Received: by mail.netbsd.org (Postfix, from userid 605)
	id B1B7A84D52; Tue,  3 Jan 2023 15:27:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id E2B5284D08
	for <pkgsrc-changes@NetBSD.org>; Tue,  3 Jan 2023 15:27:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1])
	by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025)
	with ESMTP id 4Z13A9aJzfqx for <pkgsrc-changes@netbsd.org>;
	Tue,  3 Jan 2023 15:27:23 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197])
	by mail.netbsd.org (Postfix) with ESMTP id C803F84CEA
	for <pkgsrc-changes@NetBSD.org>; Tue,  3 Jan 2023 15:27:23 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500)
	id C18D2FA90; Tue,  3 Jan 2023 15:27:23 +0000 (UTC)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1672759643133390"
MIME-Version: 1.0
Date: Tue, 3 Jan 2023 15:27:23 +0000
From: "Thomas Klausner" <wiz@netbsd.org>
Subject: CVS commit: pkgsrc/net/samba4
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
X-Mailer: log_accum
Message-Id: <20230103152723.C18D2FA90@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: <pkgsrc-changes.NetBSD.org>
Precedence: bulk
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20pkgsrc-changes&body=unsubscribe%20pkgsrc-changes>

This is a multi-part message in MIME format.

--_----------=_1672759643133390
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	wiz
Date:		Tue Jan  3 15:27:23 UTC 2023

Modified Files:
	pkgsrc/net/samba4: Makefile PLIST distinfo options.mk

Log Message:
samba: update to 4.17.4.

This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

                  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

                  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

                  https://www.samba.org/samba/security/CVE-2022-38023.html

Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with system still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                               Description             Default
  --------------                               -----------             -------
  allow nt4 crypto                             Deprecated              no
  allow nt4 crypto:COMPUTERACCOUNT             New
  kdc default domain supported enctypes        New (see manpage)
  kdc supported enctypes                       New (see manpage)
  kdc force enable rc4 weak session keys       New                     No
  reject md5 clients                           New Default, Deprecated Yes
  reject md5 servers                           New Default, Deprecated Yes
  server schannel                              Deprecated              Yes
  server schannel require seal                 New, Deprecated         Yes
  server schannel require seal:COMPUTERACCOUNT New
  winbind sealed pipes                         Deprecated              Yes

Changes since 4.17.3
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
     Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
     vulnerability.
   * BUG 15206: libnet: change_password() doesn't work with
     dcerpc_samr_ChangePasswordUser4().
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
     (CVE-2021-20251 regression).

o  Noel Power <noel.power@suse.com>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o  Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.


To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.155 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/net/samba4/PLIST
cvs rdiff -u -r1.87 -r1.88 pkgsrc/net/samba4/distinfo
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/samba4/options.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1672759643133390
Content-Disposition: inline
Content-Length: 4124
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/net/samba4/Makefile
diff -u pkgsrc/net/samba4/Makefile:1.154 pkgsrc/net/samba4/Makefile:1.155
--- pkgsrc/net/samba4/Makefile:1.154	Fri Nov 25 10:21:14 2022
+++ pkgsrc/net/samba4/Makefile	Tue Jan  3 15:27:23 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.154 2022/11/25 10:21:14 wiz Exp $
+# $NetBSD: Makefile,v 1.155 2023/01/03 15:27:23 wiz Exp $
 
-DISTNAME=	samba-4.17.3
+DISTNAME=	samba-4.17.4
 CATEGORIES=	net
 MASTER_SITES=	https://download.samba.org/pub/samba/stable/
 

Index: pkgsrc/net/samba4/PLIST
diff -u pkgsrc/net/samba4/PLIST:1.48 pkgsrc/net/samba4/PLIST:1.49
--- pkgsrc/net/samba4/PLIST:1.48	Tue Nov 29 13:20:23 2022
+++ pkgsrc/net/samba4/PLIST	Tue Jan  3 15:27:23 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.48 2022/11/29 13:20:23 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.49 2023/01/03 15:27:23 wiz Exp $
 bin/cifsdd
 bin/dbwrap_tool
 bin/dumpmscat
@@ -476,6 +476,7 @@ ${PYSITELIB}/samba/tests/krb5/alias_test
 ${PYSITELIB}/samba/tests/krb5/as_canonicalization_tests.py
 ${PYSITELIB}/samba/tests/krb5/as_req_tests.py
 ${PYSITELIB}/samba/tests/krb5/compatability_tests.py
+${PYSITELIB}/samba/tests/krb5/etype_tests.py
 ${PYSITELIB}/samba/tests/krb5/fast_tests.py
 ${PYSITELIB}/samba/tests/krb5/kcrypto.py
 ${PYSITELIB}/samba/tests/krb5/kdc_base_test.py
@@ -1078,6 +1079,3 @@ ${PLIST.ads}share/samba/setup/secrets_in
 ${PLIST.ads}share/samba/setup/share.ldif
 ${PLIST.ads}share/samba/setup/spn_update_list
 ${PLIST.ads}share/samba/setup/ypServ30.ldif
-@pkgdir var/db/samba4/private
-@pkgdir var/log
-@pkgdir var/run

Index: pkgsrc/net/samba4/distinfo
diff -u pkgsrc/net/samba4/distinfo:1.87 pkgsrc/net/samba4/distinfo:1.88
--- pkgsrc/net/samba4/distinfo:1.87	Tue Nov 29 13:20:23 2022
+++ pkgsrc/net/samba4/distinfo	Tue Jan  3 15:27:23 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.87 2022/11/29 13:20:23 jperkin Exp $
+$NetBSD: distinfo,v 1.88 2023/01/03 15:27:23 wiz Exp $
 
-BLAKE2s (samba-4.17.3.tar.gz) = c85427eb0dbd444f3e6b7478f70b45d874ce7dcdf2fbbe216c74a2ce73cbdb46
-SHA512 (samba-4.17.3.tar.gz) = a5482bfe66f7f34fdf855e69b7b0fc2a4f9e756947357201651af70f3b10e236474c1b4ae4d9367b122e2d4565601659c373d3b17717a3c5c66aa9258eb58ff0
-Size (samba-4.17.3.tar.gz) = 30805080 bytes
+BLAKE2s (samba-4.17.4.tar.gz) = 48f84916b249d40ae96aa31f48406470cab0923a3f297a35cbcb0bd6f0b8a1f7
+SHA512 (samba-4.17.4.tar.gz) = 3f8ec51e30b1a8ef947f9bf4666fe8b30463d8ea3fa8cab6ff9dc8cfe7e71e2116eaea68aec66f18c84a8726ab628f9ee320b56e3de9d537b96f2230286a64f7
+Size (samba-4.17.4.tar.gz) = 30838334 bytes
 SHA1 (patch-buildtools_wafsamba_samba__conftests.py) = d927db17124d2bb5b382885e70a41f84c3929926
 SHA1 (patch-buildtools_wafsamba_samba__install.py) = d801340617da325e3bb70a90350e45cc8e383c2d
 SHA1 (patch-buildtools_wafsamba_samba__pidl.py) = e4c0ed3dacfcf5613a5b397b3c6cf88509497da7

Index: pkgsrc/net/samba4/options.mk
diff -u pkgsrc/net/samba4/options.mk:1.17 pkgsrc/net/samba4/options.mk:1.18
--- pkgsrc/net/samba4/options.mk:1.17	Mon Mar  7 21:40:37 2022
+++ pkgsrc/net/samba4/options.mk	Tue Jan  3 15:27:23 2023
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.17 2022/03/07 21:40:37 thor Exp $
+# $NetBSD: options.mk,v 1.18 2023/01/03 15:27:23 wiz Exp $
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.samba4
-PKG_SUPPORTED_OPTIONS=	ads avahi fam ldap pam winbind cups # cups option is broken for me.
+PKG_SUPPORTED_OPTIONS=	ads avahi ldap pam winbind cups # cups option is broken for me.
 PKG_SUGGESTED_OPTIONS=	avahi ldap pam winbind
 
 .include "../../mk/bsd.fast.prefs.mk"
@@ -22,7 +22,7 @@ PKG_SUGGESTED_OPTIONS+=	snapper
 
 .include "../../mk/bsd.options.mk"
 
-PLIST_VARS+=		ads cups fam ldap pam snapper winbind
+PLIST_VARS+=		ads cups ldap pam snapper winbind
 
 ###
 ### Access Control List support.
@@ -57,17 +57,6 @@ CONFIGURE_ARGS+=	--disable-cups
 .endif
 
 ###
-### File Alteration Monitor support.
-###
-.if !empty(PKG_OPTIONS:Mfam)
-.  include "../../mk/fam.buildlink3.mk"
-CONFIGURE_ARGS+=	--with-fam
-PLIST.fam=		yes
-.else
-CONFIGURE_ARGS+=	--without-fam
-.endif
-
-###
 ### Support LDAP authentication and storage of Samba account information.
 ###
 # Active Directory requires ldap


--_----------=_1672759643133390--