Subject: CVS commit: [pkgsrc-2017Q1] pkgsrc/net/samba4
From: Benny Siegert
Date: 2017-05-27 21:01:15
Message id: 20170527190115.C3B11FBE4@cvs.NetBSD.org

Log Message:
Pullup ticket #5431 - requested by he
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                           1.28-1.30
- net/samba4/PLIST                                              1.11-1.12
- net/samba4/distinfo                                           1.12-1.13
- net/samba4/options.mk                                         1.4
- net/samba4/patches/patch-lib_param_loadparm.h                 1.2
- net/samba4/patches/patch-source3_script_tests_test__smbclient__s3.sh 1.3

---
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Sat Apr  8 08:56:27 UTC 2017

   Modified Files:
   	pkgsrc/net/samba4: Makefile PLIST distinfo options.mk
   	pkgsrc/net/samba4/patches: patch-lib_param_loadparm.h
   	    patch-source3_script_tests_test__smbclient__s3.sh

   Log Message:
   Update to 4.6.2

   * Use internal heimdal

   Changelog:
   Changes since 4.6.1:
   --------------------

   o  Jeremy Allison <jra@samba.org>
      * BUG 12721: Fix regression with "follow symlinks = no".

   Changes since 4.6.0:
   --------------------

   o  Jeremy Allison <jra@samba.org>
      * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
        directory.

   o  Ralph Boehme <slow@samba.org>
      * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
        directory.

   CHANGES SINCE 4.6.0rc4
   ======================

   o  Jeremy Allison <jra@samba.org>
      * BUG 12592: Fix several issues found by covscan.
      * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send
        queue is drained.

   o  Ralph Boehme <slow@samba.org>
      * BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream.
      * BUG 12526: vfs_fruit: Only veto AppleDouble files if "fruit:resource" is
        set to "file".
      * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch.

   o  Volker Lendecke <vl@samba.org>
      * BUG 12612: Re-enable token groups fallback.

   o  Stefan Metzmacher <metze@samba.org>
      * BUG 9048: Samba4 ldap error codes.
      * BUG 12557: gensec:spnego: Add debug message for the failed principal.
      * BUG 12605: s3:winbindd: Fix endless forest trust scan.
      * BUG 12612: winbindd: Find the domain based on the sid within
        wb_lookupusergroups_send().

   o  Andreas Schneider <asn@samba.org>
      * BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token()
        correctly.
      * BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash
        manpage.
      * BUG 12592: Fix several issues found by covscan.

   o  Martin Schwenke <martin@meltin.net>
      * BUG 12592: ctdb-logging: CID 1396883 Dereference null return value
        (NULL_RETURNS).

   CHANGES SINCE 4.6.0rc3
   ======================

   o  Jeremy Allison <jra@samba.org>
      * BUG 12545: s3: rpc_server/mdssvc: Add attribute "kMDItemContentType".
      * BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution.

   o  Ralph Boehme <slow@samba.org>
      * BUG 12490: vfs_fruit: Correct Netatalk metadata xattr on FreeBSD.
      * BUG 12536: s3/smbd: Check for invalid access_mask
        smbd_calculate_access_mask().
      * BUG 12591: vfs_streams_xattr: use fsp, not base_fsp.

   o  Amitay Isaacs <amitay@gmail.com>
      * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler().
      * BUG 12595: build: Fix generation of CTDB manpages while creating tarball.

   o  Bryan Mason <bmason@redhat.com>
      * BUG 12575: Modify smbspool_krb5_wrapper to just fall through to smbspool if
        AUTH_INFO_REQUIRED is not set or is not "negotiate".

   o  Stefan Metzmacher <metze@samba.org>
      * BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over NCACN_NP
        against trusted domains.
      * BUG 12262: 'net ads testjoin' and smb access fails after winbindd changed the
        trust password.
      * BUG 12585: librpc/rpc: fix regression in
        NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping.
      * BUG 12586: netlogon_creds_cli_LogonSamLogon doesn't work without
        netr_LogonSamLogonEx.
      * BUG 12587: winbindd child segfaults on connect to an NT4 domain.
      * BUG 12588: s3:winbindd: Make sure cm_prepare_connection() only returns OK
        with a valid tree connect.
      * BUG 12598: winbindd (as member) requires kerberos against trusted ad domain,
        while it shouldn't.
      * BUG 12601: Backport pytalloc_GenericObject_reference() related changes to
        4.6.

   o  Garming Sam <garming@catalyst.net.nz>
      * BUG 12600: dbchecker: Stop ignoring linked cases where both objects are
        alive.

   o  Andreas Schneider <asn@samba.org>
      * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir().

   o  Martin Schwenke <martin@meltin.net>
      * BUG 12589: CTDB statd-callout does not cause grace period when
        CTDB_NFS_CALLOUT="".
      * BUG 12595: ctdb-build: Fix RPM build.

   CHANGES SINCE 4.6.0rc2
   ======================

   o  Jeremy Allison <jra@samba.org>
      * BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly.
      * BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store
        the same path as streams_xattr_recheck().
      * BUG 12531: Make vfs_shadow_copy2 cope with server changing directories.

   o  Andrew Bartlett <abartlet@samba.org>
      * BUG 12543: samba-tool: Correct handling of default value for use_ntvfs and
        use_xattrs.
      * BUG 12573: Samba < 4.7 does not know about compatibleFeatures and
        requiredFeatures.
      * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a
        rename.

   o  Ralph Boehme <slow@samba.org>
      * BUG 12184: s3/rpc_server: Shared rpc modules loading.
      * BUG 12520: Ensure global "smb encrypt = off" is effective.
      * BUG 12524: s3/rpc_server: Move rpc_modules.c to its own subsystem.
      * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses
        readdirattr.

   o  Volker Lendecke <vl@samba.org>
      * BUG 12551: smbd: Fix "map acl inherit" = yes.

   o  Stefan Metzmacher <metze@samba.org>
      * BUG 12398: Replication with DRSUAPI_DRS_CRITICAL_ONLY and
        DRSUAPI_DRS_GET_ANC results in WERR_DS_DRA_MISSING_PARENT S
      * BUG 12540: s3:smbd: allow "server min protocol = SMB3_00" to go via
        "SMB 2.???" negprot.

   o  John Mulligan <jmulligan@nasuni.com>
      * BUG 12542: docs: Improve description of "unix_primary_group" parameter in
        idmap_ad manpage.

   o  Andreas Schneider <asn@samba.org>
      * BUG 12552: waf: Do not install the unit test binary for krb5samba.

   o  Amitay Isaacs <amitay@gmail.com>
      * BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel.
      * BUG 12549: ctdb-common: ioctl(.. FIONREAD ..) returns an int value.

   o  Garming Sam <garming@catalyst.net.nz>
      * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a
        rename.

   o  Uri Simchoni <uri@samba.org>
      * BUG 12529: waf: Backport finding of pkg-config.

   CHANGES SINCE 4.6.0rc1
   ======================

   o  Amitay Isaacs <amitay@gmail.com>
      * BUG 12469: CTDB lock helper getting stuck trying to lock a record.
      * BUG 12500: ctdb-common: Fix a bug in packet reading code for generic socket
        I/O.
      * BUG 12510: sock_daemon_test 4 crashes with SEGV.
      * BUG 12513: ctdb-daemon: Remove stale eventd socket.

   o  Björn Jacke <bj@sernet.de>
      * BUG 12535: vfs_default: Unlock the right file in copy chunk.

   o  Volker Lendecke <vl@samba.org>
      * BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets.
      * BUG 12538: Backport winbind fixes.

   o  Stefan Metzmacher <metze@samba.org>
      * BUG 12501: s3:winbindd: talloc_steal the extra_data in
        winbindd_list_users_recv().

   o  Martin Schwenke <martin@meltin.net>
      * BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to
        send.
      * BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp".
      * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple
        'default' entries.

---
   Module Name:	pkgsrc
   Committed By:	jnemeth
   Date:		Mon Apr 10 15:27:22 UTC 2017

   Modified Files:
   	pkgsrc/net/samba4: Makefile

   Log Message:
   Add pkg-config to USE_TOOLS, which is needed to find gnutls.
   Problem found in a bulk build.  Not bumping PKGREVISION since it
   shouldn't change the binary package when it built.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Wed May 24 15:51:32 UTC 2017

   Modified Files:
           pkgsrc/net/samba4: Makefile PLIST distinfo

   Log Message:
   Update samba4 to version 4.6.4.

   Pkgsrc changes:
    * Adapt PLIST, new .so installed.

   Upstream changes:

   Changes since 4.6.3:
   ---------------------
   o  Volker Lendecke <vl@samba.org>
      * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
        share.

   Changes since 4.6.2:
   --------------------
   o  Michael Adam <obnox@samba.org>
      * BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
        from shares with GlusterFS backend.

   o  Jeremy Allison <jra@samba.org>
      * BUG 12559: Fix for Solaris C compiler.
      * BUG 12628: s3: locking: Update oplock optimization for the leases era.
      * BUG 12693: Make the Solaris C compiler happy.
      * BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the
        expected LDAP attributes.
      * BUG 12747: Fix buffer overflow caused by wrong use of getgroups.

   o  Hanno Boeck <hanno@hboeck.de>
      * BUG 12746: lib: debug: Avoid negative array access.
      * BUG 12748: cleanupdb: Fix a memory read error.

   o  Ralph Boehme <slow@samba.org>
      * BUG 7537: streams_xattr and kernel oplocks results in
        NT_STATUS_NETWORK_BUSY.
      * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from
        other backends.
      * BUG 12565: vfs_fruit: Resource fork open request with
        flags=O_CREAT|O_RDONLY.
      * BUG 12615: manpages/vfs_fruit: Document global options.
      * BUG 12624: lib/pthreadpool: Fix a memory leak.
      * BUG 12727: Lookup-domain for well-known SIDs on a DC.
      * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
      * BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.

   o  Alexander Bokovoy <ab@samba.org>
      * BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI
        use case.
      * BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.

   o  Amitay Isaacs <amitay@gmail.com>
      * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
        complete.
      * BUG 12723: ctdb_event monitor command crashes if event is not specified.
      * BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.

   o  Volker Lendecke <vl@samba.org>
      * BUG 12558: smbd: Fix smb1 findfirst with DFS.
      * BUG 12610: smbd: Do an early exit on negprot failure.
      * BUG 12699: winbindd: Fix substitution for 'template homedir'.

   o  Stefan Metzmacher <metze@samba.org>
      * BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
      * BUG 12613: idmap_autorid: Allocate new domain range if the callers knows
        the sid is valid.
      * BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
      * BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
        trusted domain.
      * BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again.

   o  Christof Schmitt <cs@samba.org>
      * BUG 12725: winbindd: Fix password policy for pam authentication.

   o  Andreas Schneider <asn@samba.org>
      * BUG 12554: s3:gse: Correctly handle external trusts with MIT.
      * BUG 12611: auth/credentials: Always set the realm if we set the principal
        from the ccache.
      * BUG 12686: replace: Include sysmacros.h.
      * BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
      * BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
      * BUG 12708: winbindd: Child process crashes when kerberos-authenticating
        a user with wrong password.

   o  Uri Simchoni <uri@samba.org>
      * BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to
        CNID semantics.
      * BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
        fragmented.

Files:
Revision    Action  File
1.27.2.1    modify  pkgsrc/net/samba4/Makefile
1.10.6.1    modify  pkgsrc/net/samba4/PLIST
1.11.6.1    modify  pkgsrc/net/samba4/distinfo
1.3.6.1     modify  pkgsrc/net/samba4/options.mk
1.1.12.1    modify  pkgsrc/net/samba4/patches/patch-lib_param_loadparm.h
1.2.12.1    modify  pkgsrc/net/samba4/patches/patch-source3_script_tests_test__smbclient__s3.sh