[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  df7efdf0465 s3: smbd: Cleanup - Make rmdir_internals() use NTSTATUS internally without depending on errno.
       via  28522bb3771 s3: smbd: Cleanup - make recursive_rmdir() return a more expressive NTSTATUS not bool.
       via  b3514a57e9b smbd: Make complex if-expression in file_set_dosmode() easier to read
       via  ab692aa6e70 smbd: Fix indentation in rename_internals_fsp()
       via  5567d5bca29 smbd: Save a few lines in file_set_dosmode() with "goto done;"
       via  2976177005f smbd: Remove unused "lret" variable from file_set_dosmode()
       via  f60ca2e2f35 smbd: Pass dirfsp instead of a parent filename to unix_mode
       via  be6cc4cc23f smbd: Log close_file_free() failure in copy_internals()
       via  fbb4bd365f1 smbd: Pass dirfsp instead of an fname to open_file()
       via  fd1dca2d175 smbd: Inherit acl from an fsp instead of a fname
       via  d1a0862327f smbd: Remove a deref forgotten in c2ac6a9cd7b
      from  e25d6c89bef WHATSNEW: Bronze bit, S4U and RBDC support with MIT Kerberos 1.20

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit df7efdf046504aa2392a53f8fd96de9c207f854c
Author: Jeremy Allison
Date:   Thu Mar 3 09:49:15 2022 -0800

    s3: smbd: Cleanup - Make rmdir_internals() use NTSTATUS internally without depending on errno.

    As we already need to return NTSTATUS, map errno to NTSTATUS directly at
    point of failure and don't depend on keeping it around.

    No change in client-visible behavior but makes rmdir_internals() easier
    to understand (for me at least).

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme

    Autobuild-User(master): Ralph Böhme
    Autobuild-Date(master): Fri Mar 4 18:39:48 UTC 2022 on sn-devel-184

commit 28522bb3771245ae69d7c9e279214b1f8ad2c526
Author: Jeremy Allison
Date:   Thu Mar 3 09:34:45 2022 -0800

    s3: smbd: Cleanup - make recursive_rmdir() return a more expressive NTSTATUS not bool.

    Next cleanup the internals of rmdir_internals() to do an early map of
    errno -> NTSTATUS to avoid mapping back and forth.

    Signed-off-by: Jeremy Allison
    Reviewed-by: Ralph Boehme

commit b3514a57e9b9b35bc9983d997191c575eeebcf85
Author: Volker Lendecke
Date:   Fri Mar 4 08:39:01 2022 +0100

    smbd: Make complex if-expression in file_set_dosmode() easier to read

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit ab692aa6e706a23722e1d3f538582d8394507adb
Author: Volker Lendecke
Date:   Fri Mar 4 08:36:04 2022 +0100

    smbd: Fix indentation in rename_internals_fsp()

    This one space character makes it more obvious where in the complex
    if-expression lp_store_dos_attributes() lives.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit 5567d5bca2963534dcc4fb1728f83f18d42c9691
Author: Volker Lendecke
Date:   Thu Mar 3 21:49:47 2022 +0100

    smbd: Save a few lines in file_set_dosmode() with "goto done;"

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit 2976177005feff38f6ef6da1ae0733041849be2b
Author: Volker Lendecke
Date:   Thu Mar 3 21:48:26 2022 +0100

    smbd: Remove unused "lret" variable from file_set_dosmode()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit f60ca2e2f35666583f2e8cd11cb507406bb17393
Author: Volker Lendecke
Date:   Thu Mar 3 11:52:12 2022 +0100

    smbd: Pass dirfsp instead of a parent filename to unix_mode

    This converts a STAT (with potential symlink race problems) into an
    FSTAT on the O_PATH fd we have for the directory

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit be6cc4cc23f61d4c44796621daf726733f718a1a
Author: Volker Lendecke
Date:   Thu Mar 3 20:13:25 2022 +0100

    smbd: Log close_file_free() failure in copy_internals()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit fbb4bd365f156fef89e96f7b79040443f0d70d0a
Author: Volker Lendecke
Date:   Thu Mar 3 11:32:20 2022 +0100

    smbd: Pass dirfsp instead of an fname to open_file()

    Moving slowly towards passing directory handles instead of names,
    representing the idea that we hold a O_PATH file descriptor on
    directories.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit fd1dca2d175291f2258f7963419b16ea3f5c4e31
Author: Volker Lendecke
Date:   Thu Mar 3 11:32:20 2022 +0100

    smbd: Inherit acl from an fsp instead of a fname

    Moving slowly towards passing directory handles instead of names,
    representing the idea that we hold a O_PATH file descriptor on
    directories.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme

commit d1a0862327f37f2edd1042b3b66c2e85234b1e94
Author: Volker Lendecke
Date:   Thu Mar 3 11:28:57 2022 +0100

    smbd: Remove a deref forgotten in c2ac6a9cd7b
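
The f60ca2e2f35 message above describes replacing a STAT on the parent name with an FSTAT on the O_PATH fd held for the directory. The following is an added example, not Samba code: it shows on Linux how the two calls can disagree once the name has been re-pointed at a symlink. The names symlink_swap_demo and race_result are hypothetical, and the directory swap is constructed inside a temporary directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names. Holds permission bits seen by name and via the held fd.
 * symlink_swap_demo() returns 0 on success; the swap below is constructed. */
struct race_result { mode_t by_name; mode_t by_fd; };
int symlink_swap_demo(struct race_result *res)
{
	char tmpl[] = "/tmp/dirfsp-demo-XXXXXX";
	struct stat st_name, st_fd;
	int rootfd, dfd = -1, ret = -1;
	if (mkdtemp(tmpl) == NULL) return -1;
	rootfd = open(tmpl, O_RDONLY | O_DIRECTORY);
	if (rootfd == -1) { rmdir(tmpl); return -1; }
	if (mkdirat(rootfd, "parent", 0700) || fchmodat(rootfd, "parent", 0750, 0) ||
	    mkdirat(rootfd, "other", 0700) || fchmodat(rootfd, "other", 0777, 0))
		goto out;
	/* Hold an O_PATH handle on the real directory (the dirfsp idea). */
	dfd = openat(rootfd, "parent", O_PATH | O_DIRECTORY | O_NOFOLLOW);
	if (dfd == -1) goto out;
	/* The name is re-pointed after the handle was taken. */
	if (renameat(rootfd, "parent", rootfd, "parent.orig") ||
	    symlinkat("other", rootfd, "parent"))
		goto out;
	/* Name-based stat follows the symlink; fstat stays on the opened inode. */
	if (fstatat(rootfd, "parent", &st_name, 0) || fstat(dfd, &st_fd)) goto out;
	res->by_name = st_name.st_mode & 0777;
	res->by_fd = st_fd.st_mode & 0777;
	ret = 0;
out:
	unlinkat(rootfd, "parent", 0);             /* the symlink, if created */
	unlinkat(rootfd, "parent", AT_REMOVEDIR);  /* or the directory, if not */
	unlinkat(rootfd, "parent.orig", AT_REMOVEDIR);
	unlinkat(rootfd, "other", AT_REMOVEDIR);
	if (dfd != -1) close(dfd);
	close(rootfd);
	rmdir(tmpl);
	return ret;
}

int main(void)
{
	struct race_result r;
	if (symlink_swap_demo(&r) != 0) return 1;
	printf("by name: %04o, by O_PATH fd: %04o\n", (unsigned)r.by_name, (unsigned)r.by_fd);
	return 0;
}
```
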
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via e5607a8 Remove e-mail address via 3e57b41 Add link to security bugs in bugzilla from dac0a5d NEWS[4.16.0rc4]: Samba 4.16.0rc4 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit e5607a8c49189ae72060bbeb7d098bbf8f44bf37 Author: Andrew Bartlett Date: Tue Feb 1 15:47:21 2022 +1300 Remove e-mail address It is not our normal practice to include e-mail addresses in our advisory. Signed-off-by: Andrew Bartlett commit 3e57b41b141fbdca90774c5ba646beb93448e868 Author: Andrew Bartlett Date: Tue Aug 31 16:13:08 2021 +1200 Add link to security bugs in bugzilla Signed-off-by: Andrew Bartlett --- Summary of changes: history/security.html| 6 ++ security/CVE-2018-14629.html | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/history/security.html b/history/security.html index 608884f..54118f8 100755 --- a/history/security.html +++ b/history/security.html @@ -15,6 +15,12 @@ link to full release notes for each release. https://wiki.samba.org/index.php/Samba_Release_Planning;> supported Samba versions. + A list of public https://bugzilla.samba.org/buglist.cgi?f1=alias=regexp=Last Changed=PIDL=Samba 2.2=Samba 3.0=Samba 3.2=Samba 3.3=Samba 3.4=Samba 3.5=Samba 3.6=Samba 4.0=Samba 4.1 and newer_format=advanced=^CVE-.*"> + Samba Security Bugs is available. Some minor issues will + only be listed in https://bugzilla.samba.org;> + The Samba Bugzilla and not here, if they did not result + in a security release + Samba Security Releases diff --git a/security/CVE-2018-14629.html b/security/CVE-2018-14629.html index 1aca7b9..40ffcb7 100644 --- a/security/CVE-2018-14629.html +++ b/security/CVE-2018-14629.html 
@@ -68,7 +68,7 @@ and then disabling the 'dns' service in the smb.conf (eg 'server services = Credits === -The initial bug was found by Florian Stülpner florian.stuelp...@hiperscan.com +The initial bug was found by Florian Stülpner Aaron Haslett of Catalyst did the investigation and wrote the patch. -- Samba Website Repository
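
Review bot: In the history/security.html hunk, the added sentence ends at "in a security release" with no full stop; add one. The buglist.cgi query also enumerates products by hand, from "Samba 2.2" through "Samba 4.1 and newer", so a bug filed under a product added later would not be listed even when its alias matches ^CVE-.*; consider dropping the product filter and relying on the alias regexp alone, or say in the commit message why the product list is needed.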
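
Review bot: In the security/CVE-2018-14629.html hunk, the replacement line "The initial bug was found by Florian Stülpner" has no terminating punctuation ahead of "Aaron Haslett of Catalyst did the investigation and wrote the patch."; end the credit with a full stop. The diffstat shows only the HTML page changing, so if the advisory is published in any other form it is worth confirming the address is gone there too.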
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  e25d6c89bef WHATSNEW: Bronze bit, S4U and RBDC support with MIT Kerberos 1.20
       via  d1d47a55449 gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease)
       via  e908bbb1b3b gitlab-ci: Print the krb5 version
       via  d0e4b612c24 s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD)
       via  c7be3d1fffe s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD
       via  5c4afce7bbf s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd()
       via  41ffba1302b s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
       via  1a4d43d38ea s4:auth: Remove trailing spaces in sam.c
       via  ea15ecfe4d5 krb5-mit: Enable S4U client support for MIT build
       via  1201147d06f s4:kdc: Implement new Microsoft forwardable flag behavior
       via  b20606b2915 s4:mitkdc: Add support for S4U2Self & S4U2Proxy
       via  f1ca16f309a s4:mitkdc: Add support for MIT Kerberos 1.20
       via  ea7b1caa410 s4:mitkdc: Set KRB5_KDB_NO_AUTH_DATA_REQUIRED based on sdb no_auth_data_reqd
       via  c9653e511d9 selftest: More tests are passing with MIT KRB5 >= 1.20
       via  f1ec950aeb4 s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
       via  cd0efd38d67 s4:kdc: Align sflags type
      from  cb10b8704e8 s3:script: Reformat shell scripts

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit e25d6c89bef298ac8cd8c2fb7b49f6cbd4e05ba5
Author: Andreas Schneider
Date:   Thu Jan 13 08:43:23 2022 +0100

    WHATSNEW: Bronze bit, S4U and RBDC support with MIT Kerberos 1.20

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Fri Mar 4 14:58:20 UTC 2022 on sn-devel-184

commit d1d47a5544998fa1bfe4ef20270d0cb35bb8adef
Author: Andreas Schneider
Date:   Tue Jan 18 11:13:21 2022 +0100

    gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease)

    This adds test against MIT Kerberos 1.20 (prerelease) in order to test
    Bronze Bit, S4U and RBCD functionality supported only in current MIT
    Kerberos git master.

    We created a Fedora COPR package for MIT KRB5 1.20 (prerelease). MIT
    Kerberos 1.20 will be released in autumn 2022. As soon as MIT Kerberos
    1.20 will be in a Fedora release, these runners will be removed again.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit e908bbb1b3bf55011f2ee861b89b3a7b1f732af5
Author: Andreas Schneider
Date:   Tue Jan 18 16:22:41 2022 +0100

    gitlab-ci: Print the krb5 version

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit d0e4b612c248e728b8f9575a7cca278f09ee115a
Author: Andreas Schneider
Date:   Tue Dec 7 16:02:35 2021 +0100

    s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD)

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit c7be3d1fffecff1d6709880b3293114a8c2d328d
Author: Andreas Schneider
Date:   Tue Dec 14 11:17:15 2021 +0100

    s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD

    This just implements a call in the MIT KDB shim layer. It will be used
    in the next commits in the KDB plugin.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit 5c4afce7bbf8845a34efcd0f83aad51c4aa7e96c
Author: Andreas Schneider
Date:   Tue Dec 14 11:16:12 2021 +0100

    s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd()

    This will be used by the MIT KDB plugin in the next commits.

    A security descriptor created by Windows looks like this:

    security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8004 (32772)
               0: SEC_DESC_OWNER_DEFAULTED
               0: SEC_DESC_GROUP_DEFAULTED
               1: SEC_DESC_DACL_PRESENT
               0: SEC_DESC_DACL_DEFAULTED
               0: SEC_DESC_SACL_PRESENT
               0: SEC_DESC_SACL_DEFAULTED
               0: SEC_DESC_DACL_TRUSTED
               0: SEC_DESC_SERVER_SECURITY
               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
               0: SEC_DESC_DACL_AUTO_INHERITED
               0: SEC_DESC_SACL_AUTO_INHERITED
               0: SEC_DESC_DACL_PROTECTED
               0: SEC_DESC_SACL_PROTECTED
               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE
        owner_sid                : *
            owner_sid                : S-1-5-32-544
        group_sid                : NULL
        sacl                     : NULL
        dacl                     : *