pkgsrc-Changes archive


CVS commit: pkgsrc/net/samba4



Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jul  7 16:44:14 UTC 2016

Modified Files:
        pkgsrc/net/samba4: Makefile PLIST distinfo

Log Message:
Update samba4 to 4.3.11 (Samba 4.3.11), including security fix for
CVE-2016-2119.

Changes from 4.3.9 to 4.3.10 are too many to write here, please refer
to the WHATSNEW.txt file.

                   ==============================
                   Release Notes for Samba 4.3.11
                            July 07, 2016
                   ==============================

This is a security release in order to address the following defect:

o  CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)

=======
Details
=======

o  CVE-2016-2119:
   It's possible for an attacker to downgrade the required signing for
   an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
   or SMB2_SESSION_FLAG_IS_NULL flags.

   This means that the attacker can impersonate a server being connected to by
   Samba, and return malicious results.

   The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
   to domain controllers as a member server, and trusted domains as a domain
   controller.  These DCE/RPC connections were intended to be protected by the
   combination of "client ipc signing" and
   "client ipc max protocol" in their effective default settings
   ("mandatory" and "SMB3_11").

   Additionally, management tools like net, samba-tool and rpcclient use DCERPC
   over SMB2/3 connections.

   By default, other tools in Samba are unprotected, but rarely they are
   configured to use smb signing, via the "client signing" parameter (the default
   is "if_required").  Even more rarely the "client max protocol" is set to SMB2,
   rather than the NT1 default.

   If both these conditions are met, then this issue would also apply to these
   other tools, including command line tools like smbcacls, smbcquota, smbclient,
   smbget and applications using libsmbclient.

Changes since 4.3.10:
--------------------

o  Stefan Metzmacher <metze%samba.org@localhost>
   * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
   * BUG 11948: Total dcerpc response payload more than 0x400000.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/samba4/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/samba4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/samba4/Makefile
diff -u pkgsrc/net/samba4/Makefile:1.18 pkgsrc/net/samba4/Makefile:1.19
--- pkgsrc/net/samba4/Makefile:1.18     Sat May  7 03:09:33 2016
+++ pkgsrc/net/samba4/Makefile  Thu Jul  7 16:44:14 2016
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.18 2016/05/07 03:09:33 taca Exp $
+# $NetBSD: Makefile,v 1.19 2016/07/07 16:44:14 taca Exp $
 
 DISTNAME=      samba-${VERSION}
 CATEGORIES=    net
@@ -11,7 +11,7 @@ LICENSE=      gnu-gpl-v3
 
 DEPENDS+=      ${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat
 
-VERSION=       4.3.9
+VERSION=       4.3.11
 CONFLICTS+=    ja-samba-[0-9]* pam-smbpass-[0-9]* tdb-[0-9]* winbind-[0-9]*
 
 BUILD_DEPENDS+=        ${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat
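
Review bot: The context lines around the VERSION bump list ${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat in both DEPENDS+ and BUILD_DEPENDS+; a full DEPENDS is already present at build time, so the BUILD_DEPENDS+ line looks redundant and could be dropped in a follow-up. The bump itself goes from 4.3.9 straight to 4.3.11, so the 4.3.10 changes ship with this security update as well, which is worth stating in the package's change record.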

Index: pkgsrc/net/samba4/PLIST
diff -u pkgsrc/net/samba4/PLIST:1.7 pkgsrc/net/samba4/PLIST:1.8
--- pkgsrc/net/samba4/PLIST:1.7 Sat May  7 03:09:33 2016
+++ pkgsrc/net/samba4/PLIST     Thu Jul  7 16:44:14 2016
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2016/05/07 03:09:33 taca Exp $
+@comment $NetBSD: PLIST,v 1.8 2016/07/07 16:44:14 taca Exp $
 bin/cifsdd
 bin/dbwrap_tool
 bin/eventlogadm
@@ -431,6 +431,7 @@ ${PYSITELIB}/samba/tests/samba3.py
 ${PYSITELIB}/samba/tests/samba3sam.py
 ${PYSITELIB}/samba/tests/samba_tool/__init__.py
 ${PYSITELIB}/samba/tests/samba_tool/base.py
+${PYSITELIB}/samba/tests/samba_tool/fsmo.py
 ${PYSITELIB}/samba/tests/samba_tool/gpo.py
 ${PYSITELIB}/samba/tests/samba_tool/group.py
 ${PYSITELIB}/samba/tests/samba_tool/ntacl.py
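
Review bot: The only PLIST change is the added ${PYSITELIB}/samba/tests/samba_tool/fsmo.py, yet the Makefile moves across two upstream releases (4.3.9 to 4.3.11). Please confirm the PLIST was regenerated from a staged install of 4.3.11 so that no other added or removed files are missing from this hunk.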

Index: pkgsrc/net/samba4/distinfo
diff -u pkgsrc/net/samba4/distinfo:1.10 pkgsrc/net/samba4/distinfo:1.11
--- pkgsrc/net/samba4/distinfo:1.10     Sat May  7 03:09:33 2016
+++ pkgsrc/net/samba4/distinfo  Thu Jul  7 16:44:14 2016
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.10 2016/05/07 03:09:33 taca Exp $
+$NetBSD: distinfo,v 1.11 2016/07/07 16:44:14 taca Exp $
 
-SHA1 (samba-4.3.9.tar.gz) = d31423f80918af52cd6d5b2005d76d02975dbfd5
-RMD160 (samba-4.3.9.tar.gz) = 8bfd170d9c14f75e728a051dea335d3365c2afea
-SHA512 (samba-4.3.9.tar.gz) = bc90c88d8defd3acec7c671e8ceacec31e3111540aabee7ec6f11cdeaf61bbd993525e2b765e3b50801c8079e1168cf496b3e5e6a56118d6493ae5da60d34c41
-Size (samba-4.3.9.tar.gz) = 20570849 bytes
+SHA1 (samba-4.3.11.tar.gz) = 44399fdcbcf5eba5f86548781e8aef490264de6b
+RMD160 (samba-4.3.11.tar.gz) = 641234bb6e4f1ef8d65ab3f0c9b90ede41dd2f89
+SHA512 (samba-4.3.11.tar.gz) = 7b9bcdf158c64a26c81e5a03a94a521f238a7573ab31c1252e90f2604ae0d1303c998d3bcda18c4feb9049a659371a3af2bdfcc546b5251314f19a500b6a0b7a
+Size (samba-4.3.11.tar.gz) = 20573432 bytes
 SHA1 (patch-buildtools_wafsamba_wscript) = 5604936a825675647157331df2333f4237c611f5
 SHA1 (patch-lib_nss__wrapper_nss__wrapper.c) = c692fa33ec17ed4f1dc1e40c1fadf7846d976824
 SHA1 (patch-lib_param_loadparm.h) = d1c9df37bb9969d2788dd70e613067df6bb64f26
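
Review bot: The samba-4.3.11.tar.gz entry keeps SHA1 and RMD160 next to SHA512, and the patch entries in the context lines carry SHA1 only, so the SHA512 line is the one carrying the integrity guarantee for the distfile. Since this is a security release, confirm that the SHA512 digest and the 20573432-byte size were generated from a tarball fetched from the upstream master site rather than from a mirror copy.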


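The exposure conditions in the CVE-2016-2119 release notes above can be checked against a host's smb.conf. The following is an added example, not part of the commit or of Samba: the helper names, the sample configurations and the set of values treated as "signing required" are assumptions, and the defaults are the effective defaults quoted in the release notes.

```python
import re

# Effective defaults as quoted in the release notes above.
DEFAULTS = {
    "client ipc signing": "mandatory",
    "client ipc max protocol": "SMB3_11",
    "client signing": "if_required",
    "client max protocol": "NT1",
}
# Assumption: values that make signing a hard requirement.
REQUIRED = {"mandatory", "required"}

def global_params(text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of spaces.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def effective(params, name):
    """Value in force for a parameter, falling back to the quoted default."""
    value = params.get(name, "default")
    return DEFAULTS[name] if value.lower() == "default" else value

def relies_on_smb2_signing(params, signing, max_proto):
    """True when signing is required and SMB2/3 can be negotiated."""
    sign = effective(params, signing).lower()
    proto = effective(params, max_proto).upper()
    return sign in REQUIRED and proto.startswith(("SMB2", "SMB3"))

def exposure(text):
    """Which client classes depend on required SMB2/3 signing."""
    p = global_params(text)
    return {
        # winbindd, net, samba-tool, rpcclient (DCERPC over SMB2/3)
        "ipc": relies_on_smb2_signing(p, "client ipc signing", "client ipc max protocol"),
        # smbclient, smbget, smbcacls, smbcquota, libsmbclient applications
        "other": relies_on_smb2_signing(p, "client signing", "client max protocol"),
    }

# Constructed sample configurations.
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n"
SAMPLE_SIGNED = "[global]\n  Client Signing = mandatory\n  client max protocol = SMB3\n"
```

A True entry marks a class of client whose signing requirement could be downgraded before the fix, so those hosts are the ones that need this 4.3.11 update first.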
