The annotated tag, samba-4.14.10 has been created at 2830e8cf78ec658f8991a166405f8f440aa54877 (tag) tagging 9312b1832e5a808a63fc7f9e7d6e70348cc9eb86 (commit) replaces ldb-2.3.2 tagged by Jule Anger on Mon Nov 8 12:43:13 2021 +0100
- Log ----------------------------------------------------------------- samba: tag release samba-4.14.10 -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGJDVEACgkQqplEL7aA tiCXug//fHd/TfSXjTSF+f/NYxZuJM4KTYqmBao+aGL4WTbqrWog9ctqW9D5LGBC NuqjKt+p4lR095xD0TFuUH65e6vATt4B6bV2rV50rf5tOB/crLFmxVicmd+avyvY hU2Bxn9Lbdh840Z3vr5FQRj1P2OqgqVd3WPTS90D/OitEpvoNBtIksC55YbPX13R r8iFj7I4gKcykEA0g3Rcy+JDEHwNx8yJEO575UEnW6bQEnJp10WUnPplN+jPEW62 ChehnrM6Mz1QqL/pZh3MJzrVqj2UxZ6I3PHoetBQrMAS41crtgxvgsx6WjulK69X ImgjAG0RRDSsTz8xRpvAfiskNanXzFGcWM2L+lHqNnr54+BahI4iCCQH/ynK1fVk EPLO5B5myC+bZBc1vY9g4nxorO5feWO8EyEl9Ft4oHAr+0gHWEeKBKuivt0kAe/C aNv4JTa2iYdhVuTr9LdipKT1XJwQlVaD07q3ClQhFwNtriMWMDIEkgaUzelmHiMq 4oGF9bJ2IaE5dkhmmcfmrZLRb2q8aFfWR6oexPhcWbB3ntRiSeiAhhjJJgfyKjDG SFxtB7P26wvmcX0UJKAMdwr00NjO61WsWXgcun0ejZxHpvDfB9Cej0jyB/Awt81X 2pGuhqAGyNlMyzS2dXiYYAvyleIhTzot/NoOWvwNDU2uL7B4tEY= =49xf -----END PGP SIGNATURE----- Alexander Bokovoy (1): CVE-2020-25717: Add FreeIPA domain controller role Andreas Schneider (13): CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env CVE-2020-25719 mit-samba: Make ks_get_principal() internally public CVE-2020-25719 mit-samba: Add ks_free_principal() CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac() CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac() CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data() CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry CVE-2020-25719 mit_samba: Create the talloc context earlier CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob() CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it Andrew Bartlett (55): CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify() CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019 CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test CVE-2020-25722 dsdb: Tests for our known set of privileged attributes CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied() CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass. CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now) CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $ CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change CVE-2020-25722 selftest: Split test_userAccountControl into unit tests CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID CVE-2020-25722 Check all elements in acl_check_spn() not just the first one CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn() CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob() CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to() CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values CVE-2020-25722 Ensure the structural objectclass cannot be changed CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present" CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal Douglas Bagnall (35): CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context CVE-2020-25722 samba-tool spn: accept -H for database url CVE-2020-25722 samba-tool spn add: remove --force option CVE-2020-25722 tests: blackbox samba-tool spn non-admin test CVE-2020-25722 s4/provision: add host/ SPNs at the start CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap CVE-2020-25722 pytest: test setting servicePrincipalName over ldap CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr() CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values() CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr() Joseph Sutton (64): CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange() CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket() CVE-2020-25722 tests/krb5: Allow creating server accounts CVE-2020-25719 tests/krb5: Add is_tgt() helper method CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0 CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC CVE-2020-25719 tests/krb5: Add principal aliasing test CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes CVE-2020-25722 Add test for SPN deletion followed by addition CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions CVE-2020-25718 tests/krb5: Fix indentation CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt() CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT CVE-2020-25719 tests/krb5: Return ticket from _tgs_req() CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user CVE-2020-25719 s4/torture: Expect additional PAC buffers CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer CVE-2020-25719 heimdal:kdc: Require authdata to be present CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer CVE-2020-25719 heimdal:kdc: Check return code CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication CVE-2020-25719 heimdal:kdc: Require PAC to be present CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation Jule Anger (2): WHATSNEW: Add release notes for Samba 4.14.10. VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release. Nadezhda Ivanova (2): CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute Ralph Boehme (1): CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() Samuel Cabrero (4): CVE-2020-25717: loadparm: Add new parameter "min domain uid" CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter CVE-2020-25717: s3:auth: Check minimum domain uid Stefan Metzmacher (48): CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true CVE-2020-25717: s4:torture: start with authoritative = 1 CVE-2020-25717: s4:smb_server: start with authoritative = 1 CVE-2020-25717: s4:auth_simple: start with authoritative = 1 CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 CVE-2020-25717: s3:torture: start with authoritative = 1 CVE-2020-25717: s3:rpcclient: start with authoritative = 1 CVE-2020-25717: s3:auth: start with authoritative = 1 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors CVE-2020-25717: s3:auth: we should not try to autocreate the guest account CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect() CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual() CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False) CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind() CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info() CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper Volker Lendecke (9): CVE-2020-25717 auth3: Simplify check_samba4_security() CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm() CVE-2020-25717 auth4: Make auth_anonymous pseudo-async CVE-2020-25717 auth4: Make auth_developer pseudo-async CVE-2020-25717 auth4: Make auth_unix pseudo-async CVE-2020-25717 auth4: Make auth_sam pseudo-async CVE-2020-25717 auth4: Remove sync check_password from auth_operations CVE-2021-23192 rpc: Give dcerpc_util.c its own header CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding ----------------------------------------------------------------------- -- Samba Shared Repository