ubuntu/+source/samba:ubuntu/artful-security

Last commit made on 2018-03-13
Get this branch:
git clone -b ubuntu/artful-security https://git.launchpad.net/ubuntu/+source/samba
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/artful-security
Repository: lp:ubuntu/+source/samba

Recent commits

f493ee1... by Marc Deslauriers on 2018-03-06

Import patches-unapplied version 2:4.6.7+dfsg-1ubuntu3.2 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 449990910520d558997c322d0d1c595d82489957

New changelog entries:
  * SECURITY UPDATE: Denial of Service Attack on external print server
    - debian/patches/CVE-2018-1050.patch: protect against null pointer
      derefs in source3/rpc_server/spoolss/srv_spoolss_nt.c.
    - CVE-2018-1050
  * SECURITY UPDATE: Authenticated users can change other users password
    - debian/patches/CVE-2018-1057-*.patch: fix password changing logic.
    - CVE-2018-1057

4499909... by Marc Deslauriers on 2017-11-15

Import patches-unapplied version 2:4.6.7+dfsg-1ubuntu3.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 8b3f7676ec9a9c1dfce97a1b5c89d7738e2019fc

New changelog entries:
  * SECURITY UPDATE: Use-after-free vulnerability
    - debian/patches/CVE-2017-14746.patch: fix use-after-free crash bug in
      source3/smbd/process.c, source3/smbd/reply.c.
    - CVE-2017-14746
  * SECURITY UPDATE: Server heap memory information leak
    - debian/patches/CVE-2017-15275.patch: zero out unused grown area in
      source3/smbd/srvstr.c.
    - CVE-2017-15275

8b3f767... by Marc Deslauriers on 2017-09-21

Import patches-unapplied version 2:4.6.7+dfsg-1ubuntu3 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: e233207f792582ee515bc230651f355da52fb56e

New changelog entries:
  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
    they should
    - debian/patches/CVE-2017-12150-1.patch: don't turn a guessed username
      into a specified one in source3/include/auth_info.h,
      source3/lib/popt_common.c, source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
      source3/lib/util_cmdline.c.
    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
      source3/libsmb/pylibsmb.c.
    - debian/patches/CVE-2017-12150-4.patch: add SMB_SIGNING_REQUIRED to
      libgpo/gpo_fetch.c.
    - debian/patches/CVE-2017-12150-5.patch: add check for
      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
    - debian/patches/CVE-2017-12150-6.patch: add
      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
    - debian/patches/CVE-2017-12150-7.patch: only fallback to anonymous if
      authentication was not requested in source3/libsmb/clidfs.c.
    - CVE-2017-12150
  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
    redirects
    - debian/patches/CVE-2017-12151-1.patch: add
      cli_state_is_encryption_on() helper function to
      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
    - debian/patches/CVE-2017-12151-2.patch: make use of
      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
      source3/libsmb/libsmb_context.c.
    - CVE-2017-12151
  * SECURITY UPDATE: Server memory information leak over SMB1
    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
      from writing server memory to file in source3/smbd/reply.c.
    - CVE-2017-12163

e233207... by Andreas Hasenack on 2017-09-01

Import patches-unapplied version 2:4.6.7+dfsg-1ubuntu2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 35577f16dfad23b6b642fa3c185811e0916d8e0d
Upload parent: 088559842c2999d144bd20a66e94101d9ccfbd4d

New changelog entries:
  * d/source_samba.py: use the new recommended findmnt(8) tool to list
    mountpoints and correctly filter by the cifs filesystem type.
    (LP: #1703604)

0885598... by Andreas Hasenack on 2017-09-05

Pass option '-n' to findmnt so we don't get a header line. This makes its
output very much like what we would have had with mount.cifs.

40a47e0... by Andreas Hasenack on 2017-09-05

changelog

d2f38ea... by Andreas Hasenack on 2017-09-05

  * d/source_samba.py: use the new recommended findmnt(8) tool to list
    mountpoints and correctly filter by the cifs filesystem type.
    (LP: #1703604)

9d94681... by Andreas Hasenack on 2017-09-01

changelog

c78cbb7... by Andreas Hasenack on 2017-09-01

  * d/source_samba.py: fix the mount call that lists cifs mountpoints
    (LP: #1703604)

35577f1... by Andreas Hasenack on 2017-08-21

Import patches-unapplied version 2:4.6.7+dfsg-1ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 783710e73a17f83a139765bae53c5b366288fb21
Upload parent: 7d7237bcaf402259b6b2380d16af077480654a38

New changelog entries:
  * Merge with Debian unstable (LP: #1710281).
    - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
      symlinks to directories (LP: #1701073)
  * Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf;
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247