[SCM] Samba Shared Repository - annotated tag samba-4.6.6 created
The annotated tag, samba-4.6.6 has been created at 2d9729a45cd0320ed0476129114ed651a36bfd7a (tag) tagging 55d71509595075a17eb2baf0d89c4801ba2f03f3 (commit) replaces samba-4.6.5 tagged by Stefan Metzmacher on Wed Jul 12 11:23:11 2017 +0200 - Log - samba: tag release samba-4.6.6 -BEGIN PGP SIGNATURE- Version: GnuPG v1 iD8DBQBZZep/bzORW2Vot+oRAuc5AJ0Tvrle76k05Zr/ViN/6pN3+7Wn8wCeLmAa Y0NeuljA0G4Vg+leDiQRJbc= =y6/B -END PGP SIGNATURE- Andrew Bartlett (2): WHATSNEW: Add release notes for Samba 4.6.6. VERSION: Release Samba 4.6.6 for CVE-2017-11103 Jeffrey Altman (1): CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation Karolin Seeger (1): VERSION: Bump version up to 4.6.6... --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.5.12 created
The annotated tag, samba-4.5.12 has been created at d376bc521c4e454a969d2b4efad9768b528902a8 (tag) tagging 6e6361ee4fd28098638850e3eda3d4ac2c3396f4 (commit) replaces samba-4.5.11 tagged by Stefan Metzmacher on Wed Jul 12 11:24:48 2017 +0200 - Log - samba: tag release samba-4.5.12 -BEGIN PGP SIGNATURE- Version: GnuPG v1 iD8DBQBZZergbzORW2Vot+oRApt3AJ9KO1/VAZbExPNbyos8Ri7Hm7SRbwCfeftN RLw3Vs7cH4TA3MnOrdJr9gk= =yp/F -END PGP SIGNATURE- Bob Campbell (2): WHATSNEW: Add release notes for Samba 4.5.12 VERSION: Release Samba 4.5.12 for CVE-2017-11103 Jeffrey Altman (1): CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation Karolin Seeger (1): VERSION: Bump version up to 4.5.12... --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.4.15 created
The annotated tag, samba-4.4.15 has been created at d941bcda414abccb86c7ee7f026c6cb1e50bc7ae (tag) tagging 9fb0aa56baf317c5bf18417c5516f951207af82d (commit) replaces samba-4.4.14 tagged by Stefan Metzmacher on Wed Jul 12 11:28:56 2017 +0200 - Log - samba: tag release samba-4.4.15 -BEGIN PGP SIGNATURE- Version: GnuPG v1 iD8DBQBZZevYbzORW2Vot+oRAmADAKCb7PT2QIoV7860F7kMmChcR1zKjgCgp5zL wgZs7rfoL/FApo60rgB02oE= =8cPP -END PGP SIGNATURE- Bob Campbell (2): WHATSNEW: Add release notes for Samba 4.4.15 VERSION: Release Samba 4.4.15 for CVE-2017-11103 Jeffrey Altman (1): CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation Jeremy Allison (8): s3: locking: Move two leases functions into a new file. s3: locking: Update oplock optimization for the leases era ! s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619). s3: Test for CVE-2017-2619 regression with "follow symlinks = no". s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no" s3: smbd: Fix "follow symlink = no" regression part 2. s3: smbd: Fix "follow symlink = no" regression part 2. s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2 Karolin Seeger (7): VERSION: Bump version up to Samba 4.4.12... Merge tag 'samba-4.4.12' into v4-4-test VERSION: Bump version up to 4.4.13. Merge tag 'samba-4.4.13' into v4-4-test VERSION: Bump version up to 4.4.14. Merge tag 'samba-4.4.14' into v4-4-test VERSION: Bump version up to 4.4.15. Stefan Metzmacher (2): Revert "s3: locking: Update oplock optimization for the leases era !" Revert "s3: locking: Move two leases functions into a new file." --- -- Samba Shared Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8767547 NEWS[4.6.6]: Samba 4.6.6, 4.5.12 and 4.4.15 Available for Download via de78c05 history/security.html: use https:// links to cve.mitre.org from 2d24171 Add Samba 4.5.11. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 87675472f69ecd525a3616a54981ca9247741a09 Author: Stefan Metzmacher Date: Wed Jul 12 11:23:34 2017 +0200 NEWS[4.6.6]: Samba 4.6.6, 4.5.12 and 4.4.15 Available for Download Signed-off-by: Stefan Metzmacher commit de78c05447ee7291ae4b8be60680005ce1b087af Author: Stefan Metzmacher Date: Wed Jul 12 12:46:23 2017 +0200 history/security.html: use https:// links to cve.mitre.org metze --- Summary of changes: history/header_history.html | 3 + history/samba-4.4.15.html | 52 +++ history/samba-4.5.12.html | 52 +++ history/samba-4.6.6.html| 52 +++ history/security.html | 185 +--- posted_news/20170712-101055.4.6.6.body.html | 24 +++ posted_news/20170712-101055.4.6.6.headline.html | 3 + security/CVE-2017-11103.html| 89 8 files changed, 374 insertions(+), 86 deletions(-) create mode 100644 history/samba-4.4.15.html create mode 100644 history/samba-4.5.12.html create mode 100644 history/samba-4.6.6.html create mode 100644 posted_news/20170712-101055.4.6.6.body.html create mode 100644 posted_news/20170712-101055.4.6.6.headline.html create mode 100644 security/CVE-2017-11103.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index b6d7d22..03f4f1b 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,12 +9,14 @@ Release Notes + samba-4.6.6 samba-4.6.5 samba-4.6.4 samba-4.6.3 samba-4.6.2 samba-4.6.1 samba-4.6.0 + samba-4.5.12 samba-4.5.11 samba-4.5.10 samba-4.5.9 @@ -27,6 +29,7 @@ samba-4.5.2 samba-4.5.1 samba-4.5.0 + samba-4.4.15 samba-4.4.14 samba-4.4.13 samba-4.4.12 diff --git a/history/samba-4.4.15.html b/history/samba-4.4.15.html new file mode 100644 index 000..131d15e --- /dev/null 
+++ b/history/samba-4.4.15.html @@ -0,0 +1,52 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> +http://www.w3.org/1999/xhtml";> + +Samba 4.4.15 - Release Notes + + +Samba 4.4.15 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.4.15.tar.gz";>Samba 4.4.15 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.4.15.tar.asc";>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.4.14-4.4.15.diffs.gz";>Patch (gzipped) against Samba 4.4.14 +https://download.samba.org/pub/samba/patches/samba-4.4.14-4.4.15.diffs.asc";>Signature + + + + == + Release Notes for Samba 4.4.15 +July 12, 2017 + == + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.4.14: +- + +o Jeffrey Altman <jalt...@secure-endpoints.com> + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + + + + + diff --git a/history/samba-4.5.12.html b/history/samba-4.5.12.html new file mode 100644 index 000..8791ad1 --- /dev/null +++ b/history/samba-4.5.12.html @@ -0,0 +1,52 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> +http://www.w3.org/1999/xhtml";> + +Samba 4.5.12 - Release Notes + + +Samba 4.5.12 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.5.12.tar.gz";>Samba 4.5.12 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.5.12.tar.asc&qu
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 653e3c6 use "Samba 4.6.6, 4.5.12 and 4.4.15 Security Releases Available for Download" as headline from 8767547 NEWS[4.6.6]: Samba 4.6.6, 4.5.12 and 4.4.15 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 653e3c645bd9743b97ed98885f9c1a0a39cc05bb Author: Stefan Metzmacher Date: Wed Jul 12 13:15:59 2017 +0200 use "Samba 4.6.6, 4.5.12 and 4.4.15 Security Releases Available for Download" as headline metze --- Summary of changes: posted_news/20170712-101055.4.6.6.body.html | 2 +- posted_news/20170712-101055.4.6.6.headline.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/posted_news/20170712-101055.4.6.6.body.html b/posted_news/20170712-101055.4.6.6.body.html index 492ac1a..e655c35 100644 --- a/posted_news/20170712-101055.4.6.6.body.html +++ b/posted_news/20170712-101055.4.6.6.body.html @@ -1,6 +1,6 @@ 12 July 2017 -Samba 4.6.6, 4.5.12 and 4.4.15 Available for Download +Samba 4.6.6, 4.5.12 and 4.4.15 Security Releases Available for Download These are security releases in order to address CVE-2017-11103 diff --git a/posted_news/20170712-101055.4.6.6.headline.html b/posted_news/20170712-101055.4.6.6.headline.html index a07498d..a352567 100644 --- a/posted_news/20170712-101055.4.6.6.headline.html +++ b/posted_news/20170712-101055.4.6.6.headline.html @@ -1,3 +1,3 @@ - 12 July 2017 Samba 4.6.6, 4.5.12 and 4.4.15 Available for Download + 12 July 2017 Samba 4.6.6, 4.5.12 and 4.4.15 Security Releases Available for Download -- Samba Website Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via de9d219 dbwrap: Ask CTDB for local tdb open flags via b2b7e3b ctdbd_conn: pass persistent bool instead of tdb_flags via 0077296 ctdbd_conn: move CTDB_CONTROL_ENABLE_SEQNUM control to db_open_ctdb via 6ae063a dbwrap: CTDB ignores tdb_flags passed to db attach controls via a70be43 dbwrap: enable mutexes by default for volatile TDBs via 2bce9cb ctdb: enable mutexes for volatile TDBs by default via fe7020b idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN via b3d14da selftest: add some basic tests for idmap_ad via 4a7ec5b selftest: add ad_member_idmap_ad server from 259e170 vfs_fruit: add fruit:model = parametric option https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit de9d21957706bd5d811db01b7b5d88a0bb17034b Author: Ralph Boehme Date: Tue Jul 11 21:35:17 2017 +0200 dbwrap: Ask CTDB for local tdb open flags Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Ralph Boehme Reviewed-by: Amitay Isaacs Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Jul 12 13:25:11 CEST 2017 on sn-devel-144 commit b2b7e3b9710fa22716f931177265dcd8de74532b Author: Ralph Boehme Date: Tue Jul 11 20:41:43 2017 +0200 ctdbd_conn: pass persistent bool instead of tdb_flags ctdbd_db_attach() only needs to know the ctdb database model, not the rest of the flags. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Ralph Boehme Reviewed-by: Amitay Isaacs commit 0077296cee1cd54a5adb12fc706cbf99203a8213 Author: Ralph Boehme Date: Tue Jul 11 20:36:35 2017 +0200 ctdbd_conn: move CTDB_CONTROL_ENABLE_SEQNUM control to db_open_ctdb No change in behaviour. 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Ralph Boehme Reviewed-by: Amitay Isaacs commit 6ae063a109ca88bf815fd1bf5e8865053bea41b9 Author: Amitay Isaacs Date: Tue Jul 11 00:38:59 2017 +1000 dbwrap: CTDB ignores tdb_flags passed to db attach controls Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Amitay Isaacs Reviewed-by: Ralph Boehme commit a70be43246ab74f0a2bbe245ab31f24460b70547 Author: Ralph Boehme Date: Sun Jul 9 16:23:20 2017 +0200 dbwrap: enable mutexes by default for volatile TDBs Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Ralph Boehme Reviewed-by: Amitay Isaacs commit 2bce9cb72f3ac7efc2f4f48b0cffa1876364ae8c Author: Ralph Boehme Date: Sun Jul 9 16:20:11 2017 +0200 ctdb: enable mutexes for volatile TDBs by default Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891 Signed-off-by: Ralph Boehme Reviewed-by: Amitay Isaacs commit fe7020b0d1b6fe1ca9add4815e20c2e2262cb6c9 Author: Dustin L. Howett via samba-technical Date: Fri Jun 30 16:10:01 2017 -0700 idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN All other ldap-querying methods in idmap_ad make a single retry attempt if they get TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design. This fixes the symptom described in 12720 at the cost of an additional reconnect per failed lookup. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720 Signed-off-by: Dustin L. Howett Reviewed-by: Ralph Boehme commit b3d14dae18593f21fb0d16f5404326bcb15905d9 Author: Ralph Boehme Date: Mon Jul 10 16:20:23 2017 +0200 selftest: add some basic tests for idmap_ad Signed-off-by: Ralph Boehme Reviewed-by: Andrew Bartlett commit 4a7ec5b7604495bee174f9c83b62f55604c6efbc Author: Ralph Boehme Date: Mon Jul 10 16:19:18 2017 +0200 selftest: add ad_member_idmap_ad server Add a member server that uses idmap_ad. Gets used in the next commit. 
Signed-off-by: Ralph Boehme Reviewed-by: Andrew Bartlett --- Summary of changes: ctdb/common/tunable.c| 2 +- ctdb/config/ctdbd.conf | 2 +- ctdb/doc/ctdb-tunables.7.xml | 2 +- ctdb/doc/ctdb.1.xml | 2 +- ctdb/tests/tool/ctdb.listvars.001.sh | 2 +- nsswitch/tests/test_idmap_ad.sh | 99 selftest/target/Samba.pm | 1 + selftest/target/Samba3.pm| 89 selftest/target/Samba4.pm| 6 +++ source3/include/ctdbd_conn.h | 2 +- source3/lib/ctdbd_conn.c | 20 +--- source3/lib/dbwrap/dbwrap_ctdb.c | 43 ++-- source3/lib/dbwrap/dbwrap_open.c | 2 +- source3/selftest/tests.py| 4 +- source3/winbindd/idmap_ad.c |
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103 via 64a40b5 WHATSNEW: Add release notes for Samba 4.6.6. via 9b0972c CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation via 553433a VERSION: Bump version up to 4.6.6... from 1d13a64 VERSION: Disable GIT_SNAPSHOTS for the 4.6.5 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - commit 55d71509595075a17eb2baf0d89c4801ba2f03f3 Author: Andrew Bartlett Date: Wed Jul 12 15:07:52 2017 +1200 VERSION: Release Samba 4.6.6 for CVE-2017-11103 Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit 64a40b5f64a849c754cfd3ef9d3d59b9ccf67013 Author: Andrew Bartlett Date: Wed Jul 12 15:06:31 2017 +1200 WHATSNEW: Add release notes for Samba 4.6.6. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 9b0972c8e429fee8e15f23ab508a9f0729a4e0b6 Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 57 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 58 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 8ed646d..8fc1d16 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ab2182c..75d90b7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ = + Release Notes for Samba 4.6.6 +July 12, 2017 + = + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.6.5: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.6.5 June 6, 2017 = @@ -78,8 +131,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- +
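Review bot: In the WHATSNEW.txt hunk, the added Details paragraph says "a man-in-the-middle attack impersonating a trusted server, who may gain elevated access", where "who" has no person to refer back to. Suggest "a man-in-the-middle attacker impersonating a trusted server, who may gain elevated access to the domain". The "Changes since 4.6.5" entry cites only BUG 12894; a pointer to the advisory for CVE-2017-11103 next to it would let readers of the release notes reach the full description without going through Bugzilla.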
[SCM] Samba Shared Repository - branch v4-6-test updated
The branch, v4-6-test has been updated via 7b04fb4 VERSION: Bump version up to 4.6.7... via b528634 Merge branch 'v4-6-stable' into v4-6-test via 55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103 via 64a40b5 WHATSNEW: Add release notes for Samba 4.6.6. via 9b0972c CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation from 05782d5 s3:tests: Do *NOT* flush the complete gencache! https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test - Log - commit 7b04fb46d2656f88a6b1084604eef44ef1220563 Author: Stefan Metzmacher Date: Wed Jul 12 13:34:37 2017 +0200 VERSION: Bump version up to 4.6.7... and re-enable GIT_SNAPSHOTS. Signed-off-by: Stefan Metzmacher commit b528634c8376f52392dab5b5faf9980f390810fd Merge: 05782d5 55d7150 Author: Stefan Metzmacher Date: Wed Jul 12 13:32:22 2017 +0200 Merge branch 'v4-6-stable' into v4-6-test --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 57 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 58 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a14f0ff..f8575ad 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=6 +SAMBA_VERSION_RELEASE=7 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ab2182c..75d90b7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,57 @@ = + Release Notes for Samba 4.6.6 +July 12, 2017 + = + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.6.5: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.6.5 June 6, 2017 = @@ -78,8 +131,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- + = Release Notes for Samba 4.6.4 diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c 
@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_
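Review bot: In the _krb5_extract_ticket() hunk of source4/heimdal/lib/krb5/ticket.c, the comment above the call still reads only "check server referral and save principal" and gives no reason why sname and srealm now come from rep->enc_part. Suggest extending it to say that rep->kdc_rep.ticket.sname and rep->kdc_rep.ticket.realm sit outside the encrypted part of the reply and must not be used for this check, so that a later cleanup does not switch the two arguments back.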
[SCM] Samba Shared Repository - branch v4-5-stable updated
The branch, v4-5-stable has been updated via 6e6361e VERSION: Release Samba 4.5.12 for CVE-2017-11103 via 31b6d82 WHATSNEW: Add release notes for Samba 4.5.12 via 229735b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation via af9d932 VERSION: Bump version up to 4.5.12... from 31052eb VERSION: Disable GIT_SNAPSHOTS for the 4.5.11 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log - commit 6e6361ee4fd28098638850e3eda3d4ac2c3396f4 Author: Bob Campbell Date: Wed Jul 12 15:16:06 2017 +1200 VERSION: Release Samba 4.5.12 for CVE-2017-11103 Signed-off-by: Bob Campbell Signed-off-by: Stefan Metzmacher commit 31b6d82de35ab5b287bc17dc3605c71ab2df1aa7 Author: Bob Campbell Date: Wed Jul 12 15:15:26 2017 +1200 WHATSNEW: Add release notes for Samba 4.5.12 Signed-off-by: Bob Campbell Reviewed-by: Stefan Metzmacher commit 229735bf7dc2ec1ce7e6074491f151784f46e7de Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 57 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 58 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 22871d4..b5eaa03 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0c022e7..a519b6c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ == + Release Notes for Samba 4.5.12 +July 12, 2017 + == + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.5.11: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + == Release Notes for Samba 4.5.11 July 6, 2017 == @@ -85,8 +138,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- +
[SCM] Samba Shared Repository - branch v4-4-stable updated
The branch, v4-4-stable has been updated via 9fb0aa5 VERSION: Release Samba 4.4.15 for CVE-2017-11103 via d80bf44 WHATSNEW: Add release notes for Samba 4.4.15 via fd4c30b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation via c8dea65 Revert "s3: locking: Move two leases functions into a new file." via 8d23e33 Revert "s3: locking: Update oplock optimization for the leases era !" via a709729 VERSION: Bump version up to 4.4.15. via 63684f6 Merge tag 'samba-4.4.14' into v4-4-test via dea3200 VERSION: Bump version up to 4.4.14. via 4a63ccd Merge tag 'samba-4.4.13' into v4-4-test via 0839f6c s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2 via ed694d0 s3: smbd: Fix "follow symlink = no" regression part 2. via 8e3e969 s3: smbd: Fix "follow symlink = no" regression part 2. via 9a5be8b s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no" via 161a078 s3: Test for CVE-2017-2619 regression with "follow symlinks = no". via 4a6d828e s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619). via 2e00feb s3: locking: Update oplock optimization for the leases era ! via 419f5cc s3: locking: Move two leases functions into a new file. via 7086fb6 VERSION: Bump version up to 4.4.13. via f2ae4c7 Merge tag 'samba-4.4.12' into v4-4-test via ca33b7c VERSION: Bump version up to Samba 4.4.12... from f0ec0c2 VERSION: Disable GIT_SNAPSHOT for the 4.4.14 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable - Log - commit 9fb0aa56baf317c5bf18417c5516f951207af82d Author: Bob Campbell Date: Wed Jul 12 15:21:27 2017 +1200 VERSION: Release Samba 4.4.15 for CVE-2017-11103 Signed-off-by: Bob Campbell Signed-off-by: Stefan Metzmacher commit d80bf4429be217980161a95f67d86c0d22380cb3 Author: Bob Campbell Date: Wed Jul 12 15:20:28 2017 +1200 WHATSNEW: Add release notes for Samba 4.4.15 Signed-off-by: Bob Campbell 
Signed-off-by: Stefan Metzmacher commit fd4c30bf5266b0d3a8c9cb3a6ac44d4f7ee3ac75 Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 56 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 57 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 002f76d..1a67456 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=4 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f6688b0..476ea80 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,57 @@ == + Release Notes for Samba 4.4.15 +July 12, 2017 + == + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.4.14: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samb
[SCM] Samba Shared Repository - branch v4-5-test updated
The branch, v4-5-test has been updated via 3de773e VERSION: Bump version up to 4.5.13... via 6e6361e VERSION: Release Samba 4.5.12 for CVE-2017-11103 via 31b6d82 WHATSNEW: Add release notes for Samba 4.5.12 via 229735b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation from af9d932 VERSION: Bump version up to 4.5.12... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test - Log - commit 3de773efc3cafeef164f6455f042ea2c941d81fd Author: Stefan Metzmacher Date: Wed Jul 12 13:41:23 2017 +0200 VERSION: Bump version up to 4.5.13... and re-enable GIT_SNAPSHOTS. Signed-off-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 57 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 58 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 5942c84..3439134 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0c022e7..a519b6c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,57 @@ == + Release Notes for Samba 4.5.12 +July 12, 2017 + == + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.5.11: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + == Release Notes for Samba 4.5.11 July 6, 2017 == @@ -85,8 +138,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- + == Release Notes for Samba 4.5.10 diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c 
@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- Samba Shared Repository
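Review bot: The ticket.c hunk ships without a regression test; the summary of changes lists only VERSION, WHATSNEW.txt and source4/heimdal/lib/krb5/ticket.c. Suggest adding a selftest case that passes _krb5_extract_ticket() a KDC-REP in which rep->kdc_rep.ticket.sname and rep->enc_part.sname differ, with EXTRACT_TICKET_ALLOW_SERVER_MISMATCH unset, and asserts that the principal saved in tmp_principal is the one from enc_part. That keeps the check under "if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0)" tied to the encrypted name in future refactors.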
[SCM] Samba Shared Repository - branch v4-4-test updated
The branch, v4-4-test has been updated via 9fb0aa5 VERSION: Release Samba 4.4.15 for CVE-2017-11103 via d80bf44 WHATSNEW: Add release notes for Samba 4.4.15 via fd4c30b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation from c8dea65 Revert "s3: locking: Move two leases functions into a new file." https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test - Log - commit 9fb0aa56baf317c5bf18417c5516f951207af82d Author: Bob Campbell Date: Wed Jul 12 15:21:27 2017 +1200 VERSION: Release Samba 4.4.15 for CVE-2017-11103 Signed-off-by: Bob Campbell Signed-off-by: Stefan Metzmacher commit d80bf4429be217980161a95f67d86c0d22380cb3 Author: Bob Campbell Date: Wed Jul 12 15:20:28 2017 +1200 WHATSNEW: Add release notes for Samba 4.4.15 Signed-off-by: Bob Campbell Signed-off-by: Stefan Metzmacher commit fd4c30bf5266b0d3a8c9cb3a6ac44d4f7ee3ac75 Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 56 +-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 57 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ee6de5a..1a67456 100644 --- a/VERSION +++ b/VERSION 
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT=no # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f6688b0..476ea80 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ == + Release Notes for Samba 4.4.15 +July 12, 2017 + == + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +=== +Details +=== + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.4.14: +- + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + == Release Notes for Samba 4.4.14 May 24, 2017 == @@ -47,8 +100,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +--
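Review bot: In the WHATSNEW.txt hunk, the Details entry separates builds using embedded Heimdal (vulnerable) from builds against MIT Kerberos (not vulnerable) but does not tell an administrator how to find out which of the two an installed binary uses. A sentence pointing to where a build reports its Kerberos library would let readers decide whether this release applies to them. The ticket.c change listed in the summary does not appear in this mail, so it cannot be reviewed from here.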
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 3d9dddb VERSION: Bump version up to 4.6.0rc3... via 27d4dfb VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc2 release via 95a3381 WHATSNEW: Add release notes for Samba 4.7.0rc2 via 4e809d0 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation from 766c59d VERSION: Bump version up to 4.7.0rc2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 3d9dddbbc5bab2958a041c496ae0d08a8e370c07 Author: Stefan Metzmacher Date: Wed Jul 12 12:04:45 2017 +0200 VERSION: Bump version up to 4.6.0rc3... and re-enable git snapshots. Signed-off-by: Stefan Metzmacher Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Wed Jul 12 16:35:11 CEST 2017 on sn-devel-144 commit 27d4dfbbbeca0a47cf18508555cac38f02737301 Author: Stefan Metzmacher Date: Wed Jul 12 12:03:28 2017 +0200 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc2 release Signed-off-by: Stefan Metzmacher commit 95a33818676bee5fc7cc41f5ba0f3d42e212b401 Author: Stefan Metzmacher Date: Wed Jul 12 11:58:15 2017 +0200 WHATSNEW: Add release notes for Samba 4.7.0rc2 Signed-off-by: Stefan Metzmacher commit 4e809d074146a7d65922060f0ba978d89f34e971 Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 9 - source4/heimdal/lib/krb5/ticket.c | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 46eea4a..bf2f52f 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=2 +SAMBA_VERSION_RC_RELEASE=3 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8ef5428..73daedf 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the first release candidate of Samba 4.7. This is *not* +This is the second release candidate of Samba 4.7. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -283,6 +283,13 @@ KNOWN ISSUES https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc1 +== + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + ### Reporting bugs & Development Discussion ### diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- Samba Shared Repository
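Review bot: The subject of commit 3d9dddb reads "Bump version up to 4.6.0rc3..." although it is on v4-7-test and the VERSION hunk moves SAMBA_VERSION_RC_RELEASE from 2 to 3 right after the 4.7.0rc2 release commits. The subject presumably means 4.7.0rc3; since the branch is already pushed, the next bump commit is the place to get the series number right, as anyone searching the log for 4.6 changes will hit this one.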
[SCM] Samba Shared Repository - annotated tag samba-4.7.0rc2 created
The annotated tag, samba-4.7.0rc2 has been created at 86f1f69038bae6850315c4a388455f09709ef3c2 (tag) tagging 27d4dfbbbeca0a47cf18508555cac38f02737301 (commit) replaces samba-4.7.0rc1 tagged by Stefan Metzmacher on Wed Jul 12 16:40:30 2017 +0200 - Log - samba: tag release samba-4.7.0rc2 -BEGIN PGP SIGNATURE- Version: GnuPG v1 iD8DBQBZZjTebzORW2Vot+oRAsIrAKCF0QLn3e6u7s7Pi0DDbf30fZEOOQCgmdQk yDfWu7vkcivUknfQyLMr9r8= =fR9T -END PGP SIGNATURE- Jeffrey Altman (1): CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation Stefan Metzmacher (3): VERSION: Bump version up to 4.7.0rc2... WHATSNEW: Add release notes for Samba 4.7.0rc2 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc2 release --- -- Samba Shared Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 866dd96 NEWS[4.7.0rc2]: Samba 4.7.0rc2 Security Release Available for Download from 653e3c6 use "Samba 4.6.6, 4.5.12 and 4.4.15 Security Releases Available for Download" as headline https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 866dd96e58b7cefec2e78fc13c28f1c3c1e06384 Author: Stefan Metzmacher Date: Wed Jul 12 16:40:42 2017 +0200 NEWS[4.7.0rc2]: Samba 4.7.0rc2 Security Release Available for Download Signed-off-by: Stefan Metzmacher --- Summary of changes: posted_news/20170712-144405.4.7.0rc2.body.html | 15 +++ posted_news/20170712-144405.4.7.0rc2.headline.html | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 posted_news/20170712-144405.4.7.0rc2.body.html create mode 100644 posted_news/20170712-144405.4.7.0rc2.headline.html Changeset truncated at 500 lines: diff --git a/posted_news/20170712-144405.4.7.0rc2.body.html b/posted_news/20170712-144405.4.7.0rc2.body.html new file mode 100644 index 000..2b59018 --- /dev/null +++ b/posted_news/20170712-144405.4.7.0rc2.body.html @@ -0,0 +1,15 @@ + +12 July 2017 +Samba 4.7.0rc2 Security Release Available for Download + +This is the second release candidate of the upcoming Samba 4.7 release series, +compared to 4.7.0rc1 is only contains the change in order to address +CVE-2017-11103 +(Orpheus' Lyre mutual authentication validation bypass). + + +The uncompressed tarball has been signed using GnuPG (ID 6F33915B6568B7EA). +The source code can be https://download.samba.org/pub/samba/rc/samba-4.7.0rc2.tar.gz";>downloaded now. +See https://download.samba.org/pub/samba/rc/samba-4.7.0rc2.WHATSNEW.txt";>the release notes for more info. + + diff --git a/posted_news/20170712-144405.4.7.0rc2.headline.html b/posted_news/20170712-144405.4.7.0rc2.headline.html new file mode 100644 index 000..29c9264 --- /dev/null +++ b/posted_news/20170712-144405.4.7.0rc2.headline.html 
@@ -0,0 +1,3 @@ + + 12 July 2017 Samba 4.7.0rc2 Security Release Available for Download + -- Samba Website Repository
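Review bot: In the added body.html text, "compared to 4.7.0rc1 is only contains the change in order to address" is ungrammatical; "compared to 4.7.0rc1 it only contains the change needed to address" reads as intended. The sentence is also a comma splice with the one before it, so starting a new sentence at "Compared to" would help the announcement read cleanly.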
[SCM] Samba Shared Repository - branch v4-7-stable updated
The branch, v4-7-stable has been updated via 27d4dfb VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc2 release via 95a3381 WHATSNEW: Add release notes for Samba 4.7.0rc2 via 4e809d0 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation via 766c59d VERSION: Bump version up to 4.7.0rc2... from d4bb8fe VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc1 release https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 9 - source4/heimdal/lib/krb5/ticket.c | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 7fd1f8a..12b20ea 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=1 +SAMBA_VERSION_RC_RELEASE=2 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8ef5428..73daedf 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the first release candidate of Samba 4.7. This is *not* +This is the second release candidate of Samba 4.7. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -283,6 +283,13 @@ KNOWN ISSUES https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc1 +== + +o Jeffrey Altman + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + ### Reporting bugs & Development Discussion ### diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c 
@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- Samba Shared Repository
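Review bot: The block that follows this call in _krb5_extract_ticket() is still entered only when (flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0, so a caller that passes that flag skips whatever comparison lives there regardless of which sname is parsed. The commit message should state which callers set EXTRACT_TICKET_ALLOW_SERVER_MISMATCH and confirm that each of them validates the enc_part service name on its own, otherwise the fix covers only the default path.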
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3799a32 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation from de9d219 dbwrap: Ask CTDB for local tdb open flags https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3799a32e41134a2dff797ebeacf5abdb8d332e6e Author: Jeffrey Altman Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 12 17:44:50 CEST 2017 on sn-devel-144 --- Summary of changes: source4/heimdal/lib/krb5/ticket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- Samba Shared Repository
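Review bot: The change to master touches only source4/heimdal/lib/krb5/ticket.c (1 file changed, 2 insertions, 2 deletions) and brings no test with it. A regression test that hands _krb5_extract_ticket() a KDC-REP whose unencrypted ticket sname/realm differ from enc_part.sname/srealm, and asserts that the reply is rejected when EXTRACT_TICKET_ALLOW_SERVER_MISMATCH is not set, would pin the behaviour and catch the next import of Heimdal code that predates the upstream fix.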
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bebf90f libwbclient: Fix CID 1414781 Dereference null return value via 9c68f99 spoolss: Fix CID 1414784 Uninitialized scalar variable from 3799a32 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bebf90f7a101e0180e39e0332f2a1b1023ea0437 Author: Volker Lendecke Date: Tue Jul 11 16:04:01 2017 +0200 libwbclient: Fix CID 1414781 Dereference null return value Basically a cut&paste error from somewhere else Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Jul 12 22:12:22 CEST 2017 on sn-devel-144 commit 9c68f99654c851491a4fb499a358af6c400a8dea Author: Volker Lendecke Date: Tue Jul 11 13:50:09 2017 +0200 spoolss: Fix CID 1414784 Uninitialized scalar variable "struct tm" can contain more members than we explicitly initialize. Initialize them all. Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider --- Summary of changes: nsswitch/libwbclient/wbc_sid.c| 2 +- source3/rpc_client/init_spoolss.c | 18 +- 2 files changed, 10 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c index baaeb60..77445af 100644 --- a/nsswitch/libwbclient/wbc_sid.c +++ b/nsswitch/libwbclient/wbc_sid.c @@ -812,7 +812,7 @@ wbcErr wbcCtxGetSidAliases(struct wbcContext *ctx, rids = (uint32_t *)wbcAllocateMemory(response.data.num_entries, sizeof(uint32_t), NULL); - BAIL_ON_PTR_ERROR(sids, wbc_status); + BAIL_ON_PTR_ERROR(rids, wbc_status); s = (const char *)response.extra_data.data; for (i = 0; i < response.data.num_entries; i++) { diff --git a/source3/rpc_client/init_spoolss.c b/source3/rpc_client/init_spoolss.c index a806fc6..e5f70c0 100644 --- a/source3/rpc_client/init_spoolss.c +++ b/source3/rpc_client/init_spoolss.c 
@@ -48,15 +48,15 @@ bool init_systemtime(struct spoolss_Time *r, time_t spoolss_Time_to_time_t(const struct spoolss_Time *r) { - struct tm unixtime; - - unixtime.tm_year= r->year - 1900; - unixtime.tm_mon = r->month - 1; - unixtime.tm_wday= r->day_of_week; - unixtime.tm_mday= r->day; - unixtime.tm_hour= r->hour; - unixtime.tm_min = r->minute; - unixtime.tm_sec = r->second; + struct tm unixtime = { + .tm_year= r->year - 1900, + .tm_mon = r->month - 1, + .tm_wday= r->day_of_week, + .tm_mday= r->day, + .tm_hour= r->hour, + .tm_min = r->minute, + .tm_sec = r->second, + }; return mktime(&unixtime); } -- Samba Shared Repository
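Review bot: In spoolss_Time_to_time_t(), the designated initializer now zeroes every member that is not listed, and that includes tm_isdst; mktime() reads tm_isdst == 0 as "DST is not in effect", not as "unknown". If the spoolss time is meant to be converted under the local DST rules, add .tm_isdst = -1; if 0 is the intended meaning, a short comment would record that choice. The .tm_wday line could be dropped as well, since mktime() ignores tm_wday on input.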
[SCM] UID Wrapper Repository - annotated tag uid_wrapper-1.2.2 created
The annotated tag, uid_wrapper-1.2.2 has been created at 8319a9b802eec3af5aa80ae456f3b8b9ba6c0f2d (tag) tagging 27e9f76f1ddc72987f0323f19341b2b6afefa5cd (commit) replaces uid_wrapper-1.2.1 tagged by Andreas Schneider on Thu Jul 13 08:42:23 2017 +0200 - Log - uid_wrapper-1.2.2 Andreas Schneider (3): uwrap: Add support to initialize groups while forking tests: Add a fork and exec test Bump version to 1.2.2 Matt Turner (3): uwrap: Attempt to dlopen libc.so.*.1 as a fallback. uwrap: Use alpha-specific syscalls. tests: Use alpha-specific syscalls. Michael Adam (1): tests: fix a comment typo --- -- UID Wrapper Repository
[SCM] UID Wrapper Repository - branch master updated
The branch, master has been updated via 27e9f76 Bump version to 1.2.2 via 6d69fef tests: Add a fork and exec test via b5168be uwrap: Add support to initialize groups while forking from 0580449 tests: fix a comment typo https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master - Log - commit 27e9f76f1ddc72987f0323f19341b2b6afefa5cd Author: Andreas Schneider Date: Wed Jul 12 13:03:35 2017 +0200 Bump version to 1.2.2 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 6d69fefcc5b39cf2007ad9b43fe4972c3b835d80 Author: Andreas Schneider Date: Wed Jul 12 09:16:30 2017 +0200 tests: Add a fork and exec test Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit b5168be4128d7585c30ba98da31926cd3d0066e5 Author: Andreas Schneider Date: Tue Jul 11 11:59:33 2017 +0200 uwrap: Add support to initialize groups while forking Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- Summary of changes: CMakeLists.txt | 2 +- ChangeLog | 4 ++ src/uid_wrapper.c | 163 + tests/CMakeLists.txt | 4 +- tests/mock_exec_uid.c | 157 +++ tests/test_fork_exec.c | 88 ++ 6 files changed, 416 insertions(+), 2 deletions(-) create mode 100644 tests/mock_exec_uid.c create mode 100644 tests/test_fork_exec.c Changeset truncated at 500 lines: diff --git a/CMakeLists.txt b/CMakeLists.txt index 898440e..4dc42f2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -8,7 +8,7 @@ set(APPLICATION_NAME ${PROJECT_NAME}) set(APPLICATION_VERSION_MAJOR "1") set(APPLICATION_VERSION_MINOR "2") -set(APPLICATION_VERSION_PATCH "1") +set(APPLICATION_VERSION_PATCH "2") set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINOR}.${APPLICATION_VERSION_PATCH}") diff --git a/ChangeLog b/ChangeLog index 6f776de..cc02554 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,10 @@ ChangeLog == +version 1.2.2 (released 2107-07-13) + * Added support for fork'ed and then exec'ed processes + * Added support for Alpha + version 1.2.1 (released 2016-03-16) * Documented missing options. * Fixed a comipilation issue with -O3. diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c index ded857a..6e39eb6 100644 --- a/src/uid_wrapper.c +++ b/src/uid_wrapper.c 
@@ -815,6 +815,66 @@ int pthread_create(pthread_t *thread, * UWRAP ID HANDLING */ +#define GROUP_STRING_SIZE 16384 + +/** + * This function exports all the IDs of the current user so if + * we fork and then exec we can setup uid_wrapper in the new process + * with those IDs. + */ +static void uwrap_export_ids(struct uwrap_thread *id) +{ + char groups_str[GROUP_STRING_SIZE] = {0}; + size_t groups_str_size = sizeof(groups_str); + char unsigned_str[32] = {0}; + int i; + + /* UIDS */ + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ruid); + setenv("UID_WRAPPER_INITIAL_RUID", unsigned_str, 1); + + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->euid); + setenv("UID_WRAPPER_INITIAL_EUID", unsigned_str, 1); + + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->suid); + setenv("UID_WRAPPER_INITIAL_SUID", unsigned_str, 1); + + /* GIDS */ + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->rgid); + setenv("UID_WRAPPER_INITIAL_RGID", unsigned_str, 1); + + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->egid); + setenv("UID_WRAPPER_INITIAL_EGID", unsigned_str, 1); + + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->sgid); + setenv("UID_WRAPPER_INITIAL_SGID", unsigned_str, 1); + + /* GROUPS */ + snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ngroups); + setenv("UID_WRAPPER_INITIAL_GROUPS_COUNT", unsigned_str, 1); + + for (i = 0; i < id->ngroups; i++) { + size_t groups_str_len = strlen(groups_str); + size_t groups_str_avail = groups_str_size - groups_str_len; + size_t len; + + len = snprintf(unsigned_str, sizeof(unsigned_str), ",%u", id->groups[i]); + if (len <= 1) { + continue; + } + if (len < groups_str_avail) { + snprintf(groups_str + groups_str_len, +groups_str_size - groups_str_len, +"%s", +i == 0 ? unsigned_str + 1 : unsigned_str); + } + } + + if (id->ngroups > 0) { + setenv("UID_WRAPPER_INITIAL_GROUPS", groups_str, 1); + } +} + stat
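Review bot: The new ChangeLog entry is dated "released 2107-07-13"; the uid_wrapper-1.2.2 tag was created on Thu Jul 13 2017, so the year should read 2017.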
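Review bot: In the GROUPS loop of uwrap_export_ids(), a group whose text no longer fits in groups_str is skipped without any error, yet UID_WRAPPER_INITIAL_GROUPS_COUNT has already been exported as id->ngroups, so the exec'ed process can be handed a count larger than the list it is given. Count the entries actually appended and export the count after the loop, or treat running out of space as a hard failure. Separately, snprintf() returns int, so storing the result in size_t len turns a negative return into a huge value that passes the len <= 1 test; keeping it in an int and testing for < 0 is clearer, and none of the setenv() return values are checked.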