (Closes: #802621)
    GNU/kFreeBSD's platform name is 'gnukfreebsd', not just 'kfreebsd'.
  [ Andrew Bartlett ]
  * Add back better NEWS item for 2:4.2.10+dfsg-0+deb8u1
  [ Salvatore Bonaccorso ]
  * s3:smbd: fix anonymous authentication if signing is mandatory
  * Non-maintainer upload by the Security Team.
  * Move libraries back to samba-libs
    libsmbd-base.so.0, process_model/*.so and libprocess-model.so.0
    libraries back to the samba-libs binary package. (Closes: #820947)
  [ Jelmer Vernooij ]
  * New upstream release.
   + Drop patch Fix-CTDB-build-with-PMDA.patch: applied upstream.
  * Re-enable cluster support.
  * Add patch no_wrapper: avoid dependencies on
    {nss,uid,socket}_wrapper.
  [ Mathieu Parent ]
  * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)
  * Don't build ctdb twice:
    - Shorten build time
    - Fix ctdb log path from /var/log/log.ctdb to /var/log/ctdb/log.ctdb
    - Remove unused /usr/lib/*/ctdb/*.so files
  [ Andrew Bartlett ]
  * New upstream release
   + Fixes:
    - CVE-2015-5370 (Multiple errors in DCE-RPC code)
    - CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
    - CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
    - CVE-2016-2112 (LDAP client and server don't enforce integrity)
    - CVE-2016-2113 (Missing TLS certificate validation)
    - CVE-2016-2114 ("server signing = mandatory" not enforced)
    - CVE-2016-2115 (SMB IPC traffic is not integrity protected)
    - CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
  * Backport BackupKey patches from Samba 4.3.0 to avoid regressions
  * Additional regression fix for 'net ads join' to a Windows 2003 domain by metze
  * Revert the change that made libsamba-debug a library, allowing openchange
    to link to Samba 4.2
  * Add Breaks against openchangeproxy that uses an API and ABI that has changed
  [ Marc Deslauriers ]
  * Fix double-free in pam_smbpass

a5df8a6... by Jelmer Vernooij on 2014-12-07

Import patches-unapplied version 2:4.2.1+dfsg-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 4fca257342da0ea2bd5092df0cb37af4be9ed75d

New changelog entries:
  [ Jelmer Vernooij ]
  * New upstream release.
   + Drop patch do-not-install-smbclient4-and-nmbclient4: applied upstream.
   + Drop patch
     bug_598313_upstream_7499-nss_wins-dont-clobber-daemons-logs.patch:
     present upstream.
   + Refresh patch 26_heimdal_compat.26_heimdal_compat.
   + Add build-dependency on libarchive-dev.
  * Drop samba_bug_11077_torturetest.patch: applied upstream.
  * Drop dependency on ctdb - now bundled with Samba.
  * Use bundled Heimdal as the system Heimdal doesn't contain the
    changes required for Samba.
  * Add patch heimdal-rfc3454.txt: patch in truncated rfc3454.txt for
    building bundled heimdal.
  * Drop patches 25_heimdal_api_changes and 26_heimdal_compat.
  * Disable cluster support; it breaks the build.
  * Add patch no_wrapper: avoid dependencies on
    {nss,uid,socket}_wrapper.
  * Move some libraries around.
  * Move ownership of var/lib/samba and var/lib/samba/private to samba-
    common, remove obsolete samba4.dirs. Closes: #793866
  * Remove ctdb-tests and ctdb-pcp-pmda packages as they contain problems
    and unclear what they are useful for, now ctdb no longer provides
    an external API.
  [ Mathieu Parent ]
  * Merge ctdb source package
    - initial merge
    - libctdb-dev has been dropped
    - ctdb-dbg renamed to ctdb-tests, debug files moved to samba-dbg
    - ctdb-tests depends on python
  * Fix CTDB socketpath parsing
  * Fix CTDB build with PMDA
  * ctdb: Fix privacy breach on google.com (from documentation)

4fca257... by Ivo De Decker on 2015-03-07

Import patches-unapplied version 2:4.1.17+dfsg-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5c7b5f80a405a3805f3c08b92336cd8ff6eaf112

New changelog entries:
  [ Andreas Beckmann ]
  * Add samba.preinst to temporarily deactivate the old qtsmbstatusd
    initscript which has dependencies incompatible with the new samba
    initscript. This will ensure a clean upgrade path for samba if the
    qtsmbstatus-server package was installed previously. (Closes: #779666)

5c7b5f8... by Ivo De Decker on 2015-02-23

Import patches-unapplied version 2:4.1.17+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: dd34c6516f8429104d1c5b80bf62094e7148b6f3

New changelog entries:
  * New upstream release. Fixes:
  - CVE-2014-8143: Elevation of privilege to Active Directory Domain
                   Controller. Closes: #776993
  - CVE-2015-0240: Unexpected code execution in smbd. Closes: #779033
  * Refresh patch add-so-version-to-private-libraries.
  * Add new smbtorture test rpc.schannel_anon_setpw to detect the conditions
    leading to CVE-2015-0240.
  * Add breaks on qtsmbstatus-server (<< 2.2.1-3~). Closes: #775041
  * Build-depend on reverted ldb version (with increased epoch).

dd34c65... by Jelmer Vernooij on 2014-12-10

Import patches-unapplied version 2:4.1.13+dfsg-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b07abe5f2ac5f544842b6c849e0c9adbba51d9fd

New changelog entries:
  * Revert previous patch, since ldb has an active module version check.
    Instead, just depend on ldb 1.1.18. Closes: #771991

b07abe5... by Jelmer Vernooij on 2014-12-04

Import patches-unapplied version 2:4.1.13+dfsg-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 88c404ec0fd29bd6e7ed6ebd18ddccb6e3a0c10a

New changelog entries:
  * Update debian/rules to allow support for multiple upstream ldb
    versions, when verified. Closes: #771991