[Pkg-samba-maint] [samba] branch master updated (04da991 -> fcb7933)
Jelmer Vernooij
jelmer at moszumanska.debian.org
Sat Apr 16 00:20:39 UTC 2016
This is an automated email from the git hooks/post-receive script.
jelmer pushed a change to branch master
in repository samba.
from 04da991 Release 2:4.3.7+dfsg-1 to unstable
new f787cb0c Add patch no_build_system.patch: drop host-specific define that prevents reproducible builds.
new 298378d Update watch file to retrieve 4.3.X.
new c23f677 VERSION: Bump version up to 4.3.6...
new 76f6cf5 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
new fa1c482 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
new 774e210 CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
new 0be03f1 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
new 2907193 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
new e27f9a4 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
new 062876f CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
new 63ae57f CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
new 25963b1 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
new 444ba8f CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
new ceb6dcc CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
new c68280d CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
new 7ee8a4c CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
new efaf509 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
new 7693d68 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
new df431a3 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
new 1c69840 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
new 3196b9e CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
new 18faca0 CVE-2016-0771: tests/dns: prepare script for further testing
new 51ac36e CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
new 9f7a2a1 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
new 4011a52 CVE-2016-0771: tests/dns: restore formerly segfaulting test
new 3bca5fc CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
new 63103d1 CVE-2016-0771: tests/dns: Add some more test cases for TXT records
new eb46848 CVE-2016-0771: tests/dns: modify tests to check via RPC
new 2b4c7db CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
new ad5e885 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
new 0dea999 CVE-2016-0771: tests: rename test getopt to get_opt
new 7a11d99 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
new b428ecb CVE-2016-0771: tests/dns: Remove dependencies on env variables
new d6bd81e WHATSNEW: Add release notes for Samba 4.3.6.
new c7a93d7 VERSION: Disable git snapshots for the 4.3.6 release.
new a06c22f VERSION: Bump version up to 4.3.7...
new b5c5fec Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
new 980785a asn1: Remove an unused asn1 function
new 7ef1333 asn1: Make asn1_peek_full_tag return 0/errno
new bb6607a asn1: Add overflow check to asn1_write
new 6d2f6e1 asn1: Add some early returns
new d51a607 asn1: Make "struct nesting" private
new 4b04663 asn1: Add asn1_has_error()
new 89d0afc lib: Use asn1_has_error()
new a330540 asn1: Add asn1_set_error()
new 274c9a4 lib: Use asn1_set_error()
new a44d9bb asn1: Add asn1_extract_blob()
new 2b11481 lib: Use asn1_extract_blob()
new 9ac8312 asn1: Add asn1_has_nesting
new 54aecd7 lib: Use asn1_has_nesting
new 95fa77f asn1: Add asn1_current_ofs()
new 9c89afd lib: Use asn1_current_ofs()
new c27fd04 libcli: Remove a reference to asn1->ofs
new 66ea451 asn1: Remove a reference to asn1_data internals
new 83b6653 asn1: Make 'struct asn1_data' private
new 5bbf46e s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
new 62e5169 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
new 24c6d42 s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
new e73cfb9 tls: increase Diffie-Hellman group size to 2048 bits
new 5b4999a ntlmssp: add some missing defines from MS-NLMP to our IDL.
new 1e0e8d6 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
new 42c2d63 ntlmssp: properly document version defines in IDL (from MS-NLMP).
new 1865f12 ntlmssp: when pulling messages it is important to clear memory first.
new 109618b s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
new a54b256 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
new 97ac363 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
new 14f4002 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
new 7019a9c s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
new 5530d91 s4:torture/ntlmssp fix a compiler warning
new a70f620 spnego: Correctly check asn1_tag_remaining retval
new 6b6fbcf lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
new 7f24c0b lib/util_net: add support for .ipv6-literal.net
new 16e14f9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
new 0d53d8a s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
new 0117f64 epmapper.idl: make epm_twr_t available in python bindings
new e7595fa dcerpc.idl: make WERROR RPC faults available in ndr_print output
new 3121494 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
new 49a7697 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
new 0555445 s3:libads: remove unused ads_connect_gc()
new 88a09dc wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
new 4357b22 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
new 91e2717 s3:librpc/gse: fix debug message in gse_init_client()
new 2b351b7 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
new 47272c3 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
new 5a046d5 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
new f702a9e s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
new b474d13 s4:pygensec: make sig_size() and sign/check_packet() available
new 2e6af15 auth/gensec: keep a pointer to a possible child/sub gensec_security context
new 35f80cf auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
new 9e42312 auth/gensec: make gensec_security_by_name() public
new a0feacf s3:auth_generic: add auth_generic_client_start_by_name()
new 14b2a51 s3:auth_generic: add auth_generic_client_start_by_sasl()
new aa0ed80 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
new 33f7f44 auth/ntlmssp: add gensec_ntlmssp_server_domain()
new 8800015 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
new 2dac558 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
new 0f54d60 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
new c9d2b8d s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
new cb7bf55 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
new 993420f s3:auth_generic: make use of the top level NTLMSSP client code
new 3585e41 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
new 7fcefea auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
new 7303a10 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
new 81745b6 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
new 6ee35d9 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
new aea667c winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
new db7e894 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
new 3938b90 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
new 6d18d46 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
new 34ce552 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
new c8059be auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
new a575c5e auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
new 9419ce6 auth/ntlmssp: add ntlmssp_version_blob()
new 3a52567 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
new 00fbd5b auth/ntlmssp: use ntlmssp_version_blob() in the server
new c3392f3 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
new 983edc9 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
new 30b4e8f ntlmssp.idl: make AV_PAIR_LIST public
new 3136ede librpc/ndr: add ndr_ntlmssp_find_av() helper function
new 192d5be auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
new 6d08a2a auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
new 294ef73 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
new 1016c9d auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
new debafe8 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
new 58478f4 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
new b000387 s4:libcli/ldap: fix retry authentication after a bad password
new ccc1c51 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
new e2bea35 s4:selftest: simplify the loops over samba4.ldb.ldap
new 95461fb s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
new 383d18d s3:libads: add missing TALLOC_FREE(frame) in error path
new c63d32b s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
new 4cbf13e s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
new 3d3725b s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
new e952e63 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
new d19d039 s3:libads: keep service and hostname separately in ads_service_principal
new 59b8032 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
new bbc4eb8 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
new e8b6ef4 s3:libsmb: unused ntlmssp.c
new 1498885 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
new c4c3bd6 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
new 70d546d s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
new 8a1d0a9 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
new 979fc6a s3:libsmb: remove unused cli_session_setup_kerberos*() functions
new 2d6afd9 s3:libsmb: remove unused functions in clispnego.c
new e09c17a s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
new 32ad277 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
new fd1e4ec s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
new 44e2da8 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
new 5182c93 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
new 663ec33 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
new 1346b27 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
new f91a66f selftest: s!addc.samba.example.com!addom.samba.example.com!
new 158e06d selftest: add some helper scripts to mange a CA
new 08976c4 selftest: add config and script to create a samba.example.com CA
new 8be3031 selftest: add CA-samba.example.com (non-binary) files
new f058da2 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
new 0ad8ef8 selftest: add Samba::prepare_keyblobs() helper function
new 739e896 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
new 1311631 selftest: set tls crlfile if it exist
new 3f05c5a selftest: setup information of new samba.example.com CA in the client environment
new 6a3a45d s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
new 1103a6b s3:test_rpcclient_samlogon.sh: test samlogon with schannel
new 46f52e7 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
new 8665944 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
new 1cd3836 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
new 61a09ae s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
new 5cdddba s4:torture/rpc/schannel: don't use validation level 6 without privacy
new c0beb87 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
new a6e7f49 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
new bca3039 s4:rpc_server: require access to the machine account credentials
new 6db7be4 s4-smb_server: check for return code of cli_credentials_set_machine_account().
new 656795b s3-auth: check for return code of cli_credentials_set_machine_account().
new e681d11 libsmb: Fix CID 1356312 Explicit null dereferenced
new ba36c3f libads: Fix CID 1356316 Uninitialized pointer read
new 343637b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
new cce2e6a s3:rpc_server/samr: correctly handle session_extract_session_key() failures
new 25f0a4c s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
new 8df0d59 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
new f914050 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
new 4e5c214 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
new d29c945 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
new a7a0d2e CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
new 2ee222b CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
new 677e214 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
new 8714377 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
new 0e3bb02 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
new efe18dc CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
new 9440fa8 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
new 3673533 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
new f32ad5c CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
new 3ae39af CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
new b5e95cc CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
new 8cae040 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
new 1cc7fbe CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
new a278c35 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
new 299b49f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
new 39dd2c6 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
new 95a1c91 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
new fc9df72 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
new a6d1056 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
new b76361d CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
new fb8bb0f CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
new 2f393b3 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
new b9b3b1e CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
new 630e39d CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
new 7434b8d CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
new 5074d1e CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
new 984d024 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
new 473bbfa CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
new 9784d68 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
new 8e1e621 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
new b6899e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
new 5dbffb8 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
new a1ae538 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
new f22b75d CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
new f319256 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
new eaabdc1 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
new 3dbb32c CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
new 3643bc9 CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
new e260f6a CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
new ff1e470 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
new dbdd9cb CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
new 60647fa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
new a8c60aa CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
new b723d97 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
new e072666 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
new 6977700 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
new 5172192 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
new e9cfd12 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
new b012535 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
new 963236f CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
new 90cc943 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
new c7f2a10 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
new 8dad04c CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
new a027a87 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
new 104a691 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
new 27f1625 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
new 9ca8e88 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
new fc02668 CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
new c20ee1b CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
new 54a039d CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
new 389b15e CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
new fdac236 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
new dc4f8d0 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
new d778580 CVE-2016-2113: selftest: use "tls verify peer = no_check"
new 641cbcc CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
new 2217276 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
new 67f8524 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
new 7c6c666 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
new 8611441 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
new 25b05a8 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
new 2f7d773 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
new 9fa185c CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
new 668cc85 CVE-2016-2115: docs-xml: add "client ipc signing" option
new 2c13697 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
new c21c9a3 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
new 7903203 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
new 60851a0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
new 2220923 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
new e0588d9 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
new 5859266 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
new 2b23bc3 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
new bdff08d CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
new 38552d7 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
new 9339d90 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
new 27c66c4 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
new b66500f CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
new cdad358 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
new 2d68100 CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
new fa2630f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
new 31e7611 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
new e8dc268 CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
new 5eb6341 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
new 9bfa937 CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
new 0a3d923 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
new d5659c7 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
new 9ae9c64 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
new 101e8e8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
new 979067f CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
new e7be37e CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
new 7b93802 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
new ca98500 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 20e4023 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 7869c5f CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 8f219a0 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
new 6045947 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
new a2d14bb CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
new 3ba93ce CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
new 1ac5f37 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 4762d25 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
new e9718e2 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
new 45a9ca1 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
new 6602e7e CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
new e96791f CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
new 82dd128 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
new 1c7be37 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
new 47d8c31 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
new f64b017 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
new 5be0fb1 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
new e39b737 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
new 71c2c21 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
new 0899c0a CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
new 3df2b07 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
new e6da619 CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
new 220e4ca CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
new 447f9f1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
new 821d484 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
new 21b9022 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
new 735d4ba CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
new 9b9d307 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
new 1551c41 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
new 443e00f CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
new df2dcc1 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
new 0235d72 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
new 08f976d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
new 308543b CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
new 16e3a4c CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
new f8b98b3 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
new 5325276 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
new 1077b50 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
new fd3b82e CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
new 563d8fe CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
new 3165b23 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
new 5eb3b63 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
new 69e1d93 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
new 8ba1be0 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
new 4ea6765 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
new 9f62223 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
new 6db7571 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
new 5ab994c CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
new e9511b5 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
new 2ed603a CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
new 26ad208 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
new 6b2d064 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
new 1d99eec CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
new a7d02ec CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
new 6228c53 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
new f0d318f CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
new cf0a939 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
new e0b58a1 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
new 615019f CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
new 6ed0ef7 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
new 0e26f3c CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
new d249ce6 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
new 3239e26 CVE-2015-5370: s4:rpc_server: check frag_length for requests
new f77f9bf CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
new 67e2661 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
new 795b44e CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
new cce7265 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
new db30949 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
new 28d558e CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
new f39183c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
new f606cfd CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
new 8e691e7 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
new e87721a CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
new 0cf8404 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
new 905313c CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
new db297a7 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
new a4a828e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
new 8695339 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
new 476c2f5 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
new d11c5d3 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
new 84cbf3d CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
new e1b75bc CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
new 9832a22 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
new 11df891 CVE-2015-5370: s3:rpc_server: verify presentation context arrays
new 3f6a270 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
new dbcd01e CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
new 14d97d4 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
new adaf1ae CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
new 278cdd1 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
new f3a67c2 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
new 46ddaf3 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
new 73550f4 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
new 7f2d791 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
new 7ab9a8c CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
new bc001b0 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
new 365fffe CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
new 4449c51 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
new ac0d474 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
new cd2911f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
new 51a4a8f CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
new 6ac5ad0 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
new a141a37 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
new 21fe775 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
new 9ec6afa CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
new 0e2bcca CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
new 17e1b9f WHATSNEW: Add release notes for Samba 4.3.7.
new 6597749 VERSION: Disable git snapshots for the 4.3.7 release.
new caa886e VERSION: Bump version up to 4.3.8...
new ad9257b s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
new 10e9011 WHATSNEW: Add release notes for Samba 4.3.8.
new 4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
new 9b35890 Imported Upstream version 4.3.8+dfsg
new eb5dcf0 Merge tag 'upstream/4.3.8+dfsg' into unstable
new fcb7933 Bump version in Replaces: samba-libs for samba-vfs-modules to 4.3.2+dfsg-1, to fix jessie->stretch upgrades. Closes: #821070
The 396 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 28 +++++++++++++-
buildtools/wafsamba/wscript | 1 -
debian/changelog | 14 +++++++
debian/control | 2 +-
debian/patches/no_build_system.patch | 12 ++++++
...-prerequisite-v4-3-regression-fixes.metze01.txt | 43 ----------------------
debian/patches/series | 2 +-
debian/watch | 2 +-
docs/manpages/dbwrap_tool.1 | 4 +-
docs/manpages/eventlogadm.8 | 4 +-
docs/manpages/findsmb.1 | 4 +-
docs/manpages/idmap_ad.8 | 4 +-
docs/manpages/idmap_autorid.8 | 4 +-
docs/manpages/idmap_hash.8 | 4 +-
docs/manpages/idmap_ldap.8 | 4 +-
docs/manpages/idmap_nss.8 | 4 +-
docs/manpages/idmap_rfc2307.8 | 4 +-
docs/manpages/idmap_rid.8 | 4 +-
docs/manpages/idmap_script.8 | 4 +-
docs/manpages/idmap_tdb.8 | 4 +-
docs/manpages/idmap_tdb2.8 | 4 +-
docs/manpages/libsmbclient.7 | 4 +-
docs/manpages/lmhosts.5 | 4 +-
docs/manpages/log2pcap.1 | 4 +-
docs/manpages/net.8 | 8 ++--
docs/manpages/nmbd.8 | 4 +-
docs/manpages/nmblookup.1 | 4 +-
docs/manpages/ntlm_auth.1 | 4 +-
docs/manpages/pam_winbind.8 | 4 +-
docs/manpages/pam_winbind.conf.5 | 4 +-
docs/manpages/pdbedit.8 | 4 +-
docs/manpages/profiles.1 | 4 +-
docs/manpages/rpcclient.1 | 4 +-
docs/manpages/samba-regedit.8 | 4 +-
docs/manpages/samba-tool.8 | 4 +-
docs/manpages/samba.7 | 4 +-
docs/manpages/samba.8 | 4 +-
docs/manpages/sharesec.1 | 4 +-
docs/manpages/smb.conf.5 | 4 +-
docs/manpages/smbcacls.1 | 4 +-
docs/manpages/smbclient.1 | 4 +-
docs/manpages/smbcontrol.1 | 4 +-
docs/manpages/smbcquotas.1 | 4 +-
docs/manpages/smbd.8 | 4 +-
docs/manpages/smbget.1 | 4 +-
docs/manpages/smbgetrc.5 | 4 +-
docs/manpages/smbpasswd.5 | 4 +-
docs/manpages/smbpasswd.8 | 4 +-
docs/manpages/smbspool.8 | 4 +-
docs/manpages/smbspool_krb5_wrapper.8 | 4 +-
docs/manpages/smbstatus.1 | 4 +-
docs/manpages/smbta-util.8 | 4 +-
docs/manpages/smbtar.1 | 4 +-
docs/manpages/smbtree.1 | 4 +-
docs/manpages/testparm.1 | 4 +-
docs/manpages/vfs_acl_tdb.8 | 4 +-
docs/manpages/vfs_acl_xattr.8 | 4 +-
docs/manpages/vfs_aio_fork.8 | 4 +-
docs/manpages/vfs_aio_linux.8 | 4 +-
docs/manpages/vfs_aio_pthread.8 | 4 +-
docs/manpages/vfs_audit.8 | 4 +-
docs/manpages/vfs_btrfs.8 | 4 +-
docs/manpages/vfs_cacheprime.8 | 4 +-
docs/manpages/vfs_cap.8 | 4 +-
docs/manpages/vfs_catia.8 | 4 +-
docs/manpages/vfs_ceph.8 | 4 +-
docs/manpages/vfs_commit.8 | 4 +-
docs/manpages/vfs_crossrename.8 | 4 +-
docs/manpages/vfs_default_quota.8 | 4 +-
docs/manpages/vfs_dirsort.8 | 4 +-
docs/manpages/vfs_extd_audit.8 | 4 +-
docs/manpages/vfs_fake_perms.8 | 4 +-
docs/manpages/vfs_fileid.8 | 4 +-
docs/manpages/vfs_fruit.8 | 4 +-
docs/manpages/vfs_full_audit.8 | 4 +-
docs/manpages/vfs_glusterfs.8 | 4 +-
docs/manpages/vfs_gpfs.8 | 4 +-
docs/manpages/vfs_linux_xfs_sgid.8 | 4 +-
docs/manpages/vfs_media_harmony.8 | 4 +-
docs/manpages/vfs_netatalk.8 | 4 +-
docs/manpages/vfs_prealloc.8 | 4 +-
docs/manpages/vfs_preopen.8 | 4 +-
docs/manpages/vfs_readahead.8 | 4 +-
docs/manpages/vfs_readonly.8 | 4 +-
docs/manpages/vfs_recycle.8 | 4 +-
docs/manpages/vfs_scannedonly.8 | 4 +-
docs/manpages/vfs_shadow_copy.8 | 4 +-
docs/manpages/vfs_shadow_copy2.8 | 4 +-
docs/manpages/vfs_shell_snap.8 | 4 +-
docs/manpages/vfs_smb_traffic_analyzer.8 | 4 +-
docs/manpages/vfs_snapper.8 | 4 +-
docs/manpages/vfs_streams_depot.8 | 4 +-
docs/manpages/vfs_streams_xattr.8 | 4 +-
docs/manpages/vfs_syncops.8 | 4 +-
docs/manpages/vfs_time_audit.8 | 4 +-
docs/manpages/vfs_tsmsm.8 | 4 +-
docs/manpages/vfs_unityed_media.8 | 4 +-
docs/manpages/vfs_worm.8 | 4 +-
docs/manpages/vfs_xattr_tdb.8 | 4 +-
docs/manpages/vfs_zfsacl.8 | 4 +-
docs/manpages/vfstest.1 | 4 +-
docs/manpages/wbinfo.1 | 4 +-
docs/manpages/winbind_krb5_locator.7 | 4 +-
docs/manpages/winbindd.8 | 4 +-
105 files changed, 251 insertions(+), 243 deletions(-)
create mode 100644 debian/patches/no_build_system.patch
delete mode 100644 debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
More information about the Pkg-samba-maint
mailing list