Package Release Info


Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-2020-224
Available in Package Hub : 15 Subpackages Updates





Change Logs

* Tue Jan 14 2020
- CVE-2019-14902: Replication of ACLs down subtree on AD Directory
  is not automatic; (bso#12497); (bsc#1160850).
- CVE-2019-14907: server-side crash after charset conversion failure
  (eg during NTLMSSP processing); (bso#14208); (bsc#1160888).
Version: 4.7.11+git.202.6edee83fb34-4.34.1
* Mon Dec 02 2019
- CVE-2019-14861: DNSServer RPC server crash, an authenticated user
  can crash the DCE/RPC DNS management server by creating records
  matching the zone name; (bso#14138); (bsc#1158108).
- CVE-2019-14870: DelegationNotAllowed not being enforced, the
  DelegationNotAllowed Kerberos feature restriction was not being
  applied when processing protocol transition requests (S4U2Self),
  in the AD DC KDC; (bso#14187); (bsc#1158109).
* Tue Mar 13 2018
- Disable samba-pidl package, due to the removal of dependency
  perl-Parse-Yapp; (bsc#1085150);
Version: 4.7.11+git.186.d75219614c3-4.30.1
* Tue Oct 22 2019
- CVE-2019-14847: User with "get changes" permission can
  crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path
  separators; (bso#14071); (bsc#1144902);
* Fri Oct 18 2019
- CVE-2019-14833: samba: Accent with "check script password"
  Samba AD DC check password script does not receive the full
  password; (bso#12438); (bsc#1154289).
* Wed May 08 2019
- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).
* Wed Apr 17 2019
- MacOS credit accounting breaks with async SESSION SETUP;
  (bsc#1125601); (bso#13796).
- Mac OS X SMB2 implementation sees Input/output error or Resource
  temporarily unavailable and drops connection; (bso#13698)
* Sun Apr 14 2019
- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
* Mon Mar 04 2019
- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).
Version: 4.7.11+git.153.b36ceaf2235-4.27.1
* Fri Apr 05 2019
- Ensure we build against correct version of ldb; (bsc#1131686);
* Tue Apr 02 2019
- CVE-2019-3880: Save registry file outside share as unprivileged
  user; (bso#13851); (bsc#1131060).
* Fri Feb 22 2019
- Fix update-apparmor-samba-profile script after apparmor switched
  to using named profiles. The change is backwards compatible;
* Thu Feb 07 2019
- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);
Version: 4.7.11+git.140.6bd0e5b30d8-4.21.1
* Mon Nov 19 2018
- CVE-2018-14629: dns: CNAME loop prevention using counter;
  (bso#13600); (bsc#1116319);
- CVE-2018-16841: heimdal: Fix segfault on PKINIT with mis-matching principal;
  (bso#13628); (bsc#1116320);
- CVE-2018-16851: ldap_server: Check ret before manipulating blob;
  (bso#13674); (bsc#1116322);
- CVE-2018-16853: build: The Samba AD DC, when built with MIT Kerberos, is
  experimental; (bso#13678); (bsc#1116324);
* Tue Nov 13 2018
- Update to 4.7.11;
  + s3: util: Do not take over stderr when there is no log file;
    (bso#13578); (bsc#1101499);
  + s3: smbd: Ensure get_real_filename() copes with empty pathnames;
  + s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test; (bso#13633);
  + Durable Reconnect fails because cookie.allow_reconnect is not set
    redundant for SMB2; (bso#13549);
  + krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
  + Fix possible memory leak in the Samba process; (bso#13362);
  + vfs_fruit: Don't unlink the main file; (bso#13441);
  + smbd: Fix a memleak in async search ask sharemode; (bso#13602);
  + Fix Samba GPO issue when Trust is enabled; (bso#11517);
  + samba-tool: Add virtualKerberosSalt attribute to 'user
    getpassword/syncpasswords'; (bso#13539);
  + smb2_server: Set req->do_encryption = true earlier; (bso#13624);
  + s3:winbind: Fix regression: winbind normalize names doesn't work for
    users; (bso#12851);
* Mon Aug 20 2018
- Fix ctdb_mutex_ceph_rados_helper deadlock; (bso#13540); (bsc#1102230);
- Fix vfs_ceph flock stub; (bso#13506);
- Fix ntlm authentications with "winbind use default domain = yes";
  (bso#13126); (bsc#1068059);
- Allow idmap_rid to have primary group other than "Domain Users";
Version: 4.7.10+git.124.8d97fe90926-4.18.3
* Thu Oct 11 2018
- Update to 4.7.10; (bsc#1111528);
  + support the new v4 Performance Co-Pilot API; (bsc#1111374)
  + quotas don't work with SMB2; (bso#13553);
  + Build failure when quota support not detected; (bso#13563);
  + vfs_fruit can leave lock records when testing for netatalk share
    mode locks - causing panic; (bso#13584);
  + vfs_time_audit is failing FSCTL_SRV_REQUEST_RESUME_KEY requests;
  + g_lock conflict detection broken when processing stale entries;
  + deadlock with ctdb_mutex_ceph_rados_helper; (bso#13540);
  + NTLM authentications using default domain/workgroup stopped
    working; (bso#13126); (bsc#1068059);
  + vfs_ceph lies about flock support; (bso#13506);
  + Using sendfile = yes with SMB2 can cause CPU spin; (bso#13537);
  + Durable Handle reconnect fails in
    smbd_smb2_create_durable_lease_check(); (bso#13535);
  + cli_splice() fallback code reads wrong amount on termination
    case; (bso#13527);
  + LDB 1.4.0 breaks Samba < 4.9; (bso#13519);
  + samba-tool trust: support discovery via netr_GetDcName;
  + samba-tool domain trust: fix trust compatibility to Windows Server
    1709 and FreeIPA; (bso#13308);
  + conn->vuid is invalid after a SMB session reauth; (bso#13351);
  + Durable Handles reconnect fails in a cluster when the cluster fs
    uses different device ids; (bso#13318);
  + cli_splice() doesn't correctly return written bytes as it's
    uninitialized in libsmbclient code; (bso#13511);
  + Threading support in talloc_tos() crashes when enabled;
  + Incorrect talloc_stackframe handling in python ACL test code
    (make_simple_acl); (bso#13474);
  + Fail renaming file if that file has open streams; (bso#13451);
  + vfs_fruit: delete 0 byte size streams if AAPL is enabled;
  + Creating missing remote databases during recovery can fail;
  + CTDB_BROADCAST_VNNMAP should not be used; (bso#13499);
  + Fix building Samba with gcc 8.1; (bso#13437);
  + Uncaught exception at ldb_modules/password_hash.c:2241 during new
    domain provision; (bso#11573);
  + "net ads keytab add nfs" writes only one enctype with older
    kerberos libraries; (bso#13478);
  + VFS modules that implement pread/pwrite must also implement
    pread_send/pwrite_send; (bso#13425);
  + vfs_ceph is missing async fsync implementations; (bso#13412);
  + net ads keytab list fails with (smb_krb5_kt_open failed (Key table
    name malformed); (bso#13166);
  + s390 and s390 needs to run with 'use mmap = no' by default;
* Tue Aug 07 2018
- Disable NTLMv1 auth if smb.conf doesn't allow it; (bsc#1095048);
  (bso#13360); (CVE-2018-1139);
- ldbsearch '(distinguishedName=abc)' and DNS query with escapes
  crashes; (bsc#1095056); (bso#13374); (CVE-2018-1140);
- Confidential attribute disclosure via substring search;
  (bsc#1095057); (bso#13434); (CVE-2018-10919);
- smbc_urlencode helper function is subject to a buffer overflow;
  (bsc#1103411); (bso#13453); (CVE-2018-10858);
- Fix NULL ptr dereference in DsCrackNames on a user without a SPN;
  (bsc#1103414); (bso#13552); (CVE-2018-10918);
* Fri Jun 29 2018
- Update to 4.7.8; (bsc#1099702);
  + s3: smbd: Generic fix for incorrect reporting of stream dos attributes
    on a directory; (bso#13380);
  + ceph: VFS: Add asynchronous fsync to ceph module, fake using synchronous
    call; (bso#13412);
  + s3: libsmbclient: Fix hard-coded connection error return of ETIMEDOUT;
  + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
  + s3: smbd: printing: Re-implement delete-on-close semantics for print
    files missing since 3.5.x; (bso#13457);
  + python: Fix talloc frame use in make_simple_acl(); (bso#13474);
  + winbindd on the AD DC is slow for passdb queries; (bso#13430);
  + No Backtrace given by Samba's AD DC by default; (bso#13454);
  + winbindd doesn't recover loss of netlogon secure channel in case the peer
    DC is rebooted; (bso#13332);
  + s3:smbd: Fix interaction between chown and SD flags; (bso#13432);
  + s4-heimdal: Fix the format-truncation errors; (bso#13437);
  + vfs_ceph: Add fake async pwrite/pread send/recv hooks; (bso#13425);
  + printing: Return the same error code as Windows does on upload failures;
  + winbind: Improve child selection; (bso#13290);
  + winbind: Maintain a binding handle per domain and always go via
    wb_domain_request_send(); (bso#13292);
  + Looking up the user using the UPN results in user name with the REALM
    instead of the DOMAIN; (bso#13369);
  + rpc_server: Init local_server_* in make_internal_rpc_pipe_socketpair;
  + smbclient: Fix broken notify; (bso#13382);
  + libads: Fix the build --without-ads; (bso#13273);
  + winbindd: Don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids;
  + winbindd: initialize type = SID_NAME_UNKNOWN in
    wb_lookupsids_single_done(); (bso#13280);
  + s4:rpc_server: Fix call_id truncation in dcesrv_find_fragmented_call();
  + A disconnecting winbind client can cause a problem in the winbind parent
    child communication; (bso#13290);
  + winbind: Use one queue for all domain children;
  + Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state;
  + winbind should avoid using fstrcpy(domain->dcname,...) on a char *;
    (bso#13294); (bsc#1087303);
  + The winbind parent should find the dc of a foreign domain via the primary
    domain; (bso#13295);
  + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged
    pipe is not accessible; (bso#13400);
  + Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP
    NTLM2 packet check failed due to invalid signature!); (bso#13427);
  + s3: VFS: Fix memory leak in vfs_ceph; (bso#13424);
  + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407);
  + dfree cache returning incorrect data for sub directory mounts;
  + s3:passdb: Do not return OK if we don't have pinfo set up;
  + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
  + s4:auth_sam: Allow logons with an empty domain name; (bso#13206);
  + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error,
    we don't own it here; (bso#13244);
  + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
    support fdopendir(); (bso#13270);
  + Round-tripping ACL get/set through vfs_fruit will increase the number
    of ACE entries without limit; (bso#13319);
  + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit
    issues; (bso#13347);
  + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without
    delete access; (bso#13358);
  + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
  + s3: smbd: Unix extensions attempts to change wrong field in fchown call;
  + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
  + build: Fix libceph-common detection; (bso#13277);
  + build: Fix ceph_statx check when configured with libcephfs_dir;
  + vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
  + ctdb-scripts: Drop 'net serverid wipe' from 50.samba event script;
  + s3: lib: messages: Don't use the result of sec_init() before calling
    sec_init(); (bso#13368);
  + smbd can panic if the client-supplied channel sequence number wraps;
  + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
  + s3:libsmb: Allow -U"\\administrator" to work; (bso#13206);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + smbc_opendir should not return EEXIST with invalid login credentials;
  + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
  + libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310);
  + subnet: Avoid a segfault when renaming subnet objects; (bso#13031);
  + 'wbinfo --name-to-sid' returns misleading result on invalid query;
  + s3:smbd: Do not crash if we fail to init the session table; (bso#13315);
  + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);
* Fri Jun 01 2018
- Bump vendor-files
- Use new foreground execution flags for systemd samba daemons;
  (bsc#1088574); (bsc#1071090); (bsc#1065551); (bsc#1094881);
* Mon May 28 2018
- Add missing package descriptions; (bsc#1093864);
* Tue Mar 13 2018
- Disable samba-pidl package, due to the removal of dependency
  perl-Parse-Yapp; (bsc#1085150);
* Tue Mar 13 2018
- Update to 4.7.6;
  + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally;
    (bso#11343); (bsc#1081741);
  + CVE-2018-1057: Authenticated users can change other users' password;
    (bso#13272); (bsc#1081024).
* Mon Feb 26 2018
- Disable python until full python3 port is done; (bsc#1082139);
  + Remove contents of package samba-python
  + Remove contents of package libsamba-policy0
  + Remove contents of package libsamba-policy-devel
  + Remove library from samba-libs package
  + Remove library from samba-libs package
  + Remove smbtorture binary and manpage from samba-test
* Fri Feb 23 2018
- samba fails to build with glibc2.27; (bsc#1081042);
* Mon Feb 12 2018
- Update to 4.7.5; (bsc#1080545);
  + smbd tries to release not leased oplock during oplock II downgrade;
  + Fix copying file with empty FinderInfo from Windows client to Samba share
    with fruit; (bso#13181);
  + build: Deal with recent glibc sunrpc header removal; (bso#10976);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue;
  + ctdb-recovery-helper: Deregister message handler in error paths;
  + samba: Only use async signal-safe functions in signal handler; (bso#13240);
  + repl_meta_data: Fix linked attribute corruption on databases
    with unsorted links on expunge. dbcheck: Add functionality to fix the
    corrupt database; (bso#13228);
  + Fix smbd panic when chdir returns error during exit; (bso#13189);
  + Fix POSIX ACL support on HPUX and possibly other big-endian OSs;
* Fri Feb 09 2018
- Update to 4.7.4; (bsc#1080545);
  + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
  + s3: libsmb: Fix valgrind read-after-free error in
    cli_smb2_close_fnum_recv(); (bso#13171);
  + s3: libsmb: Fix reversing of oldname/newname paths when creating a
    reparse point symlink on Windows from smbclient; (bso#13172);
  + Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
  + repl_meta_data: Allow delete of an object with dangling backlinks;
  + s4:samba: Fix default to be running samba as a daemon; (bso#13129);
  + Performance regression in DNS server with introduction of DNS wildcard,
    ldb: Release 1.2.3; (bso#13191);
  + vfs_zfsacl: Fix compilation error; (bso#6133);
  + "smb encrypt" setting changes are not fully applied until full smbd
    restart; (bso#13051);
  + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
  + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
  + winbindd: Dependency on trusted-domain list in winbindd in critical auth
    codepath; (bso#13173);
  + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
  + ctdb: sock_daemon leaks memory; (bso#13153);
  + TCP tickles not getting synchronised on CTDB restart; (bso#13154);
  + winbindd: winbind parent and child share a ctdb connection; (bso#13150);
  + pthreadpool: Fix deadlock; (bso#13170);
  + pthreadpool: Fix starvation after fork; (bso#13179);
  + messaging: Always register the unique id; (bso#13180);
  + s4/smbd: set the process group; (bso#13129);
  + Fix broken linked attribute handling; (bso#13095);
  + The KDC on an RWDC doesn't send error replies in some situations;
  + libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
  + g_lock conflict detection broken when processing stale entries;
  + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired
    sessions; (bso#13197);
  + s3:libads: net ads keytab list fails with "Key table name malformed";
    (bso#13166); (bsc#1067700);
  + Fix crash in pthreadpool thread after failure from pthread_create;
  + s4:samba: Allow samba daemon to run in foreground; (bso#13129);
  + third_party: Link the aesni-intel library with "-z noexecstack";
  + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I"
    options; (bso#13125);
* Wed Dec 06 2017
- Re-enable usage of libnsl (got lost with the glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from
* Wed Nov 29 2017
- smbc_opendir should not return EEXIST with invalid login credentials;
* Tue Nov 28 2017
- Update to 4.7.3; (bsc#1069666);
  + Non-smbd processes using kernel oplocks can hang smbd;
  + python: use communicate to fix Popen deadlock; (bso#13127);
  + smbd on disk file corruption bug under heavy threaded load;
  + tevent: version 0.9.34; (bso#13130);
  + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
  + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug;
  + CVE-2017-15275: s3: smbd: Chain code can return uninitialized
    memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.
* Mon Nov 27 2017
- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)
* Wed Nov 15 2017
- samba-tool requires samba-python; (bnc#1067771).
* Tue Nov 07 2017
- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
  + Fix exporting subdirs with shadow_copy2; (bso#13091);
  + Currently if getwd() fails after a chdir(), we panic; (bso#13027);
  + Ensure default SMB_VFS_GETWD() call can't return a partially completed
    struct smb_filename; (bso#13068);
  + sys_getwd() can leak memory or possibly return the wrong errno on older
    systems; (bso#13069);
  + smbclient doesn't correctly canonicalize all local names before use;
  + Fix broken linked attribute handling; (bso#13095);
  + Missing LDAP query escapes in DNS rpc server; (bso#12994);
  + Link to -lbsd when building replace.c by hand; (bso#13087);
  + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem;
  + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module;
  + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module;
  + Missing assignment in sl_pack_float; (bso#12991);
  + Wrong Samba access checks when changing DOS attributes; (bso#12995);
  + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
  + groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
  + Enabling vfs_fruit results in loss of Finder tags and other xattrs;
  + man pages: Properly indent lists; (bso#9613);
  + smb.conf.5: Sort parameters alphabetically; (bso#13081);
  + Fix GUID string format on GetPrinter info; (bso#12993);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + CTDB starts consuming memory if there are dead nodes in the cluster;
  + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
  + libgpo doesn't sort the GPOs in the correct order; (bso#13046);
  + vfs_catia: Fix a potential memleak; (bso#13090);
  + Fix file change notification for renames; (bso#12903);
  + Samba DNS server does not honour wildcards; (bso#12952);
  + Can't change password in samba from a Windows client if Samba runs on
    IPv6 only interface; (bso#13079);
  + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
  + Apple client can't cope with SMB2 async replies when creating symlinks;
  + s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
  + Fix ntstatus_gen.h generation on 32bit; (bso#13099);
  + Fix a double free in vfs_gluster_getwd(); (bso#13100);
  + Fix resource leaks and pointer issues; (bso#13101);
  + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
* Mon Oct 23 2017
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the
  package won't be generated simply based on the fact that there is
  no files section for the package. Allows the source validator to
  ensure samba-kdc is a built package.
* Thu Sep 28 2017
- Update to 4.7.0;
  + Whole DB read locks: Improved LDAP and replication consistency;
  + Samba AD with MIT Kerberos
  + Dynamic RPC port range: Default range changed from "1024-1300" to
  + Authentication and Authorization audit support: New auth_audit debug
  + Multi-process LDAP Server: The LDAP server in the AD DC now honours
    the process model used for the rest of the 'samba' process.
  + Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
  + Additional password hashes stored in supplementalCredentials.
  + Improvements to DNS during Active Directory domain join.
  + Significant AD performance and replication improvements.
  + Query record for open file or directory.
  + Removal of lpcfg_register_defaults_hook().
  + Change of loadable module interface.
  + SHA256 LDAPS Certificates: The self-signed certificate generated for use
    on LDAPS will now be generated with a SHA256 self-signature, not a SHA1
  + CTDB no longer allows mixed minor versions in a cluster.
  + CTDB now ignores hints from Samba about TDB flags when attaching to
  + New configuration variable CTDB_NFS_CHECKS_DIR.
  + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
  + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
  + The example NFS Ganesha call-out has been improved.
  + A new "replicated" database type is available.
* Thu Sep 14 2017
- CVE-2017-12163: Prevent client short SMB1 write from
  writing server memory to file; (bso#13020); (bsc#1058624).