[ubuntu/hirsute-proposed] samba 2:4.13.2+dfsg-3ubuntu1 (Accepted)
Sergio Durigan Junior
sergio.durigan at canonical.com
Wed Nov 25 18:54:15 UTC 2020
samba (2:4.13.2+dfsg-3ubuntu1) hirsute; urgency=medium
  * Merge with Debian unstable (LP: #1905048). Remaining changes:
    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf;
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - d/control, d/rules: Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
      change nfs service name from nfs to nfs-kernel-server
      (LP #722201)
    - d/p/ctdb-config-enable-syslog-by-default.patch:
      enable syslog and systemd journal by default
    - debian/rules: Ubuntu i386 binary compatibility:
      + drop ceph support
      + disable the following binary packages:
        - ctdb
        - libnss-winbind
        - libpam-winbind
        - python3-samba
        - samba
        - samba-common-bin
        - samba-testsuite
        - winbind
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
    - debian/rules: Ubuntu i386 binary compatibility:
      + re-enable the following binary packages:
        - libnss-winbind
        - samba-common-bin
        - python3-samba
        - winbind
    - d/control: add a versioned libgnutls28-dev build-depends to reduce
      the amount of in-tree crypto code that is built
  * d/t/smbclient-anonymous-share-list: add set -x and set -e
  * Factor out common DEP8 test code into d/t/util and change the tests
    to source from it:
    - d/t/util: added
    - d/t/cifs-share-access, d/t/smbclient-share-access: source from
      util, use random share name and add set -x and set -u
    - d/t/smbclient-authenticated-share-list: source from util and add
      set -x and set -u
  * d/control: enable the liburing vfs module, except on i386 where
    liburing is not available
  * Add new DEP8 tests for the uring vfs module:
    - d/t/control: add smbclient-share-access-uring and
      cifs-share-access-uring tests
    - d/t/smbclient-share-access-uring: new test
    - d/t/cifs-share-access-uring: new test
  * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
    guard uring tests with a kernel version check and skip if it's too old
  * Dropped changes:
    - SECURITY UPDATE: Unauthenticated domain controller compromise by
      subverting Netlogon cryptography (ZeroLogon)
      + debian/patches/zerologon-*.patch: backport upstream patches:
        + For compatibility reasons, allow specifying an insecure netlogon
          configuration per machine. See the following link for examples:
          https://www.samba.org/samba/security/CVE-2020-1472.html
        + Add additional server checks for the protocol attack in the
          client-specified challenge to provide some protection when
          'server schannel = no/auto' and avoid the false-positive results
          when running the proof-of-concept exploit.
      [ Incorporated by upstream. ]
    - SECURITY UPDATE: Missing handle permissions check in ChangeNotify
      + debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
        get set unless the directory handle is open for SEC_DIR_LIST in
        source4/torture/smb2/notify.c, source3/smbd/notify.c.
      + CVE-2020-14318
    - SECURITY UPDATE: Unprivileged user can crash winbind
      + debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
        source3/winbindd/winbindd_lookupsids.c,
        source4/torture/winbind/struct_based.c.
      + CVE-2020-14323
    - SECURITY UPDATE: DNS server crash via invalid records
      - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
        with NULL and do not crash when additional data not found in
        source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
      + CVE-2020-14383
      [ Incorporated by upstream. ]
Date: Tue, 24 Nov 2020 22:12:00 -0500
Changed-By: Sergio Durigan Junior <sergio.durigan at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/samba/2:4.13.2+dfsg-3ubuntu1
Format: 1.8
Source: samba
Architecture: source
Version: 2:4.13.2+dfsg-3ubuntu1
Distribution: hirsute
Urgency: medium
Launchpad-Bugs-Fixed: 1905048
Original-Maintainer: Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>