The annotated tag, samba-4.2.11 has been created
        at  f9d2691f5569edfc48e36181ff0c34b7b31f936d (tag)
   tagging  cdf4f21e282599fc2b00d8d4ff38d92b4af1fd0b (commit)
  replaces  samba-4.2.9
 tagged by  Karolin Seeger
        on  Mon Apr 11 11:01:19 2016 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.2.11

Andreas Schneider (4):
      s4-gensec: Check if we have delegated credentials.
      torture: Fix the usage of the MEMORY credential cache.
      torture: Correctly invalidate the memory ccache.
      torture: Free the temporary memory context

Andrew Bartlett (4):
      libsmb: Print the principal name that we failed to kinit for.
      docs: Explain that winbindd enforces smb signing by default.
      lib/tls: Add new 'tls priority' option
      lib/tls: Change default supported TLS versions.

Björn Jacke (1):
      tls: increase Diffie-Hellman group size to 2048 bits

Christian Ambach (1):
      s4:torture/ntlmssp fix a compiler warning

Günther Deschner (15):
      gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
      lib/util: globally include herrors in error.h
      ntlmssp: add some missing defines from MS-NLMP to our IDL.
      ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
      ntlmssp: properly document version defines in IDL (from MS-NLMP).
      ntlmssp: when pulling messages it is important to clear memory first.
      s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
      s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
      s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
      s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
      s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
      auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
      s4-smb_server: check for return code of cli_credentials_set_machine_account().
      s3-auth: check for return code of cli_credentials_set_machine_account().
      CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

Jelmer Vernooij (15):
      Reduce number of places where sys.path is (possibly) updated for external module paths.
      Avoid importing TestCase and TestSkipped from testtools.
      Rename TestSkipped to Skiptest, consistent with Python 2.7.
      selftest/tests/*.py: remove use of testtools.
      Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
      Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
      Add replacement addCleanup.
      Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
      Provide TestCase.assertIsInstance for python < 2.7.
      Use samba TestCase so we get all compatibility functions on Python < 2.7.
      Run cleanup after tearDown, for consistency with Python >= 2.7.
      Handle skips when running on python2.6.
      Implement assertIsNone for Python < 2.7.
      Implement TestCase.assertIn for older versions of Python.
      Implement TestCase.assertIsNotNone for python < 2.7.

Jeremy Allison (2):
      s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
      CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec

Kamen Mazdrashki (3):
      s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
      s4-tests: Print out what the error is in delete_force()
      s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment

Ralph Boehme (13):
      CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
      CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
      CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
      CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
      CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"

Richard Sharpe (5):
      Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
      Convert all uint32/16/8 to _t in source3/libsmb.
      Convert all uses of uint32/16/8 to _t in source3/rpc_server.
      Convert all uses of uint32/16/8 to _t in source3/rpc_client.
      Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credentials fields are not initialized.

Stefan Metzmacher (360):
      VERSION: Bump version up to 4.2.10...
      s4:auth/gensec_gssapi: remove compiler warnings
      s4:lib/tls: add tls_cert_generate() prototype to tls.h
      s4:lib/tls: remove allow_warnings=True
      auth/kerberos: avoid compiler warnings
      auth/kerberos: remove allow_warnings=True
      s4:auth/gensec_gssapi: remove allow_warnings=True
      s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
      auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
      s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
      s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
      s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
      s4:lib/tls: fix tstream_tls_connect_send() define
      s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
      s4:libcli/ldap: conversion to tstream
      s4:auth/gensec: remove unused and untested cyrus_sasl module
      s4:auth/gensec: remove unused include of lib/socket/socket.h
      s4:auth/gensec: remove unused gensec_socket_init()
      auth/gensec: remove unused gensec_[un]wrap_packets() hooks
      s3:ntlm_auth: don't start gensec backend twice
      auth/credentials: anonymous should not try to use kerberos
      midltests: add valid/midltests_DRS_EXTENSIONS.*
      librpc/rpc: add faultcode to nt_status mappings
      librpc/rpc: add dcerpc_fault_from_nt_status()
      librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
      s4:pyrpc: add base.bind_time_features_syntax(features)
      lib/util: fix output format in dump_data*()
      librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
      python/samba/tests: don't lower case path names in connect_samdb()
      python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
      python/samba/tests: move hexdump() from DNSTest to TestCase
      python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
      s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
      libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
      python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
      s4:pyrpc: remove pointless alter_context() method
      dcerpc.idl: fix calculation of uint16 secondary_address_size;
      heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
      heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
      heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
      heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
      heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
      heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
      auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
      s4:selftest: run rpc.netlogon.admin against also ad_dc
      s4:rpc_server: pass the remote address to gensec_set_remote_address()
      s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
      s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
      lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
      lib/util_net: add support for .ipv6-literal.net
      s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
      s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
      epmapper.idl: make epm_twr_t available in python bindings
      dcerpc.idl: make WERROR RPC faults available in ndr_print output
      librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
      s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
      s3:libads: remove unused ads_connect_gc()
      wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
      s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
      s3:librpc/gse: fix debug message in gse_init_client()
      s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
      s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
      s3:librpc/gse: don't log gss_acquire_creds failed at level 0
      s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
      s4:pygensec: make sig_size() and sign/check_packet() available
      auth/gensec: keep a pointer to a possible child/sub gensec_security context
      auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
      auth/gensec: make gensec_security_by_name() public
      s3:auth_generic: add auth_generic_client_start_by_name()
      s3:auth_generic: add auth_generic_client_start_by_sasl()
      auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
      auth/ntlmssp: add gensec_ntlmssp_server_domain()
      s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
      s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
      s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
      selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
      s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
      winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
      s3:auth_generic: make use of the top level NTLMSSP client code
      s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
      auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
      auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
      auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
      s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
      winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
      s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
      auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
      auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
      auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
      auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
      auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
      auth/ntlmssp: add ntlmssp_version_blob()
      auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
      auth/ntlmssp: use ntlmssp_version_blob() in the server
      security.idl: add LSAP_TOKEN_INFO_INTEGRITY
      ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
      ntlmssp.idl: make AV_PAIR_LIST public
      librpc/ndr: add ndr_ntlmssp_find_av() helper function
      auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
      auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
      s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
      s4:libcli/ldap: fix retry authentication after a bad password
      s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
      s4:selftest: simplify the loops over samba4.ldb.ldap
      s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: add missing TALLOC_FREE(frame) in error path
      s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
      s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
      s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
      s3:libads: keep service and hostname separately in ads_service_principal
      s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
      s3:libsmb: make use gensec based SPNEGO/NTLMSSP
      s3:libsmb: unused ntlmssp.c
      s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
      s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
      s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
      s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
      s3:libsmb: remove unused cli_session_setup_kerberos*() functions
      s3:libsmb: remove unused functions in clispnego.c
      s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
      s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
      s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
      s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
      s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
      s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
      s4:rpc_server: dcesrv_generic_session_key should only work on local transports
      selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
      selftest: add some helper scripts to manage a CA
      selftest: add config and script to create a samba.example.com CA
      selftest: add CA-samba.example.com (non-binary) files
      selftest: mark commands in manage-CA-samba.example.com.sh as DONE
      selftest: add Samba::prepare_keyblobs() helper function
      selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
      selftest: set tls crlfile if it exist
      selftest: setup information of new samba.example.com CA in the client environment
      s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
      s3:test_rpcclient_samlogon.sh: test samlogon with schannel
      s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
      s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
      s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
      s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
      s4:torture/rpc/schannel: don't use validation level 6 without privacy
      auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
      auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
      s4:rpc_server: require access to the machine account credentials
      s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
      s3:rpc_server/samr: correctly handle session_extract_session_key() failures
      s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
      CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
      CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
      CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
      CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
      CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
      CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
      CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
      CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
      CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
      CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
      CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
      CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
      CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
      CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
      CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
      CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
      CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
      CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
      CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
      CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
      CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
      CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
      CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
      CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
      CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
      CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
      CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
      CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
      CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
      CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
      CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
      CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
      CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
      CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
      CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
      CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
      CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
      CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
      CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
      CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
      CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
      CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
      CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
      CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
      CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
      CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
      CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
      CVE-2016-2113: selftest: use "tls verify peer = no_check"
      CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
      CVE-2016-2114: s4:smb2_server: fix session setup with required signing
      CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
      CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
      CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115: docs-xml: add "client ipc signing" option
      CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
      CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
      CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
      CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
      CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
      CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
      CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
      CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
      CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
      CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
      CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
      CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
      CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
      CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
      CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
      CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
      CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
      CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
      CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
      CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
      CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
      CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
      CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
      CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
      CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
      CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
      CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
      CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
      CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
      CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
      CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
      CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
      CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
      CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
      CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
      CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
      CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
      CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
      CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
      CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
      CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
      CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
      CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
      CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
      CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
      CVE-2015-5370: s4:rpc_server: check frag_length for requests
      CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
      CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
      CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
      CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
      CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
      CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
      CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
      CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
      CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
      CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
      CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
      CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
      CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
      CVE-2015-5370: s3:rpc_server: verify presentation context arrays
      CVE-2015-5370: s3:rpc_server: make use of 
dcerpc_verify_ncacn_packet_header() to verify incoming pdus
      CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal 
FAULT pdu
      CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as 
broken
      CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for 
protocol errors
      CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
      CVE-2015-5370: s3:rpc_server: check the transfer syntax in 
check_bind_req() first
      CVE-2015-5370: s3:rpc_server: don't allow an existing context to be 
changed in check_bind_req()
      CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to 
create_rpc_{bind_auth3,alter_context}()
      CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
      CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in 
dcerpc_add_auth_footer()
      CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in 
dcerpc_check_auth()
      CVE-2015-5370: s3:rpc_client: verify auth_context_id in 
rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: verify auth_context_id in 
api_pipe_{bind_auth3,alter_context}
      CVE-2015-5370: libcli/smb: use a max timeout of 1 second in 
tstream_smbXcli_np_destructor()
      CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
      CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol 
errors
      CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol 
tests for DCERPC
      CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
      CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against 
plugin_s4_dc
      WHATSNEW: Add release notes for Samba 4.2.10.
      VERSION: Disable git snapshots for the 4.2.10 release.
      VERSION: Bump version up to 4.2.11...
      s3:libads: sasl wrapped LDAP connections against with kerberos and 
arcfour-hmac-md5
      WHATSNEW: Add release notes for Samba 4.2.11.
      VERSION: Disable git snapshots for the 4.2.11 release.

Volker Lendecke (23):
      rpc_server: Fix CID 1035534 Uninitialized scalar variable
      rpc_server: Fix CID 1035535 Uninitialized scalar variable
      asn1: Remove an unused asn1 function
      asn1: Make asn1_peek_full_tag return 0/errno
      asn1: Add overflow check to asn1_write
      asn1: Add some early returns
      asn1: Make "struct nesting" private
      asn1: Add asn1_has_error()
      lib: Use asn1_has_error()
      asn1: Add asn1_set_error()
      lib: Use asn1_set_error()
      asn1: Add asn1_extract_blob()
      lib: Use asn1_extract_blob()
      asn1: Add asn1_has_nesting
      lib: Use asn1_has_nesting
      asn1: Add asn1_current_ofs()
      lib: Use asn1_current_ofs()
      libcli: Remove a reference to asn1->ofs
      asn1: Remove a reference to asn1_data internals
      asn1: Make 'struct asn1_data' private
      spnego: Correctly check asn1_tag_remaining retval
      libsmb: Fix CID 1356312 Explicit null dereferenced
      libads: Fix CID 1356316 Uninitialized pointer read

-----------------------------------------------------------------------


-- 
Samba Shared Repository
