[SECURITY] samba-4.8.11

[SECURITY] samba-4.8.11

Jeremie Courreges-Anglas-2

Hi,

samba-4.8.11 has just been released:

  https://www.samba.org/samba/history/samba-4.8.11.html

samba might be crippled right now, I'd prefer to put this in right now
for 6.5 (and backport the update to 6.4).

ok?


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.269
diff -u -p -r1.269 Makefile
--- Makefile 10 Mar 2019 18:08:05 -0000 1.269
+++ Makefile 8 Apr 2019 08:55:22 -0000
@@ -1,6 +1,6 @@
 # $OpenBSD: Makefile,v 1.269 2019/03/10 18:08:05 jca Exp $
 
-VERSION = 4.8.9
+VERSION = 4.8.11
 DISTNAME = samba-${VERSION}
 
 COMMENT-main = SMB and CIFS client and server for UNIX
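Review bot: The VERSION bump at the top of the Makefile goes from 4.8.9 straight to 4.8.11, and neither the mail nor the diff names the security issue being fixed. Put the CVE or advisory reference from the linked release notes in the commit message so the 6.4 backport can be traced to it.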
@@ -17,11 +17,10 @@ PKGNAME-docs = samba-docs-${VERSION}
 
 PKG_ARCH-docs = *
 
-LDB_V = 1.3.6
+LDB_V = 1.3.8
 TEVENT_V = 0.9.36
 
-REVISION-ldb = 6
-REVISION-tevent = 5
+REVISION-tevent = 6
 
 SHARED_LIBS = asn1-samba4 0.0 \
  com_err-samba4 0.0 \
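Review bot: Dropping REVISION-ldb is only safe if the ldb subpackage version is derived from LDB_V, which this hunk does not show; with LDB_V going from 1.3.6 to 1.3.8 the package version then still increases. REVISION-tevent goes from 5 to 6 while TEVENT_V stays at 0.9.36, which looks right for a subpackage rebuilt from the new tarball, but say so in the commit message so the bump is not mistaken for a leftover.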
@@ -48,12 +47,12 @@ SHARED_LIBS = asn1-samba4 0.0 \
  samba-credentials 0.2 \
  samba-errors 1.0 \
  samba-hostconfig 4.0 \
- samba-passdb 2.0 \
+ samba-passdb 2.1 \
  samba-policy 0.0 \
  samba-util 3.2 \
  samdb 0.1 \
  smbclient 4.2 \
- smbconf 5.0 \
+ smbconf 5.1 \
  smbldap 0.1 \
  tevent 0.4 \
  tevent-util 1.0 \
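Review bot: The samba-passdb and smbconf bumps in SHARED_LIBS are minor only (2.0 to 2.1, 5.0 to 5.1), which asserts that symbols were added and none were removed or changed. Include the check_sym output for these two libraries with the submission so the minor-versus-major call can be checked, and confirm that the libraries left untouched in this list have unchanged exports.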
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
retrieving revision 1.74
diff -u -p -r1.74 distinfo
--- distinfo 10 Mar 2019 18:08:05 -0000 1.74
+++ distinfo 8 Apr 2019 08:55:22 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.8.9.tar.gz) = rSrPa+1DbBJTFKBU8FiTCOtmSsPZbPsC0F5lSkTgnIA=
-SIZE (samba-4.8.9.tar.gz) = 17750151
+SHA256 (samba-4.8.11.tar.gz) = 0pSo10VdfSUte6/JxHSFXqbg6+VZw7q80wOlwk5YcQo=
+SIZE (samba-4.8.11.tar.gz) = 17761896
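Review bot: The new SHA256 and SIZE lines for samba-4.8.11.tar.gz are the only integrity anchor the port has for the distfile, and the mail does not say how the tarball was verified. Check the download against upstream's published signature before regenerating distinfo, and have a second person confirm the same hash from an independent fetch.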
Index: patches/patch-source3_wscript
===================================================================
RCS file: /cvs/ports/net/samba/patches/patch-source3_wscript,v
retrieving revision 1.7
diff -u -p -r1.7 patch-source3_wscript
--- patches/patch-source3_wscript 11 Jun 2018 11:59:51 -0000 1.7
+++ patches/patch-source3_wscript 8 Apr 2019 08:55:22 -0000
@@ -15,7 +15,7 @@ Index: source3/wscript
          conf.ADD_LDFLAGS("-Wl,--export-dynamic", testflags=True)
 
      # We crash without vfs_default
-@@ -1531,6 +1531,7 @@ main() {
+@@ -1534,6 +1534,7 @@ main() {
 
      conf.CHECK_CODE('void seekdir(DIR *d, long loc) { return; }',
                      'SEEKDIR_RETURNS_VOID',
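Review bot: Confirm that the SEEKDIR_RETURNS_VOID part of this local patch still applies to the 4.8.11 source3/wscript without fuzz. The only change visible here is the embedded hunk header moving from 1531 to 1534, so this should be a pure offset regeneration; if any context lines had to change as well, they belong in this diff.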


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: [SECURITY] samba-4.8.11

Stuart Henderson-6
On 2019/04/08 10:57, Jeremie Courreges-Anglas wrote:

>
> Hi,
>
> samba-4.8.11 has just been released:
>
>   https://www.samba.org/samba/history/samba-4.8.11.html
>
> samba might be crippled right now, I'd prefer to put this in right now
> for 6.5 (and backport the update to 6.4).
>
> ok?

I think we want this for release if possible.

I tried a "COMPILER=ports-gcc" build on amd64 but that didn't work, have
you had chance to test on !clang?



Re: [SECURITY] samba-4.8.11

Christian Weisgerber
Stuart Henderson:

> >   https://www.samba.org/samba/history/samba-4.8.11.html
>
> I think we want this for release if possible.

I agree.

> have you had chance to test on !clang?

This must be confirmed.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: [SECURITY] samba-4.8.11

Ian Mcwilliam-6
In reply to this post by Stuart Henderson-6
Did you build with ports-gcc and fail the same way or did it not build at all?

I was going to do some tests along this line but haven't had time.


-    if sys.platform != 'openbsd5':
+    if not sys.platform.startswith('openbsd'):
         conf.ADD_LDFLAGS("-Wl,--export-dynamic", testflags=True)
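Review bot: The startswith('openbsd') test in this fragment disables -Wl,--export-dynamic on every OpenBSD release, where the old comparison against 'openbsd5' matched a single sys.platform value. That makes the local patch survive release bumps, but it also hides the flag unconditionally, so whether it should be skipped at all needs the runtime comparison proposed in this message (build with and without the change, then exercise module loading) before the condition is kept as is.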

Maybe we do actually want to export-dynamic here.

Once I finish building and test the file server of 4.8.11, I'll remove the above and see
if there is any difference in behaviour.


Ian McWilliam

________________________________
From: [hidden email] <[hidden email]> on behalf of Stuart Henderson <[hidden email]>
Sent: Monday, 8 April 2019 10:49 PM
To: ports; Ian McWilliam; Christian Weisgerber
Subject: Re: [SECURITY] samba-4.8.11



Re: [SECURITY] samba-4.8.11

Ian Mcwilliam-6
In reply to this post by Jeremie Courreges-Anglas-2

Running as a file server Still Works For Me(tm)...

Apr  9 15:31:08 ianm-openbsd smbd[84744]: [2019/04/09 15:31:08.911995,  0] ../lib/util/become_daemon.c:136(daemon_ready)
Apr  9 15:31:08 ianm-openbsd smbd[84744]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Apr  9 15:31:09 ianm-openbsd nmbd[90687]: [2019/04/09 15:31:09.425776,  0] ../lib/util/become_daemon.c:136(daemon_ready)
Apr  9 15:31:09 ianm-openbsd nmbd[90687]:   daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections

Apr  9 15:31:42 ianm-openbsd nmbd[90687]:   Samba name server IANM-OPENBSD is now a local master browser for workgroup IANM-TEST on subnet 172.16.28.120
Apr  9 15:31:42 ianm-openbsd nmbd[90687]:
Apr  9 15:31:42 ianm-openbsd nmbd[90687]:   *****

[2019/04/09 15:35:23.160475,  3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'ianm' using home directory: '/usr/home/ianm'
[2019/04/09 15:35:23.160666,  3] ../source3/param/loadparm.c:1568(lp_add_home)
  adding home's share [ianm] for user 'ianm' at '/usr/home/ianm'

Ian McWilliam

________________________________
From: [hidden email] <[hidden email]> on behalf of Jeremie Courreges-Anglas <[hidden email]>
Sent: Monday, 8 April 2019 6:57 PM
To: ports
Cc: Ian McWilliam; Christian Weisgerber; Stuart Henderson
Subject: [SECURITY] samba-4.8.11




Re: [SECURITY] samba-4.8.11

Jeremie Courreges-Anglas-2
In reply to this post by Christian Weisgerber
On Mon, Apr 08 2019, Christian Weisgerber <[hidden email]> wrote:

> Stuart Henderson:
>
>> >   https://www.samba.org/samba/history/samba-4.8.11.html
>>
>> I think we want this for release if possible.
>
> I agree.
>
>> have you had chance to test on !clang?
>
> This must be confirmed.

Sorry for not making that clear: my sparc64 builder is running a bulk
with this samba update, poppler-0.75 and gcc-8, but samba hasn't been
hit yet.  So I haven't been able to test on a base-gcc arch yet
(base-gcc is the compiler used there).

I did however test a build on amd64 using base-gcc, it requires a change
in the jansson headers.  I think this test is sufficient, but YMMV.

ok?



--- /usr/local/include/jansson_config.h.orig Tue Apr  9 17:05:37 2019
+++ /usr/local/include/jansson_config.h Tue Apr  9 16:43:41 2019
@@ -61,7 +61,7 @@
 
 /* If __atomic builtins are available they will be used to manage
    reference counts of json_t. */
-#define JSON_HAVE_ATOMIC_BUILTINS 1
+//#define JSON_HAVE_ATOMIC_BUILTINS 1
 
 /* If __atomic builtins are not available we try using __sync builtins
    to manage reference counts of json_t. */
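Review bot: Commenting out JSON_HAVE_ATOMIC_BUILTINS edits an installed header under /usr/local/include, so it only changes the test machine and is not something the samba port can carry. If base-gcc cannot use the __atomic builtins, the fix belongs in the jansson port, for example by making the define depend on the compiler so the __sync fallback described in the following comment is picked automatically. The `//` comment style is also not accepted by compilers in strict C89 mode; use `/* ... */` or remove the line.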


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: [SECURITY] samba-4.8.11

Christian Weisgerber
In reply to this post by Jeremie Courreges-Anglas-2
Jeremie Courreges-Anglas:

> samba-4.8.11 has just been released:
>   https://www.samba.org/samba/history/samba-4.8.11.html

BTW, whatever happened to cherry-picking the relevant security fix
and only committing this before release (or in -stable), instead
of whole updates?

--
Christian "naddy" Weisgerber                          [hidden email]


Re: [SECURITY] samba-4.8.11

Jeremie Courreges-Anglas-2
On Wed, Apr 10 2019, Christian Weisgerber <[hidden email]> wrote:
> Jeremie Courreges-Anglas:
>
>> samba-4.8.11 has just been released:
>>   https://www.samba.org/samba/history/samba-4.8.11.html
>
> BTW, whatever happened to cherry-picking the relevant security fix
> and only committing this before release (or in -stable), instead
> of whole updates?

I'm not doing that in net/samba land and I'm not interested.  It looks
like needless pain and an extra step for me to introduce bugs.

Upstream has a very clear development process:

  https://wiki.samba.org/index.php/Samba_Release_Planning#General_information

I do the usual tarball diff + check_sym output + public headers diff
dance for each new release so I know their process is consistent wrt
ABI concerns.  When I was working for a former employer, I've relied on
them publishing no regression on stable releases for years*.

The approach I'm using isn't a problem in my experience. I'd rather
find extra time to fix issues like the crash in the AD DC server, or the
ld.so slowness.

* with only one known performance regression in the Bind DLZ DNS backend
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: [SECURITY] samba-4.8.11

Ian Mcwilliam-6
In reply to this post by Christian Weisgerber
It became too difficult to maintain, especially the move from samba 3.x.x to 4.x.x that has
both samba3 and samba4 code to deal with effectively doubling the code size.

The Samba model is release eg 4.8.x and generally no new features are added.
Each point release after that is bug / security fixes till the next release eg 4.9.x is released
and then it becomes security only fixes and support ends entirely when the next release 4.10.x is released.
Rinse and repeat the cycle.

Keeping track of back ported fixes in the 3.x.x days was easier than trying to do it with the 4.x.x series.


Ian McWilliam

________________________________
From: [hidden email] <[hidden email]> on behalf of Christian Weisgerber <[hidden email]>
Sent: Wednesday, 10 April 2019 11:20 PM
To: ports; Ian McWilliam; Stuart Henderson
Subject: Re: [SECURITY] samba-4.8.11



Re: [SECURITY] samba-4.8.11

Jeremie Courreges-Anglas-2
In reply to this post by Jeremie Courreges-Anglas-2
On Tue, Apr 09 2019, Jeremie Courreges-Anglas <[hidden email]> wrote:

> On Mon, Apr 08 2019, Christian Weisgerber <[hidden email]> wrote:
>> Stuart Henderson:
>>
>>> >   https://www.samba.org/samba/history/samba-4.8.11.html
>>>
>>> I think we want this for release if possible.
>>
>> I agree.
>>
>>> have you had chance to test on !clang?
>>
>> This must be confirmed.
>
> Sorry for not making that clear: my sparc64 builder is running a bulk
> with this samba update, poppler-0.75 and gcc-8, but samba hasn't been
> hit yet.  So I haven't been able to test on a base-gcc arch yet
> (base-gcc is the compiler used there).
>
> I did however test a build on amd64 using base-gcc, it requires a change
> in the jansson headers.  I think this test is sufficient, but YMMV.

I have since successfully built and packaged samba-4.8.11 on sparc64.
IIUC Kurt Mosiejczuk also did a runtime test with smbd.

> ok?

Still looking for oks before OPENBSD_6_5 is tagged.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: [SECURITY] samba-4.8.11

Kurt Mosiejczuk-9
On Thu, Apr 11, 2019 at 03:02:42PM +0200, Jeremie Courreges-Anglas wrote:

> I have since successfully built and packaged samba-4.8.11 on sparc64.
> IIUC Kurt Mosiejczuk also did a runtime test with smbd.

That is correct. I tested a simple setup with samba-4.8.11 on sparc64.

I was able to open up the share, copy files, etc.

--Kurt