---
- branch: MAIN
  date: Sat Sep 19 14:00:54 UTC 2020
  files:
  - new: '1.109'
    old: '1.108'
    path: pkgsrc/net/samba4/Makefile
    pathrev: pkgsrc/net/samba4/Makefile@1.109
    type: modified
  - new: '1.52'
    old: '1.51'
    path: pkgsrc/net/samba4/distinfo
    pathrev: pkgsrc/net/samba4/distinfo@1.52
    type: modified
  id: 20200919T140054Z.104845547e8f38a12432e1ac10a7ac6f20fe515d
  log: |
    net/samba4: update to 4.12.7

    Update samba4 package to 4.12.7.

                       ==============================
                       Release Notes for Samba 4.12.7
                             September 18, 2020
                       ==============================

    This is a security release in order to address the following defect:

    o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").

    The following applies to Samba used as domain controller only (most
    seriously the Active Directory DC, but also the classic/NT4-style DC).

    Installations running Samba as a file server only are not directly
    affected by this flaw, though they may need configuration changes to
    continue to talk to domain controllers (see "file servers and domain
    members" below).

    The netlogon protocol contains a flaw that allows an authentication
    bypass. This was reported and patched by Microsoft as CVE-2020-1472.
    Since the bug is a protocol level flaw, and Samba implements the
    protocol, Samba is also vulnerable.

    However, since version 4.8 (released in March 2018), the default
    behaviour of Samba has been to insist on a secure netlogon channel,
    which is a sufficient fix against the known exploits. This default is
    equivalent to having 'server schannel = yes' in the smb.conf.

    Therefore versions 4.8 and above are not vulnerable unless they have
    the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

    Samba versions 4.7 and below are vulnerable unless they have 'server
    schannel = yes' in the smb.conf.

    Note each domain controller needs the correct settings in its smb.conf.

    Vendors supporting Samba 4.7 and below are advised to patch their
    installations and packages to add this line to the [global] section if
    their smb.conf file.

    The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
    'FullSecureChannelProtection=1' registry key, the introduction of
    which we understand forms the core of Microsoft's fix.

    Some domains employ third-party software that will not work with a
    'server schannel = yes'. For these cases patches are available that
    allow specific machines to use insecure netlogon. For example, the
    following smb.conf:

       server schannel = yes
       server require schannel:triceratops$ = no
       server require schannel:greywacke$ = no

    will allow only "triceratops$" and "greywacke$" to avoid schannel.

    More details can be found here:
    https://www.samba.org/samba/security/CVE-2020-1472.html
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net/samba4'
  unixtime: '1600524054'
  user: taca