pkgsrc-2023Q2
Pullup ticket #6782 - requested by taca
net/samba4: security fix
Revisions pulled up:
- net/samba4/Makefile 1.166-1.167
- net/samba4/distinfo 1.94-1.95
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Jul 19 15:33:28 UTC 2023
Modified Files:
pkgsrc/net/samba4: Makefile distinfo
Log Message:
samba: update to 4.18.4.
Changes since 4.18.3
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15404: Backport --pidl-developer fixes.
o Samuel Cabrero <scabrero@samba.org>
* BUG 14030: Named crashes on DLZ zone update.
o Björn Jacke <bj@sernet.de>
* BUG 2312: smbcacls and smbcquotas do not check // before the server.
o Volker Lendecke <vl@samba.org>
* BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
* BUG 15391: smbclient leaks fds with showacls.
* BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem.
o Stefan Metzmacher <metze@samba.org>
* BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
causes test timeouts.
o Noel Power <noel.power@suse.com>
* BUG 15384: net ads lookup (with unspecified realm) fails.
o Christof Schmitt <cs@samba.org>
* BUG 15381: Register Samba processes with GPFS.
o Andreas Schneider <asn@samba.org>
* BUG 15390: Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation).
* BUG 15398: The winbind child segfaults when listing users with `winbind
scan trusted domains = yes`.
o Jones Syue <jonessyue@qnap.com>
* BUG 15383: Remove comments about deprecated 'write cache size'.
* BUG 15403: smbget memory leak if failed to download files recursively.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jul 20 01:28:34 UTC 2023
Modified Files:
pkgsrc/net/samba4: Makefile distinfo
Log Message:
net/samba4: update to 4.18.5
==============================
Release Notes for Samba 4.18.5
July 19, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
crafted request can trigger an out-of-bounds read in winbind
and possibly crash it.
https://www.samba.org/samba/security/CVE-2022-2127.html
o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
"server signing = required" or for SMB2 connections to Domain
Controllers where SMB2 packet signing is mandatory.
https://www.samba.org/samba/security/CVE-2023-3347.html
o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
Spotlight can be triggered by an unauthenticated attacker by
issuing a malformed RPC request.
https://www.samba.org/samba/security/CVE-2023-34966.html
o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
Spotlight can be used by an unauthenticated attacker to
trigger a process crash in a shared RPC mdssvc worker process.
https://www.samba.org/samba/security/CVE-2023-34967.html
o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
side absolute path of shares and files and directories in
search results.
https://www.samba.org/samba/security/CVE-2023-34968.html
Changes since 4.18.4
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15072: CVE-2022-2127.
* BUG 15340: CVE-2023-34966.
* BUG 15341: CVE-2023-34967.
* BUG 15388: CVE-2023-34968.
* BUG 15397: CVE-2023-3347.
o Volker Lendecke <vl@samba.org>
* BUG 15072: CVE-2022-2127.
o Stefan Metzmacher <metze@samba.org>
* BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.