[ubuntu/hirsute-proposed] samba 2:4.13.2+dfsg-3ubuntu1 (Accepted)

Sergio Durigan Junior sergio.durigan at canonical.com
Wed Nov 25 18:54:15 UTC 2020


samba (2:4.13.2+dfsg-3ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable (LP: #1905048). Remaining changes:
    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - d/control, d/rules: Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
      change nfs service name from nfs to nfs-kernel-server
      (LP #722201)
    - d/p/ctdb-config-enable-syslog-by-default.patch:
      enable syslog and systemd journal by default
    - debian/rules: Ubuntu i386 binary compatibility:
      + drop ceph support
      + disable the following binary packages:
        - ctdb
        - libnss-winbind
        - libpam-winbind
        - python3-samba
        - samba
        - samba-common-bin
        - samba-testsuite
        - winbind
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
    - debian/rules: Ubuntu i386 binary compatibility:
      + re-enable the following binary packages:
        - libnss-winbind
        - samba-common-bin
        - python3-samba
        - winbind
    - d/control: add a versioned libgnutls28-dev build-depends to reduce
      the amount of in-tree crypto code that is built
  * d/t/smbclient-anonymous-share-list: add set -x and set -e
  * Factor out common DEP8 test code into d/t/util and change the tests
    to source from it:
    - d/t/util: added
    - d/t/cifs-share-access, d/t/smbclient-share-access: source from
      util, use random share name and add set -x and set -u
    - d/t/smbclient-authenticated-share-list: source from util and add
      set -x and set -u
  * d/control: enable the liburing vfs module, except on i386 where
    liburing is not available
  * Add new DEP8 tests for the uring vfs module:
    - d/t/control: add smbclient-share-access-uring and
      cifs-share-access-uring tests
    - d/t/smbclient-share-access-uring: new test
    - d/t/cifs-share-access-uring: new test
  * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
    guard uring tests with a kernel version check and skip if it's too old
  * Dropped changes:
    - SECURITY UPDATE: Unauthenticated domain controller compromise by
      subverting Netlogon cryptography (ZeroLogon)
      + debian/patches/zerologon-*.patch: backport upstream patches:
        + For compatibility reasons, allow specifying an insecure netlogon
          configuration per machine. See the following link for examples:
          https://www.samba.org/samba/security/CVE-2020-1472.html
        + Add additional server checks for the protocol attack in the
          client-specified challenge to provide some protection when
          'server schannel = no/auto' and avoid the false-positive results
          when running the proof-of-concept exploit.
    [ Incorporated by upstream. ]
    - SECURITY UPDATE: Missing handle permissions check in ChangeNotify
      + debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
        get set unless the directory handle is open for SEC_DIR_LIST in
        source4/torture/smb2/notify.c, source3/smbd/notify.c.
      + CVE-2020-14318
    - SECURITY UPDATE: Unprivileged user can crash winbind
      + debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
        source3/winbindd/winbindd_lookupsids.c,
        source4/torture/winbind/struct_based.c.
      + CVE-2020-14323
    - SECURITY UPDATE: DNS server crash via invalid records
      + debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
        with NULL and do not crash when additional data not found in
        source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
      + CVE-2020-14383
    [ Incorporated by upstream. ]

Date: Tue, 24 Nov 2020 22:12:00 -0500
Changed-By: Sergio Durigan Junior <sergio.durigan at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/samba/2:4.13.2+dfsg-3ubuntu1

Format: 1.8
Source: samba
Architecture: source
Launchpad-Bugs-Fixed: 1905048
Original-Maintainer: Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>