[SCM] Samba Shared Repository - annotated tag samba-4.6.8 created
The annotated tag, samba-4.6.8 has been created at 4a3bb952f9fac1b3a1b691eacbc6dea2a79d11c7 (tag) tagging be2ffca00a983bc3e599e0eb84ab35c517e9d07c (commit) replaces samba-4.6.7 tagged by Karolin Seeger on Wed Sep 13 13:09:12 2017 -0700 - Log - samba: tag release samba-4.6.8 -BEGIN PGP SIGNATURE- iEYEABECAAYFAlm5kGkACgkQbzORW2Vot+odjgCeNBQmGwEEIsplv4/U+LQBoQfo XCwAoLynLKomS8M39jyhcBj/zrJYnhtn =Q0cb -END PGP SIGNATURE- Jeremy Allison (1): CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. Karolin Seeger (3): VERSION: Bump version up to 4.6.8... WHATSNEW: Add release notes for Samba 4.6.8. VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release. Stefan Metzmacher (10): CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.5.14 created
The annotated tag, samba-4.5.14 has been created at efa454933b34bf968ea7bc3655e5dd91bed191b9 (tag) tagging f261c9a5ef07a0a4230b891b2585c5f21945e196 (commit) replaces samba-4.5.13 tagged by Karolin Seeger on Wed Sep 13 11:32:32 2017 -0700 - Log - samba: tag release samba-4.5.14 -BEGIN PGP SIGNATURE- iEYEABECAAYFAlm5ecAACgkQbzORW2Vot+rrFACffOP4GW/eKvFZNvnM12wZlbd7 z9oAnjEHCVbILXP+jnAFNZbwYqZdPBjj =mcGl -END PGP SIGNATURE- Jeremy Allison (1): CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. Karolin Seeger (3): VERSION: Bump version up to 4.5.14... WHATSNEW: Add release notes for Samba 4.5.14. VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release. Stefan Metzmacher (9): CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.4.16 created
The annotated tag, samba-4.4.16 has been created at 0515ba553660237d8c62c85b2e869e97ae0d09cc (tag) tagging 89edb76883be2d19f490ea9b5d898ac37f8b60f1 (commit) replaces samba-4.4.15 tagged by Karolin Seeger on Wed Sep 13 11:28:47 2017 -0700 - Log - samba: tag release samba-4.4.16 -BEGIN PGP SIGNATURE- iEYEABECAAYFAlm5eOAACgkQbzORW2Vot+qA6QCfWF0fc/E66tHnxIMLy0a6WVM4 Xn4AoI4w6PYfYV4jgdDUzzK5BXT6gtb9 =zGRX -END PGP SIGNATURE- Jeremy Allison (2): s3: smbd: Fix a read after free if a chained SMB1 call goes async. CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. Karolin Seeger (3): VERSION: Bump version up to 4.5.16... WHATSNEW: Add release notes for Samba 4.4.16. VERSION: Disable GIT_SNAPSHOTS for the 4.4.16 release. Ralph Boehme (1): s3/smbd: let non_widelink_open() chdir() to directories directly Stefan Metzmacher (8): CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-5-stable updated
The branch, v4-5-stable has been updated via f261c9a VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release. via bb90fee WHATSNEW: Add release notes for Samba 4.5.14. via b5178cb selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping via a43b36f CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. via 157f2a7 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() via 282a1d1 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function via 609e6b0 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested via f30ea84 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() via dc24ef0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL via 5d296e6 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() via f82c235 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' via f14a94b CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED via 5c645ed VERSION: Bump version up to 4.5.14... from 3c9bc04 VERSION: Disable GIT_SNAPSHOTS for the 4.5.13 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log - commit f261c9a5ef07a0a4230b891b2585c5f21945e196 Author: Karolin Seeger Date: Wed Sep 13 09:42:04 2017 -0700 VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release. Signed-off-by: Karolin Seeger commit bb90fee8f63afa6b9f77f892810e19b153239f24 Author: Karolin Seeger Date: Wed Sep 13 09:39:40 2017 -0700 WHATSNEW: Add release notes for Samba 4.5.14. Signed-off-by: Karolin Seeger commit b5178cb03bf66ccfed4d6b68b5df5f5626f64801 Author: Stefan Metzmacher Date: Tue Sep 12 05:21:35 2017 +0200 selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping This is fixed in master and 4.7. For the backports we can just ignore failures. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914 Signed-off-by: Stefan Metzmacher commit a43b36f5514de38b8a072bfbeb172316045c2ad0 Author: Jeremy Allison Date: Fri Sep 8 10:13:14 2017 -0700 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Signed-off-by: Jeremy Allison Signed-off-by: Stefan Metzmacher commit 157f2a703bcaca9495d50cbd4d48c24b1ceed80d Author: Stefan Metzmacher Date: Sat Dec 17 10:36:49 2016 +0100 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() This will keep enforced encryption across dfs referrals. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 282a1d122f9861b0521fa5a389ad467f8da93bd1 Author: Stefan Metzmacher Date: Mon Aug 14 12:13:18 2017 +0200 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function This allows to check if the current cli_state uses encryption (either via unix extentions or via SMB3). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 609e6b09feb4b00ee52db4a9df258cb9061f4ad8 Author: Stefan Metzmacher Date: Mon Dec 12 06:07:56 2016 +0100 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested With forced encryption or required signing we should also don't fallback. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit f30ea84489e9ee6ab65279bc3ea62ce4f954f965 Author: Stefan Metzmacher Date: Tue Aug 29 15:35:49 2017 +0200 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit dc24ef0fc4292a365900270d6b9b66c9cfc0609e Author: Stefan Metzmacher Date: Tue Aug 29 15:24:14 2017 +0200 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 5d296e6ea32ca2df035dd35e6f21b82390f87f86 Author: Stefan Metzmacher Date: Mon Dec 12 05:49:46 2016 +0100 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() It's important that we use a signed connection to get the GPOs! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit f82c235484d03e22ad78a79e9cf2f14c8455df56 Author: Stefan Metzmacher Date: Fri Dec 9 09:26:32 2016 +0100 CV
[SCM] Samba Shared Repository - branch v4-4-stable updated
The branch, v4-4-stable has been updated via 89edb76 VERSION: Disable GIT_SNAPSHOTS for the 4.4.16 release. via 2ef4251 WHATSNEW: Add release notes for Samba 4.4.16. via bf85c3d CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. via 50f649e CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() via 17019aa CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function via 81f1804 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested via 4a91f4a CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() via b063223 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL via 95f6e5b CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() via 26b87d0 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' via 428ede3 CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED via 084bf98 VERSION: Bump version up to 4.5.16... via 189a717 s3: smbd: Fix a read after free if a chained SMB1 call goes async. via 9ff57c8 s3/smbd: let non_widelink_open() chdir() to directories directly from 9fb0aa5 VERSION: Release Samba 4.4.15 for CVE-2017-11103 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable - Log - commit 89edb76883be2d19f490ea9b5d898ac37f8b60f1 Author: Karolin Seeger Date: Tue Sep 12 15:44:21 2017 -0700 VERSION: Disable GIT_SNAPSHOTS for the 4.4.16 release. Signed-off-by: Karolin Seeger commit 2ef4251057a875a52db938dd97a9c52b30d3ffee Author: Karolin Seeger Date: Tue Sep 12 15:43:26 2017 -0700 WHATSNEW: Add release notes for Samba 4.4.16. Signed-off-by: Karolin Seeger commit bf85c3d4ed7a4f1a0be4e16faf5d9b562940d33d Author: Jeremy Allison Date: Fri Sep 8 10:13:14 2017 -0700 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Signed-off-by: Jeremy Allison Signed-off-by: Stefan Metzmacher commit 50f649e7d0b27bcd7eaab7d8223ef9ccd99782dc Author: Stefan Metzmacher Date: Sat Dec 17 10:36:49 2016 +0100 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() This will keep enforced encryption across dfs referrals. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 17019aa27f612f4ccc7131d40c54b26864fef444 Author: Stefan Metzmacher Date: Mon Aug 14 12:13:18 2017 +0200 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function This allows to check if the current cli_state uses encryption (either via unix extentions or via SMB3). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 81f1804d45c1b698ee87ee4d4c84197df98ea4f2 Author: Stefan Metzmacher Date: Mon Dec 12 06:07:56 2016 +0100 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested With forced encryption or required signing we should also don't fallback. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 4a91f4ab82e3f729a12947ff65a74b072dd94acc Author: Stefan Metzmacher Date: Tue Aug 29 15:35:49 2017 +0200 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit b06322309752f3b666ad38f42ef2e96f1c41a24a Author: Stefan Metzmacher Date: Tue Aug 29 15:24:14 2017 +0200 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 95f6e5b574856453c3ef36ebe9ae86d8456e6404 Author: Stefan Metzmacher Date: Mon Dec 12 05:49:46 2016 +0100 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() It's important that we use a signed connection to get the GPOs! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 26b87d01b015c83a4670db62839f5c84b6e66478 Author: Stefan Metzmacher Date: Fri Dec 9 09:26:32 2016 +0100 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 428ede3dd3bbf3bba86ca1b321bedfcc9aebba79 Author: Stefan Metzmacher Date: Thu Nov 3 17:16:43 2016 +0100
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via be2ffca VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release. via a308007 WHATSNEW: Add release notes for Samba 4.6.8. via 34dea82 selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping via c848b10 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. via 105cc43 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() via 3157cce CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function via 2850666 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested via 28f4a8d CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() via d8c6ace CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL via f42ffde CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() via b760a46 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' via 97a7ddf CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED via 9fb5283 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one via 0effa0f VERSION: Bump version up to 4.6.8... from a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - commit be2ffca00a983bc3e599e0eb84ab35c517e9d07c Author: Karolin Seeger Date: Wed Sep 13 11:12:20 2017 -0700 VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release. Signed-off-by: Karolin Seeger commit a308007fd615dcad94bc419d30d689c6f3b6cb32 Author: Karolin Seeger Date: Wed Sep 13 11:07:28 2017 -0700 WHATSNEW: Add release notes for Samba 4.6.8. 
Signed-off-by: Karolin Seeger commit 34dea826bbfd8ac06230f41b4c7050286c21a966 Author: Stefan Metzmacher Date: Tue Sep 12 05:21:35 2017 +0200 selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping This is fixed in master and 4.7. For the backports we can just ignore failures. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914 Signed-off-by: Stefan Metzmacher commit c848b104aa2293f55c14722d99cf788dafc442cb Author: Jeremy Allison Date: Fri Sep 8 10:13:14 2017 -0700 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Signed-off-by: Jeremy Allison Signed-off-by: Stefan Metzmacher commit 105cc438c6cb3dc741e861855e3fa5a94a156ff0 Author: Stefan Metzmacher Date: Sat Dec 17 10:36:49 2016 +0100 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() This will keep enforced encryption across dfs referrals. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 3157ccef61bd0698207054daf060cf2986d1d110 Author: Stefan Metzmacher Date: Mon Aug 14 12:13:18 2017 +0200 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function This allows to check if the current cli_state uses encryption (either via unix extentions or via SMB3). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit 28506663282a1457708c38c58437e9eb9c0002bf Author: Stefan Metzmacher Date: Mon Dec 12 06:07:56 2016 +0100 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested With forced encryption or required signing we should also don't fallback. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Author: Stefan Metzmacher Date: Tue Aug 29 15:35:49 2017 +0200 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit d8c6aceb94ab72991eb538ab5dc388686a177052 Author: Stefan Metzmacher Date: Tue Aug 29 15:24:14 2017 +0200 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Author: Stefan Metzmacher Date: Mon Dec 12 05:49:46 2016 +0100 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() It's important that we use a signed connection to get the GPOs! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit b760a464ee3d94e
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 4c18f0f NEWS[4.6.8]: Samba 4.6.8, 4.5.14 and 4.4.16 Available for Download from 7f6aa86 NEWS[4.7.0rc6]: Samba 4.7.0rc6 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 4c18f0f75b7e8bb912a8f0d2260c753a127dff70 Author: Karolin Seeger Date: Wed Sep 13 13:09:28 2017 -0700 NEWS[4.6.8]: Samba 4.6.8, 4.5.14 and 4.4.16 Available for Download Signed-off-by: Karolin Seeger --- Summary of changes: history/header_history.html | 5 +- history/samba-4.6.8.html| 79 history/security.html | 21 +++ posted_news/20170920-071640.4.6.8.body.html | 26 posted_news/20170920-071640.4.6.8.headline.html | 3 + security/CVE-2017-12150.html| 76 +++ security/CVE-2017-12151.html| 80 + security/CVE-2017-12163.html| 75 +++ 8 files changed, 364 insertions(+), 1 deletion(-) create mode 100644 history/samba-4.6.8.html create mode 100644 posted_news/20170920-071640.4.6.8.body.html create mode 100644 posted_news/20170920-071640.4.6.8.headline.html create mode 100644 security/CVE-2017-12150.html create mode 100644 security/CVE-2017-12151.html create mode 100644 security/CVE-2017-12163.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 1f66566..995c08a 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ Release Notes + samba-4.6.8 samba-4.6.7 samba-4.6.6 samba-4.6.5 @@ -17,6 +18,7 @@ samba-4.6.2 samba-4.6.1 samba-4.6.0 + samba-4.5.14 samba-4.5.13 samba-4.5.12 samba-4.5.11 @@ -31,7 +33,8 @@ samba-4.5.2 samba-4.5.1 samba-4.5.0 - samba-4.4.15 + samba-4.4.16 + samba-4.4.15 samba-4.4.14 samba-4.4.13 samba-4.4.12 diff --git a/history/samba-4.6.8.html b/history/samba-4.6.8.html new file mode 100644 index 000..cfd082b --- /dev/null +++ b/history/samba-4.6.8.html 
@@ -0,0 +1,79 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> +http://www.w3.org/1999/xhtml";> + +Samba 4.6.8 - Release Notes + + +Samba 4.6.8 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.gz";>Samba 4.6.8 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.asc";>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.gz";>Patch (gzipped) against Samba 4.6.7 +https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.asc";>Signature + + + + = + Release Notes for Samba 4.6.8 + September 20, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they + should) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12163 (Server memory information leak over SMB1) + + +=== +Details +=== + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-12150.html + o https://www.samba.org/samba/security/CVE-2017-12151.html + o https://www.samba.org/samba/security/CVE-2017-12163.html + + +Changes since 4.6.7: + + +o Jeremy Allison <j...@samba.org> + * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes + async. + * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from + writing server memory to file. + +o Ralph Boehme <s...@samba.org> + * B
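Review bot: In the last history/header_history.html hunk (@@ -31,7 +33,8 @@) the existing samba-4.4.15 entry is removed and re-added beside the new samba-4.4.16 line, while the 4.6.8 and 4.5.14 hunks are pure one-line additions. If the 4.4.15 line differs only in whitespace, leave it untouched so the hunk adds just the 4.4.16 entry.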
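Review bot: In the new history/samba-4.6.8.html, the "Changes since 4.6.7" list carries BUG 12836 (read after free if a chained SMB1 call goes async) under Jeremy Allison and begins a Ralph Boehme entry, but the samba-4.6.8 tag and v4-6-stable shortlogs show only the CVE-2017-12163 commit from Jeremy Allison and no Ralph Boehme commit; both of those changes appear in the 4.4.16 shortlog instead. Check the list against the v4-6-stable log and drop any entry that did not land between 4.6.7 and 4.6.8.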
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via e0c0869 Add release notes for Samba 4.5.14 and 4.4.16. from 4c18f0f NEWS[4.6.8]: Samba 4.6.8, 4.5.14 and 4.4.16 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit e0c086915750638b12c6883f7baa456149d2a002 Author: Karolin Seeger Date: Wed Sep 20 10:26:29 2017 +0200 Add release notes for Samba 4.5.14 and 4.4.16. Signed-off-by: Karolin Seeger --- Summary of changes: history/{samba-4.6.8.html => samba-4.4.16.html} | 30 ++--- history/{samba-4.6.8.html => samba-4.5.14.html} | 36 ++--- 2 files changed, 28 insertions(+), 38 deletions(-) copy history/{samba-4.6.8.html => samba-4.4.16.html} (65%) copy history/{samba-4.6.8.html => samba-4.5.14.html} (57%) Changeset truncated at 500 lines: diff --git a/history/samba-4.6.8.html b/history/samba-4.4.16.html similarity index 65% copy from history/samba-4.6.8.html copy to history/samba-4.4.16.html index cfd082b..a83edc7 100644 --- a/history/samba-4.6.8.html +++ b/history/samba-4.4.16.html 
@@ -2,31 +2,31 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> http://www.w3.org/1999/xhtml";> -Samba 4.6.8 - Release Notes +Samba 4.4.15 - Release Notes -Samba 4.6.8 Available for Download +Samba 4.4.15 Available for Download -https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.gz";>Samba 4.6.8 (gzipped) -https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.asc";>Signature +https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.gz";>Samba 4.4.16 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.asc";>Signature -https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.gz";>Patch (gzipped) against Samba 4.6.7 -https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.asc";>Signature +https://download.samba.org/pub/samba/patches/samba-4.4.15-4.4.16.diffs.gz";>Patch (gzipped) against Samba 4.4.14 +https://download.samba.org/pub/samba/patches/samba-4.4.15-4.4.16.diffs.asc";>Signature - = - Release Notes for Samba 4.6.8 - September 20, 2017 - = + == + Release Notes for Samba 4.4.16 + September 20, 2017 + == This is a security release in order to address the following defects: o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should) -o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) o CVE-2017-12163 (Server memory information leak over SMB1) @@ -53,8 +53,8 @@ For more details and workarounds, please see the security advisories: o https://www.samba.org/samba/security/CVE-2017-12163.html -Changes since 4.6.7: - +Changes since 4.4.15: +- o Jeremy Allison* BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes 
@@ -69,10 +69,8 @@ o Ralph Boehme o Stefan Metzmacher * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs redirects. - * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing + * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing when they should. - - diff --git a/history/samba-4.6.8.html b/history/samba-4.5.14.html similarity index 57% copy from history/samba-4.6.8.html copy to history/samba-4.5.14.html index cfd082b..d08f587 100644 --- a/history/samba-4.6.8.html +++ b/history/samba-4.5.14.html @@ -2,31 +2,31 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> http://www.w3.org/1999/xhtml";> -Samba 4.6.8 - Release Notes +Samba 4.5.14 - Release Notes -Samba 4.6.8 Available for Download +Samba 4.5.14 Available for Download -https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.gz";>Samba 4.6.8 (gzipped) -https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.asc";>Signature +https://download.samba.org/pub/samba/stable/samba-4.5.14.tar.gz";>Samba 4.5.14 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.5.14.tar.asc";>Signature -https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.gz";>Patch (gzipped) against Samba 4.6.7 -https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.asc";>Signature +https://download.samba.org/pub/samba/patches/samba-4.5.13-4.5.14.diffs.gz";>Patch (gzipped) against Samba 4.5.12 +https://download.samba.org/pub/samba/patches/samba-4.5.13-4.5.14.diffs.asc";>Signature -
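Review bot: In the first hunk of history/samba-4.4.16.html the title and heading become "Samba 4.4.15 - Release Notes" and "Samba 4.4.15 Available for Download", although the file name, the download links and the banner in the same hunk are all for 4.4.16; both lines should read 4.4.16. The patch link text in that hunk also says "against Samba 4.4.14" while its URL is samba-4.4.15-4.4.16.diffs.gz, so the text should name 4.4.15.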
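Review bot: In the history/samba-4.5.14.html hunk the patch link text reads "Patch (gzipped) against Samba 4.5.12", but the link target is samba-4.5.13-4.5.14.diffs.gz. The text should name 4.5.13, the release the diff is taken against.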
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ee4418e dsdb: Only trigger a re-index once per @INDEXLIST modification via da575f0 selftest: sort dbcheck output to avoid sort order impacting results via 9e9a8d8 s4-dnsserver: Check for too many DNS results via c174702 s4-dnsserver: Always encode user-supplied names when looking up DNS records from 3e1870c kcc: Remove unused, untested KCC code https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ee4418e73f5ed9a1c5d5dc1a5547899f80d9fb5a Author: Andrew Bartlett Date: Mon Sep 11 13:53:19 2017 +1200 dsdb: Only trigger a re-index once per @INDEXLIST modification A modify of both @INDEXLIST and @ATTRIBUTES will still trigger two re-index passes but that is a task for later. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9527 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Sep 20 12:29:49 CEST 2017 on sn-devel-144 commit da575f01313673fedfc7d15ec11ba6818dbd30d8 Author: Andrew Bartlett Date: Fri Aug 25 17:37:05 2017 +1200 selftest: sort dbcheck output to avoid sort order impacting results The GUID index code will change the returned results order Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam commit 9e9a8d8f887a3b13d06a7cc71edad78c140bb0be Author: Andrew Bartlett Date: Tue Aug 29 14:19:22 2017 +1200 s4-dnsserver: Check for too many DNS results If we had this check in when the wildcard DNS tests were written, we would have noticed that the name needed to be escaped (see previous commit). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Reviewed-by: Garming Sam commit c17470210792e6443bd3c28c18874645f1558494 Author: Andrew Bartlett Date: Tue Aug 29 11:48:46 2017 +1200 s4-dnsserver: Always encode user-supplied names when looking up DNS records BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994 
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- Summary of changes: source4/dsdb/samdb/ldb_modules/partition.c | 90 - source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 15 - source4/rpc_server/dnsserver/dnsdb.c| 18 +++-- testprogs/blackbox/dbcheck-links.sh | 4 +- 4 files changed, 104 insertions(+), 23 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c index c304efa..426fce3 100644 --- a/source4/dsdb/samdb/ldb_modules/partition.c +++ b/source4/dsdb/samdb/ldb_modules/partition.c @@ -432,30 +432,90 @@ static int partition_copy_all(struct ldb_module *module, return search_ret; } - /* now delete the object in the other partitions. Once that is - done we will re-add the object, if search_ret was not - LDB_ERR_NO_SUCH_OBJECT + /* now delete the object in the other partitions, if requried */ + if (search_ret == LDB_ERR_NO_SUCH_OBJECT) { + for (i=0; data->partitions && data->partitions[i]; i++) { + int pret; + pret = dsdb_module_del(data->partitions[i]->module, + dn, + DSDB_FLAG_NEXT_MODULE, + req); + if (pret != LDB_SUCCESS && pret != LDB_ERR_NO_SUCH_OBJECT) { + /* we should only get success or no + such object from the other partitions */ + return pret; + } + } + + return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); + } + + /* now add/modify in the other partitions */ for (i=0; data->partitions && data->partitions[i]; i++) { + struct ldb_message *modify_msg = NULL; int pret; - pret = dsdb_module_del(data->partitions[i]->module, dn, DSDB_FLAG_NEXT_MODULE, req); - if (pret != LDB_SUCCESS && pret != LDB_ERR_NO_SUCH_OBJECT) { - /* we should only get success or no - such object from the other partitions */ + unsigned int el_idx; + + pret = dsdb_module_add(data->partitions[i]->module, + res->msgs[0], + DSDB_FLAG_NEXT_MODULE, + req); + if (pret == LDB_SUCCESS) { + continue; + } + +
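Review bot: The new comment at the top of the partition_copy_all() hunk misspells "required" as "requried". Since the delete loop now runs only when search_ret == LDB_ERR_NO_SUCH_OBJECT, the comment could state that condition directly, and the "now add/modify in the other partitions" comment would benefit from a line on what happens when dsdb_module_add() does not return LDB_SUCCESS, which the removed delete-then-re-add comment used to cover for the old flow.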
[SCM] Samba Shared Repository - branch v4-6-test updated
The branch, v4-6-test has been updated via bb54467 VERSION: Bump version up to 4.6.9... via adbe2eb Merge tag 'samba-4.6.8' into v4-6-test via c66a4d9 smbd/ioctl: match WS2016 ReFS set compression behaviour via be2ffca VERSION: Disable GIT_SNAPSHOTS for the 4.6.8 release. via a308007 WHATSNEW: Add release notes for Samba 4.6.8. via 34dea82 selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping via c848b10 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. via 105cc43 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() via 3157cce CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function via 2850666 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested via 28f4a8d CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() via d8c6ace CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL via f42ffde CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() via b760a46 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' via 97a7ddf CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED via 9fb5283 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one from a86c837 ctdb-client: Initialize ctdb_ltdb_header completely for empty record https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test - Log - commit bb54467ed822bf8d422f5a20db5362406398fbc0 Author: Karolin Seeger Date: Wed Sep 20 13:01:46 2017 +0200 VERSION: Bump version up to 4.6.9... and re-enable GIT_SNAPSHOTS. 
Signed-off-by: Karolin Seeger commit adbe2ebe3ebdd37a38bf26f9609f44ba513d0325 Merge: c66a4d9 be2ffca Author: Karolin Seeger Date: Wed Sep 20 13:00:48 2017 +0200 Merge tag 'samba-4.6.8' into v4-6-test samba: tag release samba-4.6.8 commit c66a4d91b1f6fd75d6d64ca30f04de88406589b6 Author: David Disseldorp Date: Thu Jan 5 17:36:02 2017 +0100 smbd/ioctl: match WS2016 ReFS set compression behaviour ReFS doesn't support compression, but responds to set-compression FSCTLs with NT_STATUS_OK if (and only if) the requested compression format is COMPRESSION_FORMAT_NONE. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144 Reported-by: Nick Barrett Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144 (cherry picked from commit 28cc347876b97b7409d6efd377f031fc6df0c5f3) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 84 ++- auth/credentials/credentials.c| 16 libcli/smb/smbXcli_base.c | 5 +++ libcli/smb/smbXcli_base.h | 1 + libgpo/gpo_fetch.c| 2 +- selftest/flapping | 1 + source3/include/auth_info.h | 1 + source3/lib/popt_common.c | 6 +-- source3/lib/util_cmdline.c| 32 +++ source3/libsmb/clidfs.c | 20 +++--- source3/libsmb/clientgen.c| 13 ++ source3/libsmb/libsmb_context.c | 2 +- source3/libsmb/proto.h| 1 + source3/libsmb/pylibsmb.c | 2 +- source3/smbd/reply.c | 50 +++ source3/smbd/smb2_ioctl_filesys.c | 26 ++-- 17 files changed, 227 insertions(+), 37 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 3a8de1a..42fbbd7 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 87c4579..5b11c9f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,84 @@ = + Release Notes for Samba 4.6.8 + September 20, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they + should) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12163 (Server memory information leak over SMB1) + + +=== +Details +===
[SCM] Samba Shared Repository - branch v4-5-test updated
The branch, v4-5-test has been updated
   via aba4994 VERSION: Bump version up to 4.5.15...
   via f84484a Merge tag 'samba-4.5.14' into v4-5-test
   via f261c9a VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release.
   via bb90fee WHATSNEW: Add release notes for Samba 4.5.14.
   via b5178cb selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping
   via a43b36f CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
   via 157f2a7 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
   via 282a1d1 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
   via 609e6b0 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
   via f30ea84 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
   via dc24ef0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
   via 5d296e6 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
   via f82c235 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
   via f14a94b CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
  from 5c645ed VERSION: Bump version up to 4.5.14...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test

- Log -
commit aba4994bd071bdef8c623632ee248cb99d68ed05
Author: Karolin Seeger
Date: Wed Sep 20 13:03:53 2017 +0200

    VERSION: Bump version up to 4.5.15...

    and re-enable GIT_SNAPSHOTS.
Signed-off-by: Karolin Seeger commit f84484ac9dc52062cefd0ab055670985d394588d Merge: 5c645ed f261c9a Author: Karolin Seeger Date: Wed Sep 20 13:03:09 2017 +0200 Merge tag 'samba-4.5.14' into v4-5-test samba: tag release samba-4.5.14 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 78 +++-- auth/credentials/credentials.c | 16 + libcli/smb/smbXcli_base.c | 5 +++ libcli/smb/smbXcli_base.h | 1 + libgpo/gpo_fetch.c | 2 +- selftest/flapping | 1 + source3/lib/util_cmdline.c | 3 ++ source3/libsmb/clidfs.c | 6 ++-- source3/libsmb/clientgen.c | 13 +++ source3/libsmb/libsmb_context.c | 2 +- source3/libsmb/proto.h | 1 + source3/libsmb/pylibsmb.c | 2 +- source3/smbd/reply.c| 50 ++ 14 files changed, 174 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 12e..e5753d2 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f3fccf7..ea845c3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,78 @@ == + Release Notes for Samba 4.5.14 + September 20, 2017 + == + + +This is a security release in order to address the following defects: + +o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they + should) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12163 (Server memory information leak over SMB1) + + +=== +Details +=== + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-12150.html + o https://www.samba.org/samba/security/CVE-2017-12151.html + o https://www.samba.org/samba/security/CVE-2017-12163.html + + +Changes since 4.5.13: +- + +o Jeremy Allison + * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from + writing server memory to file. + +o Stefan Metzmacher + * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs + redirects. + * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing + when they should. +
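Review bot: In the "Changes since 4.5.13" block of the WHATSNEW.txt hunk, the BUG 12997 entry reads "Some code path don't enforce smb signing when they should"; it should be "Some code paths don't enforce SMB signing", and the BUG 12996 entry writes "dfs redirects" where the summary list at the top of the same hunk writes "DFS redirects". These notes are what administrators search when deciding whether a release covers CVE-2017-12150 and CVE-2017-12151, so the wording should match the CVE summary lines exactly.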
[SCM] Samba Shared Repository - branch v4-4-test updated
The branch, v4-4-test has been updated
   via 374fb91 VERSION: Bump version up to 4.4.17...
   via 09fa5f7 Merge tag 'samba-4.4.16' into v4-4-test
   via 89edb76 VERSION: Disable GIT_SNAPSHOTS for the 4.4.16 release.
   via 2ef4251 WHATSNEW: Add release notes for Samba 4.4.16.
   via bf85c3d CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
   via 50f649e CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
   via 17019aa CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
   via 81f1804 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
   via 4a91f4a CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
   via b063223 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
   via 95f6e5b CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
   via 26b87d0 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
   via 428ede3 CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
   via 084bf98 VERSION: Bump version up to 4.5.16...
  from 189a717 s3: smbd: Fix a read after free if a chained SMB1 call goes async.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test

- Log -
commit 374fb910aaebdd0c209236cc3776479ab0e83768
Author: Karolin Seeger
Date: Wed Sep 20 13:05:49 2017 +0200

    VERSION: Bump version up to 4.4.17...

    and re-enable GIT_SNAPSHOTS.
Signed-off-by: Karolin Seeger commit 09fa5f7dbb9828a9cb9f4df4b3150c884db42861 Merge: 189a717 89edb76 Author: Karolin Seeger Date: Wed Sep 20 13:05:23 2017 +0200 Merge tag 'samba-4.4.16' into v4-4-test samba: tag release samba-4.4.16 --- Summary of changes: VERSION | 4 +- WHATSNEW.txt| 84 - auth/credentials/credentials.c | 16 libcli/smb/smbXcli_base.c | 5 +++ libcli/smb/smbXcli_base.h | 1 + libgpo/gpo_fetch.c | 2 +- source3/lib/util_cmdline.c | 3 ++ source3/libsmb/clidfs.c | 6 ++- source3/libsmb/clientgen.c | 13 +++ source3/libsmb/libsmb_context.c | 2 +- source3/libsmb/proto.h | 1 + source3/libsmb/pylibsmb.c | 2 +- source3/smbd/reply.c| 50 13 files changed, 180 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 1a67456..602ba75 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=4 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=17 # If a official release has a serious bug # @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 476ea80..f97f799 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,84 @@ == + Release Notes for Samba 4.4.16 + September 20, 2017 + == + + +This is a security release in order to address the following defects: + +o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they + should) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12163 (Server memory information leak over SMB1) + + +=== +Details +=== + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-12150.html + o https://www.samba.org/samba/security/CVE-2017-12151.html + o https://www.samba.org/samba/security/CVE-2017-12163.html + + +Changes since 4.4.15: +- +
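Review bot: In the first VERSION hunk (line 25), SAMBA_VERSION_RELEASE moves from 15 straight to 17, and the only intermediate bump in this push is 084bf98, whose subject reads "VERSION: Bump version up to 4.5.16..." on the v4-4 branch. The end state agrees with the 374fb91 subject (4.4.17 with SAMBA_VERSION_IS_GIT_SNAPSHOT=yes in the second hunk), so the tree looks right, but the 084bf98 subject names the wrong series. Anyone auditing which commits make up the 4.4.16 security release will trip over it, so it deserves a line in the release log or the follow-up commit message.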
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated
   via 19df09e CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
   via ecb3cfd CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
   via c38e3a7 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
   via e0fe5d0 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
   via acd9dcb CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
   via dfd1156 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
   via d148d6d CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
   via f737447 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
   via 1b6684e CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
   via 1217df5 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one
  from f2f5ab6 VERSION: Bump version up to 4.7.0rc7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test

- Log -
commit 19df09e29a3c1daace945dfa9e5f7ba7c574a888
Author: Jeremy Allison
Date: Fri Sep 8 10:13:14 2017 -0700

    CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
    Signed-off-by: Jeremy Allison
    Signed-off-by: Stefan Metzmacher
    Autobuild-User(v4-7-test): Karolin Seeger
    Autobuild-Date(v4-7-test): Wed Sep 20 16:20:07 CEST 2017 on sn-devel-144

commit ecb3cfd8982a6d6b610f98ca80362d3db4178b50
Author: Stefan Metzmacher
Date: Sat Dec 17 10:36:49 2016 +0100

    CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

    This will keep enforced encryption across dfs referrals.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
    Signed-off-by: Stefan Metzmacher

commit c38e3a7086164b1c58e003dd627b207ffcbe856e
Author: Stefan Metzmacher
Date: Mon Aug 14 12:13:18 2017 +0200

    CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

    This allows to check if the current cli_state uses encryption (either via unix extensions or via SMB3).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
    Signed-off-by: Stefan Metzmacher

commit e0fe5d09082509c8a11720f683264ffac21e7a75
Author: Stefan Metzmacher
Date: Mon Dec 12 06:07:56 2016 +0100

    CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

    With forced encryption or required signing we should also not fall back.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit acd9dcb671fdc4cd543ddf76918e70599cb09259
Author: Stefan Metzmacher
Date: Tue Aug 29 15:35:49 2017 +0200

    CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit dfd11569de24064bcf8a4348b4b5271807dd501b
Author: Stefan Metzmacher
Date: Tue Aug 29 15:24:14 2017 +0200

    CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit d148d6df0b39e0c2c31ba8fc1d31207a4c852af0
Author: Stefan Metzmacher
Date: Mon Dec 12 05:49:46 2016 +0100

    CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()

    It's important that we use a signed connection to get the GPOs!
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit f7374475c867cb8a71fe4cf07a6bfec9f148af0b
Author: Stefan Metzmacher
Date: Fri Dec 9 09:26:32 2016 +0100

    CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 1b6684ea4e9c77229c5b9ef6399eb639ec39e50f
Author: Stefan Metzmacher
Date: Thu Nov 3 17:16:43 2016 +0100

    CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED

    This is an addition to the fixes for CVE-2015-5296.

    It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 1217df5f9c507dfa08b584ecd39ce982a8d69ddc
Author: Stefan Metzmacher
Date: Tue Aug 29 17:06:21 2017 +0200

    CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one

    BUG: https://bugzilla.samb
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
   via b092ed3 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
   via 35051a8 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
   via 22e22d8 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
   via 7074a1b CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
   via 6ca2cfa CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
   via 9c1ead5 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
   via 52d967e CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
   via 44b47f2 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one
   via 3d1c488 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
   via ace7274 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
  from ee4418e dsdb: Only trigger a re-index once per @INDEXLIST modification

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit b092ed38423e23268c389aae4b6ed46682683c12
Author: Jeremy Allison
Date: Fri Sep 8 10:13:14 2017 -0700

    CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
    Signed-off-by: Jeremy Allison
    Signed-off-by: Stefan Metzmacher
    Autobuild-User(master): Karolin Seeger
    Autobuild-Date(master): Wed Sep 20 17:06:23 CEST 2017 on sn-devel-144

commit 35051a860c75bc119e0ac7755bd69a9ea06695a1
Author: Stefan Metzmacher
Date: Mon Dec 12 06:07:56 2016 +0100

    CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

    With forced encryption or required signing we should also not fall back.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 22e22d8f49626109dbdbca84a85c5148c23b8a2a
Author: Stefan Metzmacher
Date: Tue Aug 29 15:35:49 2017 +0200

    CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 7074a1b7e0ddafa8f09a285cd9f3ae1f26d1709e
Author: Stefan Metzmacher
Date: Tue Aug 29 15:24:14 2017 +0200

    CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 6ca2cfaff9d0b4203f6964d39a0930938a099e03
Author: Stefan Metzmacher
Date: Mon Dec 12 05:49:46 2016 +0100

    CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()

    It's important that we use a signed connection to get the GPOs!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 9c1ead502bc3258d444ea0cd5f3148653419d298
Author: Stefan Metzmacher
Date: Fri Dec 9 09:26:32 2016 +0100

    CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 52d967e161420b5bc8b49d3597b4d34bfb5b13ac
Author: Stefan Metzmacher
Date: Thu Nov 3 17:16:43 2016 +0100

    CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED

    This is an addition to the fixes for CVE-2015-5296.

    It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 44b47f2baec5336e94522938a93cb6b2a8898113
Author: Stefan Metzmacher
Date: Tue Aug 29 17:06:21 2017 +0200

    CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
    Signed-off-by: Stefan Metzmacher

commit 3d1c488c8155f12488116d58c7794555d0dff49f
Author: Stefan Metzmacher
Date: Sat Dec 17 10:36:49 2016 +0100

    CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

    This will keep enforced encryption across dfs referrals.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
    Signed-off-by: Stefan Metzmacher

commit ace72741ada1497cf1dc76c9e0bae0a6cd15dd5e
Author: Stefan Metzmacher
Date: Mon Aug 14 12:13:18 2017 +0200

    CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

    This allows to check if the current cli_state uses encryption (either via unix extensions or via SMB3).

    BUG: https://b
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
   via 30ffc12 testsuite: Fix the 32-bit test build
   via f0df242 WHATSNEW: Mention code removal from "net" and "rpcclient"
   via 3a06a7a libnet: Remove libnet_samsync
   via a2fc00b net: Don't depend on libnet_samsync anymore
   via 66c608a net: Remove NT4-based vampire keytab
   via df7e7c6 net: Remove NT4-based rpc vampire ldif
   via adecdad net: Remove rpc vampire from NT4 domains
   via 4e9877d net: Remove rpc samdump
   via fe736f2 rpcclient: Remove sam_sync related commands
   via 2d97c8a Make sure smbtorture tests can run if someone has set their min protocol above NT1.
  from b092ed3 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 30ffc120e299df1b346f664910cf9d73d3fe7dd9
Author: Volker Lendecke
Date: Wed Sep 20 00:12:33 2017 +

    testsuite: Fix the 32-bit test build

    samba_init_module returns 32-bit. For some reason on my 32-bit lxc "return 0" was converted to something but NT_STATUS_OK, making initialization fail.
    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison
    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Thu Sep 21 02:49:32 CEST 2017 on sn-devel-144

commit f0df2426c0a6428ec1f7b9ede57adfa95e8d8382
Author: Volker Lendecke
Date: Tue Sep 19 15:26:55 2017 -0700

    WHATSNEW: Mention code removal from "net" and "rpcclient"

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit 3a06a7a14e66d5f11c7ca0ea52c8f0f59927c75d
Author: Volker Lendecke
Date: Tue Sep 19 15:17:38 2017 -0700

    libnet: Remove libnet_samsync

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit a2fc00b1f5321e67a39bd3e834f3fd72af7be337
Author: Volker Lendecke
Date: Tue Sep 19 15:14:32 2017 -0700

    net: Don't depend on libnet_samsync anymore

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit 66c608a6baf220a91e80114dbf3ddb7e0fe66732
Author: Volker Lendecke
Date: Tue Sep 19 15:09:05 2017 -0700

    net: Remove NT4-based vampire keytab

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit df7e7c65eda88af9c21cd32c95bcb36868321fed
Author: Volker Lendecke
Date: Tue Sep 19 15:06:11 2017 -0700

    net: Remove NT4-based rpc vampire ldif

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit adecdad28272b8f4ad426b9af21ae0788ed67d18
Author: Volker Lendecke
Date: Tue Sep 19 15:03:43 2017 -0700

    net: Remove rpc vampire from NT4 domains

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit 4e9877d30465baf381ae21a32e485910b02af35d
Author: Volker Lendecke
Date: Tue Sep 19 15:02:09 2017 -0700

    net: Remove rpc samdump

    This uses the NT4 replication commands.
    Samba does not have a server for this, no tests, and whoever needs to migrate a native domain can use an old Samba version

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit fe736f246bbe155d3621e891c7ea377b6aedf836
Author: Volker Lendecke
Date: Tue Sep 19 14:33:07 2017 -0700

    rpcclient: Remove sam_sync related commands

    These three commands don't use the netlogon credential chain correctly. They are missing the netlogon_creds_store after the dcerpc call, so they destroy the correct use of the netlogon creds. The only valid server for these calls that I know of would be NT4, and that should be gone long ago.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Jeremy Allison

commit 2d97c8a4a5128cb00386b9799310bdad1f8971ea
Author: Richard Sharpe
Date: Sun Sep 10 12:50:57 2017 -0700

    Make sure smbtorture tests can run if someone has set their min protocol above NT1.

    This code is SMB1 only, and already modifies maxprotocol, so this change is appropriate.

    Signed-off-by: Richard Sharpe
    Reviewed-by: Jeremy Allison

---

Summary of changes:
 WHATSNEW.txt | 22 +
 source3/libnet/libnet_samsync.c | 437 -
 source3/libnet/libnet_samsync.h | 100 --
 source3/libnet/libnet_samsync_display.c | 307 --
 source3/libnet/libnet_samsync_keytab.c | 308 --
 source3/libnet/libnet_samsync_ldif.c | 1378 ---
 source3/libnet/libnet_samsync_passdb.c | 882 -
 source3/rpcclient/cmd_netlogon.c | 352 ---
 source3/utils/net_proto.h | 9 -
 source3/utils/net_rpc.c | 33 -
 source3/utils/net_rpc_samsync.c | 385 +---
 source3/utils/wscript_build | 1 -
 source3/wsc
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d1e6984 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. via 9c85af0 WHATSNEW: Add release notes for Samba 4.7.0. from 19df09e CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d1e69845e28c20a491c4cd60c712b46ddfcb9dc0 Author: Karolin Seeger Date: Wed Sep 20 12:53:38 2017 +0200 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. Signed-off-by: Karolin Seeger commit 9c85af09b66c9b2b2684f7b38ecb6135b888ec14 Author: Karolin Seeger Date: Wed Sep 20 12:52:08 2017 +0200 WHATSNEW: Add release notes for Samba 4.7.0. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 4 ++-- WHATSNEW.txt | 30 ++ 2 files changed, 24 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index d460d71..d91963a 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=7 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=7 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT=no # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4da5ae3..09c7be6 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,13 +1,11 @@ -Release Announcements -= + = + Release Notes for Samba 4.7.0 +September 20, 2017 + = -This is the sixth release candidate of Samba 4.7. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. - -Samba 4.7 will be the next version of the Samba suite. +This is the first stable release of Samba 4.7. +Please read the release notes carefully before upgrading. UPGRADING = @@ -370,6 +368,22 @@ KNOWN ISSUES https://wiki.samba.org/inFdex.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc6 +== + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. + + CHANGES SINCE 4.7.0rc5 == -- Samba Shared Repository
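Review bot: The new "CHANGES SINCE 4.7.0rc6" section in the second WHATSNEW.txt hunk (@@ -370,6 +368,22 @@) describes CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163 but gives neither the advisory URLs nor the bug numbers, although the 4.5.14 and 4.4.16 release notes for the same fixes point readers to https://www.samba.org/samba/security/ for details and workarounds and the commits carry BUG 12997, 12996 and 13020. Since 4.7.0 is announced as the first stable release of the series, please add the same "For more details and workarounds" pointer and the BUG references here so that a reader of the 4.7.0 notes can confirm the fixes are included without cross-checking another branch.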
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 16594ab VERSION: Bump version up to 4.7.1... from d1e6984 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 16594ab0468b375154d5a164f1ff06796c53c7cd Author: Karolin Seeger Date: Thu Sep 21 08:29:04 2017 +0200 VERSION: Bump version up to 4.7.1... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index d91963a..e927ea0 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 # If a official release has a serious bug # @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# -- Samba Shared Repository