[Pkg-samba-maint] [samba] annotated tag debian/2%4.2.14+dfsg-0+deb8u6 created (now 296edc1)

Salvatore Bonaccorso carnil at debian.org
Wed May 24 08:13:02 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a change to annotated tag debian/2%4.2.14+dfsg-0+deb8u6
in repository samba.

        at  296edc1   (tag)
   tagging  60568f26bc3aa6f0df686e8d7040f239bece36f1 (commit)
  replaces  debian/2%4.2.10+dfsg-0+deb8u3
 tagged by  Salvatore Bonaccorso
        on  Fri May 19 19:32:09 2017 +0200

- Log -----------------------------------------------------------------
tagging package samba version debian/2%4.2.14+dfsg-0+deb8u6
-----BEGIN PGP SIGNATURE-----

iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlkfLBlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ea6QP/1RgLOSJTaWobp7jIk4hV/VWkgTMSKLa
dTFo7/3cCpuK9dWfPiPTOAjnJPD/qVwt0GyBW2a4WIllhiPWfaHfIPb8KexxJtOu
bjob3hCyssAZe7IJ9nAefsyZuVOTsCXX7GKZh+rTyOS+ipApwD8NWKqHfCzG6ro1
bMGCbzN7qXoFqr8iZTdsDjDpjjX5s9l/y6hPa+7ht/FIjGdCFGgD1kNA9g+qZyWf
ylIRDn3LRewLAH039Jka1ZM3YIT5nLwYZISJpZoHidLhg6Pks+EUqWzGBPvRofYB
qbNcwwxPqjdElCKXkrkpgqZ3QYKVlE3rOK8OJReIhK/gXFuoEWCudbOwZfqiOctr
FmKGeQI7aiC9AXq2RLVlnhGOhujUB9xMjhmHCcTelkS17wENzpaiZMIcKP7/lCKS
H5wRpwSqCTrHQt0d9HU0kjxuEVdrjr83El+/sgzO9ClnBkTSph3QWqD4QP3m/8ZM
J0UDuEviy8wDOS3GqkF4ogGdAEQa9/grqlGNNqKzDFD/eU1QRBSGXGzPdDPHETPg
pR4+4IEbS7GSMV7q3RFjpHZg6cf05Upepm25qPKkBGxBdAqkzFnH9k4/OkCKxYpT
cn4vCbkmtHpLS8ZHQOqSg7PGtP8vckoGa/0IJ9wUKQn5GK7nWw6ketcpMCcH0Els
NO4dL3pSMUA8
=VM5h
-----END PGP SIGNATURE-----

Amitay Isaacs (3):
      ctdb-common: Protocol argument must be in host order for socket() call
      ctdb-common: Use documented names for protocol family in socket()
      ctdb-common: For AF_PACKET socket types, protocol is in network order

Andreas Schneider (7):
      s3-client: Add a KRB5 wrapper for smbspool
      waf: Only build smb_krb5_wrapper if we have CUPS
      docs: Add smbspool_krb5_wrapper manpage
      s4-gensec: Check if we have delegated credentials.
      torture: Fix the usage of the MEMORY credential cache.
      torture: Correctly invalidate the memory ccache.
      torture: Free the temporary memory context

Andrew Bartlett (8):
      smbd: Only check dev/inode in open_directory, not the full stat()
      libsmb: Print the principal name that we failed to kinit for.
      docs: Explain that winbindd enforces smb signing by default.
      lib/tls: Add new 'tls priority' option
      lib/tls: Change default supported TLS versions.
      pydsdb: Also accept ldb.MessageElement values to dsdb routines
      pydsdb: Fix returning of ldb.MessageElement.
      build: mark explicit dependencies on pytalloc-util

Berend De Schouwer (1):
      docs: Add example for domain logins to smbspool man page.

Björn Jacke (1):
      tls: increase Diffie-Hellman group size to 2048 bits

Christian Ambach (2):
      s3:utils/smbget fix recursive download
      s4:torture/ntlmssp fix a compiler warning

Günther Deschner (20):
      docs-xml: fix typo in smbspool_krb5_wrapper manpage.
      gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
      lib/util: globally include herrors in error.h
      ntlmssp: add some missing defines from MS-NLMP to our IDL.
      ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
      ntlmssp: properly document version defines in IDL (from MS-NLMP).
      ntlmssp: when pulling messages it is important to clear memory first.
      s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
      s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
      s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
      s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
      s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
      auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
      s4-smb_server: check for return code of cli_credentials_set_machine_account().
      s3-auth: check for return code of cli_credentials_set_machine_account().
      CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
      libsmb/pysmb: add pytalloc-util dependency to fix the build.
      lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
      s3:librpc:crypto:gse: increase debug level for gse_init_client().
      libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().

Hemanth Thummala (2):
      loadparm: Fix memory leak issue.
      Real memeory leak(buildup) issue in loadparm.

Jelmer Vernooij (15):
      Reduce number of places where sys.path is (possibly) updated for external module paths.
      Avoid importing TestCase and TestSkipped from testtools.
      Rename TestSkipped to Skiptest, consistent with Python 2.7.
      selftest/tests/*.py: remove use of testtools.
      Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
      Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
      Add replacement addCleanup.
      Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
      Provide TestCase.assertIsInstance for python < 2.7.
      Use samba TestCase so we get all compatibility functions on Python < 2.7.
      Run cleanup after tearDown, for consistency with Python >= 2.7.
      Handle skips when running on python2.6.
      Implement assertIsNone for Python < 2.7.
      Implement TestCase.assertIn for older versions of Python.
      Implement TestCase.assertIsNotNone for python < 2.7.

Jelmer Vernooij (16):
      Simplify handling of dependencies on external libraries in test_headers.
      tevent: Only set public headers field when installing as a public library.
      New upstream version 4.2.14+dfsg
      Merge tag 'upstream/4.2.14+dfsg' into jessie
      New upstream release.
      Drop obsolete patch security-2016-04-12-prerequisite-v4-2-regression- fixes.metze01.txt.
      Drop patch sockets-with-htons; applied upstream.
      Drop patch CVE-2016-2110-NTLMSSP-regression.patch; fixed upstream.
      Drop patch s3-smbd-fix-anonymous-authentication-if-signing-is- m.patch: fixed upstream.
      Reapply patches.
      Ignore *.debhelper.log files.
      Re-add rfc3454.txt-table.
      Install smbspool_krb5_wrapper.
      Extend debian/.gitignore.
      Bump tevent dependency up to 0.9.28.
      releasing package samba version 2:4.2.14+dfsg-0+deb8u1

Jeremy Allison (56):
      s3: smbd: Fix timestamp rounding inside SMB2 create.
      s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support.
      s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
      CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
      lib: tevent: Initial checkin of threaded tevent context calling code.
      lib: tevent: Initial test of tevent threaded context code.
      lib: tevent: tests: Add a second thread test that does request/reply.
      lib: tevent: docs: Add tutorial on thread usage.
      lib: tevent: Fix bug in poll backend - poll_event_loop_poll()
      lib: tevent: Whitespace cleanup.
      lib: tevent: Fix memory leak reported by Pavel Březina <pbrezina at redhat.com> when old signal action restored.
      s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope.
      s3: krb5: keytab - The done label can be jumped to with context == NULL.
      Fix smbclient compatibility with Windows 10 (Closes: #820794)
      s3: vfs: dirsort doesn't handle opendir of "." correctly.
      s3: smbd: Correctly canonicalize any incoming shadow copy path.
      s3: lib: Add canonicalize_absolute_path().
      s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path().
      s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped variables.
      s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly relative and terminated.
      s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep a length.
      s3: VFS: shadow_copy2: Add two new variables to the config data. Not yet used.
      s3: VFS: shadow_copy2: Add a wrapper function to call the original shadow_copy2_strip_snapshot().
      s3: VFS: shadow_copy2: Change a parameter name.
      s3: VFS: shadow_copy2: Add two currently unused functions to make pathnames absolute or relative to $cwd.
      s3: VFS: shadow_copy2: Fix chdir to store off the needed private variables.
      vfs_shadow_copy2: fix case where snapshots are outside the share
      s3: VFS: Allow shadow_copy2_connectpath() to return the cached path derived from $cwd.
      s3: VFS: Ensure shadow:format cannot contain a / path separator.
      s3: VFS: Add utility function check_for_converted_path().
      s3: VFS: shadow_copy2: Fix module to work with variable current working directory.
      s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function.
      s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error.
      s3: VFS: Don't allow symlink, link or rename on already converted paths.
      s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
      s3: vfs: streams_depot. Use conn->connectpath not conn->cwd.
      s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
      s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
      s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
      s3: smbd: OpenDir_fsp() use early returns.
      s3: smbd: OpenDir_fsp() - Fix memory leak on error.
      s3: smbd: Move the reference counting and destructor setup to just before retuning success.
      s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
      s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
      s3: smbd: Move special handling of symlink errno's into a utility function.
      s3: smbd: Add the core functions to prevent symlink open races.
      s3: smbd: Use the new non_widelink_open() function.
      CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
      s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
      s3: smbd: Fix "follow symlink = no" regression part 2.
      s3: smbd: Fix "follow symlink = no" regression part 2.
      s3: libsmb: Correctly align create contexts in a create call.
      s3: libsmb: Add return args to clistr_is_previous_version_path().
      s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets shadow copy info over SMB2.
      s3: libsmb: Plumb new SMB2 shadow copy call into cli_shadow_copy_data().
      s3: libsmb: Add the capability to find a @GMT- path in an SMB2 create and transform to a timewarp token.

Jorge Schrauwen (1):
      configure: Don't check for inotify on illumos

Jose A. Rivera (1):
      s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file.

Justin Maggard (2):
      s3:smbd: rework negprot remote arch detection
      s3:smbd: add negprot remote arch detection for OSX

Kamen Mazdrashki (3):
      s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
      s4-tests: Print out what the error is in delete_force()
      s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment

Karolin Seeger (12):
      VERSION: Bump version up to 4.2.9...
      WHATSNEW: Start release notes for Samba 4.2.12.
      WHATSNEW: Update release notes.
      WHATSNEW: Last bugfix release.
      WHATSNEW: Add release date.
      VERSION: Disable git snapshots for the 4.2.12 release.
      VERSION: Bump version up to 4.2.12...
      WHATSNEW: Add release notes for Samba 4.2.13.
      VERSION: Disable git snapshots for the 4.2.13 release.
      VERSION: Bump version up to 4.2.14...
      WHATSNEW: Add release notes for Samba 4.2.14.
      VERSION: Disable git snapshots for the 4.2.14 release.

Martin Schwenke (1):
      ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."

Mathieu Parent (11):
      Add one more closed bug
      Changelog for previous commit
      Release 2:4.2.14+dfsg-0+deb8u2
      Add security-2016-12-19.patch
      Release 2:4.2.14+dfsg-0+deb8u2
      Patch for CVE-2017-2619
      Release 2:4.2.14+dfsg-0+deb8u3
      Add patches for previous commits
      Release 2:4.2.14+dfsg-0+deb8u5
      Add patch for previous commit
      Re-release 2:4.2.14+dfsg-0+deb8u5

Nathan Huff (1):
      Fix ETIME handling for Solaris event ports.

Ralph Boehme (16):
      lib/tsocket: workaround sockets not supporting FIONREAD
      CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
      CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
      CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
      CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
      CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
      vfs_streams_xattr: use fsp, not base_fsp
      CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag

Richard Sharpe (5):
      Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
      Convert all uint32/16/8 to _t in source3/libsmb.
      Convert all uses of uint32/16/8 to _t in source3/rpc_server.
      Convert all uses of uint32/16/8 to _t in source3/rpc_client.
      Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.

Salvatore Bonaccorso (3):
      Release 2:4.2.14+dfsg-0+deb8u4
      CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
      Prepare changelog for release

Stefan Metzmacher (410):
      Merge tag 'samba-4.2.9' into v4-2-test
      VERSION: Bump version up to 4.2.10...
      VERSION: Bump version up to 4.2.10...
      s4:auth/gensec_gssapi: remove compiler warnings
      s4:lib/tls: add tls_cert_generate() prototype to tls.h
      s4:lib/tls: remove allow_warnings=True
      auth/kerberos: avoid compiler warnings
      auth/kerberos: remove allow_warnings=True
      s4:auth/gensec_gssapi: remove allow_warnings=True
      s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
      auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
      s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
      s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
      s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
      s4:lib/tls: fix tstream_tls_connect_send() define
      s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
      s4:libcli/ldap: conversion to tstream
      s4:auth/gensec: remove unused and untested cyrus_sasl module
      s4:auth/gensec: remove unused include of lib/socket/socket.h
      s4:auth/gensec: remove unused gensec_socket_init()
      auth/gensec: remove unused gensec_[un]wrap_packets() hooks
      s3:ntlm_auth: don't start gensec backend twice
      auth/credentials: anonymous should not try to use kerberos
      midltests: add valid/midltests_DRS_EXTENSIONS.*
      librpc/rpc: add faultcode to nt_status mappings
      librpc/rpc: add dcerpc_fault_from_nt_status()
      librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
      s4:pyrpc: add base.bind_time_features_syntax(features)
      lib/util: fix output format in dump_data*()
      librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
      python/samba/tests: don't lower case path names in connect_samdb()
      python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
      python/samba/tests: move hexdump() from DNSTest to TestCase
      python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
      s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
      libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
      python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
      s4:pyrpc: remove pointless alter_context() method
      dcerpc.idl: fix calculatin of uint16 secondary_address_size;
      heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
      heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
      heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
      heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
      heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
      heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
      auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
      s4:selftest: run rpc.netlogon.admin against also ad_dc
      s4:rpc_server: pass the remote address to gensec_set_remote_address()
      s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
      s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
      lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
      lib/util_net: add support for .ipv6-literal.net
      s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
      s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
      epmapper.idl: make epm_twr_t available in python bindings
      dcerpc.idl: make WERROR RPC faults available in ndr_print output
      librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
      s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
      s3:libads: remove unused ads_connect_gc()
      wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
      s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
      s3:librpc/gse: fix debug message in gse_init_client()
      s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
      s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
      s3:librpc/gse: don't log gss_acquire_creds failed at level 0
      s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
      s4:pygensec: make sig_size() and sign/check_packet() available
      auth/gensec: keep a pointer to a possible child/sub gensec_security context
      auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
      auth/gensec: make gensec_security_by_name() public
      s3:auth_generic: add auth_generic_client_start_by_name()
      s3:auth_generic: add auth_generic_client_start_by_sasl()
      auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
      auth/ntlmssp: add gensec_ntlmssp_server_domain()
      s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
      s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
      s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
      selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
      s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
      winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
      s3:auth_generic: make use of the top level NTLMSSP client code
      s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
      auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
      auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
      auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
      s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
      winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
      s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
      auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
      auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
      auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
      auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
      auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
      auth/ntlmssp: add ntlmssp_version_blob()
      auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
      auth/ntlmssp: use ntlmssp_version_blob() in the server
      security.idl: add LSAP_TOKEN_INFO_INTEGRITY
      ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
      ntlmssp.idl: make AV_PAIR_LIST public
      librpc/ndr: add ndr_ntlmssp_find_av() helper function
      auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
      auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
      s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
      s4:libcli/ldap: fix retry authentication after a bad password
      s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
      s4:selftest: simplify the loops over samba4.ldb.ldap
      s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: add missing TALLOC_FREE(frame) in error path
      s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
      s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
      s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
      s3:libads: keep service and hostname separately in ads_service_principal
      s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
      s3:libsmb: make use gensec based SPNEGO/NTLMSSP
      s3:libsmb: unused ntlmssp.c
      s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
      s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
      s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
      s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
      s3:libsmb: remove unused cli_session_setup_kerberos*() functions
      s3:libsmb: remove unused functions in clispnego.c
      s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
      s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
      s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
      s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
      s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
      s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
      s4:rpc_server: dcesrv_generic_session_key should only work on local transports
      selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
      selftest: add some helper scripts to mange a CA
      selftest: add config and script to create a samba.example.com CA
      selftest: add CA-samba.example.com (non-binary) files
      selftest: mark commands in manage-CA-samba.example.com.sh as DONE
      selftest: add Samba::prepare_keyblobs() helper function
      selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
      selftest: set tls crlfile if it exist
      selftest: setup information of new samba.example.com CA in the client environment
      s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
      s3:test_rpcclient_samlogon.sh: test samlogon with schannel
      s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
      s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
      s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
      s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
      s4:torture/rpc/schannel: don't use validation level 6 without privacy
      auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
      auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
      s4:rpc_server: require access to the machine account credentials
      s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
      s3:rpc_server/samr: correctly handle session_extract_session_key() failures
      s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
      CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
      CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
      CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
      CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
      CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
      CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
      CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
      CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
      CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
      CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
      CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
      CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
      CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
      CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
      CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
      CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
      CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
      CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
      CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
      CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
      CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
      CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
      CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
      CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
      CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
      CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
      CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
      CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
      CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
      CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
      CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
      CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
      CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
      CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
      CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
      CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
      CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
      CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
      CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
      CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
      CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
      CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
      CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
      CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
      CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
      CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
      CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
      CVE-2016-2113: selftest: use "tls verify peer = no_check"
      CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
      CVE-2016-2114: s4:smb2_server: fix session setup with required signing
      CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
      CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
      CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115: docs-xml: add "client ipc signing" option
      CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
      CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
      CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
      CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
      CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
      CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
      CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
      CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
      CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
      CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
      CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
      CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
      CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
      CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
      CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
      CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
      CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
      CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
      CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
      CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
      CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
      CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
      CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
      CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
      CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
      CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
      CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
      CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
      CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
      CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
      CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
      CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
      CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
      CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
      CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
      CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
      CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
      CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
      CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
      CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
      CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
      CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
      CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
      CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
      CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
      CVE-2015-5370: s4:rpc_server: check frag_length for requests
      CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
      CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
      CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
      CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
      CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
      CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
      CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
      CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
      CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
      CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
      CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
      CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
      CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
      CVE-2015-5370: s3:rpc_server: verify presentation context arrays
      CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
      CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
      CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
      CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
      CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
      CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
      CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
      CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
      CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
      CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
      CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
      CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
      CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
      CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
      CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
      CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
      CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
      CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
      WHATSNEW: Add release notes for Samba 4.2.10.
      VERSION: Disable git snapshots for the 4.2.10 release.
      VERSION: Bump version up to 4.2.11...
      s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
      WHATSNEW: Add release notes for Samba 4.2.11.
      VERSION: Disable git snapshots for the 4.2.11 release.
      Merge tag 'samba-4.2.11' into v4-2-test
      VERSION: Bump version up to 4.2.12
      tevent: version 0.9.26
      tevent: version 0.9.27
      tevent: version 0.9.28
      s3:wscript: pylibsmb depends on pycredentials
      s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
      s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
      auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
      auth/spnego: handle broken mechListMIC response from Windows 2000
      auth/ntlmssp: don't require any flags in the ccache_resume code
      auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
      s3:libsmb: use password = NULL for anonymous connections
      libcli/smb: add smb1cli_session_set_action() helper function
      libcli/smb: add SMB1 session setup action flags
      libcli/smb: add smbXcli_session_is_guest() helper function
      s3:libsmb: record the session setup action flags
      s3:libsmb: don't finish the gensec handshake for guest logins
      s3:libsmb: use anonymous authentication via spnego if possible
      auth/spnego: only try to verify the mechListMic if signing was negotiated.
      s4:auth_anonymous: anonymous authentication doesn't allow a password
      s3:auth_builtin: anonymous authentication doesn't allow a password
      libcli/security: implement SECURITY_GUEST
      s3:smbd: make use SMB_SETUP_GUEST constant
      s3:smbd: only mark real guest sessions with the GUEST flag
      auth/ntlmssp: do map to guest checking after the authentication
      auth/spnego: add spnego:simulate_w2k option for testing
      auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
      selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
      s3:test_smbclient_auth.sh: this script reqiures 5 arguments
      selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
      selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
      s3:selftest: add smbclient_ntlm tests
      libcli/auth: let msrpc_parse() return talloc'ed empty strings
      s3:ntlm_auth: make ntlm_auth_generate_session_info() more complete
      s3:smbd: fix anonymous authentication if signing is mandatory
      s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
      dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
      s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
      s4:rpc_server: use a variable for the max total reassembled request payload
      dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
      CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
      CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
      CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
      CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
      CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
      CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
      CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()

Uri Simchoni (10):
      libads: record session expiry for spnego sasl binds
      vfs_shadow_copy2: add shadow_copy2_do_convert()
      vfs_shadow_copy: handle non-existant files and wildcards
      vfs_shadow_copy2: fix crash in 4.2.x backport
      vfs_shadow_copy2: add a blackbox test suite
      s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes
      selftest: add content to files created during shadow_copy2 test
      selftest: check file readability in shadow_copy2 test
      selftest: test listing directories inside snapshots
      libads: Fix deadlock when re-joining a domain and updating keytab

Volker Lendecke (28):
      param: Fix str_list_v3 to accept ; again
      rpc_server: Fix CID 1035534 Uninitialized scalar variable
      rpc_server: Fix CID 1035535 Uninitialized scalar variable
      asn1: Remove an unused asn1 function
      asn1: Make asn1_peek_full_tag return 0/errno
      asn1: Add overflow check to asn1_write
      asn1: Add some early returns
      asn1: Make "struct nesting" private
      asn1: Add asn1_has_error()
      lib: Use asn1_has_error()
      asn1: Add asn1_set_error()
      lib: Use asn1_set_error()
      asn1: Add asn1_extract_blob()
      lib: Use asn1_extract_blob()
      asn1: Add asn1_has_nesting
      lib: Use asn1_has_nesting
      asn1: Add asn1_current_ofs()
      lib: Use asn1_current_ofs()
      libcli: Remove a reference to asn1->ofs
      asn1: Remove a reference to asn1_data internals
      asn1: Make 'struct asn1_data' private
      spnego: Correctly check asn1_tag_remaining retval
      libsmb: Fix CID 1356312 Explicit null dereferenced
      libads: Fix CID 1356316 Uninitialized pointer read
      vfs_catia: Fix bug 11827, memleak
      nwrap: Fix the build on Solaris
      smbd: Fix an assert
      CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

-----------------------------------------------------------------------

No new revisions were added by this update.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git




More information about the Pkg-samba-maint mailing list