pkgsrc-Changes archive


CVS commit: pkgsrc/net/samba4



Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Nov 27 17:08:25 UTC 2023

Modified Files:
        pkgsrc/net/samba4: Makefile buildlink3.mk distinfo

Log Message:
samba4: updated to 4.19.3

Release Notes for Samba 4.19.3

This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bugfix CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html

Description of CVE-2018-14628
-----------------------------

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).

This means that non-privileged users can also use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view
the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

Action required in order to resolve CVE-2018-14628!
---------------------------------------------------

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.

Changes since 4.19.2
--------------------

o  Douglas Bagnall <douglas.bagnall%catalyst.net.nz@localhost>
   * BUG 15520: sid_strings test broken by unix epoch > 1700000000.

o  Ralph Boehme <slow%samba.org@localhost>
   * BUG 15487: smbd crashes if asked to return full information on close of a
     stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
     smb_fname_fsp_destructor().

o  Pavel Filipenský <pfilipensky%samba.org@localhost>
   * BUG 15499: Improve logging for failover scenarios.

o  Björn Jacke <bj%sernet.de@localhost>
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
     listed in directories.

o  Stefan Metzmacher <metze%samba.org@localhost>
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
     AD LDAP to normal users.
   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
     accounts.

o  Christof Schmitt <cs%samba.org@localhost>
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Andreas Schneider <asn%samba.org@localhost>
   * BUG 15513: Samba doesn't build with Python 3.12.


To generate a diff of this commit:
cvs rdiff -u -r1.176 -r1.177 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/samba4/buildlink3.mk
cvs rdiff -u -r1.99 -r1.100 pkgsrc/net/samba4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/samba4/Makefile
diff -u pkgsrc/net/samba4/Makefile:1.176 pkgsrc/net/samba4/Makefile:1.177
--- pkgsrc/net/samba4/Makefile:1.176    Wed Nov 15 18:54:43 2023
+++ pkgsrc/net/samba4/Makefile  Mon Nov 27 17:08:25 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.176 2023/11/15 18:54:43 wiz Exp $
+# $NetBSD: Makefile,v 1.177 2023/11/27 17:08:25 adam Exp $
 
-DISTNAME=      samba-4.19.2
+DISTNAME=      samba-4.19.3
 CATEGORIES=    net
 MASTER_SITES=  https://download.samba.org/pub/samba/stable/
 
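
Review bot: The DISTNAME bump to samba-4.19.3 brings in a fix that, per the release notes in the log message, does not protect existing domains until the administrator runs samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix, and none of the three modified files carries that instruction to someone who only upgrades the package. Consider surfacing the post-upgrade step to installers, for example in a MESSAGE file.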

Index: pkgsrc/net/samba4/buildlink3.mk
diff -u pkgsrc/net/samba4/buildlink3.mk:1.18 pkgsrc/net/samba4/buildlink3.mk:1.19
--- pkgsrc/net/samba4/buildlink3.mk:1.18        Wed Nov  8 13:20:35 2023
+++ pkgsrc/net/samba4/buildlink3.mk     Mon Nov 27 17:08:25 2023
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.18 2023/11/08 13:20:35 wiz Exp $
+# $NetBSD: buildlink3.mk,v 1.19 2023/11/27 17:08:25 adam Exp $
 
 BUILDLINK_TREE+=       samba
 
@@ -6,7 +6,7 @@ BUILDLINK_TREE+=        samba
 SAMBA_BUILDLINK3_MK:=
 
 BUILDLINK_API_DEPENDS.samba+=  samba>=4.9.4
-BUILDLINK_ABI_DEPENDS.samba?=  samba>=4.18.8nb4
+BUILDLINK_ABI_DEPENDS.samba+=  samba>=4.18.8nb4
 BUILDLINK_PKGSRCDIR.samba?=    ../../net/samba4
 
 .include "../../archivers/libarchive/buildlink3.mk"
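
Review bot: The BUILDLINK_ABI_DEPENDS.samba line changes its operator from ?= to += while the log message only describes the update to 4.19.3; a sentence in the log saying why the operator changed would make this traceable. The version floor stays at samba>=4.18.8nb4, so with += it is appended to any value already set rather than acting as a default. Please confirm that is the intent, given that the neighbouring BUILDLINK_PKGSRCDIR.samba keeps ?=.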

Index: pkgsrc/net/samba4/distinfo
diff -u pkgsrc/net/samba4/distinfo:1.99 pkgsrc/net/samba4/distinfo:1.100
--- pkgsrc/net/samba4/distinfo:1.99     Wed Nov 15 18:54:43 2023
+++ pkgsrc/net/samba4/distinfo  Mon Nov 27 17:08:25 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.99 2023/11/15 18:54:43 wiz Exp $
+$NetBSD: distinfo,v 1.100 2023/11/27 17:08:25 adam Exp $
 
-BLAKE2s (samba-4.19.2.tar.gz) = 49ff9bc974e87a6a210897868132ea7523b6b000d80f29777d1e8dd00b1c52b2
-SHA512 (samba-4.19.2.tar.gz) = d2fb64013e77d138a52b100377a042951c132884936b2b6dbf60506355e3f6882d5f3008a6bb855dd19b8981f7dc14da4f91ddbea7458978c1c4ab009608faf5
-Size (samba-4.19.2.tar.gz) = 41817924 bytes
+BLAKE2s (samba-4.19.3.tar.gz) = a23d3f9698807486c7a68fd3e374b633406995fa6d28c08b9f436c1a5be25dc5
+SHA512 (samba-4.19.3.tar.gz) = 1eacc6be2866ecc7cbb13c5d17a32ad14cc8148e811db9c730a11065ac3ed84a82e406e750dc97fbc884377346c4538a38d8031e63db6b09acd78fbd2c02d702
+Size (samba-4.19.3.tar.gz) = 41829749 bytes
 SHA1 (patch-buildtools_wafsamba_samba__conftests.py) = d927db17124d2bb5b382885e70a41f84c3929926
 SHA1 (patch-buildtools_wafsamba_samba__install.py) = d801340617da325e3bb70a90350e45cc8e383c2d
 SHA1 (patch-buildtools_wafsamba_samba__pidl.py) = e4c0ed3dacfcf5613a5b397b3c6cf88509497da7


