CVS commit: pkgsrc/net/samba4

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/net/samba4
From: "Takahiro Kambe" <taca%netbsd.org@localhost>
Date: Sat, 19 Sep 2020 14:00:54 +0000

Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Sep 19 14:00:54 UTC 2020

Modified Files:
        pkgsrc/net/samba4: Makefile distinfo

Log Message:
net/samba4: update to 4.12.7

Update samba4 package to 4.12.7.

                   ==============================
                   Release Notes for Samba 4.12.7
                         September 18, 2020
                   ==============================

This is a security release in order to address the following defect:

o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").

The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section if
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.

Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:

   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

More details can be found here:
https://www.samba.org/samba/security/CVE-2020-1472.html


To generate a diff of this commit:
cvs rdiff -u -r1.108 -r1.109 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/samba4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/samba4/Makefile
diff -u pkgsrc/net/samba4/Makefile:1.108 pkgsrc/net/samba4/Makefile:1.109
--- pkgsrc/net/samba4/Makefile:1.108    Fri Sep 11 17:18:09 2020
+++ pkgsrc/net/samba4/Makefile  Sat Sep 19 14:00:54 2020
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.108 2020/09/11 17:18:09 jperkin Exp $
+# $NetBSD: Makefile,v 1.109 2020/09/19 14:00:54 taca Exp $
 
-DISTNAME=      samba-4.12.6
-PKGREVISION=   2
+DISTNAME=      samba-4.12.7
 CATEGORIES=    net
 MASTER_SITES=  https://download.samba.org/pub/samba/stable/
 

Index: pkgsrc/net/samba4/distinfo
diff -u pkgsrc/net/samba4/distinfo:1.51 pkgsrc/net/samba4/distinfo:1.52
--- pkgsrc/net/samba4/distinfo:1.51     Tue Aug 18 07:39:31 2020
+++ pkgsrc/net/samba4/distinfo  Sat Sep 19 14:00:54 2020
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.51 2020/08/18 07:39:31 adam Exp $
+$NetBSD: distinfo,v 1.52 2020/09/19 14:00:54 taca Exp $
 
-SHA1 (samba-4.12.6.tar.gz) = 52b3da01a95ec7c12a2bbe5de872ba299d62bb58
-RMD160 (samba-4.12.6.tar.gz) = 842bbb9000a7d46d551f7b6ce5b35f0087221916
-SHA512 (samba-4.12.6.tar.gz) = 16a4ced3942bc6d51e80db257e8caeaa426980f66caf2aaf2324f091ec5063bc6b9029d90ff2f321b68be4cede7555d1ebf142405105468bd581e7a7bf9f0be5
-Size (samba-4.12.6.tar.gz) = 18224870 bytes
+SHA1 (samba-4.12.7.tar.gz) = b56b8390064572dd2024b23ca931fc82678ead2d
+RMD160 (samba-4.12.7.tar.gz) = 6947298acc9871f6c3245b1966b18ad490625c3e
+SHA512 (samba-4.12.7.tar.gz) = 5afb1f24b029e665bb4f6bd7b7cf915243476b09b304942b2105586fa99adc6a19b46b4753ca116e230e5bb7b82e011fbe296c62bc70a8a897e56aece55a7f0b
+Size (samba-4.12.7.tar.gz) = 18230157 bytes
 SHA1 (patch-buildtools_wafsamba_samba__conftests.py) = d927db17124d2bb5b382885e70a41f84c3929926
 SHA1 (patch-buildtools_wafsamba_samba__install.py) = d801340617da325e3bb70a90350e45cc8e383c2d
 SHA1 (patch-buildtools_wafsamba_samba__pidl.py) = e4c0ed3dacfcf5613a5b397b3c6cf88509497da7

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index