[update] samba-4.5.13

[update] samba-4.5.13

Jeremie Courreges-Anglas-2

An update to the latest release on the 4.5 branch.  This should help
us handle future security issues in 6.2 and -current.  Post-6.2 we
should ideally move to samba-4.7.x

Build-tested only, now rebuilding consumers.  I'd like to commit this
soonish, feedback welcome.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.238
diff -u -p -r1.238 Makefile
--- Makefile 13 Jul 2017 00:52:29 -0000 1.238
+++ Makefile 15 Sep 2017 17:03:49 -0000
@@ -1,6 +1,6 @@
 # $OpenBSD: Makefile,v 1.238 2017/07/13 00:52:29 jca Exp $
 
-VERSION = 4.5.8
+VERSION = 4.5.13
 DISTNAME = samba-${VERSION}
 
 COMMENT-main = SMB and CIFS client and server for UNIX
@@ -15,8 +15,8 @@ PKGNAME-tevent = tevent-${TEVENT_V}
 PKGNAME-util = samba-util-${VERSION}
 PKGNAME-docs = samba-docs-${VERSION}
 
-REVISION-main = 1
-REVISION-tevent = 0
+REVISION-tevent = 1
+REVISION-ldb = 0
 
 PKG_ARCH-docs = *
 
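Review bot: REVISION-tevent = 1 and the new REVISION-ldb = 0 are only correct if the tevent and ldb versions bundled in 4.5.13 are the same as in 4.5.8. PKGNAME-tevent is built from TEVENT_V rather than VERSION, and this diff does not show whether TEVENT_V or the ldb version changed. If either moved with the new tarball, that subpackage's REVISION should be dropped instead of bumped. Dropping REVISION-main together with the VERSION change looks right, assuming -main follows VERSION like -util and -docs.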
@@ -41,7 +41,7 @@ SHARED_LIBS = asn1-samba4 0.0 \
  ndr 0.2 \
  ndr-krb5pac 0.1 \
  ndr-nbt 0.1 \
- ndr-standard 0.1 \
+ ndr-standard 1.0 \
  netapi 2.0 \
  pyldb-util 0.0 \
  roken-samba4 0.0 \
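Review bot: ndr-standard gets a major bump to 1.0 while ndr, ndr-krb5pac and ndr-nbt right next to it keep their old versions. Please confirm those were also compared against the 4.5.8 builds and have no removed or changed symbols. A sentence in the submission on how the bumps were determined would help whoever does the next update.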
@@ -59,8 +59,8 @@ SHARED_LIBS = asn1-samba4 0.0 \
  tevent-util 0.1 \
  wbclient 3.1 \
  wind-samba4 0.0 \
- replace 0.0 \
- util-setid 0.0
+ replace 1.0 \
+ util-setid 1.0
 
 CATEGORIES = net sysutils security
 
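Review bot: replace and util-setid go from 0.0 to 1.0, a major bump, so everything linked against the old libraries has to be rebuilt before this goes in. The submission says build-tested only, with consumers still rebuilding. Suggest waiting for that rebuild to finish and for at least one runtime test of the daemons before committing.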
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
retrieving revision 1.59
diff -u -p -r1.59 distinfo
--- distinfo 1 Apr 2017 11:37:38 -0000 1.59
+++ distinfo 15 Sep 2017 17:03:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.5.8.tar.gz) = 9jtlbYgjooDFDJ29a2koFs16iK3+m0eZfOaX/XW/gfA=
-SIZE (samba-4.5.8.tar.gz) = 20979104
+SHA256 (samba-4.5.13.tar.gz) = X8R2LSJZRpv7AGfBD3c3jLcg8uva8vN7XKGRjb6E0E0=
+SIZE (samba-4.5.13.tar.gz) = 21013879
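Review bot: the new SHA256 and SIZE lines record whatever tarball was fetched, and nothing in the diff shows that it was checked against upstream's published signature or checksum first. distinfo is the integrity anchor for every later build of the port, so the commit message should say how samba-4.5.13.tar.gz was verified.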
Index: patches/patch-lib_ldb_wscript
===================================================================
RCS file: /cvs/ports/net/samba/patches/patch-lib_ldb_wscript,v
retrieving revision 1.5
diff -u -p -r1.5 patch-lib_ldb_wscript
--- patches/patch-lib_ldb_wscript 22 Apr 2016 11:48:36 -0000 1.5
+++ patches/patch-lib_ldb_wscript 15 Sep 2017 17:03:49 -0000
@@ -4,8 +4,9 @@ $OpenBSD: patch-lib_ldb_wscript,v 1.5 20
 
 2. Use -Wl,no-undefined as on other platforms.
 
---- lib/ldb/wscript.orig Wed Apr 13 17:18:37 2016
-+++ lib/ldb/wscript Wed Apr 13 17:18:37 2016
+Index: lib/ldb/wscript
+--- lib/ldb/wscript.orig
++++ lib/ldb/wscript
 @@ -53,6 +53,7 @@ def configure(conf):
      conf.CONFIG_PATH('LDB_MODULESDIR', conf.SUBST_ENV_VAR('MODULESDIR') + '/ldb')
 
@@ -13,8 +14,8 @@ $OpenBSD: patch-lib_ldb_wscript,v 1.5 20
 +    conf.env.standalone_ldb = True
 
      if not conf.env.standalone_ldb:
-         if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
-@@ -73,8 +74,7 @@ def configure(conf):
+         #
+@@ -88,8 +89,7 @@ def configure(conf):
 
          # we don't want any libraries or modules to rely on runtime
          # resolution of symbols
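Review bot: the second embedded hunk moved from line 73 to line 88, and the context after "if not conf.env.standalone_ldb:" changed from the CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', ...) call to a comment line, so upstream reworked this part of configure(). Please re-read the new upstream block and confirm that forcing conf.env.standalone_ldb = True still skips what it is meant to skip, rather than relying on the patch applying cleanly.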
Index: patches/patch-source3_rpc_server_srv_pipe_c
===================================================================
RCS file: patches/patch-source3_rpc_server_srv_pipe_c
diff -N patches/patch-source3_rpc_server_srv_pipe_c
--- patches/patch-source3_rpc_server_srv_pipe_c 24 May 2017 11:58:29 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,29 +0,0 @@
-$OpenBSD: patch-source3_rpc_server_srv_pipe_c,v 1.1 2017/05/24 11:58:29 jca Exp $
-
-From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <[hidden email]>
-Date: Mon, 8 May 2017 21:40:40 +0200
-Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
- inside
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
-
-Signed-off-by: Volker Lendecke <[hidden email]>
-Reviewed-by: Jeremy Allison <[hidden email]>
-Reviewed-by: Stefan Metzmacher <[hidden email]>
-
-Index: source3/rpc_server/srv_pipe.c
---- source3/rpc_server/srv_pipe.c.orig
-+++ source3/rpc_server/srv_pipe.c
-@@ -476,6 +476,11 @@ bool is_known_pipename(const char *pipename, struct nd
- {
- NTSTATUS status;
-
-+ if (strchr(pipename, '/')) {
-+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
-+ return false;
-+ }
-+
- if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
- DEBUG(10, ("refusing spoolss access\n"));
- return false;
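Review bot: deleting the local CVE-2017-7494 patch is only safe if the 4.5.13 tarball already carries the fix. Confirm that is_known_pipename() in the new source3/rpc_server/srv_pipe.c has the strchr(pipename, '/') rejection, and state in the commit message that the patch was dropped because the fix is upstream.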
Index: patches/patch-source4_heimdal_lib_krb5_ticket_c
===================================================================
RCS file: patches/patch-source4_heimdal_lib_krb5_ticket_c
diff -N patches/patch-source4_heimdal_lib_krb5_ticket_c
--- patches/patch-source4_heimdal_lib_krb5_ticket_c 13 Jul 2017 00:52:29 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@
-$OpenBSD: patch-source4_heimdal_lib_krb5_ticket_c,v 1.1 2017/07/13 00:52:29 jca Exp $
-
-  CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
-  https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
-
-Index: source4/heimdal/lib/krb5/ticket.c
---- source4/heimdal/lib/krb5/ticket.c.orig
-+++ source4/heimdal/lib/krb5/ticket.c
-@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context,
-     /* check server referral and save principal */
-     ret = _krb5_principalname2krb5_principal (context,
-      &tmp_principal,
--      rep->kdc_rep.ticket.sname,
--      rep->kdc_rep.ticket.realm);
-+      rep->enc_part.sname,
-+      rep->enc_part.srealm);
-     if (ret)
- goto out;
-     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
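Review bot: dropping the local CVE-2017-11103 patch needs a check that the Heimdal copy bundled in 4.5.13 has the fix. Confirm that _krb5_extract_ticket() in source4/heimdal/lib/krb5/ticket.c passes rep->enc_part.sname and rep->enc_part.srealm, not the kdc_rep.ticket fields. The fix originated in the separate heimdal repository linked in the removed patch, so reading the file in the new tarball is the reliable check.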


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: [update] samba-4.5.13

Ian McWilliam-7
On 16 September 2017 at 04:47, Jeremie Courreges-Anglas <[hidden email]>
wrote:

>
> An update to the latest release on the 4.5 branch.  This should help
> us handle future security issues in 6.2 and -current.  Post-6.2 we
> should ideally move to samba-4.7.x
>
> Build-tested only, now rebuilding consumers.  I'd like to commit this
> soonish, feedback welcome.
>
>
Looks ok. Seems to run my little test setup.

Sep 18 15:19:15 ianm-openbsd62 smbd[21517]: [2017/09/18 15:19:15.448960,  0]
../lib/util/become_daemon.c:124(daemon_ready)

Sep 18 15:19:15 ianm-openbsd62 smbd[21517]:   STATUS=daemon 'smbd' finished
starting up and ready to serve connections

Sep 18 15:19:15 ianm-openbsd62 nmbd[35055]: [2017/09/18 15:19:15.566522,  0]
../lib/util/become_daemon.c:124(daemon_ready)

Sep 18 15:19:15 ianm-openbsd62 nmbd[35055]:   STATUS=daemon 'nmbd' finished
starting up and ready to serve connections

Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]: [2017/09/18 15:19:48.793520,  0]
../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)

Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:   *****

Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:

Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:   Samba name server
IANM-OPENBSD62 is now a local master browser for workgroup WORKGROUP on
subnet 172.16.28.150
Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:



--
-----------------------------
Ian McWilliam

Re: [update] samba-4.5.13

Jeremie Courreges-Anglas-2
On Mon, Sep 18 2017, Ian McWilliam <[hidden email]> wrote:

> On 16 September 2017 at 04:47, Jeremie Courreges-Anglas <[hidden email]>
> wrote:
>
>>
>> An update to the latest release on the 4.5 branch.  This should help
>> us handle future security issues in 6.2 and -current.  Post-6.2 we
>> should ideally move to samba-4.7.x
>>
>> Build-tested only, now rebuilding consumers.  I'd like to commit this
>> soonish, feedback welcome.
>>
>>
> Looks ok. Seems to run my little test setup.

Committed, thanks for confirming.

> Sep 18 15:19:15 ianm-openbsd62 smbd[21517]: [2017/09/18 15:19:15.448960,  0]
> ../lib/util/become_daemon.c:124(daemon_ready)
>
> Sep 18 15:19:15 ianm-openbsd62 smbd[21517]:   STATUS=daemon 'smbd' finished
> starting up and ready to serve connections
>
> Sep 18 15:19:15 ianm-openbsd62 nmbd[35055]: [2017/09/18 15:19:15.566522,  0]
> ../lib/util/become_daemon.c:124(daemon_ready)
>
> Sep 18 15:19:15 ianm-openbsd62 nmbd[35055]:   STATUS=daemon 'nmbd' finished
> starting up and ready to serve connections
>
> Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]: [2017/09/18 15:19:48.793520,  0]
> ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
>
> Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:   *****
>
> Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:
>
> Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:   Samba name server
> IANM-OPENBSD62 is now a local master browser for workgroup WORKGROUP on
> subnet 172.16.28.150
> Sep 18 15:19:48 ianm-openbsd62 nmbd[35055]:

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE