[Pkg-samba-maint] [samba] branch experimental updated (1329238 -> 9b7c700)
Jelmer Vernooij
jelmer at moszumanska.debian.org
Wed Apr 27 01:17:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
jelmer pushed a change to branch experimental
in repository samba.
from 1329238 Release 2:4.4.1+dfsg-1 to experimental
adds 0d47877 Merge in 4.3 history.
adds 2a33a44 VERSION: Bump version up to 4.0.1...
adds 0c1671a ntlmssp: add some missing defines from MS-NLMP to our IDL.
adds 9ed62a3 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
adds 3b93cf0 ntlmssp: properly document version defines in IDL (from MS-NLMP).
adds b1f72ca ntlmssp: when pulling messages it is important to clear memory first.
adds 98466ff s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
adds dd6b293 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
adds f39d6d4 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
adds baa0a10 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
adds 2e8f4c8 s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
adds 4d73b84 s4:torture/ntlmssp fix a compiler warning
adds 84f8c9a spnego: Correctly check asn1_tag_remaining retval
adds b0c603c lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
adds c51b125 lib/util_net: add support for .ipv6-literal.net
adds 338e1a9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
adds 557fc14 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
adds b6a1b04 epmapper.idl: make epm_twr_t available in python bindings
adds 6ea3642 dcerpc.idl: make WERROR RPC faults available in ndr_print output
adds d356450 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
adds 93332f4 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
adds 1a5f082 s3:libads: remove unused ads_connect_gc()
adds 26d4f25 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
adds 73f2fa6 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
adds b10c1db s3:librpc/gse: fix debug message in gse_init_client()
adds 55b0f3c s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
adds 1448dba s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
adds 8614c6c s3:librpc/gse: don't log gss_acquire_creds failed at level 0
adds 028c609 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
adds 9e8749a s4:pygensec: make sig_size() and sign/check_packet() available
adds 7cad825 auth/gensec: keep a pointer to a possible child/sub gensec_security context
adds 967282e auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
adds 1317625 auth/gensec: make gensec_security_by_name() public
adds 4f97bcb s3:auth_generic: add auth_generic_client_start_by_name()
adds 76e22d9 s3:auth_generic: add auth_generic_client_start_by_sasl()
adds 3d0fc91 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
adds c6aef8c auth/ntlmssp: add gensec_ntlmssp_server_domain()
adds 6b766dc s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
adds b8eabce s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
adds 06e6d37 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
adds eab2039 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
adds 6ed7942 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
adds 17d6b17 s3:auth_generic: make use of the top level NTLMSSP client code
adds 4f94262 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
adds 4e2e1f6 auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
adds 333e02b auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
adds cb0719d auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
adds 8f69094 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
adds b57c0e7 winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
adds 75bdf52 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
adds 2663f44 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
adds 2e40c60 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
adds 3adc8f5 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
adds 7494612 auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
adds 28725ef auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
adds 423f193 auth/ntlmssp: add ntlmssp_version_blob()
adds 47cebc5 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
adds 62d31f6 auth/ntlmssp: use ntlmssp_version_blob() in the server
adds 159be66 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
adds e2e7ffe ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
adds 92d7499 ntlmssp.idl: make AV_PAIR_LIST public
adds 5c61712 librpc/ndr: add ndr_ntlmssp_find_av() helper function
adds c9edc04 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
adds eafd97e auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
adds 2a496ba auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
adds 8f747f6 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
adds 482555b auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
adds 2ace844 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
adds f74c031 s4:libcli/ldap: fix retry authentication after a bad password
adds ff77277 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
adds 0577097 s4:selftest: simplify the loops over samba4.ldb.ldap
adds c5da725 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
adds 52629ac s3:libads: add missing TALLOC_FREE(frame) in error path
adds ea56849 s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
adds 468c68c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
adds 8e7229d s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
adds 1571a9f s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
adds 6507d6f s3:libads: keep service and hostname separately in ads_service_principal
adds a16bbec s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
adds 7767d82 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
adds 20c847f s3:libsmb: unused ntlmssp.c
adds 4b55e96 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
adds a7f8e94 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
adds a167728 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
adds d1921c6 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
adds 506ac99 s3:libsmb: remove unused cli_session_setup_kerberos*() functions
adds 5a8126d s3:libsmb: remove unused functions in clispnego.c
adds b282ac7 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
adds 528db7f s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
adds fe4cdee s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
adds 934f731 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
adds 511dfb4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
adds bb63122 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
adds df14c6a s4:rpc_server: dcesrv_generic_session_key should only work on local transports
adds da66e65 selftest: s!addc.samba.example.com!addom.samba.example.com!
adds 03479af selftest: add some helper scripts to mange a CA
adds 6a09084 selftest: add config and script to create a samba.example.com CA
adds bbb66a9 selftest: add CA-samba.example.com (non-binary) files
adds 91d2c97 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
adds 0e5d2dd selftest: add Samba::prepare_keyblobs() helper function
adds 5e62983 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
adds 46fa417 selftest: set tls crlfile if it exist
adds 8b90698 selftest: setup information of new samba.example.com CA in the client environment
adds ff65d5b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
adds 402d4ac s3:test_rpcclient_samlogon.sh: test samlogon with schannel
adds 10eda28 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
adds 8dea510 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
adds dba5783 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
adds eef3a10 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
adds 2c1fa78 s4:torture/rpc/schannel: don't use validation level 6 without privacy
adds 2779ec8 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
adds cbeff28 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
adds 168b015 s4:rpc_server: require access to the machine account credentials
adds 1b646bb s4-smb_server: check for return code of cli_credentials_set_machine_account().
adds 9f3ae00 s3-auth: check for return code of cli_credentials_set_machine_account().
adds 9af768f libsmb: Fix CID 1356312 Explicit null dereferenced
adds 40b3284 libads: Fix CID 1356316 Uninitialized pointer read
adds 54cd107 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
adds b4125aa s3:rpc_server/samr: correctly handle session_extract_session_key() failures
adds 1437724 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
adds ebd79e5 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
adds 00d1eaa9 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
adds e6e8da9 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
adds 5b86a85 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
adds 67787ff CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
adds 45a1008 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
adds 03ccba7 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
adds fc3582b CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
adds 3a934e1 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
adds beb1f96 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
adds 77d59f1 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
adds 6a56dd2 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
adds ce87fef CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
adds 6675796 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
adds 6b0ee68 CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
adds 769eec8 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
adds 95af5d9 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
adds f77cf81 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
adds d35bc35 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
adds c5032e9 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
adds 4956428 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
adds 861b86d CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
adds 0654735 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
adds e1101a6 CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
adds d960002 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
adds 1d33ade CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
adds aaf3893 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
adds ab0e71b CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
adds a193154 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
adds 80401c9 CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
adds 8421d13 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
adds 54fef0f CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
adds b38d560 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
adds 7f303d7 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
adds 379604a CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
adds dc359da CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
adds 7e5966f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
adds acd6697 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
adds f5035af CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
adds 7bad35b CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
adds 5d69272 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
adds 560213f CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
adds ae29971 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
adds be45c4b CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
adds 0d2e185 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
adds 187e32b CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
adds 76b1826 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
adds 01acb21 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
adds c4f9336 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
adds 52ae0cc CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
adds 483a926 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
adds 8105ff1 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
adds f44664d CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
adds d68c225 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
adds 39c169b CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
adds 5fbce21 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
adds 6db65fb CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
adds 2d2ab58 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
adds 36ec246 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
adds 5ec881c CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
adds cd4b292 CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
adds a443abe CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
adds 660dbb8 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
adds 5c94dfa CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
adds 2ced06d CVE-2016-2113: selftest: use "tls verify peer = no_check"
adds b2af10b CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
adds 4177489 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
adds cc8bbc3 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
adds 0b05bc9 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
adds 2c3649c CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
adds 09a7576 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
adds 39282d2 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
adds 863d419 CVE-2016-2115: docs-xml: add "client ipc signing" option
adds 8466fe8 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
adds f3da02a CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
adds ee4f114 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
adds dbe7a43 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
adds 2c62a54 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
adds f1dea29 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
adds 1309832 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
adds afda479 CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
adds 80102ed CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
adds 0422c64 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
adds fdd2807 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
adds 084b20e CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
adds f76e6f9 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
adds e7ef30e CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
adds d8c3cf1 CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
adds 3502195 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
adds e1de6ec CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
adds 778dab9 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
adds 5d4d8ec CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
adds be98e7e CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
adds 6142767 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
adds 70ba7b0 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
adds d565761 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
adds 2e9824e CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
adds 1a3c82e CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
adds c98143b CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
adds 34969d6 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
adds 6568d5d CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
adds 4862ee5 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
adds 36278e3 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
adds 2e4f09b CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
adds 3133233 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
adds ba69e95 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
adds 6750ffd CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
adds f425bfd CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
adds e675f63 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
adds fa0d681 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
adds 22ab56d CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
adds b77eab0 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
adds b095508 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
adds 4867460 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
adds 32d8e05 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
adds 3f447f6 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
adds 25e48af CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
adds 7ee85d6 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
adds 4907895 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
adds 245fc41 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
adds 33ee36e CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
adds 23f4243 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
adds e05c7dd CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
adds d3bb3ef CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
adds ac8910f CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
adds f64f451 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
adds 94de482 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
adds f89c218 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
adds a96543e CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
adds 50fc638 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
adds 7f348a7 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
adds b0349be CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
adds 8332714 CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
adds 58b1cdf CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
adds dc15870 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
adds 1ed3e26 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
adds 8ad4695 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
adds 62f8a54 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
adds 08ec7e7 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
adds 83d93a8 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
adds f9ed1a9 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
adds 7c2984a CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
adds 448435a CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
adds eb16dfa CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
adds a689216 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
adds c8a1adb CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
adds b5d0de4 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
adds e3c1c20 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
adds 75d9b58 CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
adds 503d08d CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
adds af03332e CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
adds e365d16 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
adds e3775db CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
adds bf333e9 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
adds cace627 CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
adds 3d075a4 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
adds 9e86b09 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
adds 6a9b4ca CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
adds a3008ec CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
adds d7af609 CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
adds 74347a4 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
adds d1ffe41 CVE-2015-5370: s4:rpc_server: check frag_length for requests
adds 2fd10be CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
adds 9625f91 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
adds 7e682ed CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
adds ddd4d03 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
adds b1b538a CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
adds dd2c270 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
adds 569781f CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
adds dfab482 CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
adds 654d8a5 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
adds f4ef85f CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
adds 5c495ab CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
adds 4c51c89 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
adds 8c7d8c8 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
adds 56014f6 CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
adds e6cdac4 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
adds 087b363 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
adds bf4a716 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
adds 198ecf4 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
adds 5148a26 CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
adds 218bd4a CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
adds d2c964f CVE-2015-5370: s3:rpc_server: verify presentation context arrays
adds 6456408 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
adds 9c2592f CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
adds a9c46e8 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
adds 5cfe5ec CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
adds 7b902c3 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
adds 6fd2714 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
adds e84519d CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
adds 57d5a84 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
adds 6d509e3 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
adds a3fc86d CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
adds a663ad5 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
adds 518f8bb CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
adds 49379e4 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
adds 97a0811 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
adds b65429f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
adds 45a2445 CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
adds 4a496d3 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
adds 9d953e2 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
adds 78b84d5 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
adds 2c6f01d CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
adds 13e3e81 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
adds bd94b86 WHATSNEW: Add release notes for Samba 4.4.1.
adds c8180d1 VERSION: Disable git snapshots for the 4.4.1 release.
adds bfc9525 VERSION: Bump version up to 4.4.2...
adds 87fb3b8 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
adds 370b3dd WHATSNEW: Add release notes for Samba 4.4.2.
adds 71de921 VERSION: Disable git snapshots for the 4.4.2 release.
adds ecc3685 Imported Upstream version 4.4.2+dfsg
adds 94dc541 Merge tag 'upstream/4.4.2+dfsg' into experimental
adds 5e55407 New upstream release.
adds 411c6db Bump standards version to 3.9.8 (no changes).
adds f02ade3 Fix NEWS file syntax.
adds 6d08067 Fix formatting of my last name.
adds a63ddff Drop build dependency on perl-modules; depend on perl instead.
adds e75c984 Update overrides.
adds 9b7c700 releasing package samba version 2:4.4.2+dfsg-1
No new revisions were added by this update.
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 28 ++++++++++++-
debian/NEWS | 2 +-
debian/changelog | 9 ++++
debian/control | 5 +--
...-prerequisite-v4-4-regression-fixes.metze01.txt | 48 ----------------------
debian/patches/series | 1 -
debian/samba-libs.lintian-overrides | 3 +-
docs/manpages/cifsdd.8 | 4 +-
docs/manpages/dbwrap_tool.1 | 4 +-
docs/manpages/eventlogadm.8 | 4 +-
docs/manpages/findsmb.1 | 4 +-
docs/manpages/idmap_ad.8 | 4 +-
docs/manpages/idmap_autorid.8 | 4 +-
docs/manpages/idmap_hash.8 | 4 +-
docs/manpages/idmap_ldap.8 | 4 +-
docs/manpages/idmap_nss.8 | 4 +-
docs/manpages/idmap_rfc2307.8 | 4 +-
docs/manpages/idmap_rid.8 | 4 +-
docs/manpages/idmap_script.8 | 4 +-
docs/manpages/idmap_tdb.8 | 4 +-
docs/manpages/idmap_tdb2.8 | 4 +-
docs/manpages/libsmbclient.7 | 4 +-
docs/manpages/lmhosts.5 | 4 +-
docs/manpages/log2pcap.1 | 4 +-
docs/manpages/net.8 | 4 +-
docs/manpages/nmbd.8 | 4 +-
docs/manpages/nmblookup.1 | 4 +-
docs/manpages/ntlm_auth.1 | 4 +-
docs/manpages/pam_winbind.8 | 4 +-
docs/manpages/pam_winbind.conf.5 | 4 +-
docs/manpages/pdbedit.8 | 4 +-
docs/manpages/profiles.1 | 4 +-
docs/manpages/rpcclient.1 | 4 +-
docs/manpages/samba-regedit.8 | 4 +-
docs/manpages/samba-tool.8 | 4 +-
docs/manpages/samba.7 | 4 +-
docs/manpages/samba.8 | 4 +-
docs/manpages/sharesec.1 | 4 +-
docs/manpages/smb.conf.5 | 4 +-
docs/manpages/smbcacls.1 | 4 +-
docs/manpages/smbclient.1 | 4 +-
docs/manpages/smbcontrol.1 | 4 +-
docs/manpages/smbcquotas.1 | 4 +-
docs/manpages/smbd.8 | 4 +-
docs/manpages/smbget.1 | 4 +-
docs/manpages/smbgetrc.5 | 4 +-
docs/manpages/smbpasswd.5 | 4 +-
docs/manpages/smbpasswd.8 | 4 +-
docs/manpages/smbspool.8 | 4 +-
docs/manpages/smbspool_krb5_wrapper.8 | 4 +-
docs/manpages/smbstatus.1 | 4 +-
docs/manpages/smbtar.1 | 4 +-
docs/manpages/smbtree.1 | 4 +-
docs/manpages/testparm.1 | 4 +-
docs/manpages/vfs_acl_tdb.8 | 4 +-
docs/manpages/vfs_acl_xattr.8 | 4 +-
docs/manpages/vfs_aio_fork.8 | 4 +-
docs/manpages/vfs_aio_linux.8 | 4 +-
docs/manpages/vfs_aio_pthread.8 | 4 +-
docs/manpages/vfs_audit.8 | 4 +-
docs/manpages/vfs_btrfs.8 | 4 +-
docs/manpages/vfs_cacheprime.8 | 4 +-
docs/manpages/vfs_cap.8 | 4 +-
docs/manpages/vfs_catia.8 | 4 +-
docs/manpages/vfs_ceph.8 | 4 +-
docs/manpages/vfs_commit.8 | 4 +-
docs/manpages/vfs_crossrename.8 | 4 +-
docs/manpages/vfs_default_quota.8 | 4 +-
docs/manpages/vfs_dirsort.8 | 4 +-
docs/manpages/vfs_extd_audit.8 | 4 +-
docs/manpages/vfs_fake_perms.8 | 4 +-
docs/manpages/vfs_fileid.8 | 4 +-
docs/manpages/vfs_fruit.8 | 4 +-
docs/manpages/vfs_full_audit.8 | 4 +-
docs/manpages/vfs_glusterfs.8 | 4 +-
docs/manpages/vfs_gpfs.8 | 4 +-
docs/manpages/vfs_linux_xfs_sgid.8 | 4 +-
docs/manpages/vfs_media_harmony.8 | 4 +-
docs/manpages/vfs_netatalk.8 | 4 +-
docs/manpages/vfs_offline.8 | 4 +-
docs/manpages/vfs_prealloc.8 | 4 +-
docs/manpages/vfs_preopen.8 | 4 +-
docs/manpages/vfs_readahead.8 | 4 +-
docs/manpages/vfs_readonly.8 | 4 +-
docs/manpages/vfs_recycle.8 | 4 +-
docs/manpages/vfs_shadow_copy.8 | 4 +-
docs/manpages/vfs_shadow_copy2.8 | 4 +-
docs/manpages/vfs_shell_snap.8 | 4 +-
docs/manpages/vfs_snapper.8 | 4 +-
docs/manpages/vfs_streams_depot.8 | 4 +-
docs/manpages/vfs_streams_xattr.8 | 4 +-
docs/manpages/vfs_syncops.8 | 4 +-
docs/manpages/vfs_time_audit.8 | 4 +-
docs/manpages/vfs_tsmsm.8 | 4 +-
docs/manpages/vfs_unityed_media.8 | 4 +-
docs/manpages/vfs_worm.8 | 4 +-
docs/manpages/vfs_xattr_tdb.8 | 4 +-
docs/manpages/vfs_zfsacl.8 | 4 +-
docs/manpages/vfstest.1 | 4 +-
docs/manpages/wbinfo.1 | 4 +-
docs/manpages/winbind_krb5_locator.7 | 4 +-
docs/manpages/winbindd.8 | 4 +-
source3/libads/sasl.c | 8 +++-
104 files changed, 239 insertions(+), 247 deletions(-)
delete mode 100644 debian/patches/security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git