[Pkg-samba-maint] [samba] 04/07: CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default

Mathieu Parent sathieu at moszumanska.debian.org
Sun Dec 25 16:40:50 UTC 2016

This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch master
in repository samba.

commit 238ce24ab3e983647ed7ba8a8d81c9f47023a4ff
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 11:44:22 2016 +0100

    CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
    This disabled the usage of GSS_C_DELEG_FLAG by default, as
    GSS_C_DELEG_POLICY_FLAG is still used by default we let the
    KDC decide if we should send delegated credentials to a remote server.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>
 source4/auth/gensec/gensec_gssapi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {

Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git

More information about the Pkg-samba-maint mailing list