The annotated tag, samba-4.15.2 has been created
        at  ac8c226ed9d8c067f6053c6f7f8f6457b86c2f52 (tag)
   tagging  7d0c030d4233974c4b9463dad44efdb05e6186f1 (commit)
  replaces  samba-4.15.1
 tagged by  Jule Anger
        on  Mon Nov 8 12:34:39 2021 +0100

- Log -----------------------------------------------------------------
samba: tag release samba-4.15.2
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGJC08ACgkQqplEL7aA
tiBiXQ/9F0F4i7ZnqSPCuRsG0WfVK3T1O3xiH9zpjNQyHpDbHEFw9kj1ts3tnbYQ
EtjX1p25brXaqLU7qL3sPW6biked1O65TuqZw+GOdKTzK2/CfsLUjnfdRvAnD8T1
+K3kK2t6Lyy9+X51E1r208R5TwLMzDczxDia9/+44BEf8JLNl0UyGAjJIwFCd6jo
S9xX9G4mjw657Uh935O8eDaApWZsYhiIhFEmbeTAcBE94aqLv0cBGC2FPZk79cLy
F9GYwsLXy+Nz3YfVMzJVVjZbh41dEZi5Fxj5eeis7LfV61Xha2OWBGjNSKfX12i7
MgUJiQcmadMZE4t2/p3u2hP/o9gnoFszKIc+jgB9do3QJGTqz1NQSfe1+QUKsRYC
HFkJw87cG39AEUdnHccBHC4ShIXiNnVHeObYyZVjKPwEmS3FC5ZFMz47Pc+dkUUy
9K0u42gEHyDfyWB+rkVypDebVGhoj6Fxi0z5vdO703A/92grZF6Uh/vb2bEGXOHC
6RCivtQvn6QqhUV83zl9LI/LEVayXOl0n7BJaHAogX+zVI2S0FQ+RIzXoHnBq7wQ
x976y4JJvbI9pAMVG8TeiWBrUnqWf789fOMBJJ+PQZxiknZYVI3VBUM/8Y1rng1i
A6PMzGXl/fKPoSv2EKDOp8KwajdR87Zi/j8hEPhgVvUJWVWTDgg=
=7Srm
-----END PGP SIGNATURE-----

Alexander Bokovoy (1):
      CVE-2020-25717: Add FreeIPA domain controller role

Andreas Schneider (11):
      CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
      CVE-2020-25719 mit-samba: Add ks_free_principal()
      CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
      CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
      CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
      CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
      CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
      CVE-2020-25719 mit_samba: Create the talloc context earlier
      CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
      CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
      CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it

Andrew Bartlett (55):
      CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
      CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
      CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
      CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
      CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
      CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
      CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
      CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
      CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
      CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
      CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
      CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
      CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
      CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
      CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
      CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
      CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
      CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
      CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
      CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
      CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
      CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
      CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
      CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
      CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
      CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
      CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
      CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
      CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
      CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
      CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
      CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
      CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
      CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
      CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
      CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
      CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
      CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
      CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
      CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
      CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
      CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
      CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
      CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
      CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
      CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
      CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
      CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
      CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
      CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
      CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
      CVE-2020-25722 Ensure the structural objectclass cannot be changed
      CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
      Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
      CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal

Douglas Bagnall (35):
      CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
      CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
      CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
      CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
      CVE-2020-25722 samba-tool spn: accept -H for database url
      CVE-2020-25722 samba-tool spn add: remove --force option
      CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
      CVE-2020-25722 s4/provision: add host/ SPNs at the start
      CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
      CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
      CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
      CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
      CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
      CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
      CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
      CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
      CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
      CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
      CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
      CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
      CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
      CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
      CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
      CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()

Joseph Sutton (64):
      CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
      CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
      CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
      CVE-2020-25722 tests/krb5: Allow creating server accounts
      CVE-2020-25719 tests/krb5: Add is_tgt() helper method
      CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
      MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
      CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
      CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
      CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
      CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
      CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
      CVE-2020-25719 tests/krb5: Add principal aliasing test
      CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
      CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
      CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
      CVE-2020-25722 Add test for SPN deletion followed by addition
      CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
      CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
      CVE-2020-25718 tests/krb5: Fix indentation
      CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
      CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
      CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
      CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
      CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
      CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
      CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
      CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
      CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
      CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
      CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
      CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
      CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
      CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
      CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
      CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
      CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
      CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
      CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
      CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
      CVE-2020-25719 s4/torture: Expect additional PAC buffers
      CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 heimdal:kdc: Require authdata to be present
      CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
      CVE-2020-25719 heimdal:kdc: Check return code
      CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
      CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
      CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
      CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
      CVE-2020-25719 heimdal:kdc: Require PAC to be present
      CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
      CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
      CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
      CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
      CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation

Jule Anger (3):
      VERSION: Bump version up to Samba 4.15.2...
      WHATSNEW: Add release notes for Samba 4.15.2.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.

Nadezhda Ivanova (2):
      CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
      CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute

Ralph Boehme (1):
      CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

Samuel Cabrero (4):
      CVE-2020-25717: loadparm: Add new parameter "min domain uid"
      CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
      CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
      CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (47):
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
      CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
      CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
      CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
      CVE-2020-25717: s4:torture: start with authoritative = 1
      CVE-2020-25717: s4:smb_server: start with authoritative = 1
      CVE-2020-25717: s4:auth_simple: start with authoritative = 1
      CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
      CVE-2020-25717: s3:torture: start with authoritative = 1
      CVE-2020-25717: s3:rpcclient: start with authoritative = 1
      CVE-2020-25717: s3:auth: start with authoritative = 1
      CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
      CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
      CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
      CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
      CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
      CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
      CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
      CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
      CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
      CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
      CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
      CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
      CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
      CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
      CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
      CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
      CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
      CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
      CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
      CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
      CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
      CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
      CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
      CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
      CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
      CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
      CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
      CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
      CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper

-----------------------------------------------------------------------

--
Samba Shared Repository
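As an added example (not code from the samba-cvs mail or from the Samba project), the following Python reads an announcement in the layout above and extracts what a triager wants first: which tag object and which commit the tag signature covers, whether each author's listed subjects agree with the count in the "Name (N):" group header, and which commit subjects belong to which CVE, counting a subject under every CVE it names. The ANNOUNCE string is a constructed excerpt that reuses a handful of the subjects from this mail with the armored signature elided; the six-space subject indentation and the group-header shape are assumptions about the mail format taken from the text above. The script does not verify the signature itself; that check remains `git verify-tag samba-4.15.2` against the Samba release-signing key.

```python
import re
from collections import defaultdict

# Constructed excerpt of a samba-cvs tag announcement in the post-receive
# mail layout.  Subjects are copied from the 4.15.2 mail; the armored
# signature is elided, so this sample cannot be cryptographically verified.
ANNOUNCE = """\
The annotated tag, samba-4.15.2 has been created
        at  ac8c226ed9d8c067f6053c6f7f8f6457b86c2f52 (tag)
   tagging  7d0c030d4233974c4b9463dad44efdb05e6186f1 (commit)
  replaces  samba-4.15.1
 tagged by  Jule Anger
        on  Mon Nov 8 12:34:39 2021 +0100

- Log -----------------------------------------------------------------
samba: tag release samba-4.15.2
-----BEGIN PGP SIGNATURE-----

(armored signature elided in this constructed sample)
-----END PGP SIGNATURE-----

Alexander Bokovoy (1):
      CVE-2020-25717: Add FreeIPA domain controller role

Jule Anger (3):
      VERSION: Bump version up to Samba 4.15.2...
      WHATSNEW: Add release notes for Samba 4.15.2.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.

Nadezhda Ivanova (2):
      CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
      CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute

Samuel Cabrero (4):
      CVE-2020-25717: loadparm: Add new parameter "min domain uid"
      CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
      CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
      CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (2):
      CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
      CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos

-----------------------------------------------------------------------
"""

# "at <tag-object>" on one line, "tagging <commit>" on the next (assumed layout).
HEADER_RE = re.compile(
    r"^\s*at\s+(?P<tag>[0-9a-f]{40}) \(tag\)\n"
    r"\s*tagging\s+(?P<commit>[0-9a-f]{40}) \(commit\)", re.M)
# Unindented "Author Name (N):" group header.
AUTHOR_RE = re.compile(r"^(?P<name>[^\s(][^()\n]*?) \((?P<count>\d+)\):$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
SUBJECT_INDENT = "      "  # six spaces, as the mail indents each subject


def parse_header(text):
    """Return the tag object hash and the commit it points at."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'at ... (tag)' / 'tagging ... (commit)' header found")
    return {"tag": m.group("tag"), "commit": m.group("commit")}


def parse_shortlog(text):
    """Return ({author: [subjects]}, {author: claimed_count}).

    Lines before the first author header (tag message, PGP armor) are
    skipped; any unindented, non-blank line ends the current group.
    """
    groups, claimed, current = {}, {}, None
    for line in text.splitlines():
        m = AUTHOR_RE.match(line)
        if m:
            current = m.group("name")
            claimed[current] = int(m.group("count"))
            groups[current] = []
        elif current is not None and line.startswith(SUBJECT_INDENT):
            groups[current].append(line.strip())
        elif current is not None and line.strip() == "":
            continue
        else:
            current = None
    return groups, claimed


def check_counts(groups, claimed):
    """(author, claimed, listed) for every group whose header count is wrong."""
    return sorted((a, claimed[a], len(s)) for a, s in groups.items()
                  if claimed[a] != len(s))


def subjects_by_cve(groups):
    """Map each CVE id to the (author, subject) pairs that mention it."""
    by_cve = defaultdict(list)
    for author, subjects in groups.items():
        for subj in subjects:
            for cve in sorted(set(CVE_RE.findall(subj))):
                by_cve[cve].append((author, subj))
    return dict(by_cve)


def uncategorised(groups):
    """Subjects carrying no CVE id, e.g. version bumps and release notes."""
    return [s for subs in groups.values() for s in subs if not CVE_RE.search(s)]


if __name__ == "__main__":
    hdr = parse_header(ANNOUNCE)
    groups, claimed = parse_shortlog(ANNOUNCE)
    print(f"tag {hdr['tag']} -> commit {hdr['commit']}")
    for author, n_claimed, n_listed in check_counts(groups, claimed):
        print(f"count mismatch: {author} header says {n_claimed}, listed {n_listed}")
    for cve, items in sorted(subjects_by_cve(groups).items()):
        print(f"{cve}: {len(items)} commit(s)")
    print(f"{len(uncategorised(groups))} subject(s) without a CVE id")
```

The count check is the cheap integrity test: the "(N)" in each group header is written by the post-receive script from git itself, so a group whose listed subjects do not add up is a sign the mail was truncated or altered in transit, and the CVE map tells you straight away whether, say, all of the CVE-2020-25717 changes you expect in a backport actually landed in the tag.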