[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5442c47dad2 libsmb: increase a debug level when site-aware DC lookup failed from 9bab902fc50 CVE-2023-3347: smbd: fix "server signing = mandatory" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5442c47dad2d1c018b60a3a1e19c400bd0f4b4ac Author: Ralph Boehme Date: Thu Jul 20 17:08:19 2023 +0200 libsmb: increase a debug level when site-aware DC lookup failed Signed-off-by: Ralph Boehme Reviewed-by: Noel Power Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Fri Jul 21 16:19:35 UTC 2023 on atb-devel-224 --- Summary of changes: source3/libsmb/namequery.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 4733aaed693..e6c0c7d2a09 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -3472,10 +3472,10 @@ NTSTATUS get_sorted_dc_list(TALLOC_CTX *ctx, ); if (NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) && sitename) { - DBG_NOTICE("no server for name %s available" - " in site %s, fallback to all servers\n", - domain, - sitename); + DBG_WARNING("No server for domain '%s' available" + " in site '%s', fallback to all servers\n", + domain, + sitename); status = get_dc_list(ctx, domain, NULL, -- Samba Shared Repository
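Review bot: In the get_sorted_dc_list() hunk, the commit subject only mentions the debug level, but the message text is rewritten as well (`no server for name %s` becomes `No server for domain '%s'`, with quotes added around both values), and the commit message gives no reason why the site fallback now merits DBG_WARNING. Log-monitoring rules or tests that match the old string will stop matching, so please mention the wording change and the reason for the new level in the commit message.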
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  9bab902fc50 CVE-2023-3347: smbd: fix "server signing = mandatory"
       via  5a222ac3718 CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()
       via  59131d6c345 CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()
       via  1662eeeb7a6 CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()
       via  a9a2b182df7 CVE-2023-3347: CI: add a test for server-side mandatory signing
       via  578e434a941 CVE-2023-34968: mdssvc: return a fake share path
       via  94fcbec8af5 CVE-2023-34968: mdscli: return share relative paths
       via  d402c0cc6ad CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
       via  ac9008a20c8 CVE-2023-34968: mdssvc: switch to doing an early return
       via  33b82c6185b CVE-2023-34968: mdssvc: remove response blob allocation
       via  5c9efa9604d CVE-2023-34968: rpcclient: remove response blob allocation
       via  6d77daa3af0 CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
       via  e85e09eee93 CVE-2023-34968: mdscli: remove response blob allocation
       via  617fe37cc2a CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
       via  70184ef3b40 CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
       via  02552493e37 CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map
       via  4c60e35add4 CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
       via  3b3c30e2acf CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
       via  38664163fca CVE-2023-34966: mdssvc: harden sl_unpack_loop()
       via  10b6890d26b CVE-2023-34966: CI: test for sl_unpack_loop()
       via  e067c523b17 CVE-2022-2127: ntlm_auth: cap lanman response length value
       via  b2de71734f0 CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
      from  76ad44f446c lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 9bab902fc50f88869b253c4089d83b3e33a1075a
Author: Ralph Boehme
Date:   Tue Jun 20 15:33:02 2023 +0200

    CVE-2023-3347: smbd: fix "server signing = mandatory"

    This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
    calling srv_init_signing() very early after accepting the connection in
    smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

    Signed-off-by: Ralph Boehme

    Autobuild-User(master): Jule Anger
    Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224

commit 5a222ac37183ba5dd717d81c7e57f78e59695a67
Author: Ralph Boehme
Date:   Tue Jun 20 18:13:23 2023 +0200

    CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()

    This is just going to bitrot. Anyone who's interested can just grep for
    "signing_mandatory" and look up what it does.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

    Signed-off-by: Ralph Boehme

commit 59131d6c345864dcf1ed3331c52ce35ddc5db2dc
Author: Ralph Boehme
Date:   Wed Jun 21 15:10:58 2023 +0200

    CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()

    It's now a one-line function, imho the overall code is simpler if that code is
    just inlined.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

    Signed-off-by: Ralph Boehme

commit 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a
Author: Ralph Boehme
Date:   Wed Jun 21 15:06:12 2023 +0200

    CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()

    No change in behaviour.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

    Signed-off-by: Ralph Boehme

commit a9a2b182df738fd283f820e162d189d20010ad63
Author: Ralph Boehme
Date:   Tue Jun 20 12:46:31 2023 +0200

    CVE-2023-3347: CI: add a test for server-side mandatory signing

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

    Signed-off-by: Ralph Boehme

commit 578e434a94147dc2d7dbfc006d2ab84807859c1d
Author: Ralph Boehme
Date:   Mon Jun 5 18:02:20 2023 +0200

    CVE-2023-34968: mdssvc: return a fake share path

    Instead of returning the real server-side absolute path of shares and search
    results, return a fake absolute path replacing the path of the share with the
    share name, iow for a share "test" with a server-side path of "/foo/bar", we
    previously returned

      /foo/bar and
      /foo/bar/search/result

    and now return

      /test and
      /test/search/result

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

    Signed-off-by: Ralph Boehme
    Reviewed-by: Stefan Metzmacher

commit
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  76ad44f446c lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
       via  414b3803bb6 lib/cmdline: Also burn the --password2 parameter if given
       via  a53ebc288f4 samba-tool: Use samba.glue.get_burnt_cmdline rather than regex
       via  3f9e4558985 python: Add glue.burn_commandline() method
       via  5afd206d1d8 python: Remove const from PyList_AsStringList()
       via  fd81759e2ed python: Move PyList_AsStringList to common code so we can reuse
       via  848fea1a01a lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()
      from  0da6cc71054 claims.idl: Fix AD claims encoding

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 76ad44f446c42832e87b2c60a4731a8de3a0018f
Author: Andrew Bartlett
Date:   Fri Jul 21 15:39:28 2023 +1200

    lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224

commit 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03
Author: Andrew Bartlett
Date:   Fri Jul 21 14:35:20 2023 +1200

    lib/cmdline: Also burn the --password2 parameter if given

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit a53ebc288f47329c997d52325eeeb5e91ce43b75
Author: Andrew Bartlett
Date:   Fri Jul 21 13:30:39 2023 +1200

    samba-tool: Use samba.glue.get_burnt_cmdline rather than regex

    This use avoids having two different methods to match on command-line
    passwords.

    We already have a dependency on the setproctitle python module, and this does
    not change as the (C) libbsd setproctitle() can't be run from within a python
    module.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 3f9e455898554b726bf1689f743b2d9cb6b59537 Author: Andrew Bartlett Date: Fri Jul 21 13:29:22 2023 +1200 python: Add glue.burn_commandline() method This uses samba_cmdline_burn() to as to have common command line redaction code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5afd206d1d8f0344a2f1fa7a238204d1fb164eda Author: Andrew Bartlett Date: Fri Jul 21 14:32:46 2023 +1200 python: Remove const from PyList_AsStringList() The returned strings are not owned by python, so need not be const. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit fd81759e2ed44cac3bc67243a39256f953969103 Author: Andrew Bartlett Date: Fri Jul 21 14:31:30 2023 +1200 python: Move PyList_AsStringList to common code so we can reuse BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 848fea1a01a4ddc1598150823d5d0784d3ef0be4 Author: Andrew Bartlett Date: Fri Jul 21 15:27:00 2023 +1200 lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: lib/cmdline/cmdline.c | 17 +-- lib/cmdline/cmdline.h | 4 ++- python/modules.c | 35 + python/modules.h | 7 + python/pyglue.c| 60 python/samba/getopt.py | 69 -- python/samba/tests/cred_opt.py | 14 ++--- python/wscript | 1 + source4/auth/pyauth.c | 38 ++- source4/auth/wscript_build | 4 ++- 10 files changed, 156 insertions(+), 93 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c index de34a798aaf..db962146bd2 100644 --- a/lib/cmdline/cmdline.c +++ b/lib/cmdline/cmdline.c 
@@ -135,8 +135,9 @@ void samba_cmdline_set_machine_account_fn( cli_credentials_set_machine_account_fn = fn; } -void samba_cmdline_burn(int argc, char *argv[]) +bool samba_cmdline_burn(int argc, char *argv[]) { + bool burnt = false; bool found = false; bool is_user = false; char *p = NULL; @@ -146,9 +147,13 @@ void samba_cmdline_burn(int argc, char *argv[]) for (i = 0; i < argc; i++) { p = argv[i]; if (p == NULL) { - return; +
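Review bot: At the top of samba_cmdline_burn(), the new `bool burnt` is declared next to the existing `bool found` with nothing to tell the two flags apart. Since the return type changes from void to bool here, add a short comment saying which flag is the value handed back to the caller, and document in cmdline.h what a true return means.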
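Review bot: In the loop's `p == NULL` branch, the bare `return;` must become a value return now that the function returns bool, and its replacement line is cut off in this truncated changeset. It should return `burnt` rather than a constant, so that arguments already redacted before the NULL entry are still reported to the caller.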