[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.22] 51 commits: VERSION: Bump version up to Samba 4.22.9...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Tue May 26 14:13:20 BST 2026
Michael Tokarev pushed to branch upstream_4.22 at Debian Samba Team / samba
Commits:
b4912756 by Björn Jacke at 2026-02-19T10:40:39+01:00
VERSION: Bump version up to Samba 4.22.9...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Jule Anger <janger at samba.org>
- - - - -
4146d3a9 by Ralph Boehme at 2026-04-08T16:43:16+00:00
selftest: mark "smb2.lease.rename_dir_openfile" as flapping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15978
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Feb 23 12:37:28 UTC 2026 on atb-devel-224
(cherry picked from commit 437436832fdddfda692fac01452ad7bc4a0b6e3d)
- - - - -
178c2130 by Noel Power at 2026-04-08T16:43:16+00:00
s3/librpc/crypto: Don't keep growing in memory keytab
When we have long living concurrent connections every rpc bind
ends up calling and subsequently adding keytab entries to the
memory keytab returned by 'gse_krb5_get_server_keytab(...)'. This is
happening because as long as there is a handle open for the
keytab named "MEMORY:cifs_srv_keytab" then we keep adding entries to
it.
Note: There is no leak of gensec_security nor the krb5_keytab
it contains. When rpc clients connected to the rpc worker process
exit the gensec_security and the krb5_keytab structures are
destructed as expected. However because we use a fixed name
"MEMORY:cifs_srv_keytab" clients end up with a handle to a
reference counted shared keytab. Destruction of the keytab results
in the associated reference count being decremented. When the
reference count reaches 0 the keytab is destroyed.
To avoid the keytab being extended the easiest solution is to ensure a
unique memory keytab is created for each client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16042
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Mar 30 09:36:45 UTC 2026 on atb-devel-224
(cherry picked from commit c28a86c45d9d9673de18f9c29ea80dff12c9e7dd)
- - - - -
6a1ff629 by Martin Schwenke at 2026-04-08T16:43:16+00:00
ctdb-tests: Update statd-callout unit test infrastructure
Don't cheat. Keep some state about what is happening, similar to what
statd_callout and statd_callout_helper are expected to keep. This
means hinting arguments to check_shared_storage_statd_state() and
check_statd_callout_smnotify() can be dropped.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15939
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit 85afee0a83dd2f70b90cff4c1e21b865640261fb)
- - - - -
8603eb0b by Peter Schwenke at 2026-04-08T16:43:16+00:00
ctdb-scripts: Only send notifies for newly taken IPs
We no longer delete shared state (and send notifies) for
IPs previously held by the current node. The NFS lock manager
won't have released locks for these IPs, so won't generate
SM_MON on reclaim attempts. Therefore, there will be
no add-client to put them back.
We now record newly taken IP addresses in takeip,
and only send notifies for those during
ipreallocated. The extra notifies were also confusing
statd.
Update existing tests to always simulate taking all of a node's IPs.
This causes no output changes.
Test updates confirm the subtleties of the statd_callout_helper
behaviour change. These pretend to only take a single IP, so
SM_NOTIFY must not be sent for other IPs. Shared state should
remain for these other files.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15939
Signed-off-by: Peter Schwenke <pschwenke at ddn.com>
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit e4914e6a4f1cb77eebf86c5ab3f241c2a9e5bd05)
- - - - -
84cb6eb6 by Peter Schwenke at 2026-04-08T16:43:16+00:00
ctdb-failover: Add sm-notify to statd_callout
sm-notify is required when an NFS client reboots.
rpc-statd on the client will send an sm-notify to
rpc-statd on the NFS server.
Add a test case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15938
Signed-off-by: Peter Schwenke <pschwenke at ddn.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Wed Feb 18 12:29:16 UTC 2026 on atb-devel-224
(cherry picked from commit 7c5ce115f2c11e5a2dd326238f08bc5e7c10641c)
- - - - -
c7adc833 by Noel Power at 2026-04-08T16:43:16+00:00
selftest: Update tests to use --use-kerberos=desired|required no creds
Add tests to call smbclient without passing credentials to
demonstrate failure with --use-kerberos=desired
Also add knownfail
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414)
- - - - -
b6d084e8 by Noel Power at 2026-04-08T16:43:16+00:00
auth/credentials: Fix regression with --use-kerberos=desired for smbclient
As part of the gse_krb5 processing the following call chain
gensec_gse_client_start()
---> gensec_kerberos_possible()
---> cli_credentials_authentication_requested()
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicate authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970)
- - - - -
2358c39d by Noel Power at 2026-04-08T16:43:16+00:00
s3/libsmb: cli_session_creds_init fails when kerberos is desired
There is a regression with code using cli_session_creds_init when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
Authentication succeeds when boolean fallback_after_kerberos is false
and fails when true.
There doesn't seem to be a good reason why the value of
fallback_after_kerberos should initialise the krb5 ccache or not.
It would seem that krb5 cache should be setup for creds
for *any* kerberos auth (whether fallback is enabled or not)
Partial patch from <will69 at gmx.de> (see bug referenced below)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca)
- - - - -
3d467f5b by Noel Power at 2026-04-08T16:43:16+00:00
s3/libsmb: block anon authentication fallback if use-kerberos = desired
When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fall back to
anon NTLM. This patch prevents that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f)
- - - - -
27dad685 by Volker Lendecke at 2026-04-08T17:40:49+00:00
rpc: Don't offer spoolss RPC with "disable spoolss = yes"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=16019
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Mar 13 09:00:05 UTC 2026 on atb-devel-224
(cherry picked from commit 8497fb05d8d9c082b7ba318844970f0b3227aff9)
Autobuild-User(v4-22-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-22-test): Wed Apr 8 17:40:49 UTC 2026 on atb-devel-224
- - - - -
ef25c3fc by Björn Jacke at 2026-04-09T10:46:04+02:00
WHATSNEW: Add release notes for Samba 4.22.9
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
ff3dd691 by Björn Jacke at 2026-04-09T10:51:27+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.22.10 release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
ef42f9cc by Björn Jacke at 2026-04-09T10:53:38+02:00
VERSION: Bump version up to Samba 4.22.10...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
ec7b13c0 by Michael Tokarev at 2026-04-10T19:51:09+03:00
New upstream version 4.22.9+dfsg
- - - - -
7e0bdc05 by Stefan Metzmacher at 2026-05-12T15:05:10+00:00
pam_winbind: only chown the home directory if it was created
Otherwise we may change the permission for '/'
if some systemuser (e.g. nobody) has no homedir and root
runs 'su - nobody'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16073
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Bjoern Jacke <bjacke at samba.org>
Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Sun May 10 23:22:27 UTC 2026 on atb-devel-224
(cherry picked from commit 79caa6ef08b9b333e17bb0762e95e18e250db463)
- - - - -
11dcdd6b by Björn Jacke at 2026-05-12T16:09:54+00:00
samba_cross.py: autobuild fails with trailing space at line endings
autobuild fails with trailing space at line endings, so we need to strip() only
at "\n" here strictly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16057
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Apr 10 21:20:52 UTC 2026 on atb-devel-224
(cherry picked from commit 2f8dfde1210395175e726455bdb63a7b97245a72)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Tue Apr 14 13:43:47 UTC 2026 on atb-devel-224
Autobuild-User(v4-22-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-22-test): Tue May 12 16:09:54 UTC 2026 on atb-devel-224
- - - - -
024c0f6e by Volker Lendecke at 2026-05-15T11:26:09+02:00
CVE-2026-1933: tests: Fix permissions used for creating reparse points
SEC_STD_ALL does not lead to fsp->access_mask to include the required
bits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15992
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
a0e66dbf by Stefan Metzmacher at 2026-05-15T11:26:20+02:00
CVE-2026-1933: smbd: Add access checks to reparse point operations
On a share marked "read only = yes" and on file handles opened R/O
users can set or delete the reparse point xattrs on files that the
user has write-access in the file system for. Add the required access
checks.
Thanks to Asim Viladi Oglu Manizada for reporting the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15992
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
97f86ccf by Douglas Bagnall at 2026-05-15T11:26:34+02:00
CVE-2026-2340: test whether vfs_worm allows overwrite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
76d10f44 by Pavel Kohout at 2026-05-15T11:26:34+02:00
CVE-2026-2340: vfs_worm: Check destination WORM status in rename
vfs_worm_renameat() only checked if the source file was WORM-protected,
but not the destination. This allowed overwriting immutable files via
SMB2 rename with ReplaceIfExists=1, bypassing WORM protection.
Add destination check using FSTATAT on the destination dirfsp, as
suggested by the maintainer.
CWE-284 (Improper Access Control)
Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997
To backport to 4.23 we change the name of dst_dirfsp and src_dirfsp to
dstfsp and srcfsp, respectively (accounting for
76796180cf3af3252db2c29d0e95282a498a8527 in 4.24/master).
Signed-off-by: Pavel Kohout <pavel.kohout at aisle.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
2ea79610 by Douglas Bagnall at 2026-05-15T11:26:34+02:00
CVE-2026-3012: gpo tests: fix test cleanup
These tests are going to fail soon but as currently written they do
not clean up after themselves, erroring instead of failing and causing
cascading errors in subsequent tests. For now we don't care to make
the other tests less fragile.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
- - - - -
f21f87e0 by Douglas Bagnall at 2026-05-15T11:26:34+02:00
CVE-2026-3012: do not fetch certificate over http
In the case where a certificate was found via HTTP, it was trusted
without verification and put in the global CA store.
There is no means to check the certificate other than by comparing it
to certificates we may have gathered via LDAP, but in that case there
is no advantage over just using the LDAP-derived certificates.
Using the LDAP certificates was already the fallback case if HTTP
failed, so we just make it the default.
The HTTP fetch depends on the NDES service, which is a variant of
Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
Samba implements none of that protocol other than the HTTP fetch. SCEP
is for clients that are not true domain members. Domain members can
access certificates over LDAP. This patch is not reducing SCEP
client support because Samba never had it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
Reported-by: Arad Inbar, DREAM Security Research Team
Reported-by: Nir Somech, DREAM Security Research Team
Reported-by: Ben Grinberg, DREAM Security Research Team
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
- - - - -
7337d99e by Douglas Bagnall at 2026-05-15T11:26:34+02:00
CVE-2026-3012: gp_auto_enrol: skip CAs not found in LDAP
If a certificate is mentioned in a GPO but is not present as a
cACertificate attribute on a pKIEnrollmentService object, we have no way
of obtaining it, so we might as well forget it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
- - - - -
6bde7ce3 by Douglas Bagnall at 2026-05-15T11:26:34+02:00
CVE-2026-3012: gpo tests should use real certificates
Or at least, more real than a short arbitrary byte string, so that
the certificates can be parsed.
This shows that certificate enrolment works via LDAP in the situations
where we would have fetched them via HTTP.
This does not fix the advanced_gp_cert_auto_enroll_ext test which
wants to install certificates it has no access to. This will not be
fixed in the security release.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
- - - - -
4798eb7a by Volker Lendecke at 2026-05-15T11:26:34+02:00
CVE-2026-3238: winsserver4: Dissolve direct variable initialization
Checks are required before the packet is dereferenced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16012
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
4a53add0 by Volker Lendecke at 2026-05-15T11:26:45+02:00
CVE-2026-3238: winsserver4: Validate incoming packets
Avoid NULL pointer dereferences, leading to a crash in the nbt process
serving wins.
Thanks to Arad Inbar, Erez Cohen, Nir Somech and Ben Grinberg from
DREAM Security Research Team for pointing this crash bug out to
the Samba team.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16012
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
26b64ec5 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: inline string_sub2() into string_sub() the only caller
This will simplify further changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
76dcb309 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: remove unused talloc_strdup(insert) from talloc_string_sub2()
The insert string is not modified, so we do not need to copy it.
This will simplify further changes.
Review with: git show --patience
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
3032b7ef by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: factor out a mask_unsafe_character() helper function
This moves the logic into a single place and
makes it more flexible to be used with more
values than STRING_SUB_UNSAFE_CHARACTERS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
3f24236a by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: split out realloc_string_sub_raw()
This will allow realloc_string_sub2() to use it in order
to have the logic in one place only.
And it will also allow adjacted callers to be
more flexible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
113ba241 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: s3:lib: fix potential memory leak in talloc_sub_basic()
This makes the code easier to understand...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
c4a93471 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: s3:lib: let realloc_string_sub2() use realloc_string_sub_raw()
We don't need this logic more than once!
But we leave the strange calling convention of
realloc_string_sub2(), where the caller is
not allowed to use the passed pointer when
NULL is returned...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
003ff9b4 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: let mask_unsafe_character() check all control characters
There's no reason to mask only \r and \n.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
5551dd76 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add more unsafe characters to STRING_SUB_UNSAFE_CHARACTERS
|&<> are unsafe characters for shell processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
0cabcbd2 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: let log_escape() make use of iscntrl()
using iscntrl() also handles 0x7F (DEL).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
d291377a by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add talloc_string_sub_{mixed_quoting,unsafe}() helpers
This is the basic helper function for the security problems.
talloc_string_sub_mixed_quoting() checks for strange quoting
in smb.conf options.
And talloc_string_sub_unsafe() tries to autodetect how the unsafe
(client controlled value) and masked and single quote it,
as a fallback for strange quoting a fixed fallback string
is used and the caller should warn the admin and give
hints how to fix the configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Pair-Programmed-With: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
ebd4edda by Douglas Bagnall at 2026-05-15T11:27:03+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add test_string_sub unittests
This demonstrates the logic of talloc_string_sub_{mixed_quoting,unsafe}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
31449816 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480: s3:printing: mask and/or single quote jobname passed as %J to "print command"
Fix an unauthenticated remote code execution vulnerability with
printing set to anything *but* cups and iprint, for example "lprng",
so that "print command" is executed upon job submission. If the
client-controlled job name is handed to the "print command" via %J,
rpcd_spoolssd passes this to the shell without escaping critical
characters.
Using single quotes (directly) around %J, '%J' would avoid the
problem, we now try to autodetect if we can use '%J' implicitly
or we fall back to a fixed "__CVE-2026-4480_FallbackJobname__"
string instead of the client provided jobname.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
02356117 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480: s3:testparm: warn about 'print command' %J usage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
8ea1a94c by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4480: docs-xml/smbdotconf: clarify '%J' in 'print command'
Admins should use '%J'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
6dce1833 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4408: lib/util: introduce strstr_for_invalid_account_characters()
This splits out the logic from samaccountname_bad_chars_check()
in source4/dsdb/samdb/ldb_modules/samldb.c, this will be used
in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
8f28ca0b by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4408: s3:samr-server: only allow _samr_ValidatePassword as DC
This is only supported with 'rpc start on demand helpers = no',
as it needs ncacn_ip_tcp, but we better also restrict it to DCs.
Maybe only FreeIPA needs it as NT4 didn't support ncacn_ip_tcp.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
1c5146dd by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4408: s3:samr-server: deny, mask and/or single quote username to 'check password script'
We pass this on to the check password script, prevent remote command
execution.
We now try to autodetect if we could implicitly use '%u' for the
replacement and fall back to a fixed fallback username.
Admins should make use of SAMBA_CPS_ACCOUNT_NAME
instead of passing '%u' to 'check password script'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Pair-Programmed-With: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
67ad724e by Douglas Bagnall at 2026-05-15T11:27:03+02:00
CVE-2026-4408: s3:samr-server: make check_password_complexity_internal() non-static, for easier testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
266cd3dc by Douglas Bagnall at 2026-05-15T11:27:03+02:00
CVE-2026-4408: s3:torture: tests for password complexity scripts
This tries to demonstrate the new logic for %u in
'check password script'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
65a9ac41 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4408: s3:testparm: warn about 'check password script' %u usage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
640f18d1 by Stefan Metzmacher at 2026-05-15T11:27:03+02:00
CVE-2026-4408: docs-xml/smbdotconf: clarify '%u' in 'check password script'
Admins should use SAMBA_CPS_ACCOUNT_NAME.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
6b9cad82 by Björn Jacke at 2026-05-15T14:16:15+02:00
WHATSNEW: Add release notes for Samba 4.22.10.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
0abfaced by Björn Jacke at 2026-05-15T14:38:10+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.22.10 release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
6a9607d6 by Michael Tokarev at 2026-05-26T16:09:44+03:00
New upstream version 4.22.10+dfsg
- - - - -
53 changed files:
- VERSION
- WHATSNEW.txt
- auth/gensec/gensec_util.c
- buildtools/wafsamba/samba_cross.py
- ctdb/config/events/legacy/60.nfs.script
- ctdb/failover/statd_callout.c
- ctdb/tests/UNIT/eventscripts/scripts/statd-callout.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.001.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.002.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.004.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.005.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.006.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.008.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.050.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.108.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.150.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.208.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.250.sh
- ctdb/tools/statd_callout_helper
- docs-xml/smbdotconf/printing/printcommand.xml
- docs-xml/smbdotconf/security/checkpasswordscript.xml
- lib/util/samba_util.h
- lib/util/substitute.c
- lib/util/substitute.h
- + lib/util/tests/test_string_sub.c
- lib/util/util_str.c
- lib/util/util_str_escape.c
- lib/util/wscript_build
- nsswitch/pam_winbind.c
- python/samba/gp/gp_cert_auto_enroll_ext.py
- python/samba/tests/gpo.py
- python/samba/tests/smb3unix.py
- + selftest/flapping.d/smb2.lease
- + selftest/knownfail.d/gpo-auto-enrol
- selftest/tests.py
- source3/lib/substitute.c
- source3/lib/substitute_generic.c
- source3/librpc/crypto/gse_krb5.c
- source3/libsmb/cliconnect.c
- source3/libsmb/libsmb_server.c
- source3/modules/util_reparse.c
- source3/modules/vfs_worm.c
- source3/printing/print_generic.c
- source3/rpc_server/rpcd_spoolss.c
- source3/rpc_server/samr/srv_samr_chgpasswd.c
- source3/rpc_server/samr/srv_samr_nt.c
- source3/rpc_server/samr/srv_samr_util.h
- source3/script/tests/test_smbclient_kerberos.sh
- source3/script/tests/test_worm.sh
- + source3/torture/test_rpc_samr.c
- source3/torture/wscript_build
- source3/utils/testparm.c
- source4/nbt_server/wins/winsserver.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/62e99079e15e0b84d9418a089e303931a518a33e...6a9607d67877d83e82ece97b06c65492f2e46287
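
Added example (not part of the original notification and not Samba code): a small smb.conf audit in the spirit of the testparm warnings named in the CVE-2026-4480 and CVE-2026-4408 commits above. It flags "print command" values where %J is not written directly as '%J' and "check password script" values that pass %u; the sample configuration, function names and result labels are assumptions made for this example.

```python
import re

# Constructed sample smb.conf, for illustration only.
SAMPLE_CONF = """\
[global]
    printing = lprng
    check password script = /usr/local/sbin/pwcheck %u

[laser]
    printable = yes
    print command = lpr -r -P%p -J%J %s

[inkjet]
    printable = yes
    Print Command = lpr -r -P'%p' -J'%J' %s

[plotter]
    printable = yes
    printing = cups
    print command = lpr -J "%J" \\
        %s
"""

# Per the commit message, "print command" runs on job submission for every
# "printing" value except these two.
NON_EXEC_BACKENDS = {"cups", "iprint"}


def norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse(text):
    """Return {section: {normalized_param: value}}, joining '\\' continuations."""
    sections, current, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[norm(key)] = value.strip()
    return sections


def unquoted_macros(value, macro):
    """Offsets of `macro` that are not written in the direct form '<macro>'."""
    hits = []
    for m in re.finditer(re.escape(macro), value):
        before = value[m.start() - 1:m.start()]
        after = value[m.end():m.end() + 1]
        if not (before == "'" and after == "'"):
            hits.append(m.start())
    return hits


def audit(text):
    """Return (section, parameter, macro, note) tuples for risky substitutions."""
    conf = parse(text)
    global_params = conf.get("global", {})
    findings = []
    for section, params in conf.items():
        cmd = params.get("printcommand")
        if cmd and unquoted_macros(cmd, "%J"):
            # Assumption: an unset "printing" is treated as exposed, because
            # the effective default is not visible from the file alone.
            backend = params.get("printing", global_params.get("printing", ""))
            quiet = backend.lower() in NON_EXEC_BACKENDS
            note = "not executed (cups/iprint)" if quiet else "executed"
            findings.append((section, "print command", "%J", note))
        script = params.get("checkpasswordscript")
        if script and "%u" in script:
            findings.append((section, "check password script", "%u",
                             "use SAMBA_CPS_ACCOUNT_NAME"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("%-8s %-22s %-3s %s" % finding)
```
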