./net/samba4, SMB/CIFS protocol server suite

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 4.6.8, Package name: samba-4.6.8, Maintainer: pkgsrc-users

Samba is the standard Windows interoperability suite of programs
for Linux and Unix.

Samba is Free Software licensed under the GNU General Public License,
the Samba project is a member of the Software Freedom Conservancy.

Since 1992, Samba has provided secure, stable and fast file and
print services for all clients using the SMB/CIFS protocol, such
as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix
Servers and Desktops into Active Directory environments. It can
function both as a domain controller or as a regular domain member.

This package tracks 4.x branch release.

MESSAGE.rcd [+/-]

Required to run:
[textproc/py-expat] [converters/libiconv] [lang/perl5] [net/py-dns] [security/gnutls] [devel/popt] [devel/gettext-lib] [devel/readline] [lang/python27] [time/py-iso8601]

Required to build:
[textproc/py-expat] [pkgtools/cwrappers]

Package options: ads, ldap, pam, winbind

Master sites:

SHA1: 744fa10e3ad8ea7219e51c27f3792d99e25782be
RMD160: 3ecde1cfe97ce50d4864bf5c8e732127f13468bb
Filesize: 20644.406 KB

Version history: (Expand)

CVS history: (Expand)

   2017-09-20 17:14:30 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/samba4: update to 4.6.8, security fix

                   Release Notes for Samba 4.6.8
                         September 20, 2017

This is a security release in order to address the following defects:

o  CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
o  CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
o  CVE-2017-12163 (Server memory information leak over SMB1)


o  CVE-2017-12150:
   A man in the middle attack may hijack client connections.

o  CVE-2017-12151:
   A man in the middle attack can read and may alter confidential
   documents transferred via a client connection, which are reached
   via DFS redirect when the original connection used SMB3.

o  CVE-2017-12163:
   Client with write access to a share can cause server memory contents to be
   written into a file or printer.

For more details and workarounds, please see the security advisories:

   o https://www.samba.org/samba/security/CV … 12150.html
   o https://www.samba.org/samba/security/CV … 12151.html
   o https://www.samba.org/samba/security/CV … 12163.html

Changes since 4.6.7:

o  Jeremy Allison <jra@samba.org>
   * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
   * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
     writing server memory to file.

o  Ralph Boehme <slow@samba.org>
   * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs
   * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing
     when they should.
   2017-09-18 08:41:46 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/samba4: update to 4.6.7

4.6.7 (2017/08/09): the latest stable release of the Samba 4.6 release series.

Changes since 4.6.6
o  Jeremy Allison <jra@samba.org>
   * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async.
o  Andrew Bartlett <abartlet@samba.org>
   * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
     NETLOGON_NT_VERSION_5 when version unspecified.
o  Ralph Boehme <slow@samba.org>
   * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly.
   * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
o  G√ľnther Deschner <gd@samba.org>
   * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option.
o  David Disseldorp <ddiss@samba.org>
   * BUG 12911: vfs_ceph: Fix cephwrap_chdir().
o  Dustin L. Howett
   * BUG 12720: idmap_ad: Retry query_user exactly once if we get
o  Thomas Jarosch <thomas.jarosch@intra2net.com>
   * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
o  Volker Lendecke <vl@samba.org>
   * BUG 12925: smbd: Fix a connection run-down race condition.
o  Stefan Metzmacher <metze@samba.org>
   * BUG 12782: winbindd changes the local password and gets
     NT_STATUS_WRONG_PASSWORD for the remote change.
   * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
o  Noel Power <noel.power@suse.com>
   * BUG 12937: smbcacls: Don't fail against a directory on Windows using SMB2.
o  Arvid Requate <requate@univention.de>
   * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
o  Garming Sam <garming@catalyst.net.nz>
   * BUG 12813: dnsserver: Stop dns_name_equal doing OOB read.
o  Andreas Schneider <asn@samba.org>
   * BUG 12886: s3:client: The smbspool krb5 wrapper needs negotiate for
o  Martin Schwenke <martin@meltin.net>
   * BUG 12898: ctdb-common: Set close-on-exec when creating PID file.

4.6.6 (2017/07/12): security release in order to address the following defect:

o  CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass)

Changes since 4.6.5:

o  Jeffrey Altman <jaltman@secure-endpoints.com>
   * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

4.6.5 (2017/06/06): the latest stable release of the Samba 4.6 release series.

Changes since 4.6.4:

o  Jeremy Allison <jra@samba.org>
   * BUG 12804: s3: VFS: Catia: Ensure path name is also converted.
o  Christian Ambach <ambi@samba.org>
   * BUG 12765: s3:smbcacls add prompt for password.
o  Ralph Boehme <slow@samba.org>
   * BUG 12562: vfs_acl_xattr|tdb: Ensure create mask is at least 0666 if
     ignore_system_acls is set.
   * BUG 12702: Wrong sid->uid mapping for SIDs residing in sIDHistory.
   * BUG 12749: vfs_fruit: lp_case_sensitive() does not return a bool.
   * BUG 12766: s3/smbd: Update exclusive oplock optimisation to the lease area.
   * BUG 12798: s3/smbd: Fix exclusive lease optimisation.
o  Alexander Bokovoy <ab@samba.org>
   * BUG 12751: Allow passing trusted domain password as plain-text to PASSDB
   * BUG 12764: systemd: Fix detection of libsystemd.
o  Amitay Isaacs <amitay@gmail.com>
   * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
   * BUG 12770: ctdb-logging: Initialize DEBUGLEVEL before changing the value.
o  Shilpa Krishnareddy <skrishnareddy@panzura.com>
   * BUG 12756: notify: Fix ordering of events in notifyd.
o  Volker Lendecke <vl@samba.org>
   * BUG 12757: idmap_rfc2307: Lookup of more than two SIDs fails.
o  Stefan Metzmacher <metze@samba.org>
   * BUG 12767: samba-tool: Let 'samba-tool user syncpasswords' report deletions
o  Doug Nazar <nazard@nazar.ca>
   * BUG 12760: s3: smbd: inotify_map_mask_to_filter incorrectly indexes an
o  Andreas Schneider <asn@samba.org>
   * BUG 12687: vfs_expand_msdfs tries to open the remote address as a file
o  Martin Schwenke <martin@meltin.net>
   * BUG 12802: 'ctdb nodestatus' incorrectly displays status for all nodes with
     wrong exit code.
   * BUG 12814: ctdb-common: Fix crash in logging initialisation.
   2017-06-27 15:37:16 by Filip Hajny | Files touched by this commit (3)
Log message:
Substitute SYSCONFDIR assumed by the embedded Heimdal code properly.
Fixes calls to e.g. krb5.keytab that were hardcoded to /etc. PKGREVISION++
   2017-06-11 07:26:45 by Tom Spindler | Files touched by this commit (1)
Log message:
if winbindd is enabled, install rc.d script.
   2017-06-01 15:30:26 by Johnny C. Lam | Files touched by this commit (21)
Log message:
Use public SHLIB_TYPE instead of private _OPSYS_SHLIB_TYPE.
   2017-05-29 02:24:19 by Sebastian Wiedenroth | Files touched by this commit (1)
Log message:
add workaround for https://bugzilla.samba.org/show_bug.cgi?id=12502
fixes build on sunos
   2017-05-24 17:51:32 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update samba4 to version 4.6.4.

Pkgsrc changes:
 * Adapt PLIST, new .so installed.

Upstream changes:

Changes since 4.6.3:
o  Volker Lendecke <vl@samba.org>
   * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable

Changes since 4.6.2:
o  Michael Adam <obnox@samba.org>
   * BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
     from shares with GlusterFS backend.

o  Jeremy Allison <jra@samba.org>
   * BUG 12559: Fix for Solaris C compiler.
   * BUG 12628: s3: locking: Update oplock optimization for the leases era.
   * BUG 12693: Make the Solaris C compiler happy.
   * BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the
     expected LDAP attributes.
   * BUG 12747: Fix buffer overflow caused by wrong use of getgroups.

o  Hanno Boeck <hanno@hboeck.de>
   * BUG 12746: lib: debug: Avoid negative array access.
   * BUG 12748: cleanupdb: Fix a memory read error.

o  Ralph Boehme <slow@samba.org>
   * BUG 7537: streams_xattr and kernel oplocks results in
   * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from
     other backends.
   * BUG 12565: vfs_fruit: Resource fork open request with
   * BUG 12615: manpages/vfs_fruit: Document global options.
   * BUG 12624: lib/pthreadpool: Fix a memory leak.
   * BUG 12727: Lookup-domain for well-known SIDs on a DC.
   * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
   * BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI
     use case.
   * BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
   * BUG 12723: ctdb_event monitor command crashes if event is not specified.
   * BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.

o  Volker Lendecke <vl@samba.org>
   * BUG 12558: smbd: Fix smb1 findfirst with DFS.
   * BUG 12610: smbd: Do an early exit on negprot failure.
   * BUG 12699: winbindd: Fix substitution for 'template homedir'.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
   * BUG 12613: idmap_autorid: Allocate new domain range if the callers knows
     the sid is valid.
   * BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
   * BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
     trusted domain.
   * BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again.

o  Christof Schmitt <cs@samba.org>
   * BUG 12725: winbindd: Fix password policy for pam authentication.

o  Andreas Schneider <asn@samba.org>
   * BUG 12554: s3:gse: Correctly handle external trusts with MIT.
   * BUG 12611: auth/credentials: Always set the realm if we set the principal
     from the ccache.
   * BUG 12686: replace: Include sysmacros.h.
   * BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
   * BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
   * BUG 12708: winbindd: Child process crashes when kerberos-authenticating
     a user with wrong password.

o  Uri Simchoni <uri@samba.org>
   * BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to
     CNID semantics.
   * BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
   2017-04-10 17:27:22 by John Nemeth | Files touched by this commit (1)
Log message:
Add pkg-config to USE_TOOLS, which is needed to find gnutls.
Problem found in a bulk build.  Not bumping PKGREVISION since it
shouldn't change the binary package when it built.