* Tue Oct 22 2019 nopower@suse.com
- CVE-2019-14847: User with "get changes" permission can
crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path
separators; (bso#14071); (bsc#1144902);
* Fri Oct 18 2019 nopower@suse.com
- CVE-2019-14833: samba: Accent with "check script password"
Samba AD DC check password script does not receive the full
password; (bso#12438); (bsc#1154289).
* Wed May 08 2019 ddiss@suse.com
- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).
* Wed Apr 17 2019 nopower@suse.com
- MacOS credit accounting breaks with async SESSION SETUP;
(bsc#1125601); (bso#13796).
- Mac OS X SMB2 implementation sees Input/output error or Resource
temporarily unavailable and drops connection; (bso#13698)
* Sun Apr 14 2019 ddiss@suse.com
- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
* Mon Mar 04 2019 ddiss@suse.com
- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).
Version: 4.7.11+git.153.b36ceaf2235-4.27.1
* Fri Apr 05 2019 nopower@suse.com
- Ensure we build against correct version of ldb; (bsc#1131686);
(bsc#1125410).
* Tue Apr 02 2019 nopower@suse.com
- CVE-2019-3880: Save registry file outside share as unprivileged
user; (bso#13851); (bsc#1131060).
* Fri Feb 22 2019 scabrero@suse.de
- Fix update-apparmor-samba-profile script after apparmor switched
to using named profiles. The change is backwards compatible;
(bsc#1126377);
* Thu Feb 07 2019 ddiss@suse.com
- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);
Version: 4.7.11+git.140.6bd0e5b30d8-4.21.1
* Mon Nov 19 2018 scabrero@suse.de
- CVE-2018-14629: dns: CNAME loop prevention using counter;
(bso#13600); (bsc#1116319);
- CVE-2018-16841: heimdal: Fix segfault on PKINIT with mis-matching principal;
(bso#13628); (bsc#1116320);
- CVE-2018-16851: ldap_server: Check ret before manipulating blob;
(bso#13674); (bsc#1116322);
- CVE-2018-16853: build: The Samba AD DC, when built with MIT Kerberos, is
experimental; (bso#13678); (bsc#1116324);
* Tue Nov 13 2018 scabrero@suse.de
- Update to 4.7.11;
+ s3: util: Do not take over stderr when there is no log file;
(bso#13578); (bsc#1101499);
+ s3: smbd: Ensure get_real_filename() copes with empty pathnames;
(bso#13585);
+ s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test; (bso#13633);
+ Durable Reconnect fails because cookie.allow_reconnect is not set
redundant for SMB2; (bso#13549);
+ krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
+ Fix possible memory leak in the Samba process; (bso#13362);
+ vfs_fruit: Don't unlink the main file; (bso#13441);
+ smbd: Fix a memleak in async search ask sharemode; (bso#13602);
+ Fix Samba GPO issue when Trust is enabled; (bso#11517);
+ samba-tool: Add virtualKerberosSalt attribute to 'user
getpassword/syncpasswords'; (bso#13539);
+ smb2_server: Set req->do_encryption = true earlier; (bso#13624);
+ s3:winbind: Fix regression: winbind normalize names doesn't work for
users; (bso#12851);
* Mon Aug 20 2018 ddiss@suse.com
- Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230);
- Fix vfs_ceph flock stub; (bso#13506);
- Fix ntlm authentications with "winbind use default domain = yes";
(bso#13126); (bsc#1068059);
- Allow idmap_rid to have primary group other than "Domain Users";
(bsc#1087931).
Version: 4.7.10+git.124.8d97fe90926-4.18.3
* Thu Oct 11 2018 aaptel@suse.com
- Update to 4.7.10; (bsc#1111528);
+ support the new v4 Performance Co-Pilot API; (bsc#1111374)
+ quotas don't work with SMB2; (bso#13553);
+ Build failure when quota support not detected; (bso#13563);
+ vfs_fruit can leave lock records when testing for netatalk share
mode locks - causing panic; (bso#13584);
+ vfs_time_audit is failing FSCTL_SRV_REQUEST_RESUME_KEY requests;
(bso#13568);
+ g_lock conflict detection broken when processing stale entries;
(bso#13195);
+ deadlock with ctdb_mutex_ceph_rados_helper; (bso#13540);
+ NTLM authentications using default domain/workgroup stopped
working; (bso#13126); (bsc#1068059);
+ vfs_ceph lies about flock support; (bso#13506);
+ Using sendfile = yes with SMB2 can cause CPU spin; (bso#13537);
+ Durable Handle reconnect fails in
smbd_smb2_create_durable_lease_check(); (bso#13535);
+ cli_splice() fallback code reads wrong amount on termination
case; (bso#13527);
+ LDB 1.4.0 breaks Samba < 4.9; (bso#13519);
+ samba-tool trust: support discovery via netr_GetDcName;
(bso#13538);
+ samba-tool domain trust: fix trust compatibility to Windows Server
1709 and FreeIPA; (bso#13308);
+ conn->vuid is invalid after a SMB session reauth; (bso#13351);
+ Durable Handles reconnect fails in a cluster when the cluster fs
uses different device ids; (bso#13318);
+ cli_splice() doesn't correctly return written bytes as it's
uninitialized in libsmbclient code; (bso#13511);
+ Threading support in talloc_tos() crashes when enabled;
(bso#13505);
+ Incorrect talloc_stackframe handling in python ACL test code
(make_simple_acl); (bso#13474);
+ Fail renaming file if that file has open streams; (bso#13451);
+ vfs_fruit: delete 0 byte size streams if AAPL is enabled;
(bso#13441);
+ Creating missing remote databases during recovery can fail;
(bso#13500);
+ CTDB_BROADCAST_VNNMAP should not be used; (bso#13499);
+ Fix building Samba with gcc 8.1; (bso#13437);
+ Uncaught exception at ldb_modules/password_hash.c:2241 during new
domain provision; (bso#11573);
+ "net ads keytab add nfs" writes only one enctype with older
kerberos libraries; (bso#13478);
+ VFS modules that implement pread/pwrite must also implement
pread_send/pwrite_send; (bso#13425);
+ vfs_ceph is missing async fsync implementations; (bso#13412);
+ net ads keytab list fails with (smb_krb5_kt_open failed (Key table
name malformed); (bso#13166);
+ s390 and s390 needs to run with 'use mmap = no' by default;
(bso#10765);
* Tue Aug 07 2018 aaptel@suse.com
- Disable NTLMv1 auth if smb.conf doesn't allow it; (bsc#1095048);
(bso#13360); (CVE-2018-1139);
- ldbsearch '(distinguishedName=abc)' and DNS query with escapes
crashes; (bsc#1095056); (bso#13374); (CVE-2018-1140);
- Confidential attribute disclosure via substring search;
(bsc#1095057); (bso#13434); (CVE-2018-10919);
- smbc_urlencode helper function is a subject to buffer overflow;
(bsc#1103411); (bso#13453); (CVE-2018-10858);
- Fix NULL ptr dereference in DsCrackNames on a user without a SPN;
(bsc#1103414); (bso#13552); (CVE-2018-10918);
* Fri Jun 29 2018 scabrero@suse.de
- Update to 4.7.8; (bsc#1099702);
+ s3: smbd: Generic fix for incorrect reporting of stream dos attributes
on a directory; (bso#13380);
+ ceph: VFS: Add asynchronous fsync to ceph module, fake using synchronous
call; (bso#13412);
+ s3: libsmbclient: Fix hard-coded connection error return of ETIMEDOUT;
(bso#13419);
+ s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
+ s3: smbd: printing: Re-implement delete-on-close semantics for print
files missing since 3.5.x; (bso#13457);
+ python: Fix talloc frame use in make_simple_acl(); (bso#13474);
+ winbindd on the AD DC is slow for passdb queries; (bso#13430);
+ No Backtrace given by Samba's AD DC by default; (bso#13454);
+ winbindd doesn't recover loss of netlogon secure channel in case the peer
DC is rebooted; (bso#13332);
+ s3:smbd: Fix interaction between chown and SD flags; (bso#13432);
+ s4-heimdal: Fix the format-truncation errors; (bso#13437);
+ vfs_ceph: Add fake async pwrite/pread send/recv hooks; (bso#13425);
+ printing: Return the same error code as Windows does on upload failures;
(bso#13395);
+ winbind: Improve child selection; (bso#13290);
+ winbind: Maintain a binding handle per domain and always go via
wb_domain_request_send(); (bso#13292);
+ winbindd doesn't recover loss of netlogon secure channel in case the peer
DC is rebooted; (bso#13332);
+ Looking up the user using the UPN results in user name with the REALM
instead of the DOMAIN; (bso#13369);
+ rpc_server: Init local_server_* in make_internal_rpc_pipe_socketpair;
(bso#13370);
+ smbclient: Fix broken notify; (bso#13382);
+ libads: Fix the build --without-ads; (bso#13273);
+ winbindd: Don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids;
(bso#13279);
+ winbindd: initialize type = SID_NAME_UNKNOWN in
wb_lookupsids_single_done(); (bso#13280);
+ s4:rpc_server: Fix call_id truncation in dcesrv_find_fragmented_call();
(bso#13289);
+ A disconnecting winbind client can cause a problem in the winbind parent
child communication; (bso#13290);
+ winbind: Use one queue for all domain children;
(bso#13292);
+ Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state;
(bso#13293);
+ winbind should avoid using fstrcpy(domain->dcname,...) on a char *;
(bso#13294); (bsc#1087303);
+ The winbind parent should find the dc of a foreign domain via the primary
domain; (bso#13295);
+ nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged
pipe is not accessible; (bso#13400);
+ Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP
NTLM2 packet check failed due to invalid signature!); (bso#13427);
+ s3: VFS: Fix memory leak in vfs_ceph; (bso#13424);
+ rpc_server: Fix NetSessEnum with stale sessions; (bso#13407);
+ dfree cache returning incorrect data for sub directory mounts;
(bso#13446);
+ Looking up the user using the UPN results in user name with the REALM
instead of the DOMAIN; (bso#13369);
+ s3:passdb: Do not return OK if we don't have pinfo set up;
(bso#13376);
+ s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
+ s4:auth_sam: Allow logons with an empty domain name; (bso#13206);
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error,
we don't own it here; (bso#13244);
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270);
+ Round-tripping ACL get/set through vfs_fruit will increase the number
of ACE entries without limit; (bso#13319);
+ s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit
issues; (bso#13347);
+ s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without
delete access; (bso#13358);
+ s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
+ s3: smbd: Unix extensions attempts to change wrong field in fchown call;
(bso#13375);
+ s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
+ build: Fix libceph-common detection; (bso#13277);
+ build: Fix ceph_statx check when configured with libcephfs_dir;
(bso#13250);
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
(bso#13297);
+ ctdb-scripts: Drop 'net serverid wipe' from 50.samba event script;
(bso#13359);
+ s3: lib: messages: Don't use the result of sec_init() before calling
sec_init(); (bso#13368);
+ smbd can panic if the client-supplied channel sequence number wraps;
(bso#13215);
+ dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
+ s3:libsmb: Allow -U"\\administrator" to work; (bso#13206);
+ Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
+ smbc_opendir should not return EEXIST with invalid login credentials;
(bso#13050);
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310);
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031);
+ 'wbinfo --name-to-sid' returns misleading result on invalid query;
(bso#13312);
+ s3:smbd: Do not crash if we fail to init the session table; (bso#13315);
+ Allow AESNI to be used on all processor supporting AESNI; (bso#13302);
* Fri Jun 01 2018 palcantara@suse.com
- Bump vendor-files
- Use new foreground execution flags for systemd samba daemons;
(bsc#1088574); (bsc#1071090); (bsc#1065551); (bsc#1094881);
* Mon May 28 2018 scabrero@suse.de
- Add missing package descriptions; (bsc#1093864);
* Wed Nov 15 2017 dmulder@suse.com
- samba-tool requires samba-python; (bnc#1067771).
* Tue Nov 07 2017 scabrero@suse.com
- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
+ Fix exporting subdirs with shadow_copy2; (bso#13091);
+ Currently if getwd() fails after a chdir(), we panic; (bso#13027);
+ Ensure default SMB_VFS_GETWD() call can't return a partially completed
struct smb_filename; (bso#13068);
+ sys_getwd() can leak memory or possibly return the wrong errno on older
systems; (bso#13069);
+ smbclient doesn't correctly canonicalize all local names before use;
(bso#13093);
+ Fix broken linked attribute handling; (bso#13095);
+ Missing LDAP query escapes in DNS rpc server; (bso#12994);
+ Link to -lbsd when building replace.c by hand; (bso#13087);
+ Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
(bso#6133);
+ Map SYNCHRONIZE acl permission statically in zfs_acl vfs module;
(bso#7909);
+ Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module;
(bso#7933);
+ Missing assignment in sl_pack_float; (bso#12991);
+ Wrong Samba access checks when changing DOS attributes; (bso#12995);
+ samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
+ groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
+ Enabling vfs_fruit results in loss of Finder tags and other xattrs;
(bso#13076);
+ man pages: Properly indent lists; (bso#9613);
+ smb.conf.5: Sort parameters alphabetically; (bso#13081);
+ Fix GUID string format on GetPrinter info; (bso#12993);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ CTDB starts consuming memory if there are dead nodes in the cluster;
(bso#13056);
+ ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
+ libgpo doesn't sort the GPOs in the correct order; (bso#13046);
+ Remote serverid check doesn't check for the unique id; (bso#13042);
+ vfs_catia: Fix a potential memleak; (bso#13090);
+ Fix file change notification for renames; (bso#12903);
+ Samba DNS server does not honour wildcards; (bso#12952);
+ Can't change password in samba from a Windows client if Samba runs on
IPv6 only interface; (bso#13079);
+ vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
+ Apple client can't cope with SMB2 async replies when creating symlinks;
(bso#13047);
+ s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
+ Fix ntstatus_gen.h generation on 32bit; (bso#13099);
+ Fix a double free in vfs_gluster_getwd(); (bso#13100);
+ Fix resource leaks and pointer issues; (bso#13101);
+ vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
* Mon Oct 23 2017 dimstar@opensuse.org
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the
package won't be generated simply based on the fact that there is
no files section for the package. Allows the source validator to
ensure samba-kdc is a built package.
* Thu Sep 28 2017 scabrero@suse.com
- Update to 4.7.0;
+ Whole DB read locks: Improved LDAP and replication consistency;
(bso#12858).
+ Samba AD with MIT Kerberos
+ Dynamic RPC port range: Default range changed from "1024-1300" to
"49152-65535".
+ Authentication and Authorization audit support: New auth_audit debug
class.
+ Multi-process LDAP Server: The LDAP server in the AD DC now honours
the process model used for the rest of the 'samba' process.
+ Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
+ Additional password hashes stored in supplementalCredentials.
+ Improvements to DNS during Active Directory domain join.
+ Significant AD performance and replication improvements.
+ Query record for open file or directory.
+ Removal of lpcfg_register_defaults_hook().
+ Change of loadable module interface.
+ SHA256 LDAPS Certificates: The self-signed certificate generated for use
on LDAPS will now be generated with a SHA256 self-signature, not a SHA1
self-signature.
+ CTDB no longer allows mixed minor versions in a cluster.
+ CTDB now ignores hints from Samba about TDB flags when attaching to
databases.
+ New configuration variable CTDB_NFS_CHECKS_DIR.
+ The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
+ The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
+ The example NFS Ganesha call-out has been improved.
+ A new "replicated" database type is available.
* Thu Sep 14 2017 aaptel@suse.com
- CVE-2017-12163: Prevent client short SMB1 write from
writing server memory to file; (bso#13020); (bsc#1058624).