[SCM] Samba Shared Repository - branch v3-5-stable updated

2013-01-30 Thread Karolin Seeger
The branch, v3-5-stable has been updated
   via  f6b6d3b swat: Use additional nonce on XSRF protection
   via  e9cd100 swat: Use X-Frame-Options header to avoid clickjacking
   via  4f0de0f WHATSNEW: Prepare release notes for Samba 3.5.21.
  from  71dbced WHATSNEW: Start release notes for Samba 3.5.21.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -
commit f6b6d3bf9d43d45560d352b76c12fe0c87a16fa3
Author: Kai Blin k...@samba.org
Date:   Mon Jan 28 23:13:43 2013 +0100

swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.

commit e9cd10049e0b5c1e24e454cc3277eb4bea033dfb
Author: Kai Blin k...@samba.org
Date:   Fri Jan 18 23:11:07 2013 +0100

swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.

commit 4f0de0faf15e2c157ad88800a11648c181d82b65
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 29 10:49:29 2013 +0100

WHATSNEW: Prepare release notes for Samba 3.5.21.

This is a Security Release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).

Karolin

---

Summary of changes:
 WHATSNEW.txt |   37 +++--
 source3/web/cgi.c|   39 ++-
 source3/web/swat.c   |5 -
 source3/web/swat_proto.h |1 +
 4 files changed, 62 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c96f46f..a7766a9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,19 +1,44 @@
==
Release Notes for Samba 3.5.21
-, 2013
+January 30, 2013
==
 
 
-This is the latest stable release of Samba 3.5.
-
-Major enhancements in Samba 3.5.21 include:
-
-o  
-
-Changes since 3.5.19:
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated 
into
+   a malicious web page via a frame or iframe and then overlaid by other 
content,
+   an attacker could trick an administrator to potentially change Samba 
settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to 
manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a 
standalone
+   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT 
has
+   not been installed or enabled (which is the default install state for Samba)
+   this advisory can be ignored.
+
+
+Changes since 3.5.20:
 -
 
-o   Jeremy Allison j...@samba.org
+o   Kai Blin k...@samba.org
+* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
 
 
 ##
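Review bot: The CVE-2013-0214 entry states its precondition two ways: the first paragraph says the attack works "By guessing a user's password", the second says "the attacker needs to know the victim's password". Use one wording so administrators can judge exposure. Both entries also say "All current released versions of Samba" without a range; the website announcement for this release gives "3.0.x to 4.0.1 (incl.)", and repeating that range here would make the notes self-contained.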
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 0c8e9cb..afa2e63 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -45,6 +45,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 

[SCM] Samba Shared Repository - annotated tag samba-3.5.21 created

2013-01-30 Thread Karolin Seeger
The annotated tag, samba-3.5.21 has been created
at  fd775354f326e343342a744fe6da1e677c657dc2 (tag)
   tagging  f6b6d3bf9d43d45560d352b76c12fe0c87a16fa3 (commit)
  replaces  samba-3.5.20
 tagged by  Karolin Seeger
on  Tue Jan 29 12:26:30 2013 +0100

- Log -
tag samba-3.5.21

Kai Blin (2):
  swat: Use X-Frame-Options header to avoid clickjacking
  swat: Use additional nonce on XSRF protection

Karolin Seeger (3):
  VERSION: Bump version number up to 3.5.21.
  WHATSNEW: Start release notes for Samba 3.5.21.
  WHATSNEW: Prepare release notes for Samba 3.5.21.

---


-- 
Samba Shared Repository
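
Added example, not part of the Samba commits or of the original mails: a Python illustration of the two SWAT fixes named in the commit messages above, a form token keyed with a random server-side nonce and an X-Frame-Options: DENY response header. The token layout, all function names and the in-memory dict standing in for secrets.tdb are assumptions made for illustration; SWAT's own change to source3/web/cgi.c is truncated out of this archive.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-in for a persistent server-side secret store. The commit
# message keeps its nonce in secrets.tdb; this dict only lives in memory.
_SECRET_STORE = {}


def server_nonce():
    """Return the server-side nonce, generating it once on first use."""
    if "xsrf_nonce" not in _SECRET_STORE:
        _SECRET_STORE["xsrf_nonce"] = secrets.token_bytes(32)
    return _SECRET_STORE["xsrf_nonce"]


def _fields(user, password, form, issued):
    """Serialize the token inputs with length prefixes so field
    boundaries are unambiguous ("ab"+"c" differs from "a"+"bc")."""
    out = b""
    for value in (user, password, form, str(issued)):
        raw = value.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def token_without_nonce(user, password, form, issued):
    """Assumed 'before' scheme: a plain hash of values that anyone who
    knows or guesses the password can reproduce off-server."""
    return hashlib.sha256(_fields(user, password, form, issued)).hexdigest()


def token_with_nonce(user, password, form, issued, nonce=None):
    """'After' scheme: the same inputs, keyed with a random secret that
    never leaves the server, so the token cannot be computed elsewhere."""
    key = server_nonce() if nonce is None else nonce
    return hmac.new(key, _fields(user, password, form, issued),
                    hashlib.sha256).hexdigest()


def verify(token, user, password, form, issued, now, max_age=600):
    """Accept a submitted form only if the token is fresh and matches."""
    if not 0 <= now - issued <= max_age:
        return False
    expected = token_with_nonce(user, password, form, issued)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"),
                               token.encode("utf-8"))


def response_headers():
    """Headers for every admin page; DENY tells the browser to refuse
    rendering the page inside any frame or iframe."""
    return [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]


def demo():
    """Run the checks on constructed sample values."""
    user, password, form, issued = "root", "constructed-pw", "shares", 1000
    good = token_with_nonce(user, password, form, issued)
    # A token built off-server: correct password, but no access to the nonce.
    offsite = token_without_nonce(user, password, form, issued)
    wrong_key = token_with_nonce(user, password, form, issued,
                                 nonce=b"\x00" * 32)
    return {
        "server_token_accepted": verify(good, user, password, form,
                                        issued, now=1100),
        "offsite_token_accepted": verify(offsite, user, password, form,
                                         issued, now=1100),
        "wrong_nonce_accepted": verify(wrong_key, user, password, form,
                                       issued, now=1100),
        "expired_token_accepted": verify(good, user, password, form,
                                         issued, now=5000),
        "frame_header": dict(response_headers()).get("X-Frame-Options"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
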


[SCM] Samba Shared Repository - branch v3-6-stable updated

2013-01-30 Thread Karolin Seeger
The branch, v3-6-stable has been updated
   via  91f4275 swat: Use additional nonce on XSRF protection
   via  7122594 swat: Use X-Frame-Options header to avoid clickjacking
   via  184d5ab WHATSNEW: Prepare release notes for Samba 3.6.12.
  from  5f8ab89 WHATSNEW: Start release notes for Samba 3.6.12.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -
commit 91f4275873ebeda8f57684f09df67162ae80515a
Author: Kai Blin k...@samba.org
Date:   Mon Jan 28 21:41:07 2013 +0100

swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.

commit 71225948a249f079120282740fcc39fd6faa880e
Author: Kai Blin k...@samba.org
Date:   Fri Jan 18 23:11:07 2013 +0100

swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.

commit 184d5ab26a553ca7ef3f529e90e4dd8c9aded75d
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 29 09:45:06 2013 +0100

WHATSNEW: Prepare release notes for Samba 3.6.12.

This is a Security Release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).

Karolin

---

Summary of changes:
 WHATSNEW.txt |   35 ++-
 source3/web/cgi.c|   40 ++--
 source3/web/swat.c   |5 -
 source3/web/swat_proto.h |1 +
 4 files changed, 61 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2f414bc..8d058e3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,19 +1,44 @@
==
Release Notes for Samba 3.6.12
-  March 18, 2013
+  January 30, 2013
==
 
 
-This is is the latest stable release of Samba 3.6.
-
-Major enhancements in Samba 3.6.12 include:
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated 
into
+   a malicious web page via a frame or iframe and then overlaid by other 
content,
+   an attacker could trick an administrator to potentially change Samba 
settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to 
manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a 
standalone
+   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT 
has
+   not been installed or enabled (which is the default install state for Samba)
+   this advisory can be ignored.
 
-o  
 
 Changes since 3.6.11:
 
 
-o   Jeremy Allison j...@samba.org
+o   Kai Blin k...@samba.org
+* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
 
 
 ##
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index ef1b856..861bc84 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -48,6 +48,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char 

[SCM] Samba Shared Repository - annotated tag samba-3.6.12 created

2013-01-30 Thread Karolin Seeger
The annotated tag, samba-3.6.12 has been created
at  0095b0780a555e86ae041c749d8bb256b66d5eca (tag)
   tagging  91f4275873ebeda8f57684f09df67162ae80515a (commit)
  replaces  samba-3.6.11
 tagged by  Karolin Seeger
on  Tue Jan 29 12:25:48 2013 +0100

- Log -
tag samba-3.6.12

Kai Blin (2):
  swat: Use X-Frame-Options header to avoid clickjacking
  swat: Use additional nonce on XSRF protection

Karolin Seeger (3):
  VERSION: Bump version number up to 3.6.12.
  WHATSNEW: Start release notes for Samba 3.6.12.
  WHATSNEW: Prepare release notes for Samba 3.6.12.

---


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v4-0-stable updated

2013-01-30 Thread Karolin Seeger
The branch, v4-0-stable has been updated
   via  1c2abd4 VERSION: Bump version number up to 4.0.2.
   via  0b40842 WHATSNEW: Update release notes for Samba 4.0.2.
   via  6762959 swat: Use additional nonce on XSRF protection
   via  4f24f1c swat: Use X-Frame-Options header to avoid clickjacking
  from  d2e9007 VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-stable


- Log -
commit 1c2abd4cffe63bdc95449d97c9e823e96de04a8e
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 29 11:11:55 2013 +0100

VERSION: Bump version number up to 4.0.2.

Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.

Signed-off-by: Karolin Seeger ksee...@samba.org

commit 0b4084297fa893eccf4054091bb0a1ba02f57304
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 29 11:09:41 2013 +0100

WHATSNEW: Update release notes for Samba 4.0.2.

Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.

Signed-off-by: Karolin Seeger ksee...@samba.org

commit 6762959a45bfc78183055162ae583733e589062f
Author: Kai Blin k...@samba.org
Date:   Sun Jan 20 08:58:08 2013 +0100

swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9577 - CVE-2013-0214: Potential XSRF in SWAT.

commit 4f24f1c72088867e683bcd2207807ef4da272420
Author: Kai Blin k...@samba.org
Date:   Fri Jan 18 23:11:07 2013 +0100

swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.

---

Summary of changes:
 VERSION  |2 +-
 WHATSNEW.txt |   70 -
 source3/web/cgi.c|   39 -
 source3/web/swat.c   |5 ++-
 source3/web/swat_proto.h |1 +
 5 files changed, 99 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index d7d5459..f1cc2a6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c69ca9..0711f96 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
=
+   Release Notes for Samba 4.0.2
+ January 30, 2013
+   =
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated 
into
+   a malicious web page via a frame or iframe and then overlaid by other 
content,
+   an attacker could trick an administrator to potentially change Samba 
settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to 
manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a 
standalone
+   server launched from inetd or xinetd, or as a CGI plugin to 

[SCM] Samba Shared Repository - annotated tag samba-4.0.2 created

2013-01-30 Thread Karolin Seeger
The annotated tag, samba-4.0.2 has been created
at  64d15c762b19d98117424a3bbcb451ce09f55e94 (tag)
   tagging  1c2abd4cffe63bdc95449d97c9e823e96de04a8e (commit)
  replaces  samba-4.0.1
 tagged by  Karolin Seeger
on  Tue Jan 29 11:28:54 2013 +0100

- Log -
samba: tag release samba-4.0.2

Kai Blin (2):
  swat: Use X-Frame-Options header to avoid clickjacking
  swat: Use additional nonce on XSRF protection

Karolin Seeger (2):
  WHATSNEW: Update release notes for Samba 4.0.2.
  VERSION: Bump version number up to 4.0.2.

---


-- 
Samba Shared Repository


[SCM] Samba Website Repository - branch master updated

2013-01-30 Thread Karolin Seeger
The branch, master has been updated
   via  e6160ed Announce Samba 4.0.4, 3.6.12 and 3.5.21.
  from  3160184 samba-fr moved to hosting at renater

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit e6160ed77a7c41f8cb5dfd7931f11c99d0fa2731
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 09:59:15 2013 +0100

Announce Samba 4.0.4, 3.6.12 and 3.5.21.

CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT)

Karolin

---

Summary of changes:
 generated_news/latest_10_bodies.html|   49 +---
 generated_news/latest_10_headlines.html |4 +-
 generated_news/latest_2_bodies.html |   52 ++
 history/header_history.html |3 +
 history/samba-3.5.21.html   |   59 
 history/samba-3.6.12.html   |   59 
 history/samba-4.0.2.html|   59 
 history/security.html   |   18 ++
 latest_stable_release.html  |6 +-
 security/CVE-2013-0213.html |   80 +++
 security/CVE-2013-0214.html |   92 +++
 11 files changed, 456 insertions(+), 25 deletions(-)
 create mode 100755 history/samba-3.5.21.html
 create mode 100755 history/samba-3.6.12.html
 create mode 100755 history/samba-4.0.2.html
 create mode 100644 security/CVE-2013-0213.html
 create mode 100644 security/CVE-2013-0214.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html 
b/generated_news/latest_10_bodies.html
index a666f9c..e4bc79d 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,43 @@
+   h5a name=4.0.230 January 2013/a/h5
+   p class=headlineSamba 4.0.2, 3.6.12 and 3.5.21 bSecurity 
Releases/b Available for Download/p
+   pThese are security releases in order to address
+   a 
href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0213;CVE-2013-0213/a
+   (Samba 3.0.x to 4.0.1 (incl.) are affected by a bclickjacking issue 
in SWAT/b) and br
+   a 
href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0214;CVE-2013-0214
 /a
+   (Samba 3.0.x to 4.0.1 (incl.) are affected by a bpotential XSRF in 
SWAT/b)./p
+
+pThe uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA)./p
+p
+The source code can be downloaded here:
+lia href=http://samba.org/samba/ftp/stable/samba-4.0.2.tar.gz;download
+Samba 4.0.2/a,/li
+lia href=http://samba.org/samba/ftp/stable/samba-3.6.12.tar.gz;download
+Samba 3.6.12/a,/li
+lia href=http://samba.org/samba/ftp/stable/samba-3.5.21.tar.gz;download
+Samba 3.5.21/a./li
+/p
+
+p
+Patches against the parents are also available:
+lia 
href=http://samba.org/samba/ftp/patches/patch-4.0.1-4.0.2.diffs.gz;patch Samba
+4.0.1/4.0.2/a,/li
+lia 
href=http://samba.org/samba/ftp/patches/patch-3.6.11-3.6.12.diffs.gz;patch
+Samba 3.6.11/3.6.12/a,/li
+lia 
href=http://samba.org/samba/ftp/patches/patch-3.5.20-3.5.21.diffs.gz;patch
+Samba 3.5.20/3.5.21/a./li
+/p
+
+p
+Please see the release notes for more info:
+lia href=http://samba.org/samba/history/samba-4.0.2.html;release notes
+Samba 4.0.2/a,/li
+lia href=http://samba.org/samba/history/samba-3.6.12.html;release notes
+Samba 3.6.12/a,/li
+lia href=http://samba.org/samba/history/samba-3.5.21.html;release notes
+Samba 3.5.21/a./li
+/p
+
h5a name=3.6.1121 January 2013/a/h5
p class=headlineSamba 3.6.11 Available for Download/p
pThis is the latest stable release of the Samba 3.6 series./p
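Review bot: The added headline, tarball links and release-note links in this hunk all announce Samba 4.0.2, but the commit subject reads "Announce Samba 4.0.4, 3.6.12 and 3.5.21"; the subject looks like a typo and is what people will search the history for, so it is worth a follow-up note or corrected announcement text. The added li items also sit directly inside p elements with no enclosing list element; wrapping each group in a ul would keep the generated news markup valid.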
@@ -98,12 +138,3 @@ See a 
href=https://download.samba.org/pub/samba/rc/WHATSNEW-4-0-0rc5.txt;the
 using GnuPG (ID 6568B7EA).  The source code can be
 a href=http://samba.org/samba/ftp/stable/samba-3.5.19.tar.gz;downloaded
 now/a. A a 
href=http://samba.org/samba/ftp/patches/patch-3.5.18-3.5.19.diffs.gz;patch 
against Samba 3.5.18/a is also available. See a 
href=http://samba.org/samba/history/samba-3.5.19.html;the release notes for 
more info/a./p
-
-   h5a name=4.0.0rc430 October 2012/a/h5
-   p class=headlineSamba 4.0.0rc4 Available for Download/p
-   pThis is the fourth release candidate of the Samba 4.0 series./p
-
-pThe uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-a 
href=https://download.samba.org/pub/samba/rc/samba-4.0.0rc4.tar.gz;downloaded 
now/a.
-See a 
href=https://download.samba.org/pub/samba/rc/WHATSNEW-4-0-0rc4.txt;the 
release notes for more info/a./p
diff --git a/generated_news/latest_10_headlines.html 
b/generated_news/latest_10_headlines.html
index 492893b..4d5c638 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,6 @@
 ul
+  

[SCM] Samba Website Repository - branch master updated

2013-01-30 Thread Karolin Seeger
The branch, master has been updated
   via  fecbc7c Add missing description to the security page.
  from  e6160ed Announce Samba 4.0.4, 3.6.12 and 3.5.21.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit fecbc7c5764a22978353c52e956a464202266f87
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 10:08:01 2013 +0100

Add missing description to the security page.

Karolin

---

Summary of changes:
 history/security.html |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/history/security.html b/history/security.html
index 2df2d4e..06a3257 100755
--- a/history/security.html
+++ b/history/security.html
@@ -29,7 +29,7 @@ link to full release notes for each release./p
patch for Samba 3.6.11/a
a 
href=/samba/ftp/patches/security/samba-3.5.20-CVE-2013-0213-CVE-2013-0214.patch
patch for Samba 3.5.20/a
-   td/td
+   tdClickjacking issue and potential XSRF in SWAT./td
td3.0.x-4.0.1/td
tda 
href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0213;CVE-2013-0213/a,
 
a 
href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0214;CVE-2013-0214/a


-- 
Samba Website Repository


[SCM] Samba Shared Repository - branch v3-6-test updated

2013-01-30 Thread Karolin Seeger
The branch, v3-6-test has been updated
   via  2d8c6de WHATSNEW: Start release notes for Samba 3.6.13.
   via  a9f770e VERSION: Bump version number up to 3.6.13.
   via  a36370e swat: Use additional nonce on XSRF protection
   via  4eb9c2d swat: Use X-Frame-Options header to avoid clickjacking
   via  02396c3 WHATSNEW: Prepare release notes for Samba 3.6.12.
  from  022e1d8 Fix bug #9585 - Samba 3.6.x not correctly signing any but 
the last response in a compound request/response

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -
commit 2d8c6de869b88d3c8c9313290ee285c419fec58a
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:42:53 2013 +0100

WHATSNEW: Start release notes for Samba 3.6.13.

Karolin

commit a9f770e65876fbcfd3967a893dbd1f0770d2789a
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:42:18 2013 +0100

VERSION: Bump version number up to 3.6.13.

Karolin

commit a36370e6d511da8d9e77c845778cce7fa627b994
Author: Kai Blin k...@samba.org
Date:   Mon Jan 28 21:41:07 2013 +0100

swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
(cherry picked from commit 91f4275873ebeda8f57684f09df67162ae80515a)

commit 4eb9c2d365e9238566f1155e1db440b7c92da4bb
Author: Kai Blin k...@samba.org
Date:   Fri Jan 18 23:11:07 2013 +0100

swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin k...@samba.org

Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
(cherry picked from commit 71225948a249f079120282740fcc39fd6faa880e)

commit 02396c30db14db3c5177431e48d81202467b9e60
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 29 09:45:06 2013 +0100

WHATSNEW: Prepare release notes for Samba 3.6.12.

This is a Security Release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).

Karolin
(cherry picked from commit 184d5ab26a553ca7ef3f529e90e4dd8c9aded75d)

---

Summary of changes:
 WHATSNEW.txt |   79 ++---
 source3/VERSION  |2 +-
 source3/web/cgi.c|   40 +++
 source3/web/swat.c   |5 ++-
 source3/web/swat_proto.h |1 +
 5 files changed, 105 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2f414bc..d5b94c3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,19 +1,20 @@
==
-   Release Notes for Samba 3.6.12
-  March 18, 2013
+   Release Notes for Samba 3.6.13
+   March 18, 2013
==
 
 
 This is is the latest stable release of Samba 3.6.
 
-Major enhancements in Samba 3.6.12 include:
+Major enhancements in Samba 3.6.13 include:
 
-o  
+o   
 
-Changes since 3.6.11:
+
+Changes since 3.6.12:
 
 
-o   Jeremy Allison j...@samba.org
+o   
 
 
 ##
@@ -39,6 +40,72 @@ Release notes for older releases follow:
 
 
==
+   Release Notes for Samba 3.6.12
+  January 30, 2013
+   ==
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated 
into
+   a malicious web page via a frame or iframe and then overlaid by other 
content,
+   an attacker could trick an administrator to potentially change Samba 
settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, 

[SCM] Samba Shared Repository - branch v3-6-stable updated

2013-01-30 Thread Karolin Seeger
The branch, v3-6-stable has been updated
   via  07eb335 WHATSNEW: Start release notes for Samba 3.6.13.
   via  4128d35 VERSION: Bump version number up to 3.6.13.
  from  91f4275 swat: Use additional nonce on XSRF protection

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -
commit 07eb335759f27cb4f80d644634369661f64809ea
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:42:53 2013 +0100

WHATSNEW: Start release notes for Samba 3.6.13.

Karolin
(cherry picked from commit 2d8c6de869b88d3c8c9313290ee285c419fec58a)

commit 4128d35c1d0e914d37234fe5ff3b25e616ee4f77
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:42:18 2013 +0100

VERSION: Bump version number up to 3.6.13.

Karolin
(cherry picked from commit a9f770e65876fbcfd3967a893dbd1f0770d2789a)

---

Summary of changes:
 WHATSNEW.txt|   46 --
 source3/VERSION |2 +-
 2 files changed, 45 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8d058e3..d5b94c3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,45 @@
==
+   Release Notes for Samba 3.6.13
+   March 18, 2013
+   ==
+
+
+This is is the latest stable release of Samba 3.6.
+
+Major enhancements in Samba 3.6.13 include:
+
+o   
+
+
+Changes since 3.6.12:
+
+
+o   
+
+
+##
+Reporting bugs  Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+Release notes for older releases follow:
+
+
+   ==
Release Notes for Samba 3.6.12
   January 30, 2013
==
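Review bot: The added template line "+This is is the latest stable release of Samba 3.6." repeats "is"; change it to "This is the latest stable release" now, otherwise the typo is carried into the 3.6.13 notes and every later copy of the template. The new 3.6.13 header also keeps the date "March 18, 2013" and both "o" bullets are empty, which is fine for a start-of-cycle stub but should be filled in before the release is prepared.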
@@ -60,8 +101,9 @@ database (https://bugzilla.samba.org/).
 == The Samba Team
 ==
 
-Release notes for older releases follow:
-
+
+--
+
 
==
Release Notes for Samba 3.6.11
diff --git a/source3/VERSION b/source3/VERSION
index c36d474..ab58022 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 
 
 # Bug fix releases use a letter for the patch revision #


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-5-stable updated

2013-01-30 Thread Karolin Seeger
The branch, v3-5-stable has been updated
   via  81aa6c38 VERSION: Bump Version number up to 3.5.22.
  from  f6b6d3b swat: Use additional nonce on XSRF protection

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -
commit 81aa6c38f50ee67e47987b0acfb3f9b8e728cc58
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:48:43 2013 +0100

VERSION: Bump Version number up to 3.5.22.

Karolin

---

Summary of changes:
 source3/VERSION |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/VERSION b/source3/VERSION
index bdf294e..8f0d025 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=21
+SAMBA_VERSION_RELEASE=22
 
 
 # Bug fix releases use a letter for the patch revision #


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v4-0-test updated

2013-01-30 Thread Karolin Seeger
The branch, v4-0-test has been updated
   via  4eadddc VERSION: Bump version number up to 4.0.3.
   via  baacf3e Merge commit 'samba-4.0.2' into v4-0-test
   via  1c2abd4 VERSION: Bump version number up to 4.0.2.
   via  0b40842 WHATSNEW: Update release notes for Samba 4.0.2.
   via  6762959 swat: Use additional nonce on XSRF protection
   via  4f24f1c swat: Use X-Frame-Options header to avoid clickjacking
  from  7ba52a1 Regression test for bug #9571 - Unlink after open causes 
smbd to panic

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -
commit 4eadddcfecc22fd2d5b71a0e2d019aa8d201d735
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:55:47 2013 +0100

VERSION: Bump version number up to 4.0.3.

Signed-off-by: Karolin Seeger ksee...@samba.org

Karolin

commit baacf3e951628be656c2a624f683db53a6bbfdca
Merge: 7ba52a12bb930cfaddc3092cac291e4f7d503c05 
1c2abd4cffe63bdc95449d97c9e823e96de04a8e
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Jan 30 11:54:45 2013 +0100

Merge commit 'samba-4.0.2' into v4-0-test

---

Summary of changes:
 VERSION  |2 +-
 WHATSNEW.txt |   70 -
 source3/web/cgi.c|   39 -
 source3/web/swat.c   |5 ++-
 source3/web/swat_proto.h |1 +
 5 files changed, 99 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index e3efbd7..8f3a310 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c69ca9..0711f96 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
=
+   Release Notes for Samba 4.0.2
+ January 30, 2013
+   =
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated 
into
+   a malicious web page via a frame or iframe and then overlaid by other 
content,
+   an attacker could trick an administrator to potentially change Samba 
settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to 
manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a 
standalone
+   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT 
has
+   not been installed or enabled (which is the default install state for Samba)
+   this advisory can be ignored.
+
+
+Changes since 4.0.1:
+
+
+o   Kai Blin k...@samba.org
+* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+###
+Reporting bugs  Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+   =
Release Notes for Samba 4.0.1
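Review bot: both advisory entries in the added block open with "All current released versions of Samba are vulnerable", which stops being accurate once this text is carried forward under "Release notes for older releases follow"; name the affected version range instead. The CVE-2013-0214 entry also gives its precondition twice in different terms ("By guessing a user's password" and "the attacker needs to know the victim's password"), so settle on one wording. Neither entry says what the fix changes; one sentence per CVE on the behaviour after upgrading would let an administrator who runs SWAT confirm the update took effect.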
   

[SCM] Samba Shared Repository - branch master updated

2013-01-30 Thread Christian Ambach
The branch, master has been updated
   via  7b0b1d6 smbd: Fix a typo
   via  fa06414 smbd: Fix a typo
  from  394622e s3:winbindd: change getpwsid() to return a passwd struct for a group sid id-mapped with ID_TYPE_BOTH

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7b0b1d6d48d31a729f0ad176a8b53f8c3a8d2d16
Author: Volker Lendecke v...@samba.org
Date:   Wed Jan 30 15:53:27 2013 +0100

smbd: Fix a typo

Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Christian Ambach a...@samba.org

Autobuild-User(master): Christian Ambach a...@samba.org
Autobuild-Date(master): Wed Jan 30 18:21:19 CET 2013 on sn-devel-104

commit fa064140edf13c16085acf061d781fa06abfce3b
Author: Volker Lendecke v...@samba.org
Date:   Tue Jan 15 13:17:00 2013 +0100

smbd: Fix a typo

Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Christian Ambach a...@samba.org

---

Summary of changes:
 source3/lib/server_mutex.c |2 +-
 source3/smbd/process.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/server_mutex.c b/source3/lib/server_mutex.c
index 619fbd0..41da0a1 100644
--- a/source3/lib/server_mutex.c
+++ b/source3/lib/server_mutex.c
@@ -29,7 +29,7 @@
may (in certain situations) cause connections to be reset,
or access to be denied.
 
-   This locking allows smbd's mutlithread architecture to look
+   This locking allows smbd's multithread architecture to look
like the single-connection that NT makes. */
 
 struct named_mutex {
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index a02aeda..0d815f1 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -88,7 +88,7 @@ static bool smbd_lock_socket_internal(struct 
smbd_server_connection *sconn)
return false;
}
 
-   DEBUG(10,(pid[%d] got for socket lock\n, (int)getpid()));
+   DEBUG(10,(pid[%d] got socket lock\n, (int)getpid()));
 
return true;
 }


-- 
Samba Shared Repository


[SCM] Samba Website Repository - branch master updated

2013-01-30 Thread Lars Müller
The branch, master has been updated
   via  c7b8e48 Update Sirius details
  from  fecbc7c Add missing description to the security page.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit c7b8e48c4fa3b33d9e2fc9bd4ea262715ffece71
Author: Lars Müller l...@samba.org
Date:   Wed Jan 30 21:41:18 2013 +0100

Update Sirius details

---

Summary of changes:
 support/uk.html |   11 +--
 1 files changed, 9 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/support/uk.html b/support/uk.html
index 03f9e14..7628b3e 100644
--- a/support/uk.html
+++ b/support/uk.html
@@ -96,13 +96,20 @@ Sirius Corporation plc
 Rivermead House, Hamm Moor Lane
 Weybridge, Surrey, KT15 2SF
 
-a href=http://www.siriusit.co.uk;http://www.siriusit.co.uk/a
+a 
href=http://www.siriusopensource.com/samba-support;http://www.siriusopensource.com/samba-support/a
 0870 608 0063
 a href=mailto:i...@siriusit.co.uk;i...@siriusit.co.uk/a OR a 
href=mailto:sa...@siriusit.co.uk;sa...@siriusit.co.uk/a
 Kelly Flitter
 /small/pre
 p
-We specialise in Open Source software. We provide consultancy services, 
training, support and managed services.
+Sirius is the UK's leading open source services provider. Genuine
+24/7/365 operation, and specialising in support, managed services, 
+outsourcing, consultancy, deployment and training. Trusted to look
+after thousands of machines responsible for billions of pounds, euros
+and dollars of business value. Sirius designs, builds, supports and
+manages Samba systems since 1998 for diverse clients from Schools to
+Specsavers, London Financial Institution to Local Authorities. Garages
+to Governments.
 /pp
 Specialty samba capabilities: Enterprise deployment, Integration with policy 
based desktops, Integration with clients from XP to Windows 7, up to 24/7 
technical support.
 /p
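Review bot: the link on the changed line now points at siriusopensource.com, while the two mailto: addresses on the context line that follows still use siriusit.co.uk; confirm those mailboxes remain valid or update them in the same change. In the new paragraph, "designs, builds, supports and manages Samba systems since 1998" needs the perfect tense ("has designed, built, supported and managed"), and "Local Authorities. Garages to Governments." reads as a broken sentence that should be joined with a comma.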


-- 
Samba Website Repository


[SCM] Samba Shared Repository - branch master updated

2013-01-30 Thread Richard Sharpe
The branch, master has been updated
   via  48d954b Fix the compound tests to correctly pass against Windows when run with --signing=required.
   via  1624d83 Add new function smbXcli_session_copy(), to be used when creating compound SMB2 requests.
  from  7b0b1d6 smbd: Fix a typo

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 48d954b90e6aa14721d236180df959a038416672
Author: Jeremy Allison j...@samba.org
Date:   Mon Jan 28 16:52:11 2013 -0800

Fix the compound tests to correctly pass against Windows when run with --signing=required.

Signed-off-by: Jeremy Allison j...@samba.org
Reviewed-by: Richard Sharpe realrichardsha...@gmail.org

Autobuild-User(master): Richard Sharpe sha...@samba.org
Autobuild-Date(master): Thu Jan 31 03:53:55 CET 2013 on sn-devel-104

commit 1624d83fdeb675ee4032f5d3cabcf86d5b05a3cb
Author: Jeremy Allison j...@samba.org
Date:   Mon Jan 28 16:51:25 2013 -0800

Add new function smbXcli_session_copy(), to be used when creating compound SMB2 requests.

Copies the signing state needed to make client compound requests work
on signed connections.

Signed-off-by: Jeremy Allison j...@samba.org
Reviewed-by: Richard Sharpe realrichardsha...@gmail.com

---

Summary of changes:
 libcli/smb/smbXcli_base.c   |   27 +++
 libcli/smb/smbXcli_base.h   |2 ++
 source4/torture/smb2/compound.c |   12 ++--
 3 files changed, 35 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c547515..421e884 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4482,6 +4482,33 @@ struct smbXcli_session 
*smbXcli_session_create(TALLOC_CTX *mem_ctx,
return session;
 }
 
+struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
+   struct smbXcli_session *src)
+{
+   struct smbXcli_session *session;
+
+   session = talloc_zero(mem_ctx, struct smbXcli_session);
+   if (session == NULL) {
+   return NULL;
+   }
+   session-smb2 = talloc_zero(session, struct smb2cli_session);
+   if (session-smb2 == NULL) {
+   talloc_free(session);
+   return NULL;
+   }
+
+   session-conn = src-conn;
+   *session-smb2 = *src-smb2;
+   session-smb2_channel = src-smb2_channel;
+   session-disconnect_expired = src-disconnect_expired;
+
+   DLIST_ADD_END(src-conn-sessions, session, struct smbXcli_session *);
+   talloc_set_destructor(session, smbXcli_session_destructor);
+
+   return session;
+}
+
+
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 TALLOC_CTX *mem_ctx,
 DATA_BLOB *key)
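Review bot: smbXcli_session_copy() dereferences src, its smb2 member and its conn without checking any of them, and the struct assignment into the new smb2 member is a shallow copy, so any pointers held inside struct smb2cli_session (the commit message says it carries the signing state) end up shared between src and the copy while the copy gets smbXcli_session_destructor installed as well. Add a comment above the function stating who owns the copied state and in which order the two sessions may be freed, or duplicate the pointed-to members onto the new session. The function also has no description of when a caller should prefer it over smbXcli_session_create(), and the second blank line added before smbXcli_session_application_key() can be dropped.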
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index b720bc6..f7b60d3 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -260,6 +260,8 @@ NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
 
 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
   struct smbXcli_conn *conn);
+struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
+  struct smbXcli_session *src);
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 TALLOC_CTX *mem_ctx,
 DATA_BLOB *key);
diff --git a/source4/torture/smb2/compound.c b/source4/torture/smb2/compound.c
index e75f682..4a47e14 100644
--- a/source4/torture/smb2/compound.c
+++ b/source4/torture/smb2/compound.c
@@ -92,8 +92,8 @@ static bool test_compound_related1(struct torture_context 
*tctx,
0, /* capabilities */
0 /* maximal_access */);
 
-   tree-session-smbXcli = smbXcli_session_create(tree-session,
-   
tree-session-transport-conn);
+   tree-session-smbXcli = smbXcli_session_copy(tree-session,
+   tree-session-smbXcli);
smb2cli_session_set_id_and_flags(tree-session-smbXcli, UINT64_MAX, 0);
 
req[1] = smb2_close_send(tree, cl);
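Review bot: the result of smbXcli_session_copy() is stored in the session's smbXcli field and handed straight to smb2cli_session_set_id_and_flags() with no NULL check, although the new function returns NULL when either talloc_zero() call fails; fail the test on a NULL pointer before using it. The assignment also overwrites the field that was just passed as the copy source, so the original session is no longer reachable through the tree; a short comment saying the test relies on the talloc parent to release it would make that intentional. The same applies to the identical change in test_compound_related2.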
@@ -171,8 +171,8 @@ static bool test_compound_related2(struct torture_context 
*tctx,
0, /* capabilities */
0 /* maximal_access */);
 
-   tree-session-smbXcli = smbXcli_session_create(tree-session,
-   
tree-session-transport-conn);
+   tree-session-smbXcli = smbXcli_session_copy(tree-session,
+