Merge samba from Debian unstable for mantic
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| samba (Ubuntu) |
Fix Released
|
Undecided
|
Andreas Hasenack | ||
Bug Description
Upstream: 4.17.7
Debian: 2:4.17.7+dfsg-1 2:4.18.2+dfsg-1
Ubuntu: 2:4.17.
Debian new has 2:4.18.2+dfsg-1, which may be available for merge soon.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
### New Debian Changes ###
samba (2:4.17.7+dfsg-1) unstable; urgency=high
* upstream stable/
o CVE-2023-0225: An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to delete this
attribute from any object in the directory.
https:/
o CVE-2023-0922: The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https:/
o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was insufficient and
an attacker may be able to obtain confidential BitLocker recovery keys
from a Samba AD DC. Installations with such secrets in their Samba AD
should assume they have been obtained and need replacing.
https:/
Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
* update libldb symbols and versions
-- Michael Tokarev <email address hidden> Wed, 29 Mar 2023 17:59:17 +0300
samba (2:4.17.6+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release 4.17.6:
* https:/
streams_xattr is creating unexpected locks on folders.
* https:/
Use of the Azure AD Connect cloud sync tool is now supported for password
hash synchronisation, allowing Samba AD Domains to synchronise passwords
with this popular cloud environment.
* https:/
Spotlight doesn't work with latest macOS Ventura.
* https:/
New samba-dcerpc architecture does not scale gracefully.
* https:/
vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_
in close and fstat.
* https:/
With clustering enabled samba-bgqd can core dump due to use after free.
* https:/
fd_load() function implicitly closes the fd where it should not.
* debian/po/ro.po update from Remus-Gabriel Chelu
* s3-smbd-
makes smbd a bit less spammy in logs
* d/control: clarify some package descriptions (Closes: #1031922)
-- Michael Tokarev <email address hidden> Thu, 09 Mar 2023 12:52:14 +0300
samba (2:4.17.5+dfsg-2) unstable; urgency=medium
* d/control: samba: depends on exact version of python3-samba
* d/control: fix typo
* more tweaks for foreign/cross build
* d/control: work around autodep8 #904999 again
* introduce upstream-like aliases for debian .service names,
add rationale
-- Michael Tokarev <email address hidden> Sat, 04 Feb 2023 17:15:40 +0300
samba (2:4.17.5+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release. From WHATSNEW.txt:
* BUG 14808: smbc_getxattr() return value is incorrect.
* BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX
are not handled correctly.
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
* BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs()
fails to find DC when there is only an AAAA record for the DC in DNS
(Closes: #1023606).
* BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
* BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
* BUG 15283: vfs_virusfilter segfault on access,
directory edgecase (accessing NULL value).
* BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
based SChannel on NETLOGON (additional changes).
* BUG 15243: %U for include directive doesn't work for share listing
(
* BUG 15266: Shares missing from netshareenum response in samba 4.17.4
(the fix was in debian before).
* BUG 15269: ctdb: use-after-free in run_proc.
* BUG 15280: irpc_destructor may crash during shutdown.
* BUG 15286: auth3_generate_
* BUG 15268: smbclient segfaults with use after free on an optimized build
* BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
* BUG 15164: Leak in wbcCtxPingDc2.
* BUG 15265: Access based share enum does not work in Samba 4.16+.
* BUG 15267: Crash during share enumeration.
* BUG 15271: rep_listxattr on FreeBSD does not properly check
for reads off end of returned buffer.
* BUG 15281: Avoid relying on C89 features in a few places.
* remove patches applied upstream:
- reload-
- rpc_server_
* d/control: Standards-Version: 4.6.2 (no changes)
* d/control: put all doc-generating build-deps into one line
* little prep for cross-compilation
- build-depend on python3:any and python3-dev:any
- build-depend on libpython3-dev for actual module building,
and use arch-specific python3-config from there
### Old Ubuntu Delta ###
samba (2:4.17.
* Merge with Debian unstable (LP: #2014052). Remaining changes:
- debian/control: Ubuntu i386 binary compatibility:
+ drop ceph support
+ enable the liburing vfs module, except on i386 where liburing is
not available
+ build-depend on libglusterfs-dev only on !i386 arches
- d/t/control, d/t/util,
samba AD DC provisioning and domain join tests with internal DNS
(LP #1977746, LP #2011745)
-- Andreas Hasenack <email address hidden> Fri, 31 Mar 2023 15:26:11 -0300
Related branches
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 3381 lines (+3012/-6)5 files modifieddebian/changelog (+2493/-0)
debian/control (+6/-5)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
debian/tests/util (+111/-1)
| Changed in samba (Ubuntu): | |
| milestone: | none → ubuntu-23.06 |
| Changed in samba (Ubuntu): | |
| assignee: | nobody → Andreas Hasenack (ahasenack) |
| Changed in samba (Ubuntu): | |
| status: | New → In Progress |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in samba (Ubuntu): | |
| status: | In Progress → Fix Released |
This bug was fixed in the package samba - 2:4.18.
---------------
samba (2:4.18.
* Merge with Debian unstable (LP: #2018054). Remaining changes:
- debian/control: Ubuntu i386 binary compatibility:
+ drop ceph support
+ enable the liburing vfs module, except on i386 where liburing is
not available
+ build-depend on libglusterfs-dev only on !i386 arches
- d/t/control, d/t/util,
samba AD DC provisioning and domain join tests with internal DNS
(LP #1977746, LP #2011745)
* Added changes:
- d/t/util: reload instead of restarting samba, as it's quicker and
has the same effect we want in this test
-- Andreas Hasenack <email address hidden> Thu, 22 Jun 2023 11:59:19 -0300