Ian McWilliam <i.mcwill...@westernsydney.edu.au> writes: > Revision 1.219 / (download) - annotate - [select for diffs], Tue Apr 12 > 17:42:09 2016 UTC (4 months, 3 weeks ago) by jca > > Update to samba-4.3.6 > > i386 build by danj@, ok sthen@ > > The changelog between 4.1.23 and 4.3.6 is too big to be described here. > The point of updating now is that 4.1.x won't receive updates for the > freshly published security advisories. samba-4.3.8 will follow.
This is indeed the commit that introduced the regression. > > --without-acl-support \ > > Was introduced in the 4.3.6 update just before the big Samba security update > for > > CVE-2015-5370 (Multiple errors in DCE-RPC code) > CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP) > CVE-2016-2111 (NETLOGON Spoofing Vulnerability) > CVE-2016-2112 (LDAP client and server don't enforce integrity) > CVE-2016-2113 (Missing TLS certificate validation) > CVE-2016-2114 ("server signing = mandatory" not enforced) > CVE-2016-2115 (SMB IPC traffic is not integrity protected) > CVE-2016-2118 (SAMR and LSA man in the middle attacks possible) > > Now to work out the implications of re-enabling it. It's not directly related to ACLs. The root cause if that I stopped telling the build system to build ntvfs support, by removing --enable-selftest. The ntvfs code was supposedly disabled by default last year for production builds. The funny thing is that it doesn't show obvious problems at runtime, only at provisioning time. The fix below makes samba.is_ntvfs_fileserver_built() return True, and makes --use-ntvfs visible again in samba-tool domain provision. There are other problems later. Index: Makefile =================================================================== RCS file: /cvs/ports/net/samba/Makefile,v retrieving revision 1.227 diff -u -p -r1.227 Makefile --- Makefile 8 Jul 2016 18:39:50 -0000 1.227 +++ Makefile 9 Sep 2016 07:09:17 -0000 @@ -15,6 +15,7 @@ PKGNAME-tevent = tevent-${TEVENT_V} PKGNAME-util = samba-util-${VERSION} PKGNAME-docs = samba-docs-${VERSION} +REVISION-main = 0 REVISION-ldb = 0 REVISION-tevent = 0 @@ -159,7 +160,8 @@ CONFIGURE_ARGS = --enable-fhs \ --without-regedit \ --without-acl-support \ --without-libarchive \ - --disable-rpath + --disable-rpath \ + --with-ntvfs-fileserver # XXX Remember to remove --enable-developer, it prints passwords in logs. #CONFIGURE_ARGS += --enable-developer -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE