Up to [cvs.NetBSD.org] / pkgsrc / net / samba4
samba4: updated to 4.21.2 Changes since 4.21.1 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE dispositions. * BUG 15754: Panic in close_directory. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15752: winexe no longer works with samba 4.21. o Stefan Metzmacher <metze@samba.org> * BUG 14356: protocol error - Unclear debug message "pad length mismatch" for invalid bind packet. * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented. * BUG 15740: gss_accept_sec_context() from Heimdal does not imply GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE. * BUG 15749: winbindd should call process_set_title() for locator child. o Martin Schwenke <mschwenke@ddn.com> * BUG 15320: Update CTDB to track all TCP connections to public IP addresses.
samba4: fix build on NetBSD-current with C23 memset_explicit() Add upstream merge request URL.
samba4: updated to 4.21.1 Changes since 4.21.0 o Ralph Boehme <slow@samba.org> * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream. o Alexander Bokovoy <ab@samba.org> * BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration. o Andréas Leroux <aleroux@tranquil.it> * BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS-ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool domain auth policy modify". o Stefan Metzmacher <metze@samba.org> * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15649: Durable handle is not granted when a previous OPEN exists with NoOplock. * BUG 15651: Durable handle is granted but reconnect fails. * BUG 15708: Disconnected durable handles with RH lease should not be purged by a new non conflicting open. * BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in a cluster. * BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc 8009 etypes are used. o Christof Schmitt <cs@samba.org> * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2. o Andreas Schneider <asn@samba.org> * BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup. * BUG 15721: Cannot build libldb lmdb backend on a build without AD DC. o Jones Syue <jonessyue@qnap.com> * BUG 15706: Consistent log level for sighup handler. 4.21.0 https://www.samba.org/samba/history/samba-4.21.0.html
samba: update to 4.20.5. Changes since 4.20.4 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream. o David Disseldorp <ddiss@samba.org> * BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15698: samba-tool can not load the default configuration file. o Stefan Metzmacher <metze@samba.org> * BUG 15696: Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses MacOSX clients. o Anoop C S <anoopcs@samba.org> * BUG 15686: Add new vfs_ceph module (based on low level API). o Shachar Sharon <ssharon@redhat.com> * BUG 15686: Add new vfs_ceph module (based on low level API). * BUG 15700: Crash when readlinkat fails. o Jones Syue <jonessyue@qnap.com> * BUG 15677: ntlm_auth make logs more consistent with length check.
samba4: updated to 4.20.4 Changes since 4.20.3 -------------------- This only fixes a regression in library version strings in Samba 4.20.3, see: https://bugzilla.samba.org/show_bug.cgi?id=15673 If you compiled Samba from the sources and don't have other applications relying on Samba's public libraries, there's no reason to upgrade from 4.20.3 to 4.20.4. o Andreas Schneider <asn@samba.org> * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. o Stefan Metzmacher <metze@samba.org> * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters.
samba4: updated to 4.20.3 Release Notes for Samba 4.20.3 This is the latest stable release of the Samba 4.20 release series. LDAP TLS/SASL channel binding support ------------------------------------- The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- ldap server require strong auth new values Changes since 4.20.2 -------------------- o Andreas Schneider <asn@samba.org> * BUG 15683: Running samba-bgqd as a standalone systemd service does not work. o Andrew Bartlett <abartlet@samba.org> * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15671: Invalid client warning about command line passwords. * BUG 15672: Version string is truncated in manpages. * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. * BUG 15674: cmdline_burn does not always burn secrets. * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf.
o Jo Sutton <josutton@catalyst.net.nz> * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL. o Ralph Boehme <slow@samba.org> * BUG 15676: Fix clock skew error message and memory cache clock skew recovery. o Stefan Metzmacher <metze@samba.org> * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual. * BUG 15621: s4:ldap_server: does not support tls channel bindings for sasl binds. o Xavi Hernandez <xhernandez@redhat.com> * BUG 15678: CTDB socket output queues may suffer unbounded delays under some special conditions.
samba4: updated to 4.20.2 Changes since 4.20.1 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 13213: Samba build is not reproducible. * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare function. * BUG 15625: Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances. o Andrew Bartlett <abartlet@samba.org> * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI bill. * BUG 15654: We have added new options --vendor-name and --vendor-patch-revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious. o Günther Deschner <gd@samba.org> * BUG 15665: CTDB RADOS mutex helper misses namespace support. o Stefan Metzmacher <metze@samba.org> * BUG 13019: Dynamic DNS updates with the internal DNS are not working. * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0. * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022). * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger. * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap. * BUG 15642: winbindd, net ads join and other things don't work on an ipv6 only host. * BUG 15659: Segmentation fault when deleting files in vfs_recycle. * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp(). * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the machine account. o Noel Power <noel.power@suse.com> * BUG 15435: Regression DFS not working with widelinks = true. o Andreas Schneider <asn@samba.org> * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
* BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups. * BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL.
samba4: updated to 4.20.1 Changes since 4.20.0 * BUG 15630: dns update debug message is too noisy. * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag. * BUG 15611: http library doesn't support 'chunked transfer encoding'. * BUG 15600: Provide a systemd service file for the background queue daemon.
samba4: updated to 4.20.0 Samba 4.20.0 NEW FEATURES/CHANGES ==================== New Minimum MIT Krb5 version for Samba AD Domain Controller ----------------------------------------------------------- Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack. Removed dependency on Perl JSON module -------------------------------------- Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions. Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require. samba-tool user getpassword / syncpasswords ;rounds= change ----------------------------------------------------------- The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as --attributes="virtualCryptSHA256;rounds=50000" This release makes the behaviour consistent between these two features. 
Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option, will find the output has changed from: virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF to: virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF Group Managed service account client-side features -------------------------------------------------- samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords. Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME" Supported operations include: - reading the current and previous gMSA password via "samba-tool user getpassword" - writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command "samba-tool user get-kerberos-ticket" New Windows Search Protocol Client ---------------------------------- Samba now by default builds new experimental Windows Search Protocol (WSP) command line client "wspsearch" The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a windows server) that has the (WSP) Windows Search Protocol service configured and enabled. For more details see the wspsearch man page. Allow 'smbcacls' to save/restore DACLs to file -------------------------------------------- 'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that windows cmd line tool 'icacls.exe' provides. Additionally files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool as the same file format is used.
New options added are: - '--save savefile' Saves DACLs in sddl format to file - '--recurse' Performs the '--save' operation above on directory and all files/directories below. - '--restore savefile' Restores the stored DACLS to files in directory Samba-tool extensions for AD Claims, Authentication Policies and Silos ---------------------------------------------------------------------- samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy. samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to. Finally, support is added for the creation and management of authentication silos, which are helpful in defining network boundaries by grouping users and the services they connect to. Please note: The command line syntax for these tools is not final, and may change before the next release, as we gain user feedback. The syntax will be locked in once Samba offers 2016 AD Functional Level as a default. AD DC support for Authentication Silos and Authentication Policies ------------------------------------------------------------------ The Samba AD DC now also honours any existing claims, authentication policy and authentication silo configuration previously created (eg from an import of a Microsoft AD), as well as new configurations created with samba-tool. The use of Microsoft's Powershell based client tools is not expected to work. To use this feature, the functional level must be set to 2012_R2 or later with: ad dc functional level = 2016 in the smb.conf. The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. 
This will also, at first startup, update the server's own AD entry with the configured functional level. For new domains, add these parameters to 'samba-tool provision' --option="ad dc functional level = 2016" --function-level=2016 The second option, setting the overall domain functional level indicates that all DCs should be at this functional level. To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run samba-tool domain schemaupgrade --schema=2019 samba-tool domain functionalprep --function-level=2016 samba-tool domain level raise --domain-level=2016 --forest-level=2016 This support is still new, so is not enabled by default in this release. The above instructions are set at 2016, which while not complete, matches what our testing environment validates. Conditional ACEs and Resource Attribute ACEs -------------------------------------------- Ordinary Access Control Entries (ACEs) unconditionally allow or deny access to a given user or group. Conditional ACEs have an additional section that describes conditions under which the ACE applies. If the conditional expression is true, the ACE works like an ordinary ACE, otherwise it is ignored. The condition terms can refer to claims, group memberships, and attributes on the object itself. These attributes are described in Resource Attribute ACEs that occur in the object's System Access Control List (SACL). Conditional ACEs are described in Microsoft documentation. Conditional ACE evaluation is controlled by the "acl claims evaluation" smb.conf option. The default value is "AD DC only" which enables them in AD DC settings. The other option is "never", which disables them altogether. There is currently no option to enable them on the file server (this is likely to change in future releases). The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba. 
Service Witness Protocol [MS-SWN] --------------------------------- In a ctdb cluster it is now possible to provide the SMB witness service that allows clients to monitor their current smb connection to cluster node A by asking cluster node B to notify the client if the ip address from node A or the whole node A becomes unavailable. For disk shares in a ctdb cluster SMB2_SHARE_CAP_SCALEOUT is now always returned for SMB3 tree connect responses. If the witness service is active SMB2_SHARE_CAP_CLUSTER is now also returned. In order to activate the witness service "rpc start on demand helpers = no" needs to be configured in the global section. At the same time the 'samba-dcerpcd' service needs to be started explicitly, typically with the '--libexec-rpcds' option in order to make all available services usable. One important aspect is that tcp ports 135 (for the endpoint mapper) and various ports in the 'rpc server dynamic port range' will be used to provide the witness service (rpcd_witness). ctdb provides a '47.samba-dcerpcd.script' in order to manage the samba-dcerpcd.service. Typically as systemd service, but that's up to the packager and/or admin. Please note that current windows client requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY in addition to SMB2_SHARE_CAP_CLUSTER in order to make use of the witness service. But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies the windows clients always ask for persistent handle (which are not implemented in samba yet), so that every open generates a warning in the windows smb client event log. That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY is not returned by default. An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' is needed. There are also new 'net witness' commands in order to let the admin list active client registrations or ask specific clients to move their smb connection to another cluster node. 
These are available: net witness list net witness client-move net witness share-move net witness force-unregister net witness force-response Consult 'man net' or 'net witness help' for further details.
samba4: updated to 4.19.5 Changes since 4.19.4 -------------------- * BUG 13688: Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot. * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions before that). * BUG 12421: Fake directory create times has no effect. * BUG 15550: ctime mixed up with mtime by smbd. * BUG 15548: samba-gpupdate --rsop fails if machine is not in a site. * BUG 15557: gpupdate: The root cert import when NDES is not available is broken. * BUG 15552: samba-gpupdate should print a useful message if cepces-submit can't be found. * BUG 15558: samba-gpupdate logging doesn't work. * BUG 15555: smbpasswd reset permissions only if not 0600.
samba4: updated to 4.19.4 Changes since 4.19.3 * BUG 13577: net changesecretpw cannot set the machine account password if secrets.tdb is empty. * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES. * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c. * BUG 15542: vfs_linux_xfs is incorrectly named. * BUG 15377: systemd stumbled over copyright-message at smbd startup. * BUG 15505: Following intermediate absolute share-local symlinks is broken. * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. * BUG 15544: shadow_copy2 broken when current fileset's directories are removed. * BUG 15377: systemd stumbled over copyright-message at smbd startup. * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel exclusion. * BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set. * BUG 15525: smbget debug logging doesn't work. * BUG 15532: smbget: username in the smburl and interactive password entry doesn't work. * BUG 15538: smbget auth function doesn't set values for password prompt correctly. * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. * BUG 15440: Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module. * BUG 15547: Multichannel refresh network information.
Pullup ticket #6825 - requested by taca net/samba4: security fix Update to 4.18.9 (via patch)
samba4: updated to 4.19.3 Release Notes for Samba 4.19.3 This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bugfix CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html Description of CVE-2018-14628 ----------------------------- All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller. When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain). This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view the names and preserved attributes of deleted objects. No information that was hidden before the deletion is visible, but with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights. There is no further vulnerability associated with this error, merely an information disclosure. Action required in order to resolve CVE-2018-14628! --------------------------------------------------- The patched Samba does NOT protect existing domains! The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain: samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix The above requires manual interaction in order to review the changes before they are applied. Typical questions look like this: Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
Owner mismatch: SY (in ref) DA(in current) Group mismatch: SY (in ref) DA(in current) Part dacl is different between reference and current here is the detail: (A;;LCRPLORC;;;AU) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current (A;;LCRP;;;BA) ACE is not present in the current [y/N/all/none] y Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'. Changes since 4.19.2 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15520: sid_strings test broken by unix epoch > 1700000000. o Ralph Boehme <slow@samba.org> * BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set. * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor(). o Pavel Filipenský <pfilipensky@samba.org> * BUG 15499: Improve logging for failover scenarios. o Björn Jacke <bj@sernet.de> * BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories. o Stefan Metzmacher <metze@samba.org> * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users. * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal accounts. o Christof Schmitt <cs@samba.org> * BUG 15507: vfs_gpfs stat calls fail due to file system permissions. o Andreas Schneider <asn@samba.org> * BUG 15513: Samba doesn't build with Python 3.12.
samba: update to 4.19.2. This is the first stable release of the Samba 4.19 release series.
Pullup ticket #6808 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.170-1.171 - net/samba4/PLIST 1.52 - net/samba4/distinfo 1.97-1.98 --- Module Name: pkgsrc Committed By: taca Date: Wed Sep 27 12:02:48 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.18.7 ============================== Release Notes for Samba 4.18.7 September 27, 2023 ============================== This is the latest stable release of the Samba 4.18 release series. Changes since 4.18.6 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15419: Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink(). * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE. * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized pointer. o Andrew Bartlett <abartlet@samba.org> * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect. * BUG 15407: Samba replication logs show (null) DN. o Ralph Boehme <slow@samba.org> * BUG 15463: macOS mdfind returns only 50 results. o Remi Collet <rcollet@redhat.com> * BUG 14808: smbc_getxattr() return value is incorrect. o Volker Lendecke <vl@samba.org> * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value. o Stefan Metzmacher <metze@samba.org> * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more. o MikeLiu <mikeliu@qnap.com> * BUG 15453: File doesn't show when user doesn't have permission if aio_pthread is loaded. o Martin Schwenke <mschwenke@ddn.com> * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with empty claims pac blobs (from Samba 4.19 or Windows). 
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. --- Module Name: pkgsrc Committed By: taca Date: Tue Oct 10 16:05:01 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: net/samba4: update to 4.18.8 ============================== Release Notes for Samba 4.18.8 October 10, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. https://www.samba.org/samba/security/CVE-2023-3961.html o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" https://www.samba.org/samba/security/CVE-2023-4091.html o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. https://www.samba.org/samba/security/CVE-2023-4154.html o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. https://www.samba.org/samba/security/CVE-2023-42669.html o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. https://www.samba.org/samba/security/CVE-2023-42670.html
net/samba4: update to 4.18.8 ============================== Release Notes for Samba 4.18.8 October 10, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. https://www.samba.org/samba/security/CVE-2023-3961.html o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" https://www.samba.org/samba/security/CVE-2023-4091.html o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. https://www.samba.org/samba/security/CVE-2023-4154.html o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. https://www.samba.org/samba/security/CVE-2023-42669.html o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. https://www.samba.org/samba/security/CVE-2023-42670.html
net/samba4: update to 4.18.7 ============================== Release Notes for Samba 4.18.7 September 27, 2023 ============================== This is the latest stable release of the Samba 4.18 release series. Changes since 4.18.6 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15419: Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink(). * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE. * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized pointer. o Andrew Bartlett <abartlet@samba.org> * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect. * BUG 15407: Samba replication logs show (null) DN. o Ralph Boehme <slow@samba.org> * BUG 15463: macOS mdfind returns only 50 results. o Remi Collet <rcollet@redhat.com> * BUG 14808: smbc_getxattr() return value is incorrect. o Volker Lendecke <vl@samba.org> * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value. o Stefan Metzmacher <metze@samba.org> * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more. o MikeLiu <mikeliu@qnap.com> * BUG 15453: File doesn't show when user doesn't have permission if aio_pthread is loaded. o Martin Schwenke <mschwenke@ddn.com> * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with empty claims pac blobs (from Samba 4.19 or Windows). * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use.
net/samba4: update to 4.18.5 Changes since 4.18.5 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp pointer. * BUG 15430: Missing return in reply_exit_done(). o Andrew Bartlett <abartlet@samba.org> * BUG 15289: post-exec password redaction for samba-tool is more reliable for fully random passwords as it no longer uses regular expressions containing the password value itself. * BUG 9959: Windows client join fails if a second container CN=System exists somewhere. o Ralph Boehme <slow@samba.org> * BUG 15342: Spotlight sometimes returns no results on latest macOS. * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination. * BUG 15427: Spotlight results return wrong date in result list. o Günther Deschner <gd@samba.org> * BUG 15414: "net offlinejoin provision" does not work as non-root user. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15400: rpcserver no longer accepts double backslash in dfs pathname. * BUG 15433: cm_prepare_connection() calls close(fd) for the second time. o Stefan Metzmacher <metze@samba.org> * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2. * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended. * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed. o Noel Power <noel.power@suse.com> * BUG 15390: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation). * BUG 15435: Regression DFS not working with widelinks = true. o Arvid Requate <requate@univention.de> * BUG 9959: Windows client join fails if a second container CN=System exists somewhere. o Jones Syue <jonessyue@qnap.com> * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended. * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
Pullup ticket #6782 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.166-1.167 - net/samba4/distinfo 1.94-1.95 --- Module Name: pkgsrc Committed By: wiz Date: Wed Jul 19 15:33:28 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: samba: update to 4.18.4. Changes since 4.18.3 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15404: Backport --pidl-developer fixes. o Samuel Cabrero <scabrero@samba.org> * BUG 14030: Named crashes on DLZ zone update. o Björn Jacke <bj@sernet.de> * BUG 2312: smbcacls and smbcquotas do not check // before the server. o Volker Lendecke <vl@samba.org> * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers. * BUG 15391: smbclient leaks fds with showacls. * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem. o Stefan Metzmacher <metze@samba.org> * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and causes test timeouts. o Noel Power <noel.power@suse.com> * BUG 15384: net ads lookup (with unspecified realm) fails. o Christof Schmitt <cs@samba.org> * BUG 15381: Register Samba processes with GPFS. o Andreas Schneider <asn@samba.org> * BUG 15390: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation). * BUG 15398: The winbind child segfaults when listing users with `winbind scan trusted domains = yes`. o Jones Syue <jonessyue@qnap.com> * BUG 15383: Remove comments about deprecated 'write cache size'. * BUG 15403: smbget memory leak if failed to download files recursively. 
--- Module Name: pkgsrc Committed By: taca Date: Thu Jul 20 01:28:34 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.18.5 ============================== Release Notes for Samba 4.18.5 July 19, 2023 ============================== This is a security release in order to address the following defects: o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it. https://www.samba.org/samba/security/CVE-2022-2127.html o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. https://www.samba.org/samba/security/CVE-2023-3347.html o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request. https://www.samba.org/samba/security/CVE-2023-34966.html o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process. https://www.samba.org/samba/security/CVE-2023-34967.html o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server- side absolute path of shares and files and directories in search results. https://www.samba.org/samba/security/CVE-2023-34968.html Changes since 4.18.4 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15072: CVE-2022-2127. * BUG 15340: CVE-2023-34966. * BUG 15341: CVE-2023-34967. * BUG 15388: CVE-2023-34968. * BUG 15397: CVE-2023-3347. o Volker Lendecke <vl@samba.org> * BUG 15072: CVE-2022-2127. o Stefan Metzmacher <metze@samba.org> * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
net/samba4: update to 4.18.5 ============================== Release Notes for Samba 4.18.5 July 19, 2023 ============================== This is a security release in order to address the following defects: o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it. https://www.samba.org/samba/security/CVE-2022-2127.html o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. https://www.samba.org/samba/security/CVE-2023-3347.html o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request. https://www.samba.org/samba/security/CVE-2023-34966.html o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process. https://www.samba.org/samba/security/CVE-2023-34967.html o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server- side absolute path of shares and files and directories in search results. https://www.samba.org/samba/security/CVE-2023-34968.html Changes since 4.18.4 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15072: CVE-2022-2127. * BUG 15340: CVE-2023-34966. * BUG 15341: CVE-2023-34967. * BUG 15388: CVE-2023-34968. * BUG 15397: CVE-2023-3347. o Volker Lendecke <vl@samba.org> * BUG 15072: CVE-2022-2127. o Stefan Metzmacher <metze@samba.org> * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
samba: update to 4.18.4. Changes since 4.18.3 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15404: Backport --pidl-developer fixes. o Samuel Cabrero <scabrero@samba.org> * BUG 14030: Named crashes on DLZ zone update. o Björn Jacke <bj@sernet.de> * BUG 2312: smbcacls and smbcquotas do not check // before the server. o Volker Lendecke <vl@samba.org> * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers. * BUG 15391: smbclient leaks fds with showacls. * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem. o Stefan Metzmacher <metze@samba.org> * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and causes test timeouts. o Noel Power <noel.power@suse.com> * BUG 15384: net ads lookup (with unspecified realm) fails. o Christof Schmitt <cs@samba.org> * BUG 15381: Register Samba processes with GPFS. o Andreas Schneider <asn@samba.org> * BUG 15390: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation). * BUG 15398: The winbind child segfaults when listing users with `winbind scan trusted domains = yes`. o Jones Syue <jonessyue@qnap.com> * BUG 15383: Remove comments about deprecated 'write cache size'. * BUG 15403: smbget memory leak if failed to download files recursively.
samba: update to 4.18.3. Changes since 4.18.2 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15375: Symlinks to files can have random DOS mode information in a directory listing. * BUG 15378: vfs_fruit might cause a failing open for delete. o Volker Lendecke <vl@samba.org> * BUG 15361: winbind recurses into itself via rpcd_lsad. * BUG 15366: wbinfo -u fails on ad dc with >1000 users. o Stefan Metzmacher <metze@samba.org> * BUG 15338: DS ACEs might be inherited to unrelated object classes. * BUG 15362: a lot of messages: get_static_share_mode_data: get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND. * BUG 15374: aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(). o Andreas Schneider <asn@samba.org> * BUG 15360: Setting veto files = /.*/ break listing directories. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15363: "samba-tool domain provision" does not run interactive mode if no arguments are given. o Nathaniel W. Turner <nturner@exagrid.com> * BUG 15325: dsgetdcname: assumes local system uses IPv4.
samba: update to 4.18.2. 4.18.2 Changes since 4.18.1 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower. * BUG 15306: Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c. o Andrew Bartlett <abartlet@samba.org> * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners. * BUG 15329: Reduce flapping of ridalloc test. * BUG 15351: large_ldap test is unreliable. o Ralph Boehme <slow@samba.org> * BUG 15143: New filename parser doesn't check veto files smb.conf parameter. * BUG 15354: mdssvc may crash when initializing. o Volker Lendecke <vl@samba.org> * BUG 15313: large directory optimization broken for non-lcomp path elements. * BUG 15357: streams_depot fails to create streams. * BUG 15358: shadow_copy2 and streams_depot don't play well together. o Rob van der Linde <rob@catalyst.net.nz> * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py. o Stefan Metzmacher <metze@samba.org> * BUG 15317: winbindd idmap child contacts the domain controller without a need. * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the first time. * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings. * BUG 15323: net ads search -P doesn't work against servers in other domains. * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py. * BUG 15343: Tests use deprecated and removed methods like assertRegexpMatches. 4.18.1 This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html Changes since 4.18.0 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15276: CVE-2023-0225. o Andrew Bartlett <abartlet@samba.org> * BUG 15270: CVE-2023-0614. * BUG 15331: ldb wildcard matching makes excessive allocations. * BUG 15332: large_ldap test is inefficient. o Rob van der Linde <rob@catalyst.net.nz> * BUG 15315: CVE-2023-0922. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15270: CVE-2023-0614. * BUG 15276: CVE-2023-0225. 4.18.0 This is the first stable release of the Samba 4.18 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES ==================== SMB Server performance improvements ----------------------------------- The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads. While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again. 
More succinct samba-tool error messages --------------------------------------- Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include: * a username or password is incorrect * an ldb database filename is wrong (including in smb.conf) * samba-tool dns: various zones or records do not exist * samba-tool ntacl: certain files are missing * the network seems to be down * bad --realm or --debug arguments Accessing the old samba-tool messages ------------------------------------- This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org. Colour output with samba-tool --color ------------------------------------- For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal. Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly. 
* samba-tool drs showrepl: default is now 'auto', not 'no' * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages. New samba-tool dsacl subcommand for deleting ACES ------------------------------------------------- The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added. No colour with NO_COLOR environment variable -------------------------------------------- With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR. New wbinfo option --change-secret-at ------------------------------------ The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER> which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs. New option to change the NT ACL default location ------------------------------------------------ Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. 
user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
--------------------------------------------------------------

Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.

REMOVED FEATURES
================

smb.conf changes
================

  Parameter Name               Description  Default
  --------------               -----------  -------
  acl_xattr:security_acl_name  New          security.NTACL
  server addresses             New

CHANGES SINCE 4.18.0rc4
=======================

o Jeremy Allison <jra@samba.org>
   * BUG 15314: streams_xattr is creating unexpected locks on folders.

o Volker Lendecke <vl@samba.org>
   * BUG 15310: New samba-dcerpc architecture does not scale gracefully.

CHANGES SINCE 4.18.0rc3
=======================

o Andreas Schneider <asn@samba.org>
   * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on failure.

o baixiangcpp <baixiangcpp@gmail.com>
   * BUG 15311: fd_load() function implicitly closes the fd where it should not.

CHANGES SINCE 4.18.0rc2
=======================

o Jeremy Allison <jra@samba.org>
   * BUG 15301: Improve file_modtime() and issues around smb3 unix test.

o Ralph Boehme <slow@samba.org>
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o Stefan Metzmacher <metze@samba.org>
   * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0). (tevent 0.14.1 and ldb 2.7.1 are already released...)

o John Mulligan <jmulligan@redhat.com>
   * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat.
o Andreas Schneider <asn@samba.org> * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1. * BUG 15301: Improve file_modtime() and issues around smb3 unix test. CHANGES SINCE 4.18.0rc1 ======================= o Andrew Bartlett <abartlet@samba.org> * BUG 10635: Office365 azure Password Sync not working. o Stefan Metzmacher <metze@samba.org> * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. o Noel Power <noel.power@suse.com> * BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free.
Pullup ticket #6744 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.161 - net/samba4/distinfo 1.91 --- Module Name: pkgsrc Committed By: taca Date: Sat Apr 1 08:49:05 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.17.7 ============================== Release Notes for Samba 4.17.7 March 29, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html
net/samba4: update to 4.17.7 ============================== Release Notes for Samba 4.17.7 March 29, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html
net/samba4: update to 4.17.6 ============================== Release Notes for Samba 4.17.6 March 09, 2023 ============================== This is the latest stable release of the Samba 4.17 release series. Changes since 4.17.5 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15314: streams_xattr is creating unexpected locks on folders. o Andrew Bartlett <abartlet@samba.org> * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment. o Ralph Boehme <slow@samba.org> * BUG 15299: Spotlight doesn't work with latest macOS Ventura. o Volker Lendecke <vl@samba.org> * BUG 15310: New samba-dcerpc architecture does not scale gracefully. o John Mulligan <jmulligan@redhat.com> * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. o Noel Power <noel.power@suse.com> * BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free. o baixiangcpp <baixiangcpp@gmail.com> * BUG 15311: fd_load() function implicitly closes the fd where it should not.
Pullup ticket #6728 - requested by taca net/samba4: security update Revisions pulled up: - net/samba4/Makefile 1.155,1.157-1.159 - net/samba4/PLIST 1.49-1.50 - net/samba4/distinfo 1.88-1.89 - net/samba4/options.mk 1.18 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Tue Jan 3 15:27:23 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo options.mk Log Message: samba: update to 4.17.4. This is the latest stable release of the Samba 4.17 release series. It also contains security changes in order to address the following defects: o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. https://www.samba.org/samba/security/CVE-2022-37966.html o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with. https://www.samba.org/samba/security/CVE-2022-37967.html o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak. https://www.samba.org/samba/security/CVE-2022-38023.html Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. 
Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options). See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                                Description              Default
  --------------                                -----------              -------
  allow nt4 crypto                              Deprecated               no
  allow nt4 crypto:COMPUTERACCOUNT              New
  kdc default domain supported enctypes         New (see manpage)
  kdc supported enctypes                        New (see manpage)
  kdc force enable rc4 weak session keys        New                      No
  reject md5 clients                            New Default, Deprecated  Yes
  reject md5 servers                            New Default, Deprecated  Yes
  server schannel                               Deprecated               Yes
  server schannel require seal                  New, Deprecated          Yes
  server schannel require seal:COMPUTERACCOUNT  New
  winbind sealed pipes                          Deprecated               Yes

Changes since 4.17.3
--------------------

o Jeremy Allison <jra@samba.org>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.

o Andrew Bartlett <abartlet@samba.org>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability.
* BUG 15206: libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(). * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. * BUG 15230: Memory leak in snprintf replacement functions. * BUG 15237: CVE-2022-37966. * BUG 15240: CVE-2022-38023. * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression). o Noel Power <noel.power@suse.com> * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size. o Anoop C S <anoopcs@samba.org> * BUG 15198: Prevent EBADF errors with vfs_glusterfs. o Andreas Schneider <asn@samba.org> * BUG 15237: CVE-2022-37966. * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15257: Stack smashing in net offlinejoin requestodj. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. * BUG 15231: CVE-2022-37967. * BUG 15237: CVE-2022-37966. o Nicolas Williams <nico@twosigma.com> * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST. 
To generate a diff of this commit: cvs rdiff -u -r1.154 -r1.155 pkgsrc/net/samba4/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/net/samba4/PLIST cvs rdiff -u -r1.87 -r1.88 pkgsrc/net/samba4/distinfo cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/samba4/options.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tnn Date: Tue Jan 10 02:12:40 UTC 2023 Modified Files: pkgsrc/net/samba4: PLIST Log Message: samba4: fix PLIST error when option ads is off To generate a diff of this commit: cvs rdiff -u -r1.49 -r1.50 pkgsrc/net/samba4/PLIST ------------------------------------------------------------------- Module Name: pkgsrc Committed By: hauke Date: Thu Jan 19 16:32:54 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile Log Message: Un-break FreeBSD build - it does not define ENODATA. See also this thread <https://mail-index.netbsd.org/tech-kern/2012/04/30/msg013090.html>. To generate a diff of this commit: cvs rdiff -u -r1.156 -r1.157 pkgsrc/net/samba4/Makefile ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Mon Jan 23 09:13:52 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile Log Message: samba4: add upper bound for ldb and remove reference to non-existent file To generate a diff of this commit: cvs rdiff -u -r1.157 -r1.158 pkgsrc/net/samba4/Makefile ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Sat Jan 28 13:52:03 UTC 2023 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.17.5 =============== Release Notes for Samba 4.17.5 January 26, 2023 =============== This is the latest stable release of the Samba 4.17 release series. Changes since 4.17.4 -------------------- o Jeremy Allison <jra@samba.org> * BUG 14808: smbc_getxattr() return value is incorrect. * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly. 
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors. * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS. * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle. * BUG 15277: DFS links don't work anymore on Mac clients since 4.17. * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value). o Samuel Cabrero <scabrero@samba.org> * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes). o Volker Lendecke <vl@samba.org> * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15269: ctdb: use-after-free in run_proc. o Stefan Metzmacher <metze@samba.org> * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. o Andreas Schneider <asn@samba.org> * BUG 15268: smbclient segfaults with use after free on an optimized build. o Jones Syue <jonessyue@qnap.com> * BUG 15282: smbstatus leaking files in msg.sock and msg.lock. o Andrew Walker <awalker@ixsystems.com> * BUG 15164: Leak in wbcCtxPingDc2. * BUG 15265: Access based share enum does not work in Samba 4.16+. * BUG 15267: Crash during share enumeration. * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer. o Florian Weimer <fweimer@redhat.com> * BUG 15281: Avoid relying on C89 features in a few places. To generate a diff of this commit: cvs rdiff -u -r1.158 -r1.159 pkgsrc/net/samba4/Makefile cvs rdiff -u -r1.88 -r1.89 pkgsrc/net/samba4/distinfo
net/samba4: update to 4.17.5 ============================== Release Notes for Samba 4.17.5 January 26, 2023 ============================== This is the latest stable release of the Samba 4.17 release series. Changes since 4.17.4 -------------------- o Jeremy Allison <jra@samba.org> * BUG 14808: smbc_getxattr() return value is incorrect. * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly. * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors. * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS. * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle. * BUG 15277: DFS links don't work anymore on Mac clients since 4.17. * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value). o Samuel Cabrero <scabrero@samba.org> * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes). o Volker Lendecke <vl@samba.org> * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15269: ctdb: use-after-free in run_proc. o Stefan Metzmacher <metze@samba.org> * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. o Andreas Schneider <asn@samba.org> * BUG 15268: smbclient segfaults with use after free on an optimized build. o Jones Syue <jonessyue@qnap.com> * BUG 15282: smbstatus leaking files in msg.sock and msg.lock. o Andrew Walker <awalker@ixsystems.com> * BUG 15164: Leak in wbcCtxPingDc2. * BUG 15265: Access based share enum does not work in Samba 4.16+. * BUG 15267: Crash during share enumeration. 
* BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer. o Florian Weimer <fweimer@redhat.com> * BUG 15281: Avoid relying on C89 features in a few places.
samba: update to 4.17.4.

This is the latest stable release of the Samba 4.17 release series. It also contains security changes in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
  https://www.samba.org/samba/security/CVE-2022-38023.html

Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with systems still expecting the former behavior. Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options). See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                                Description              Default
  --------------                                -----------              -------
  allow nt4 crypto                              Deprecated               no
  allow nt4 crypto:COMPUTERACCOUNT              New
  kdc default domain supported enctypes         New                      (see manpage)
  kdc supported enctypes                        New                      (see manpage)
  kdc force enable rc4 weak session keys        New                      No
  reject md5 clients                            New Default, Deprecated  Yes
  reject md5 servers                            New Default, Deprecated  Yes
  server schannel                               Deprecated               Yes
  server schannel require seal                  New, Deprecated          Yes
  server schannel require seal:COMPUTERACCOUNT  New
  winbind sealed pipes                          Deprecated               Yes

Changes since 4.17.3
--------------------

o Jeremy Allison <jra@samba.org>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.

o Andrew Bartlett <abartlet@samba.org>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability.
   * BUG 15206: libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4().
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression).

o Noel Power <noel.power@suse.com>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.

o Anoop C S <anoopcs@samba.org>
   * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
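
As a check for the smb.conf parameters listed in the 4.17.4 notes above, the following added example (not part of the commit message or of Samba) parses the [global] section of a configuration and reports settings that differ from the secure defaults in that table, plus 'kerberos encryption types = legacy'. The sample configuration and the account name LEGACYBOX$ are constructed, and include files are not followed.

```python
"""Audit the [global] section of an smb.conf against the 4.17.4 defaults."""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# Secure value for each boolean parameter, taken from the "Default" column
# of the smb.conf changes table in the 4.17.4 notes.
EXPECTED = {
    "allow nt4 crypto": False,
    "kdc force enable rc4 weak session keys": False,
    "reject md5 clients": True,
    "reject md5 servers": True,
    "server schannel": True,
    "server schannel require seal": True,
    "winbind sealed pipes": True,
}
# Parameters the notes list with a ":COMPUTERACCOUNT" per-account form.
PER_ACCOUNT = {"allow nt4 crypto", "server schannel require seal"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
[global]
    workgroup = EXAMPLE
    Reject MD5 Clients = no
    server schannel = auto
    server schannel require seal:LEGACYBOX$ = no
    kerberos encryption types = legacy
    winbind sealed pipes = yes
    kdc force enable rc4 weak \\
        session keys = yes

[share]
    reject md5 servers = no
"""


def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return "".join(name.split()).lower()


BY_NORM = {norm(k): (k, v) for k, v in EXPECTED.items()}
PER_ACCOUNT_NORM = {norm(k) for k in PER_ACCOUNT}
ETYPES = norm("kerberos encryption types")


def parse_global(text):
    """Return {(normalized name, account): value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue                     # only [global] is audited
        key, value = line.split("=", 1)
        name, _, account = key.partition(":")
        params[(norm(name), account.strip())] = value.strip()
    return params


def audit(text):
    """Return (parameter, account, value, reason) for each weakened setting."""
    findings = []
    for (name, account), value in sorted(parse_global(text).items()):
        v = value.lower()
        if name == ETYPES and not account:
            if v == "legacy":
                findings.append(("kerberos encryption types", "", value,
                                 "setting named in the CVE-2022-37966 note"))
            continue
        if name not in BY_NORM:
            continue
        if account and name not in PER_ACCOUNT_NORM:
            continue
        display, secure = BY_NORM[name]
        # Anything that is not a recognised boolean (e.g. "auto") maps to None
        # and is reported, because it is not the secure value.
        got = True if v in TRUE else False if v in FALSE else None
        if got is not secure:
            want = "yes" if secure else "no"
            scope = "per-account exception" if account else "global setting"
            findings.append((display, account, value,
                             f"{scope} differs from secure default '{want}'"))
    return findings


if __name__ == "__main__":
    for param, account, value, reason in audit(SAMPLE):
        target = f"{param}:{account}" if account else param
        print(f"{target} = {value}  <- {reason}")
```

A plain text search for the parameter names would miss the mixed-case and continued lines in the sample, which is why names are normalized before comparison.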
samba4: Build krb5.so module statically. Avoids issues when building on systems that have a native libkrb5.so. Samba libraries that try to link against krb5.so, which during the build phase is named libgensec_module_krb5.so, end up with incorrect library dependencies, likely due to wrapper interactions.
samba: update to 4.17.3. This is a security release in order to address the following defects: o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap. https://www.samba.org/samba/security/CVE-2022-42898.html Changes since 4.17.2 -------------------- o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15203: CVE-2022-42898 o Nicolas Williams <nico@twosigma.com> * BUG 15203: CVE-2022-42898
Pullup ticket #6694 - requested by taca devel/samba4: security fix via patch -- update to 4.16.6 --- Samba 4.16.6 fixes these security problems. 4.16.6 (2022-10-25) This is a security release in order to address the following defect: o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba). https://www.samba.org/samba/security/CVE-2022-3437.html Changes since 4.16.5 --------------------- o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15134: CVE-2022-3437.
net/samba4: update to 4.17.2 4.17.2 (2022/10-25) o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba). https://www.samba.org/samba/security/CVE-2022-3437.html o CVE-2022-3592: A malicious client can use a symlink to escape the exported directory. https://www.samba.org/samba/security/CVE-2022-3592.html Changes since 4.17.1 -------------------- o Volker Lendecke <vl@samba.org> * BUG 15207: CVE-2022-3592. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15134: CVE-2022-3437.
samba: update to 4.17.1.

Changes since 4.17.0
--------------------

o Jeremy Allison <jra@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o Andrew Bartlett <abartlet@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.

o Ralph Boehme <slow@samba.org>
   * BUG 15182: Flush on a named stream never completes.

o Volker Lendecke <vl@samba.org>
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.

o Stefan Metzmacher <metze@samba.org>
   * BUG 15200: multi-channel socket passing may hit a race if one of the involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others).

o Noel Power <noel.power@suse.com>
   * BUG 15205: Since popt1.19 various use after free errors using result of poptGetArg are now exposed.

o Anoop C S <anoopcs@samba.org>
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs.

o Andreas Schneider <asn@samba.org>
   * BUG 15169: GETPWSID in memory cache grows indefinitely with each NTLM auth.

o Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.

==============================
Release Notes for Samba 4.17.0
September 13, 2022
==============================

This is the first stable release of the Samba 4.17 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for meta data heavy workloads.

With 4.17 the situation improved a lot again:

- Pathnames given by a client are divided into dirname and basename. The amount of syscalls to validate dirnames is reduced to 2 syscalls (openat, close) per component. On modern Linux kernels (>= 5.6) smbd makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, in order to just use 2 syscalls (openat2, close) for the whole dirname.

- Contended path based operations used to generate a lot of unsolicited wakeup events causing thundering herd problems, which lead to massive latencies for some clients. These events are now avoided in order to provide stable latencies and much higher throughput of open/close operations.

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:

  --with-smb1-server
  --without-smb1-server

By default (without either of these options set) Samba is configured to include SMB1 support (i.e. --with-smb1-server is the default). When Samba is configured without SMB1 support, none of the SMB1 code is included inside smbd except the minimal stub code needed to allow a client to connect as SMB1 and immediately negotiate the selected protocol into SMB2 (as a Windows server also allows).
None of the SMB1-only smb.conf parameters are removed when configured without SMB1, but these parameters are ignored by the smbd server. This allows deployment without having to change an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers.

Bronze bit and S4U support now also with MIT Kerberos 1.20
----------------------------------------------------------

In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze Bit’. With this vulnerability, a compromised service that is configured to use Kerberos constrained delegation feature could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was changed to allow passing more details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions.

Note the default (Heimdal-based) KDC was already fixed in 2021, see https://bugzilla.samba.org/show_bug.cgi?id=14642

Resource Based Constrained Delegation (RBCD) support
----------------------------------------------------

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Samba's S4U testsuite.
samba-tool delegation got the 'add-principal' and 'del-principal' subcommands in order to manage RBCD.

To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with MIT Kerberos 1.20.

Note the default (Heimdal-based) KDC does not support RBCD yet.

[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

Customizable DNS listening port
-------------------------------

It is now possible to set a custom listening port for the builtin DNS service, making it easy to host another DNS on the same system that would bind to the default port and forward the domain-specific queries to Samba using the custom port. This is the opposite configuration of setting a forwarder in Samba.

It makes it possible to use another DNS server as a front and forward to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when forwarding to Samba. Dynamic DNS update proxying depends on the features of the other DNS server used as a front.

CTDB changes
------------

* When Samba is configured with both --with-cluster-support and --systemd-install-services then a systemd service file for CTDB will be installed.

* ctdbd_wrapper has been removed. ctdbd is now started directly from a systemd service file or init script.

* The syntax for the ctdb.tunables configuration file has been relaxed. However, trailing garbage after the value, including comments, is no longer permitted. Please see ctdb-tunables(7) for more details.

Operation without the (unsalted) NT password hash
-------------------------------------------------

When Samba is configured with 'nt hash store = never' then Samba will no longer store the (unsalted) NT password hash for users in Active Directory. (Trust accounts, like computers, domain controllers and inter-domain trusts are not impacted).
In the next version of Samba the default for 'nt hash store' will change from 'always' to 'auto', where it will follow (behave as 'nt hash store = never' when 'ntlm auth = disabled' is set.

Security-focused deployments of Samba that have eliminated NTLM from their networks will find setting 'ntlm auth = disabled' with 'nt hash store = always' as a useful way to improve compliance with best-practice guidance on password storage (which is to always use an iterated hash).

Note that when 'nt hash store = never' is set, then arcfour-hmac-md5 Kerberos keys will not be available for users who subsequently change their password, as these keys derive their values from NT hashes. AES keys are stored by default for all deployments of Samba with Domain Functional Level 2008 or later, are supported by all modern clients, and are much more secure.

Finally, also note that password history in Active Directory is stored in nTPwdHistory using a series of NT hash values. Therefore the full password history feature is not available in this mode.

To provide some protection against password re-use previous Kerberos hash values (the current, old and older values are already stored) are used, providing a history length of 3.

There is one small limitation of this workaround: Changing the sAMAccountName, userAccountControl or userPrincipalName of an account can cause the Kerberos password salt to change. This means that after *both* an account rename and a password change, only the current password will be recognised for password history purposes.

Python API for smbconf
----------------------

Samba's smbconf library provides a generic frontend to various configuration backends (plain text file, registry) as a C library. A new Python wrapper, importable as 'samba.smbconf' is available. An additional module, 'samba.samba3.smbconf', is also available to enable registry backend support. These libraries allow Python programs to read, and optionally write, Samba configuration natively.

JSON support for smbstatus
--------------------------

It is now possible to print detailed information in JSON format in the smbstatus program using the new option --json. The JSON output covers all the existing text output including sessions, connections, open files, byte-range locks, notifies and profile data with all low-level information maintained by Samba in the respective databases.

Protected Users security group
------------------------------

Samba AD DC now includes support for the Protected Users security group introduced in Windows Server 2012 R2. The feature reduces the attack surface of user accounts by preventing the use of weak encryption types. It also mitigates the effects of credential theft by limiting credential lifetime and scope.

The protections are intended for user accounts only, and service or computer accounts should not be added to the Protected Users group. User accounts added to the group are granted the following security protections:

* NTLM authentication is disabled.
* Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are not issued to or accepted from affected principals. Tickets encrypted with AES, and service tickets encrypted with RC4, are not affected by this restriction.
* The lifetime of Kerberos TGTs is restricted to a maximum of four hours.
* Kerberos constrained and unconstrained delegation is disabled.

If the Protected Users group is not already present in the domain, it can be created with 'samba-tool group add'. The new '--special' parameter must be specified, with 'Protected Users' as the name of the group. An example command invocation is:

  samba-tool group add 'Protected Users' --special

or against a remote server:

  samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator

The Protected Users group is identified in the domain by its having a RID of 525.
Thus, it should only be created with samba-tool and the '--special' parameter, as above, so that it has the required RID to function correctly.

REMOVED FEATURES
================

LanMan Authentication and password storage removed from the AD DC
-----------------------------------------------------------------

The storage and authentication with LanMan passwords has been entirely removed from the Samba AD DC, even when "lanman auth = yes" is set.

smb.conf changes
================

  Parameter Name          Description                 Default
  --------------          -----------                 -------
  dns port                New default                 53
  fruit:zero_file_id      New default                 yes
  nt hash store           New parameter               always
  smb1 unix extensions    Replaces "unix extensions"
  volume serial number    New parameter               -1
  winbind debug traceid   New parameter               no
samba4: updated to 4.16.5 Changes since 4.16.4 -------------------- * BUG 15128: Possible use after free of connection_struct when iterating smbd_server_connection->connections. * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is disabled on a share. * BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr. * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1. * BUG 15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197. * BUG 15148: Missing READ_LEASE break could cause data corruption. * BUG 15124: rpcclient can crash using setuserinfo(2). * BUG 15132: Samba fails to build with glibc 2.36 caused by including <sys/mount.h> in libreplace. * BUG 15152: SMB1 negotiation can fail to handle connection errors. * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
samba4: Remove gensec/krb5 patch. It doesn't appear to solve the problem, I must have had a stale install directory around when testing. Still none the wiser as to why the krb5 module isn't being built correctly, but apparently it seems to work for some folks, so it will have to be left broken on SunOS for a bit.
samba4: Various build fixes.
Pullup tickets #6664 #6669 - requested by taca net/samba4: security update databases/ldb: dependency update Update net/samba4 to 4.15.9 from samba-4.15.6 by patch, since HEAD is on a later minor. Update databases/ldb to 2.4.4 from 2.4.2 because samba-4.15.9 requires it.
samba4: updated to 4.16.4 Release Notes for Samba 4.16.4 This is a security release in order to address the following defects: o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords. https://www.samba.org/samba/security/CVE-2022-2031.html o CVE-2022-32744: Samba AD users can forge password change requests for any user. https://www.samba.org/samba/security/CVE-2022-32744.html o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32745.html o CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request. https://www.samba.org/samba/security/CVE-2022-32746.html o CVE-2022-32742: Server memory information leak via SMB1. https://www.samba.org/samba/security/CVE-2022-32742.html
samba4: Add support for mit-krb5. The builtin heimdal no longer builds and it's unclear how it can possibly work as it uses functions that do not exist anywhere. Also fix some SunOS build issues. I'm not convinced this won't break builds that use heimdal but will keep an eye out for failures.
samba4: updated to 4.16.3 Changes since 4.16.2 -------------------- * BUG 15099: Using vfs_streams_xattr and deleting a file causes a panic. * BUG 14986: Add support for bind 9.18. * BUG 15076: logging dsdb audit to specific files does not work. * BUG 14979: Problem when winbind renews Kerberos. * BUG 15095: Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode. * BUG 15105: Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL. * BUG 15118: Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(). * BUG 15100: smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS. * BUG 15120: Fix check for chown when processing NFSv4 ACL. * BUG 15082: The pcap background queue process should not be stopped. * BUG 15097: testparm: Fix typo in idmap rangesize check. * BUG 15106: net ads info returns LDAP server and LDAP server name as null. * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link. * BUG 15090: CTDB child process logging does not work as expected. Changes since 4.16.1 -------------------- * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie. * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted. * BUG 15087: netgroups support removed. * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server. * BUG 15062: Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS. * BUG 15071: waf produces incorrect names for python extensions with Python 3.11. * BUG 15075: smbclient -E doesn't work as advertised. * BUG 15071: waf produces incorrect names for python extensions with Python 3.11. * BUG 15081: The samba background daemon doesn't refresh the printcap cache on startup. * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.. Changes since 4.16.0 -------------------- * BUG 14831: Share and server swapped in smbget password prompt. 
* BUG 15022: Durable handles won't reconnect if the leased file is written to. * BUG 15023: rmdir silently fails if directory contains unreadable files and hide unreadable is yes. * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle. * BUG 8731: Need to describe --builtin-libraries= better (compare with --bundled-libraries). * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback. * BUG 15035: shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes. * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew error. * BUG 15041: Username map - samba erroneously applies unix group memberships to user account entries. * BUG 14951: KVNO off by 100000. * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module. * BUG 15055: vfs_gpfs recalls=no option prevents listing files. * BUG 15054: smbd doesn't handle UPNs for looking up names.
samba4: Build fixes, primarily for SunOS.
Restore a SYSCONFDIR path substitution that had gone lost, probably as a result of running mkpatches after 'make configure'.
samba4: updated to 4.15.6 Changes since 4.15.5 -------------------- * BUG 14169: Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND. * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key. * BUG 14938: NT error code is not set when overwriting a file during rename in libsmbclient. * BUG 14996: Fix ldap simple bind with TLS auditing. * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server. * BUG 14979: Problem when winbind renews Kerberos. * BUG 8691: pam_winbind will not allow gdm login if password about to expire. * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file. * BUG 13631: DFS fix for AIX broken. * BUG 14974: Solaris and AIX acl modules: wrong function arguments. * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump. * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam. * BUG 14989: Fix a use-after-free in SMB1 server. * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2. * BUG 14984: changing the machine password against an RODC likely destroys the domain join. * BUG 14993: authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument. * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the id range only once.
net/samba4: security update to 4.15.5 This is a security release in order to address the following defects: o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists. https://www.samba.org/samba/security/CVE-2021-44141.html o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module. https://www.samba.org/samba/security/CVE-2021-44142.html o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks. https://www.samba.org/samba/security/CVE-2022-0336.html
net/samba4: version 4.15.4

This includes a patch (already posted upstream) to fix updated Samba on NetBSD's /proc, so the upgrade is not blocked anymore.

Release notes for 4.15:

NEW FEATURES/CHANGES
====================

VFS
---

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the <https://wiki.samba.org/index.php/The_New_VFS>.

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface.
A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools. These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos     ->  --use-kerberos=required|desired|off
  --krb5-ccache  ->  --use-krb5-ccache=CCACHE
  --scope        ->  --netbios-scope=SCOPE
  --use-ccache   ->  --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
  -e is still available as an alias for --editor, as it used to be.
  -s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.

ndrdump:
  -l is not available for --load-dso anymore

net:
  -l is not available for --long anymore

sharesec:
  -V is not available for --viewsddl anymore

smbcquotas:
  --user  ->  --quota-user

nmbd:
  --log-stdout  ->  --debug-stdout

smbd:
  --log-stdout  ->  --debug-stdout

winbindd:
  --log-stdout  ->  --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup.
This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.

Support for Offline Domain Join (ODJ)
-------------------------------------

The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.

'samba-tool dns zoneoptions' for aging control
----------------------------------------------

The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records.

To turn aging on for a zone, you can use something like this:

  samba-tool dns zoneoptions --aging=1 --refreshinterval=306600

which turns on aging and ensures no records less than five years old are aged out and scavenged. After aging has been on for sufficient time for records to be renewed, the command

  samba-tool dns zoneoptions --refreshinterval=168

will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal.

Marking old records as static or dynamic with 'samba-tool'
----------------------------------------------------------

A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on.

    --mark-old-records-static
    --mark-records-dynamic-regex
    --mark-records-static-regex

The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). For example, if you upgraded to Samba 4.9 in November 2018, you could ensure no old records will be mistakenly interpreted as dynamic using the following option:

    samba-tool dns zoneoptions --mark-old-records-static=2018-11-30

Then, if you know that that will have marked some records as static that should be dynamic, and you know which those are due to your naming scheme, you can use commands like:

    samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'

where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on.

These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong.

All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead.

NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server.

DNS tombstones are now deleted as appropriate
---------------------------------------------

When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically.
Due to a conflation of scavenging and tombstoning, we have only been deleting tombstones when aging is enabled.

If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time.

DNS tombstones use a consistent timestamp format
------------------------------------------------

DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows).

We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used).

samba-tool dns update and RPC changes
-------------------------------------

The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows.

'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses.

CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
-----------------------------------------------------------------------

An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial Of Service.

See https://wiki.samba.org/index.php/Samba_Security_Proces

samba-tool domain backup offline with the LMDB backend
------------------------------------------------------

samba-tool domain backup offline, when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup.
If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups.

REMOVED FEATURES
================

Tru64 ACL support has been removed from this release. The last supported release of Tru64 UNIX was in 2012.

NIS support has been removed from this release. This is not available in Linux distributions anymore.

The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which have been out of support since 2018.

smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  client use kerberos                     New             desired
  client max protocol                     Values Removed
  client min protocol                     Values Removed
  client protection                       New             default
  client smb3 signing algorithms          New             see man smb.conf
  client smb3 encryption algorithms       New             see man smb.conf
  preopen:posix-basic-regex               New             No
  preopen:nomatch_log_level               New             5
  preopen:match_log_level                 New             5
  preopen:nodigits_log_level              New             1
  preopen:founddigits_log_level           New             3
  preopen:reset_log_level                 New             5
  preopen:push_log_level                  New             3
  preopen:queue_log_level                 New             10
  server max protocol                     Values Removed
  server min protocol                     Values Removed
  server multi channel support            Changed         Yes (on Linux and FreeBSD)
  server smb3 signing algorithms          New             see man smb.conf
  server smb3 encryption algorithms       New             see man smb.conf
  winbind use krb5 enterprise principals  Changed         Yes
  winbind scan trusted domains            Changed         No

Release notes for 4.14:

NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code in the file: VFS-License-clarification.txt.

--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the Samba Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba project or that creates a "modified version" or software "based on" Samba must be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called from Samba GNU GPL licensed code. The most important of these is the Samba VFS layer.

Samba VFS modules are intimately connected by header files and API definitions to the part of the Samba code that provides file services, and as such, code that implements a plug-in Samba VFS module must be licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external libraries that are not part of the Samba project and are externally developed and maintained.

As long as these third-party external libraries do not use any of the Samba internal structure, APIs or interface definitions created by the Samba project (to the extent that they would be considered subject to the GNU GPL), then the Samba Team will not consider such third-party external libraries called from Samba VFS modules as "based on" and/or creating a "modified version" of the Samba code for the purposes of GNU GPL. Accordingly, we do not require such libraries be licensed under the GNU GPL or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the <https://wiki.samba.org/index.php/The_New_VFS>.

Printing
--------

Publishing printers in AD is more reliable and more printer features are added to the published information in AD. Samba now also supports Windows drivers for the ARM64 architecture.

Client Group Policy
-------------------

This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'.
Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be reverted by executing the `samba-gpupdate --unapply` command. Policies can be re-applied using the `samba-gpupdate --force` command. To view what policies have been or will be applied to a system, use the `samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed.

Python 3.6 or later required
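
Because the tools now reject unknown options, a script that still passes `-e` or `--kerberos` stops working after the upgrade and has to be migrated to the new spellings. The following checker is an added example, not part of the release notes or of Samba; the option tables are transcribed from the notes above, while the tool sets `COMMON_PARSER_TOOLS` and `SHORT_OPT_TOOLS` and the sample script are assumptions made for illustration.

```python
import os
import shlex

# Transcribed from the "Common parser" section of the notes above.
RENAMED = {
    "--kerberos": "renamed to --use-kerberos=required|desired|off",
    "--krb5-ccache": "renamed to --use-krb5-ccache=CCACHE",
    "--scope": "renamed to --netbios-scope=SCOPE",
    "--use-ccache": "renamed to --use-winbind-ccache",
}
REMOVED_LONG = {
    "--encrypt": "removed; see --client-protection=off|sign|encrypt",
    "--signing": "removed; see --client-protection=off|sign|encrypt",
}
REMOVED_SHORT = {
    "-e": "removed; see --client-protection=off|sign|encrypt",
    "-S": "removed; see --client-protection=off|sign|encrypt",
    "-C": "short form removed; use --use-winbind-ccache",
    "-i": "short form removed; use --netbios-scope=SCOPE",
}
# Transcribed from "Duplicates in command line utils".
PER_TOOL = {
    "ndrdump": {"-l": "no longer an alias; use --load-dso"},
    "net": {"-l": "no longer an alias; use --long"},
    "sharesec": {"-V": "no longer an alias; use --viewsddl"},
    "smbcquotas": {"--user": "renamed to --quota-user"},
    "nmbd": {"--log-stdout": "renamed to --debug-stdout"},
    "smbd": {"--log-stdout": "renamed to --debug-stdout"},
    "winbindd": {"--log-stdout": "renamed to --debug-stdout"},
}
# In the ldb tools -e remains a valid alias for --editor, so it is never flagged.
LDB_TOOLS = {"ldbadd", "ldbdel", "ldbedit", "ldbmodify", "ldbrename", "ldbsearch"}
# Assumption: the notes do not list which tools share the common parser.
COMMON_PARSER_TOOLS = {"smbclient", "rpcclient", "net", "smbcacls",
                       "smbcquotas", "sharesec"}
# Assumption: short letters are reused per tool, so only check them where
# they are known to have meant the removed common option.
SHORT_OPT_TOOLS = {"smbclient", "rpcclient"}
KNOWN_TOOLS = COMMON_PARSER_TOOLS | LDB_TOOLS | set(PER_TOOL)
SEPARATORS = {"|", "||", "&&", ";", "&"}


def check_option(tool, opt):
    """Return a migration hint for one option of one tool, or None."""
    if opt in PER_TOOL.get(tool, {}):
        return PER_TOOL[tool][opt]
    if tool in COMMON_PARSER_TOOLS:
        if opt in RENAMED:
            return RENAMED[opt]
        if opt in REMOVED_LONG:
            return REMOVED_LONG[opt]
        if tool in SHORT_OPT_TOOLS and opt in REMOVED_SHORT:
            return REMOVED_SHORT[opt]
    return None


def lint_line(line):
    """Return [(tool, option, hint)] for one shell line.

    Only whitespace-separated tokens are examined; options glued to a
    value (-Srequired) or to a shell operator (foo;) are not recognised.
    """
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: skip the line
        return []
    findings, tool = [], None
    for tok in tokens:
        if tok in SEPARATORS:   # a new command starts after the operator
            tool = None
        elif tool is None:
            name = os.path.basename(tok)
            tool = name if name in KNOWN_TOOLS else None
        elif tok.startswith("-"):
            opt = tok.split("=", 1)[0]
            hint = check_option(tool, opt)
            if hint:
                findings.append((tool, opt, hint))
    return findings


def lint_script(text):
    """Return [(line_number, tool, option, hint)] for a whole script."""
    return [(n, tool, opt, hint)
            for n, line in enumerate(text.splitlines(), 1)
            for tool, opt, hint in lint_line(line)]


# Constructed sample script, not taken from the page.
SAMPLE = """#!/bin/sh
# nightly backup job
smbclient //fs1/backup -U svc --kerberos -e -c 'put dump.tar'
/usr/pkg/sbin/smbd --foreground --log-stdout
smbcquotas //fs1/home --user=alice
ldbedit -e vi -H /tmp/sam.ldb
net ads join -l
smbclient //fs1/backup --use-kerberos=required --client-protection=encrypt
"""

if __name__ == "__main__":
    for n, tool, opt, hint in lint_script(SAMPLE):
        print(f"line {n}: {tool} {opt}: {hint}")
```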
Pullup ticket #6577 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile 1.136-1.137
- net/samba4/distinfo 1.72

---
Module Name: pkgsrc
Committed By: gdt
Date: Tue Jan 25 19:25:01 UTC 2022

Modified Files:
pkgsrc/net/samba4: Makefile

Log Message:
net/samba4: Add upstream bug report URL

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 31 13:45:12 UTC 2022

Modified Files:
pkgsrc/net/samba4: Makefile distinfo

Log Message:
net/samba4: update to 4.13.17

===============================
Release Notes for Samba 4.13.17
January 31, 2022
===============================

This is a security release in order to address the following defects:

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
  https://www.samba.org/samba/security/CVE-2022-0336.html

Changes since 4.13.16
---------------------

o Ralph Boehme <slow@samba.org>
  * BUG 14914: CVE-2021-44142

o Joseph Sutton <josephsutton@catalyst.net.nz>
  * BUG 14950: CVE-2022-0336
net/samba4: update to 4.13.17

===============================
Release Notes for Samba 4.13.17
January 31, 2022
===============================

This is a security release in order to address the following defects:

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
  https://www.samba.org/samba/security/CVE-2022-0336.html

Changes since 4.13.16
---------------------

o Ralph Boehme <slow@samba.org>
  * BUG 14914: CVE-2021-44142

o Joseph Sutton <josephsutton@catalyst.net.nz>
  * BUG 14950: CVE-2022-0336
Pullup ticket #6572 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile 1.135
- net/samba4/distinfo 1.71

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 10 14:11:16 UTC 2022

Modified Files:
pkgsrc/net/samba4: Makefile distinfo

Log Message:
net/samba4: update to 4.13.16

===============================
Release Notes for Samba 4.13.16
January 10, 2022
===============================

This is a security release in order to address the following defects:

o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
  https://www.samba.org/samba/security/CVE-2021-43566.html

=======
Details
=======

o CVE-2021-43566:
  All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

  Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink.

  This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild.

Changes since 4.13.15
---------------------

o Jeremy Allison <jra@samba.org>
  * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
net/samba4: update to 4.13.16

===============================
Release Notes for Samba 4.13.16
January 10, 2022
===============================

This is a security release in order to address the following defects:

o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
  https://www.samba.org/samba/security/CVE-2021-43566.html

=======
Details
=======

o CVE-2021-43566:
  All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

  Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink.

  This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild.

Changes since 4.13.15
---------------------

o Jeremy Allison <jra@samba.org>
  * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
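
The gap between the "exported share path check" and the directory creation described in the CVE-2021-43566 notes above is a check-then-use race. The following local illustration is an added example, not Samba's code and not its fix: it contrasts a path-based check followed by `mkdir` with creation relative to a directory descriptor opened with `O_NOFOLLOW`. The function names, the `window` hook that stands in for the race, and the temporary directory layout are all assumptions of the example.

```python
import os
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY


def mkdir_check_then_use(share_root, rel_path, window=None):
    """Weak pattern: validate the resolved parent, then create by path.

    The path is resolved twice (once for the check, once by mkdir), so a
    component swapped for a symlink in between redirects the creation.
    """
    root = os.path.realpath(share_root)
    parent = os.path.realpath(os.path.join(root, os.path.dirname(rel_path)))
    if os.path.commonpath([root, parent]) != root:
        raise PermissionError("parent resolves outside the share")
    if window:
        window()        # stands in for the time between check and use
    os.mkdir(os.path.join(root, rel_path))


def mkdir_anchored(share_root, rel_path, window=None):
    """Hardened pattern: walk components from a dirfd, never follow links.

    Each parent is opened with O_NOFOLLOW relative to the previous
    descriptor, and the final mkdir is relative to the descriptor that
    was checked, so a later rename or symlink swap cannot redirect it.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("unsafe relative path")
    fd = os.open(share_root, DIR_FLAGS)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, DIR_FLAGS | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        if window:
            window()
        os.mkdir(parts[-1], dir_fd=fd)
    finally:
        os.close(fd)


def _layout(base):
    """Constructed layout: base/share/incoming (exported), base/outside."""
    share = os.path.join(base, "share")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(share, "incoming"))
    os.mkdir(outside)
    return share, outside


def _swap(share, outside):
    """Return a hook that renames 'incoming' and leaves a symlink instead."""
    def window():
        os.rename(os.path.join(share, "incoming"),
                  os.path.join(share, "incoming.old"))
        os.symlink(outside, os.path.join(share, "incoming"))
    return window


def demo():
    """Run both patterns against the same deterministic swap."""
    results = {}
    for name, fn in (("check_then_use", mkdir_check_then_use),
                     ("anchored", mkdir_anchored)):
        with tempfile.TemporaryDirectory() as base:
            share, outside = _layout(base)
            fn(share, "incoming/new", window=_swap(share, outside))
            results[name + "_escaped"] = os.path.isdir(
                os.path.join(outside, "new"))
    # Symlink already in place before the call: the anchored walk refuses it.
    with tempfile.TemporaryDirectory() as base:
        share, outside = _layout(base)
        _swap(share, outside)()
        try:
            mkdir_anchored(share, "incoming/new")
            results["symlink_refused"] = False
        except OSError:
            results["symlink_refused"] = True
        results["outside_untouched"] = not os.listdir(outside)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the anchored case the new directory ends up under the renamed `incoming.old`, which is still inside the share, because the descriptor keeps referring to the directory that was opened.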
net/samba4: update to 4.13.15

This release contains security fixes.

===============================
Release Notes for Samba 4.13.15
December 15, 2021
===============================

This is the latest stable release of the Samba 4.13 release series.

Important Notes
===============

There have been a few regressions in the security release 4.13.14:

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ!
  The instructions have been updated and some workarounds initially advised for 4.13.14 are no longer required and should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable. While this release should fix this bug, it is advised to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.13.14
---------------------

o Andrew Bartlett <abartlet@samba.org>
  * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
  * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.

o Ralph Boehme <slow@samba.org>
  * BUG 14922: Kerberos authentication on standalone server in MIT realm broken.

o Alexander Bokovoy <ab@samba.org>
  * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o Stefan Metzmacher <metze@samba.org>
  * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
  * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

o Joseph Sutton <josephsutton@catalyst.net.nz>
  * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
Pullup ticket #6537 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.130-1.132 - net/samba4/PLIST 1.39-1.40 - net/samba4/distinfo 1.67,1.69 --- Module Name: pkgsrc Committed By: adam Date: Wed Sep 29 19:01:31 UTC 2021 Modified Files:
Makefile buildlink3.mk pkgsrc/security/libprelude: Makefile buildlink3.mk pkgsrc/security/libprelude-lua: Makefile pkgsrc/security/libprelude-perl: Makefile pkgsrc/security/libprelude-python: Makefile pkgsrc/security/libpreludedb: Makefile buildlink3.mk pkgsrc/security/libpreludedb-mysql: Makefile pkgsrc/security/libpreludedb-perl: Makefile pkgsrc/security/libpreludedb-pgsql: Makefile pkgsrc/security/libpreludedb-python: Makefile pkgsrc/security/libpreludedb-sqlite3: Makefile pkgsrc/security/libykneomgr: Makefile pkgsrc/security/opendnssec2: Makefile pkgsrc/security/opensaml: Makefile pkgsrc/security/openvas-libnasl: Makefile pkgsrc/security/openvas-libraries: Makefile pkgsrc/security/openvas-plugins: Makefile pkgsrc/security/openvas-server: Makefile pkgsrc/security/pam-yubico: Makefile pkgsrc/security/php-oauth: Makefile pkgsrc/security/php-oauth1: Makefile pkgsrc/security/pkcs11-helper: Makefile buildlink3.mk pkgsrc/security/prelude-lml: Makefile pkgsrc/security/prelude-manager: Makefile pkgsrc/security/prelude-pflogger: Makefile pkgsrc/security/rvault: Makefile pkgsrc/security/softhsm2: Makefile buildlink3.mk pkgsrc/security/ykclient: Makefile buildlink3.mk pkgsrc/sysutils/baloo: Makefile pkgsrc/sysutils/cfengine3: Makefile pkgsrc/sysutils/collectd-curl: Makefile pkgsrc/sysutils/collectd-riemann: Makefile pkgsrc/sysutils/collectd-virt: Makefile pkgsrc/sysutils/collectd-write_prometheus: Makefile pkgsrc/sysutils/conky: Makefile pkgsrc/sysutils/edbus: Makefile buildlink3.mk pkgsrc/sysutils/efreet: Makefile buildlink3.mk pkgsrc/sysutils/gkrellm: Makefile pkgsrc/sysutils/gnome-control-center: Makefile pkgsrc/sysutils/gnome-settings-daemon: Makefile pkgsrc/sysutils/gvfs: Makefile pkgsrc/sysutils/k3b: Makefile pkgsrc/sysutils/kcron: Makefile pkgsrc/sysutils/kfilemetadata: Makefile pkgsrc/sysutils/kfilemetadata5: Makefile pkgsrc/sysutils/kuser: Makefile pkgsrc/sysutils/libbaloo4: Makefile pkgsrc/sysutils/mc: Makefile pkgsrc/sysutils/openxenmanager: Makefile 
pkgsrc/sysutils/riemann-client: Makefile buildlink3.mk pkgsrc/sysutils/rsyslog: Makefile pkgsrc/sysutils/rsyslog-dbi: Makefile pkgsrc/sysutils/rsyslog-elasticsearch: Makefile pkgsrc/sysutils/rsyslog-gnutls: Makefile pkgsrc/sysutils/rsyslog-gssapi: Makefile pkgsrc/sysutils/rsyslog-kafka: Makefile pkgsrc/sysutils/rsyslog-libgcrypt: Makefile pkgsrc/sysutils/rsyslog-mysql: Makefile pkgsrc/sysutils/rsyslog-omprog: Makefile pkgsrc/sysutils/rsyslog-pgsql: Makefile pkgsrc/sysutils/rsyslog-rabbitmq: Makefile pkgsrc/sysutils/rsyslog-relp: Makefile pkgsrc/sysutils/rsyslog-snmp: Makefile pkgsrc/sysutils/strigi: Makefile buildlink3.mk pkgsrc/sysutils/syslog-ng-curl: Makefile pkgsrc/sysutils/virt-viewer: Makefile pkgsrc/sysutils/zabbix: Makefile pkgsrc/sysutils/zabbix50-agent: Makefile pkgsrc/sysutils/zabbix50-proxy: Makefile pkgsrc/sysutils/zabbix50-server: Makefile pkgsrc/textproc/FlightCrew: Makefile pkgsrc/textproc/dikt: Makefile pkgsrc/textproc/ebook-tools: Makefile buildlink3.mk pkgsrc/textproc/iksemel: Makefile pkgsrc/textproc/libclucene: Makefile buildlink3.mk pkgsrc/textproc/libkolabxml: Makefile buildlink3.mk pkgsrc/textproc/liblrdf: Makefile buildlink3.mk pkgsrc/textproc/libnxml: Makefile buildlink3.mk pkgsrc/textproc/libodfgen: Makefile buildlink3.mk pkgsrc/textproc/lucene++: Makefile pkgsrc/textproc/multimarkdown: Makefile pkgsrc/textproc/odt2tex: Makefile pkgsrc/textproc/p5-Syntax-SourceHighlight: Makefile pkgsrc/textproc/raptor: Makefile buildlink3.mk pkgsrc/textproc/raptor2: Makefile buildlink3.mk pkgsrc/textproc/rasqal: Makefile buildlink3.mk pkgsrc/textproc/redland: Makefile buildlink3.mk pkgsrc/textproc/soprano: Makefile buildlink3.mk pkgsrc/textproc/source-highlight: Makefile buildlink3.mk pkgsrc/textproc/translate-shell: Makefile pkgsrc/textproc/xmlrpc-c: Makefile buildlink3.mk pkgsrc/textproc/xmltooling: Makefile pkgsrc/time/taskwarrior: Makefile pkgsrc/wm/compiz: Makefile pkgsrc/www/R-RCurl: Makefile pkgsrc/www/R-curl: Makefile pkgsrc/www/SOGo: Makefile 
pkgsrc/www/SOGo4: Makefile pkgsrc/www/ap-auth-openidc: Makefile pkgsrc/www/ap-authnz-crowd: Makefile pkgsrc/www/ap2-auth-mellon: Makefile pkgsrc/www/ap2-passenger: Makefile pkgsrc/www/apache24: Makefile pkgsrc/www/aws: Makefile pkgsrc/www/aws-demos: Makefile pkgsrc/www/cadaver: Makefile pkgsrc/www/curl: Makefile buildlink3.mk pkgsrc/www/elinks: Makefile pkgsrc/www/felinks: Makefile pkgsrc/www/htdavlock: Makefile pkgsrc/www/htmldoc: Makefile pkgsrc/www/kore: Makefile pkgsrc/www/libmicrohttpd: Makefile buildlink3.mk pkgsrc/www/libmrss: Makefile buildlink3.mk pkgsrc/www/lighttpd: Makefile pkgsrc/www/litmus: Makefile pkgsrc/www/lua-curl: Makefile pkgsrc/www/lynx: Makefile pkgsrc/www/neon: Makefile buildlink3.mk pkgsrc/www/netsurf: Makefile pkgsrc/www/nghttp2: buildlink3.mk pkgsrc/www/nspluginwrapper: Makefile pkgsrc/www/ocaml-curl: Makefile pkgsrc/www/p5-Net-Curl: Makefile pkgsrc/www/passenger: Makefile pkgsrc/www/php-curl: Makefile pkgsrc/www/php-http: Makefile pkgsrc/www/php-http3: Makefile pkgsrc/www/py-curl: Makefile pkgsrc/www/rekonq: Makefile pkgsrc/www/ruby-patron: Makefile pkgsrc/www/shibboleth-sp: Makefile pkgsrc/www/sitecopy: Makefile pkgsrc/www/snownews: Makefile pkgsrc/www/squid4: Makefile pkgsrc/www/wwwoffle: Makefile pkgsrc/www/yahttp: Makefile pkgsrc/x11/elementary: Makefile buildlink3.mk pkgsrc/x11/enlightenment: Makefile buildlink3.mk pkgsrc/x11/gtk2: Makefile pkgsrc/x11/gtk3: Makefile pkgsrc/x11/gtk4: Makefile pkgsrc/x11/kactivities: Makefile buildlink3.mk pkgsrc/x11/kactivities-stats: Makefile pkgsrc/x11/kactivities5: Makefile pkgsrc/x11/kde-baseapps4: Makefile pkgsrc/x11/kde-runtime4: Makefile buildlink3.mk pkgsrc/x11/kde-workspace4: Makefile buildlink3.mk pkgsrc/x11/kdelibs4: Makefile buildlink3.mk pkgsrc/x11/libkactivities4: Makefile buildlink3.mk pkgsrc/x11/qt4-libs: Makefile pkgsrc/x11/qt5-qtbase: Makefile pkgsrc/x11/qt5-qtwebengine: Makefile pkgsrc/x11/vte3: Makefile pkgsrc/x11/wmweather: Makefile pkgsrc/x11/x11vnc: Makefile 
pkgsrc/x11/x2go-client: Makefile pkgsrc/x11/xfce4-tumbler: Makefile pkgsrc/x11/xlockmore: Makefile Log Message: revbump for boost-libs --- Module Name: pkgsrc Committed By: adam Date: Fri Oct 8 13:20:34 UTC 2021 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: samba4: updated to 4.13.12 Changes since 4.13.11 --------------------- * BUG 14806: Address a significant performance regression in database access in the AD DC since Samba 4.12. * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14818: Address flapping samba_tool_drs_showrepl test. * BUG 14819: Address flapping dsdb_schema_attributes test. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14784: Fix CTDB flag/status update race conditions. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
--- Module Name: pkgsrc Committed By: adam Date: Wed Nov 10 13:33:20 UTC 2021 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: samba4: updated to 4.13.14 Changes since 4.13.13 --------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * CVE-2020-25722 o Andrew Bartlett <abartlet@samba.org> * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 o Ralph Boehme <slow@samba.org> * CVE-2020-25717 o Alexander Bokovoy <ab@samba.org> * CVE-2020-25717 o Samuel Cabrero <scabrero@samba.org> * CVE-2020-25717 o Nadezhda Ivanova <nivanova@symas.com> * CVE-2020-25722 o Stefan Metzmacher <metze@samba.org> * CVE-2016-2124 * CVE-2020-25717 * CVE-2020-25719 * CVE-2020-25722 * CVE-2021-23192 * CVE-2021-3738 * ldb: version 2.2.3 o Andreas Schneider <asn@samba.org> * CVE-2020-25719 o Joseph Sutton <josephsutton@catalyst.net.nz> * CVE-2020-17049 * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 * MS CVE-2020-17049 Changes since 4.13.12 --------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 14868: rodc_rwdc test flaps. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andrew Bartlett <abartlet@samba.org> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Isaac Boukris <iboukris@gmail.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. 
* BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Viktor Dukhovni <viktor@twosigma.com> * BUG 12998: Fix transit path validation. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Luke Howard <lukeh@padl.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Stefan Metzmacher <metze@samba.org> * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o David Mulder <dmulder@suse.com> * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andreas Schneider <asn@samba.org> * BUG 14870: Prepare to operate with MIT krb5 >= 1.20. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14868: rodc_rwdc test flaps. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Nicolas Williams <nico@twosigma.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
samba4: updated to 4.13.14 Changes since 4.13.13 --------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * CVE-2020-25722 o Andrew Bartlett <abartlet@samba.org> * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 o Ralph Boehme <slow@samba.org> * CVE-2020-25717 o Alexander Bokovoy <ab@samba.org> * CVE-2020-25717 o Samuel Cabrero <scabrero@samba.org> * CVE-2020-25717 o Nadezhda Ivanova <nivanova@symas.com> * CVE-2020-25722 o Stefan Metzmacher <metze@samba.org> * CVE-2016-2124 * CVE-2020-25717 * CVE-2020-25719 * CVE-2020-25722 * CVE-2021-23192 * CVE-2021-3738 * ldb: version 2.2.3 o Andreas Schneider <asn@samba.org> * CVE-2020-25719 o Joseph Sutton <josephsutton@catalyst.net.nz> * CVE-2020-17049 * CVE-2020-25718 * CVE-2020-25719 * CVE-2020-25721 * CVE-2020-25722 * MS CVE-2020-17049 Changes since 4.13.12 --------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 14868: rodc_rwdc test flaps. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andrew Bartlett <abartlet@samba.org> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Isaac Boukris <iboukris@gmail.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Viktor Dukhovni <viktor@twosigma.com> * BUG 12998: Fix transit path validation. 
* BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Luke Howard <lukeh@padl.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Stefan Metzmacher <metze@samba.org> * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o David Mulder <dmulder@suse.com> * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Andreas Schneider <asn@samba.org> * BUG 14870: Prepare to operate with MIT krb5 >= 1.20. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb. * BUG 14836: Python ldb.msg_diff() memory handling failure. * BUG 14845: "in" operator on ldb.Message is case sensitive. * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. * BUG 14868: rodc_rwdc test flaps. * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED. * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o Nicolas Williams <nico@twosigma.com> * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal. * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
net: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts...): net/radsecproxy/distinfo The following distfiles could not be fetched (fetched conditionally?): ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch ./net/djbdns/distinfo djbdns-1.05-multiip.diff ./net/djbdns/distinfo djbdns-cachestats.patch
samba4: updated to 4.13.12 Changes since 4.13.11 --------------------- * BUG 14806: Address a significant performance regression in database access in the AD DC since Samba 4.12. * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14818: Address flapping samba_tool_drs_showrepl test. * BUG 14819: Address flapping dsdb_schema_attributes test. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14784: Fix CTDB flag/status update race conditions. * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
net: Remove SHA1 hashes for distfiles
samba4: updated to 4.3.11 Changes since 4.13.10 * BUG 14769: smbd panic on force-close share during offload write. * BUG 14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS. * BUG 14783: smbd "deadtime" parameter doesn't work anymore. * BUG 14787: net conf list crashes when run as normal user. * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7. * BUG 14793: Start the SMB encryption as soon as possible. * BUG 14792: Winbind should not start if the socket path for the privileged pipe is too long.
net/samba4: update to 4.3.10 Changes since 4.13.9 -------------------- o Jeremy Allison <jra@samba.org> * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles. * BUG 14721: Take a copy to make sure we don't reference free'd memory. * BUG 14722: s3: lib: Fix talloc hierarchy error in parent_smb_fname(). * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path. o Andrew Bartlett <abartlet@samba.org> * BUG 14575: samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID. o Ralph Boehme <slow@samba.org> * BUG 14714: smbd: Correctly initialize close timestamp fields. * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs. o Volker Lendecke <vl@samba.org> * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler(). o Stefan Metzmacher <metze@samba.org> * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd. * BUG 14752: smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ backend. * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.
samba4: downgrade to 4.13.9, as discussed on netbsd-users@
samba4: updated to 4.14.5 Changes since 4.14.4 -------------------- * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles. * BUG 14721: s3: smbd: Fix uninitialized memory read in process_symlink_open() when used with vfs_shadow_copy2(). * BUG 14689: docs: Expand the "log level" docs on audit logging. * BUG 14714: smbd: Correctly initialize close timestamp fields. * BUG 14699: Fix gcc11 compiler issues. * BUG 14718: docs-xml: Update smbcacls manpage. * BUG 14719: docs: Update list of available commands in rpcclient. * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler(). * BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be set. * BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
net/samba4: update to 4.14.4 pkgsrc changes: remove extra spaces in some patch files. ============================== Release Notes for Samba 4.14.4 April 29, 2021 ============================== This is a security release in order to address the following defect: o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token. ======= Details ======= o CVE-2021-20254: The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson, IT Department, Linköping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to. Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution. Changes since 4.14.3 -------------------- o Volker Lendecke <vl@samba.org> * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
samba4: updated to 4.14.3 Changes since 4.14.2 -------------------- * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break vfs_virusfilter_openat. * BUG 14586: build: Notice if flex is missing at configure time. * BUG 14672: Fix smbd panic when two clients open same file. * BUG 14675: Fix memory leak in the RPC server. * BUG 14679: s3: smbd: fix deferred renames. * BUG 14675: s3-iremotewinspool: Set the per-request memory context. * BUG 14675: Fix memory leak in the RPC server. * BUG 11899: third_party: Update socket_wrapper to version 1.3.2. * BUG 14640: third_party: Update socket_wrapper to version 1.3.3. * BUG 14665: samba-gpupdate: Test that sysvol paths download in case-insensitive way. * BUG 14662: smbd: Ensure errno is preserved across fsp destructor. * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict. * BUG 14288: build: Only add -Wl,--as-needed when supported.
samba4: updated to 4.14.2 Samba 4.14.2 This is a follow-up release to depend on the correct ldb version. This is only needed when building against a system ldb library. This is a security release in order to address the following defects: o CVE-2020-27840: Heap corruption via crafted DN strings. o CVE-2021-20277: Out of bounds read in AD DC LDAP server. Samba 4.14.1 This is a security release in order to address the following defects: o CVE-2020-27840: Heap corruption via crafted DN strings. o CVE-2021-20277: Out of bounds read in AD DC LDAP server. Samba 4.14.0 This is the first stable release of the Samba 4.14 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES ==================== Here is a copy of a clarification note added to the Samba code in the file: VFS-License-clarification.txt. -------------------------------------------------------------- A clarification of our GNU GPL License enforcement boundary within the Samba Virtual File System (VFS) layer. Samba is licensed under the GNU GPL. All code committed to the Samba project or that creates a "modified version" or software "based on" Samba must be either licensed under the GNU GPL or a compatible license. Samba has several plug-in interfaces where external code may be called from Samba GNU GPL licensed code. The most important of these is the Samba VFS layer. Samba VFS modules are intimately connected by header files and API definitions to the part of the Samba code that provides file services, and as such, code that implements a plug-in Samba VFS module must be licensed under the GNU GPL or a compatible license. However, Samba VFS modules may themselves call third-party external libraries that are not part of the Samba project and are externally developed and maintained. 
As long as these third-party external libraries do not use any of the Samba internal structure, APIs or interface definitions created by the Samba project (to the extent that they would be considered subject to the GNU GPL), then the Samba Team will not consider such third-party external libraries called from Samba VFS modules as "based on" and/or creating a "modified version" of the Samba code for the purposes of GNU GPL. Accordingly, we do not require such libraries be licensed under the GNU GPL or a GNU GPL compatible license. VFS --- The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14. For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the <https://wiki.samba.org/index.php/The_New_VFS>. Printing -------- Publishing printers in AD is more reliable and more printer features are added to the published information in AD. Samba now also supports Windows drivers for the ARM64 architecture. Client Group Policy ------------------- This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly. To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes. Policies applied by Samba are 'non-tattooing', meaning that changes can be reverted by executing the `samba-gpupdate --unapply` command. Policies can be re-applied using the `samba-gpupdate --force` command. To view what policies have been or will be applied to a system, use the `samba-gpupdate --rsop` command. Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. 
The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed. Python 3.6 or later required
ldb: updated to 2.2.1; samba: updated to 4.13.7 ============================== Release Notes for Samba 4.13.7 March 24, 2021 ============================== This is a follow-up release to depend on the correct ldb version. This is only needed when building against a system ldb library. This is a security release in order to address the following defects: o CVE-2020-27840: Heap corruption via crafted DN strings. o CVE-2021-20277: Out of bounds read in AD DC LDAP server. ======= Details ======= o CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible. o CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server. For more details, please refer to the security advisories. Changes since 4.13.6 -------------------- o Release with dependency on ldb version 2.2.1.
samba4: updated to 4.13.5 Changes since 4.13.4 -------------------- * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure. * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection. * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services. * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones. * BUG 14503: s3: Fix fcntl waf configure check. * BUG 14602: s3/auth: Implement "winbind:ignore domains". * BUG 14617: smbd: Use fsp->conn->session_info for the initial delete-on-close token. * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path. * BUG 14624: classicupgrade: Treat old never expires value right. * BUG 14636: g_lock: Fix uninitialized variable reads. * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file(). * BUG 14625: lib:util: Avoid free'ing our own pointer. * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
samba4: updated to 4.13.4 Changes 4.13.4 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7. * BUG 14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does. * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging functions. * BUG 14579: Do not create an empty DB when accessing a sam.ldb. * BUG 14596: vfs_fruit may close wrong backend fd. * BUG 14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does. * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*. * BUG 14596: vfs_fruit may close wrong backend fd. * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7. * BUG 14601: The cache directory for the user gencache should be created recursively. * BUG 14594: Be more flexible with repository names in CentOS 8 test environments.
samba4: updated to 4.13.3 Changes since 4.13.2 * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob. * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function. * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(). * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match all other uses. * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown share. * BUG 14248: samba process does not honor max log size. * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE. * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms. * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator. * BUG 14517: smbclient: Fix recursive mget. * BUG 14581: clitar: Use do_list()'s recursion in clitar.c. * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind translator. * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS. * BUG 14514: interface: Fix if_index is not parsed correctly.
samba4: updated to 4.13.2 Changes since 4.13.1 -------------------- * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return. * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special. * BUG 14538: smb.conf.5: Add clarification how configuration changes reflected by Samba. * BUG 14552: daemons: Report status to systemd even when running in foreground. * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0. * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present. * BUG 14487: provision: Add support for BIND 9.16.x. * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization. * BUG 14541: libndr: Avoid assigning duplicate versions to symbols. * BUG 14522: docs: Fix default value of spoolss:architecture. * BUG 14388: winbind: Fix a memleak. * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature. * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs. * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice. * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7. * BUG 14550: examples:auth: Do not install example plugin. * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code. * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special. Changes since 4.13.0 -------------------- * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using 'samba-tool'. * BUG 14472: CVE-2020-14383: Remote crash after adding MX records. * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS. 4.31.0: NEW FEATURES/CHANGES ==================== Python 3.6 or later required
Pullup ticket #6361 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.110 - net/samba4/distinfo 1.53 --- Module Name: pkgsrc Committed By: taca Date: Fri Oct 30 07:17:16 UTC 2020 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.12.9 Summary from NEWS files: Samba 4.12.9 (2020-10-29) o CVE-2020-14318: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only. o CVE-2020-14323: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller. Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash. o CVE-2020-14383: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. 
This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. Samba 4.12.8 (2020-10-07) Changes since 4.12.7 -------------------- o Guenther Deschner <gd@samba.org> * BUG 14318: docs: Add missing winexe manpage. o Volker Lendecke <vl@samba.org> * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. o Laurent Menase <laurent.menase@hpe.com> * BUG 14388: winbind: Fix a memleak. o Stefan Metzmacher <metze@samba.org> * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. * BUG 14482: Compilation of heimdal tree fails if libbsd is not installed. o Christof Schmitt <cs@samba.org> * BUG 14166: util: Allow symlinks in directory_create_or_exist. o Andreas Schneider <asn@samba.org> * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14. * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name. o Martin Schwenke <martin@meltin.net> * BUG 14466: ctdb disable/enable can fail due to race condition.
net/samba4: update to 4.12.9 Summary from NEWS files: Samba 4.12.9 (2020-10-29) o CVE-2020-14318: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only. o CVE-2020-14323: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller. Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash. o CVE-2020-14383: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. 
Samba 4.12.8 (2020-10-07) Changes since 4.12.7 -------------------- o Günther Deschner <gd@samba.org> * BUG 14318: docs: Add missing winexe manpage. o Volker Lendecke <vl@samba.org> * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. o Laurent Menase <laurent.menase@hpe.com> * BUG 14388: winbind: Fix a memleak. o Stefan Metzmacher <metze@samba.org> * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. * BUG 14482: Compilation of heimdal tree fails if libbsd is not installed. o Christof Schmitt <cs@samba.org> * BUG 14166: util: Allow symlinks in directory_create_or_exist. o Andreas Schneider <asn@samba.org> * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14. * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name. o Martin Schwenke <martin@meltin.net> * BUG 14466: ctdb disable/enable can fail due to race condition.
net/samba4: update to 4.12.7

Update samba4 package to 4.12.7.

==============================
Release Notes for Samba 4.12.7
September 18, 2020
==============================

This is a security release in order to address the following defect:

o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").

The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below).

The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section of their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix.

Some domains employ third-party software that will not work with a 'server schannel = yes'. For these cases patches are available that allow specific machines to use insecure netlogon. For example, the following smb.conf:

    server schannel = yes
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

More details can be found here: https://www.samba.org/samba/security/CVE-2020-1472.html
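The rules in the 4.12.7 release notes above can be turned into a per-domain-controller configuration check. The following is an added example, not code from Samba or pkgsrc: the function names are hypothetical, `include` files are not followed, and the accepted boolean spellings (yes/true/on/1, no/false/off/0) are an assumption about smb.conf syntax rather than something stated on this page.

```python
import re

# Assumed smb.conf boolean spellings (not taken from the release notes).
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
EXEMPT_PREFIX = "serverrequireschannel:"


def _key(name):
    """Normalise a parameter name: case and whitespace are irrelevant."""
    base, sep, suffix = name.partition(":")
    return re.sub(r"\s+", "", base).lower() + sep + suffix.strip().lower()


def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                      # blank line or comment
        line, pending = pending + line, ""
        if line.endswith("\\"):           # continuation onto the next line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = _key(header.group(1))
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params


def audit_schannel(conf_text, samba_version):
    """Apply the CVE-2020-1472 rules from the release notes to one DC's smb.conf.

    4.8 and later: safe unless 'server schannel' is set to no or auto.
    4.7 and earlier: vulnerable unless 'server schannel = yes' is present.
    """
    major, minor = (int(part) for part in samba_version.split(".")[:2])
    params = parse_global(conf_text)
    explicit = params.get("serverschannel")
    if explicit is None:
        setting = "default"
        enforced = (major, minor) >= (4, 8)
    else:
        value = explicit.lower()
        setting = "yes" if value in TRUE else "no" if value in FALSE else value
        enforced = setting == "yes"       # auto or anything unrecognised is flagged
    # Machine accounts allowed to skip schannel via the per-machine override.
    exempt = sorted(
        name[len(EXEMPT_PREFIX):]
        for name, value in params.items()
        if name.startswith(EXEMPT_PREFIX) and value.lower() in FALSE
    )
    return {"setting": setting, "vulnerable": not enforced, "exempt_accounts": exempt}


# Constructed sample: the override example quoted in the release notes.
SAMPLE_WITH_EXCEPTIONS = """\
[global]
    server schannel = yes
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no
"""

if __name__ == "__main__":
    print(audit_schannel(SAMPLE_WITH_EXCEPTIONS, "4.12.7"))
    print(audit_schannel("[global]\n    workgroup = EXAMPLE\n", "4.7.12"))
```

Every account listed in `exempt_accounts` still negotiates netlogon without a secure channel, so that list is worth reviewing each time the check is run.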
samba4: updated to 4.12.6 Changes since 4.12.5 * BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server. * BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7. * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs. * BUG 14426: lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL. * BUG 14428: PANIC: Assert failed in get_lease_type(). * BUG 14422: util: Fix build on AIX by fixing the order of replace.h include. * BUG 14355: srvsvc_NetFileEnum asserts with open files. * BUG 14354: KDC breaks with DES keys still in the database and msDS-SupportedEncryptionTypes 31 indicating support for it. * BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets conn->cwd_fsp->fh->fd = AT_FDCWD. * BUG 14428: PANIC: Assert failed in get_lease_type(). * BUG 14358: docs: Fix documentation for require_membership_of of pam_winbind.conf. * BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB NFS scripts. * BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal.
Pullup ticket #6276 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.102 - net/samba4/PLIST 1.31 - net/samba4/distinfo 1.49 - net/samba4/patches/patch-lib_replace_system_passwd.h 1.1 --- Module Name: pkgsrc Committed By: adam Date: Mon Jul 6 14:38:06 UTC 2020 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Added Files: pkgsrc/net/samba4/patches: patch-lib_replace_system_passwd.h Log Message: samba4: updated to 4.12.5 Changes since 4.12.4 -------------------- * BUG 14301: Fix smbd panic on force-close share during async io. * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name. * BUG 14391: Fix DFS links. * BUG 14310: Can't use DNS functionality after a Windows DC has been in domain. * BUG 14413: ldapi search to FreeIPA crashes. * BUG 14396: Add net-ads-join dnshostname=fqdn option. * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC. * BUG 14386: docs-xml: Update list of possible VFS operations for vfs_full_audit. * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit. * BUG 14370: Client tools are not able to read gencache anymore. Samba 4.12.4 ============ o CVE-2020-10730: A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer de-reference and further combinations with the LDAP paged_results feature can give a use-after-free in Samba's AD DC LDAP server. o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU. o CVE-2020-10760: The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free. o CVE-2020-14303: The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet to port 137. For more details, please refer to the security advisories. 
Changes since 4.12.3 -------------------- * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use several seconds of CPU each. * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined. * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV. * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to AD DC nbt_server. * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined, ldb: Bump version to 2.1.4.
Fix arguments to getgroupmembership
samba4: updated to 4.12.5 Changes since 4.12.4 -------------------- * BUG 14301: Fix smbd panic on force-close share during async io. * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name. * BUG 14391: Fix DFS links. * BUG 14310: Can't use DNS functionality after a Windows DC has been in domain. * BUG 14413: ldapi search to FreeIPA crashes. * BUG 14396: Add net-ads-join dnshostname=fqdn option. * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC. * BUG 14386: docs-xml: Update list of possible VFS operations for vfs_full_audit. * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit. * BUG 14370: Client tools are not able to read gencache anymore. Samba 4.12.4 ============ o CVE-2020-10730: A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer de-reference and further combinations with the LDAP paged_results feature can give a use-after-free in Samba's AD DC LDAP server. o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU. o CVE-2020-10760: The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free. o CVE-2020-14303: The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet to port 137. For more details, please refer to the security advisories. Changes since 4.12.3 -------------------- * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use several seconds of CPU each. * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined. * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV. * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to AD DC nbt_server. 
* BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined, ldb: Bump version to 2.1.4.
samba4: Avoid conflict with host s_addr.
net/samba4 databases/ldb: updated to 4.12.3 2.1.3 Changes 4.12.3: * BUG 14301: Fix smbd panic on force-close share during async io. * BUG 14343: s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[] array. * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients. * BUG 14372: Fix smbd crashes when MacOS Catalina connects if iconv initialization fails. * BUG 14150: Exporting from macOS Adobe Illustrator creates multiple copies. * BUG 14256: smbd does a chdir() twice per request. * BUG 14320: smbd mistakenly updates a file's write-time on close. * BUG 14350: vfs_shadow_copy2: implement case canonicalisation in shadow_copy2_get_real_filename(). * BUG 14375: Fix Windows 7 clients problem after upgrading samba file server. * BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd. * BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18. * BUG 14342: mit-kdc: Explicitly reject S4U requests. * BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested share_mode_do_locked(). * BUG 14345: lib:util: Fix smbclient -l basename dir. * BUG 14336: s3:libads: Fix ads_get_upn(). * BUG 14348: ctdb: Fix a memleak. * BUG 14366: Malicious SMB1 server can crash libsmbclient. * BUG 14330: ldb: Bump version to 2.1.3, LMDB databases can grow without bounds * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients. * BUG 14344: s3/librpc/crypto: Fix double free with unresolved credential cache. * BUG 14358: docs-xml: Fix usernames in pam_winbind manpages.
The smb.conf(5) man page builds fine on netbsd-9, so re-add it. This is probably the most important of the Samba man pages, and it should not have been excluded from the build without a detailed explanation, "just to make the pkg build".
samba4: updated to 4.12.2 Samba 4.12.2 This is a security release in order to address the following defects: o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
samba4: updated to 4.12.1 Samba 4.12.1 * BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs(). * BUG 14296: samba-tool group: Handle group names with special chars correctly. * BUG 14293: Add missing check for DMAPI offline status in async DOS attributes. * BUG 14295: Starting ctdb node that was powered off hard before results in recovery loop. * BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs. * BUG 14316: vfs_recycle: Prevent flooding the log if we're called on non-existent paths. * BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW. * BUG 14327: nsswitch: Fix use-after-free causing segfault in _pam_delete_cred. * BUG 13622: fruit:time machine max size is broken on arm. * BUG 14294: CTDB recovery corner cases can cause record resurrection and node banning. * BUG 14332: s3/utils: Fix double free error with smbtree. * BUG 14294: CTDB recovery corner cases can cause record resurrection and node banning. * BUG 14295: Starting ctdb node that was powered off hard before results in recovery loop. * BUG 14324: CTDB recovery daemon can crash due to dereference of NULL pointer.
samba4: updated to 4.12.0 samba 4.12.0: NEW FEATURES/CHANGES ==================== Python 3.5 Required ------------------- Samba's minimum runtime requirement for python was raised to Python 3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python 3.5 both to access new features and because this is the oldest version we test with in our CI infrastructure. (Build time support for the file server with Python 2.6 has not changed) Removing in-tree cryptography: GnuTLS 3.4.7 required ---------------------------------------------------- Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider. Samba now requires GnuTLS 3.4.7 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC. Thanks to this work Samba no longer ships an in-tree DES implementation and on GnuTLS 3.6.5 or later Samba will include no in-tree cryptography other than the MD4 hash and that implemented in our copy of Heimdal. Using GnuTLS for SMB3 encryption you will notice huge performance and copy speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3 show a 3x speed improvement for writing and a 2.5x speed improvement for reads! NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography. A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now that above applies. zlib library is now required to build Samba ------------------------------------------- Samba no longer includes a local copy of zlib in our source tarball. 
By removing this we do not need to ship (even where we did not build) the old, broken zip encryption code found there. New Spotlight backend for Elasticsearch --------------------------------------- Support for the macOS specific Spotlight search protocol has been enhanced significantly. Starting with 4.12 Samba supports using Elasticsearch as search backend. Various new parameters have been added to configure this: spotlight backend = noindex | elasticsearch | tracker elasticsearch:address = ADDRESS elasticsearch:port = PORT elasticsearch:use tls = BOOLEAN elasticsearch:index = INDEXNAME elasticsearch:mappings = PATH elasticsearch:max results = NUMBER Samba also ships a Spotlight client command "mdfind" which can be used to search any SMB server that runs the Spotlight RPC service. See the manpage of mdfind for details. Note that when upgrading existing installations that are using the previous default Spotlight backend Gnome Tracker must explicitly set "spotlight backend = tracker" as the new default is "noindex". 'net ads kerberos pac save' and 'net eventlog export' ----------------------------------------------------- The 'net ads kerberos pac save' and 'net eventlog export' tools will no longer silently overwrite an existing file during data export. If the filename given exists, an error will be shown. Fuzzing ------- A large number of fuzz targets have been added to Samba, and Samba has been registered in Google's oss-fuzz cloud fuzzing service. In particular, we now have good fuzzing coverage of our generated NDR parsing code. A large number of issues have been found and fixed thanks to this effort. 'samba-tool' improvements add contacts as member to groups ---------------------------------------------------------- Previously 'samba-tool group addmembers' can just add users, groups and computers as members to groups. But also contacts can be members of groups. Samba 4.12 adds the functionality to add contacts to groups. 
Since contacts have no sAMAccountName, it's possible that there are more than one contact with the same name in different organizational units. Therefore it's necessary to have an option to handle group members by their DN. To get the DN of an object there is now the "--full-dn" option available for all necessary commands. The MS Windows UI allows to search for specific types of group members when searching for new members for a group. This feature is included here with the new samba-tool group addmembers "--object-type=OBJECTYPE" option. The different types are selected accordingly to the Windows UI. The default samba-tool behaviour shouldn't be changed. Allow filtering by OU or subtree in samba-tool ---------------------------------------------- A new "--base-dn" and "--member-base-dn" option is added to relevant samba-tool user, group and ou management commands to allow operation on just one part of the AD tree, such as a single OU. VFS === SMB_VFS_NTIMES -------------- Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function. VFS modules can check whether any of the time values inside a struct smb_file_time is to be ignored by calling is_omit_timespec() on the value. 'io_uring' vfs module --------------------- The module makes use of the new io_uring infrastructure (introduced in Linux 5.1), see https://lwn.net/Articles/776703/ Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV and avoids the overhead of the userspace threadpool in the default vfs backend. See also vfs_io_uring(8). In order to build the module you need the liburing userspace library and its development headers installed, see https://git.kernel.dk/cgit/liburing/ At runtime you'll need a Linux kernel with version 5.1 or higher. Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba module! The regression was fixed in Linux 5.4.16 again. 
MS-DFS changes in the VFS ------------------------- This release changes set getting and setting of MS-DFS redirects on the filesystem to go through two new VFS functions: SMB_VFS_CREATE_DFS_PATHAT() SMB_VFS_READ_DFS_PATHAT() instead of smbd explicitly storing MS-DFS redirects inside symbolic links on the filesystem. The underlying default implementations of this has not changed, the redirects are still stored inside symbolic links on the filesystem, but moving the creation and reading of these links into the VFS as first-class functions now allows alternate methods of storing them (maybe in extended attributes) for OEMs who don't want to mis-use filesystem symbolic links in this way. CTDB changes ============ * The ctdb_mutex_fcntl_helper periodically re-checks the lock file The re-check period is specified using a 2nd argument to this helper. The default re-check period is 5s. If the file no longer exists or the inode number changes then the helper exits. This triggers an election. REMOVED FEATURES ================ The smb.conf parameter "write cache size" has been removed. Since the in-memory write caching code was written, our write path has changed significantly. In particular we have gained very flexible support for async I/O, with the new linux io_uring interface in development. The old write cache concept which cached data in main memory followed by a blocking pwrite no longer gives any improvement on modern systems, and may make performance worse on memory-constrained systems, so this functionality should not be enabled in core smbd code. In addition, it complicated the write code, which is a performance critical code path. If required for specialist purposes, it can be recreated as a VFS module. Retiring DES encryption types in Kerberos. 
------------------------------------------ With this release, support for DES encryption types has been removed from Samba, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC-6649). Samba-DC: DES keys no longer saved in DB. ----------------------------------------- When a new password is set for an account, Samba DC will store random keys in DB instead of DES keys derived from the password. If the account is being migrated to Windows or to an older version of Samba in order to use DES keys, the password must be reset to make it work. Heimdal-DC: removal of weak-crypto. ----------------------------------- Following removal of DES encryption types from Samba, the embedded Heimdal build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO). vfs_netatalk: The netatalk VFS module has been removed. ------------------------------------------------------- The netatalk VFS module has been removed. It was unmaintained and is not needed any more. BIND9_FLATFILE deprecated ------------------------- The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision. This release removes the 'rndc command' smb.conf parameter, which supported this configuration by writing out a list of DCs permitted to make changes to the DNS Zone and nudging the 'named' server if a new DC was added to the domain. Administrators using BIND9_FLATFILE will need to maintain this manually from now on.
Pullup ticket #6125 - requested by taca net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.86-1.89 - net/samba4/PLIST 1.25 - net/samba4/distinfo 1.39-1.41 - net/samba4/patches/patch-source4_utils_oLschema2ldif_wscript__build 1.1 --- Module Name: pkgsrc Committed By: adam Date: Mon Dec 30 13:58:35 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: samba4: updated to 4.11.4 Changes since 4.11.3: * BUG 14161: s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an inode number. * BUG 14174: s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum() on an SMB1 connection. * BUG 14176: NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx. * BUG 14189: s3: smbd: SMB2 - Ensure we use the correct session_id if encrypting an interim response. * BUG 14205: Prevent smbd crash after invalid SMB1 negprot. * BUG 13745: s3:printing: Fix %J substitution. * BUG 13925: s3: Remove now unneeded call to cmdline_messaging_context(). * BUG 14069: Incomplete conversion of former parametric options. * BUG 14070: Fix sync dosmode fallback in async dosmode codepath. * BUG 14171: vfs_fruit returns capped resource fork length. * BUG 14116: libnet_join: Add SPNs for additional-dns-hostnames entries. * BUG 14211: smbd: Increase a debug level. * BUG 14153: Prevent azure ad connect from reporting discovery errors: reference-value-not-ldap-conformant. * BUG 14179: krb5_plugin: Fix developer build with newer heimdal system library. * BUG 14168: replace: Only link libnsl and libsocket if required. * BUG 14175: ctdb: Incoming queue can be orphaned causing communication breakdown. * BUG 13846: ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute. * BUG 13856: heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code. 
--- Module Name: pkgsrc Committed By: jperkin Date: Wed Jan 8 10:40:03 UTC 2020 Modified Files: pkgsrc/net/samba4: distinfo Added Files: pkgsrc/net/samba4/patches: patch-source4_utils_oLschema2ldif_wscript__build Log Message: samba4: Disable more fmemopen utilities on SunOS. --- Module Name: pkgsrc Committed By: jperkin Date: Sat Jan 18 21:51:16 UTC 2020 Modified Files: pkgsrc/net/samba4: Makefile Log Message: *: Recursive revision bump for openssl 1.1.1. --- Module Name: pkgsrc Committed By: taca Date: Tue Jan 21 14:12:36 UTC 2020 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: net/samba4: update to 4.11.5 Update samba4 to 4.11.5. ============================== Release Notes for Samba 4.11.5 January 21, 2020 ============================== This is a security release in order to address the following defects: o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic. o CVE-2019-14907: Crash after failed character conversion at log level 3 or above. o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC. ======= Details ======= o CVE-2019-14902: The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers. o CVE-2019-14907: When processing untrusted string input Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs. o CVE-2019-19344: During DNS zone scavenging (of expired dynamic entries) there is a read of memory after it has been freed. --- Module Name: pkgsrc Committed By: taca Date: Mon Jan 27 14:04:13 UTC 2020 Modified Files: pkgsrc/net/samba4: Makefile Log Message: net/samba4: update depdendency Update dependency for daabases/ldb and devel/talloc. Bump PKGREVISION.
samba4: updated to 4.11.6 Changes since 4.11.5: * BUG 14209: pygpo: Use correct method flags. * BUG 14216: vfs_ceph_snapshots: Fix root relative path handling. * BUG 14209: Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero. * BUG 14218: source4/utils/oLschema2ldif: Include stdint.h before cmocka.h. * BUG 14122: docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc. * BUG 14251: smbd: Fix the build with clang. * BUG 14199: upgradedns: Ensure lmdb lock files linked. * BUG 14182: s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir. * BUG 14101: smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file. * BUG 14219: librpc: Fix string length checking in ndr_pull_charset_to_null(). * BUG 14227: ctdb-scripts: Strip square brackets when gathering connection info.
net/samba4: update to 4.11.5

Update samba4 to 4.11.5.

==============================
Release Notes for Samba 4.11.5
January 21, 2020
==============================

This is a security release in order to address the following defects:

o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.

=======
Details
=======

o CVE-2019-14902: The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers.
o CVE-2019-14907: When processing untrusted string input Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs.
o CVE-2019-19344: During DNS zone scavenging (of expired dynamic entries) there is a read of memory after it has been freed.
samba4: Disable more fmemopen utilities on SunOS.
samba4: updated to 4.11.4

Changes since 4.11.3:
* BUG 14161: s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an inode number.
* BUG 14174: s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum() on an SMB1 connection.
* BUG 14176: NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx.
* BUG 14189: s3: smbd: SMB2 - Ensure we use the correct session_id if encrypting an interim response.
* BUG 14205: Prevent smbd crash after invalid SMB1 negprot.
* BUG 13745: s3:printing: Fix %J substitution.
* BUG 13925: s3: Remove now unneeded call to cmdline_messaging_context().
* BUG 14069: Incomplete conversion of former parametric options.
* BUG 14070: Fix sync dosmode fallback in async dosmode codepath.
* BUG 14171: vfs_fruit returns capped resource fork length.
* BUG 14116: libnet_join: Add SPNs for additional-dns-hostnames entries.
* BUG 14211: smbd: Increase a debug level.
* BUG 14153: Prevent azure ad connect from reporting discovery errors: reference-value-not-ldap-conformant.
* BUG 14179: krb5_plugin: Fix developer build with newer heimdal system library.
* BUG 14168: replace: Only link libnsl and libsocket if required.
* BUG 14175: ctdb: Incoming queue can be orphaned causing communication breakdown.
* BUG 13846: ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute.
* BUG 13856: heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code.
samba4: updated to 4.11.3

Samba 4.11.3

This is a security release in order to address the following defects:

o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC.
samba4: updated to 4.11.2 4.11.2: This is a security release in order to address the following defects: o CVE-2019-10218: Client code can return filenames containing path separators. o CVE-2019-14833: Samba AD DC check password script does not receive the full password. o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync. 4.11.1: This is the latest stable release of the Samba 4.11 release series. Changes since 4.11.0: * BUG 14141: getpwnam and getpwuid need to return data for ID_TYPE_BOTH group. * BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(). * BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls. * BUG 14137: Fix stale file handle error when using mkstemp on a share. * BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server. * BUG 14140: Overlinking libreplace against librt and pthread against every binary or library causes issues. * BUG 14130: s3-winbindd: Fix forest trusts with additional trust attributes. * BUG 14134: auth/gensec: Fix non-AES schannel seal. * BUG 14147: Deleted records can be resurrected during recovery. * BUG 14136: Fix uncaught exception in classicupgrade. * BUG 14139: fault.c: Improve fault_report message text pointing to our wiki. * BUG 14128: s3:client: Use DEVICE_URI, instead of argv[0], for Device URI. * BUG 14124: pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests. * BUG 14131: Remove 'pod2man' as it is no longer needed. * BUG 13884: Joining Active Directory should not use SAMR to set the password. * BUG 14140: Overlinking libreplace against librt and pthread against every binary or library causes issues. * BUG 14155: 'kpasswd' fails when built with MIT Kerberos. * BUG 14129: Exit code of ctdb nodestatus should not be influenced by deleted nodes. 4.11.0: * BUG 14049: ldb: Don't try to save a value that isn't there. * ldb_dn: Free dn components on explode failure. 
* ldb: Do not allow adding a DN as a base to itself. * ldb: Release ldb 2.0.7. * BUG 13695: ldb: Correct Pigeonhole principle validation in ldb_filter_attrs(). * BUG 14049: Fix ldb dn crash. * BUG 14117: Deprecate "lanman auth = yes" and "encrypt passwords = no". * BUG 14038: Fix compiling ctdb on older systems lacking POSIX robust mutexes. * BUG 14121: smbd returns bad File-ID on filehandle used to create a file or directory. * BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations. * BUG 14055: Add the target server name of SMB 3.1.1 connections as a hint to load balancers or servers with "multi-tenancy" support. * BUG 14113: Fix byte range locking bugs/regressions. * ldb: Fix mem-leak if talloc_realloc fails. * BUG 14007: Fix join with don't exists machine account. * BUG 14085: ctdb-recoverd: Only check for LMASTER nodes in the VNN map. CHANGES SINCE 4.11.0rc2 * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data loss in CTDB cluster. * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape from the share. * BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what is happening). * BUG 14092: docs: Deprecate "rndc command" for Samba 4.11. * BUG 14059: ldb: Free memory when repacking database. * BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id. * BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and st_ex_iflags. * BUG 14093: vfs_glusterfs: Enable profiling for file system operations. * BUG 14059: Backport sambadowngradedatabase for v4.11. * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape from the share. * BUG 14032: vfs_gpfs: Implement special case for denying owner access to ACL. * BUG 14084: Avoid marking a node as connected before it can receive packets. * BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7. * BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing databases.
Pullup ticket #6047 - requested by taca databases/ldb: dependent update net/samba4: security fix Revisions pulled up: - databases/ldb/Makefile 1.6 - databases/ldb/buildlink3.mk 1.2 - databases/ldb/distinfo 1.3 - net/samba4/Makefile 1.75,1.77-1.78 - net/samba4/PLIST 1.23 - net/samba4/distinfo 1.33-1.35 --- Module Name: pkgsrc Committed By: wiz Date: Sat Jul 20 22:46:59 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile buildlink3.mk Log Message: *: recursive bump for nettle 3.5.1 --- Module Name: pkgsrc Committed By: wiz Date: Sun Jul 21 22:26:08 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile Log Message: *: recursive bump for gdk-pixbuf2-2.38.1 --- Module Name: pkgsrc Committed By: adam Date: Sat Aug 3 06:54:39 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: samba4: updated to 4.10.6 Changes 4.10.6: * BUG 13956: s3: winbind: Fix crash when invoking winbind idmap scripts. * BUG 13964: smbd does not correctly parse arguments passed to dfree and quota scripts. * BUG 13965: samba-tool dns: use bytes for inet_ntop. * BUG 13828: samba-tool domain provision: Fix --interactive module in python3. * BUG 13893: ldb_kv: Skip @ records early in a search full scan. * BUG 13981: docs: Improve documentation of "lanman auth" and "ntlm auth" connection. * BUG 14002: python/ntacls: Use correct "state directory" smb.conf option instead of "state dir". * BUG 13840: registry: Add a missing include. * BUG 13944: Fix SMB guest authentication. * BUG 13958: AppleDouble conversion breaks Resourceforks. * BUG 13968: vfs_fruit makes direct use of syscalls like mmap() and pread(). * BUG 13987: s3:mdssvc: Fix flex compilation error. * BUG 13872: s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly: * BUG 13799: dsdb:samdb: schemainfo update with relax control. * BUG 13964: s3:util: Move static file_pload() function to lib/util. * BUG 13957: smbd: Fix a panic. * BUG 12478: ldap server: Generate correct referral schemes. 
* BUG 13941: s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value. * BUG 13942: s4 dsdb: Fix use after free in samldb_rename_search_base_callback. * BUG 12204: dsdb/repl: we need to replicate the whole schema before we can apply it. * BUG 12478: ldb: Release ldb 1.5.5 * BUG 13713: Schema replication fails if link crosses chunk boundary backwards. * BUG 13799: 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision. * BUG 13916: dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..." * BUG 13917: python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL. * BUG 13947: s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary. * BUG 13939: Using Kerberos credentials to print using spoolss doesn't work. * BUG 13998: wafsamba: Use native waf timer. * BUG 13984: ctdb-scripts: Fix tcp_tw_recycle existence check. --- Module Name: pkgsrc Committed By: wiz Date: Sun Aug 11 13:25:21 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile Log Message: Bump PKGREVISIONs for perl 5.30.0 --- Module Name: pkgsrc Committed By: adam Date: Fri Aug 23 10:52:41 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: samba4: updated to 4.10.7 Samba 4.10.7 * BUG 14010: Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module. * BUG 13844: build: Allow build when '--disable-gnutls' is set. * BUG 13973: samba-tool: Add 'import samba.drs_utils' to fsmo.py. * BUG 14008: Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade. * BUG 14021: s4/libnet: Fix joining a Windows pre-2008R2 DC. * BUG 14046: join: Use a specific attribute order for the DsAddEntry nTDSDSA object. * BUG 14015: vfs_catia: Pass stat info to synthetic_smb_fname(). * BUG 14091: lookup_name: Allow own domain lookup when flags == 0. * BUG 13932: s4 librpc rpc pyrpc: Ensure tevent_context deleted last. 
* BUG 13915: DEBUGC and DEBUGADDC doesn't print into a class specific log file. * BUG 13949: Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto". * BUG 13967: dbcheck: Fallback to the default tombstoneLifetime of 180 days. * BUG 13969: dnsProperty fails to decode values from older Windows versions. * BUG 13973: samba-tool: Use only one LDAP modify for dns partition fsmo role transfer. * BUG 13960: third_party: Update waf to version 2.0.17. * BUG 14051: netcmd: Allow 'drs replicate --local' to create partitions. * BUG 14017: ctdb-config: Depend on /etc/ctdb/nodes file. --- Module Name: pkgsrc Committed By: adam Date: Tue Sep 3 19:11:58 UTC 2019 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: samba4: updated to 4.10.8 Samba 4.10.8: This is a security release in order to address the following defect: o CVE-2019-10197: Combination of parameters and permissions can allow user to escape from the share path definition. --- Module Name: pkgsrc Committed By: adam Date: Sat Aug 3 06:52:32 UTC 2019 Modified Files: pkgsrc/databases/ldb: Makefile buildlink3.mk distinfo Log Message: ldb: updated to 1.5.5 1.5.5: Unknown changes
Solarish pthreads expect mutex datastructures to be properly zeroed out, unlike the Linux implementation, which upstream mainly targets. This leads to "tdb_open_ex: tdb_mutex_init failed for /var/samba/lock/gencache.tdb: Device busy" errors, described in <https://illumos.topicbox.com/groups/developer/T28dcabf2f69cac04>. Illumos kernel code attempted to mitigate the problem as of <https://www.illumos.org/issues/9959>, but the changes have yet to show up in releases. The patches originate from <https://github.com/oposs/pkg.oetiker.ch-build/blob/master/build/samba4/patches/pthread_mutex_init>, modified appropriately. Tested on omniosce r151030.
samba4: updated to 4.10.8

Samba 4.10.8:

This is a security release in order to address the following defect:

o CVE-2019-10197: Combination of parameters and permissions can allow user to escape from the share path definition.
samba4: updated to 4.10.7 Samba 4.10.7 * BUG 14010: Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module. * BUG 13844: build: Allow build when '--disable-gnutls' is set. * BUG 13973: samba-tool: Add 'import samba.drs_utils' to fsmo.py. * BUG 14008: Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade. * BUG 14021: s4/libnet: Fix joining a Windows pre-2008R2 DC. * BUG 14046: join: Use a specific attribute order for the DsAddEntry nTDSDSA object. * BUG 14015: vfs_catia: Pass stat info to synthetic_smb_fname(). * BUG 14091: lookup_name: Allow own domain lookup when flags == 0. * BUG 13932: s4 librpc rpc pyrpc: Ensure tevent_context deleted last. * BUG 13915: DEBUGC and DEBUGADDC doesn't print into a class specific log file. * BUG 13949: Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto". * BUG 13967: dbcheck: Fallback to the default tombstoneLifetime of 180 days. * BUG 13969: dnsProperty fails to decode values from older Windows versions. * BUG 13973: samba-tool: Use only one LDAP modify for dns partition fsmo role transfer. * BUG 13960: third_party: Update waf to version 2.0.17. * BUG 14051: netcmd: Allow 'drs replicate --local' to create partitions. * BUG 14017: ctdb-config: Depend on /etc/ctdb/nodes file.
samba4: updated to 4.10.6 Changes 4.10.6: * BUG 13956: s3: winbind: Fix crash when invoking winbind idmap scripts. * BUG 13964: smbd does not correctly parse arguments passed to dfree and quota scripts. * BUG 13965: samba-tool dns: use bytes for inet_ntop. * BUG 13828: samba-tool domain provision: Fix --interactive module in python3. * BUG 13893: ldb_kv: Skip @ records early in a search full scan. * BUG 13981: docs: Improve documentation of "lanman auth" and "ntlm auth" connection. * BUG 14002: python/ntacls: Use correct "state directory" smb.conf option instead of "state dir". * BUG 13840: registry: Add a missing include. * BUG 13944: Fix SMB guest authentication. * BUG 13958: AppleDouble conversion breaks Resourceforks. * BUG 13968: vfs_fruit makes direct use of syscalls like mmap() and pread(). * BUG 13987: s3:mdssvc: Fix flex compilation error. * BUG 13872: s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly: * BUG 13799: dsdb:samdb: schemainfo update with relax control. * BUG 13964: s3:util: Move static file_pload() function to lib/util. * BUG 13957: smbd: Fix a panic. * BUG 12478: ldap server: Generate correct referral schemes. * BUG 13941: s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value. * BUG 13942: s4 dsdb: Fix use after free in samldb_rename_search_base_callback. * BUG 12204: dsdb/repl: we need to replicate the whole schema before we can apply it. * BUG 12478: ldb: Release ldb 1.5.5 * BUG 13713: Schema replication fails if link crosses chunk boundary backwards. * BUG 13799: 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision. * BUG 13916: dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..." * BUG 13917: python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL. * BUG 13947: s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary. * BUG 13939: Using Kerberos credentials to print using spoolss doesn't work. 
* BUG 13998: wafsamba: Use native waf timer. * BUG 13984: ctdb-scripts: Fix tcp_tw_recycle existence check.
samba4: Build fixes for SunOS.
Fixes a build failure when the letter 'j' appears in MAKEFLAGS.
samba4: updated to 4.10.5

Release Notes for Samba 4.10.5

This is a security release in order to address the following defects:

o CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server (dnsserver))
o CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches))

Details
=======

o CVE-2019-12435: An authenticated user can crash the Samba AD DC's RPC server process via a NULL pointer dereference.
o CVE-2019-12436: A user with read access to the directory can cause a NULL pointer dereference using the paged search control.

For more details and workarounds, please refer to the security advisories.
Pullup ticket #5972 - requested by taca net/samba4: security update Revisions pulled up: - net/samba4/Makefile 1.67 - net/samba4/PLIST.Linux 1.2 - net/samba4/distinfo 1.28 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Tue Apr 23 07:42:53 UTC 2019 Modified Files: pkgsrc/net/samba4: PLIST.Linux Log Message: samba4: update Linux-specific PLIST entries from mmoll in https://github.com/NetBSD/pkgsrc/pull/46 I am not adding the SunOS part because the files are in the non-OS specific PLIST, now (the SunOS entries seem to be duplicated) To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/samba4/PLIST.Linux ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Thu Apr 25 07:33:32 UTC 2019 Modified Files: pkgsrc/archivers/bmap-tools: Makefile pkgsrc/archivers/engrampa: Makefile pkgsrc/archivers/rox-archive: Makefile pkgsrc/audio/aeneas: Makefile pkgsrc/audio/amaroc: Makefile pkgsrc/audio/ardour: Makefile pkgsrc/audio/aubio: Makefile pkgsrc/audio/cplay: Makefile pkgsrc/audio/csound5: Makefile pkgsrc/audio/csound6: Makefile pkgsrc/audio/csound6-manual: Makefile pkgsrc/audio/exaile: Makefile pkgsrc/audio/eyeD3: Makefile pkgsrc/audio/gtkpod: Makefile pkgsrc/audio/icecast1: Makefile pkgsrc/audio/ices-mp3: Makefile pkgsrc/audio/libmatemixer: Makefile pkgsrc/audio/lilv: Makefile pkgsrc/audio/lv2: Makefile pkgsrc/audio/moss: Makefile pkgsrc/audio/picard: Makefile pkgsrc/audio/playitslowly: Makefile pkgsrc/audio/pocketsphinx: Makefile pkgsrc/audio/pulseaudio: Makefile pkgsrc/audio/py-beets: Makefile pkgsrc/audio/quodlibet2: Makefile pkgsrc/audio/rhythmbox: Makefile pkgsrc/audio/solfege: Makefile pkgsrc/audio/sonata: Makefile pkgsrc/audio/sphinxtrain: Makefile pkgsrc/audio/suil: Makefile pkgsrc/audio/tunapie: Makefile pkgsrc/benchmarks/fio: Makefile pkgsrc/benchmarks/glmark2: Makefile pkgsrc/biology/bcftools: Makefile pkgsrc/biology/hisat2: 
Makefile pkgsrc/biology/ncbi-blast+: Makefile pkgsrc/biology/samtools: Makefile pkgsrc/biology/stacks: Makefile pkgsrc/cad/geda: Makefile pkgsrc/cad/klayout: Makefile pkgsrc/cad/openscad: Makefile pkgsrc/chat/bitlbee: Makefile pkgsrc/chat/centerim: Makefile pkgsrc/chat/centerim5: Makefile pkgsrc/chat/empathy: Makefile pkgsrc/chat/gajim: Makefile pkgsrc/chat/gajim-plugin-omemo: Makefile pkgsrc/chat/hexchat: Makefile pkgsrc/chat/konversation: Makefile pkgsrc/chat/libpurple: Makefile pkgsrc/chat/libtelepathy: Makefile pkgsrc/chat/spectrum: Makefile pkgsrc/chat/swift: Makefile pkgsrc/chat/telepathy-farsight: Makefile pkgsrc/chat/telepathy-gabble: Makefile pkgsrc/chat/telepathy-glib: Makefile pkgsrc/chat/telepathy-idle: Makefile pkgsrc/chat/telepathy-logger: Makefile pkgsrc/chat/telepathy-mission-control: Makefile pkgsrc/chat/telepathy-mission-control5: Makefile pkgsrc/chat/telepathy-qt: Makefile pkgsrc/chat/tootstream: Makefile pkgsrc/comms/multisync-gui: Makefile pkgsrc/converters/libkkc: Makefile pkgsrc/converters/sratom: Makefile pkgsrc/converters/unoconv: Makefile pkgsrc/converters/wkhtmltopdf: Makefile pkgsrc/databases/apache-cassandra: Makefile pkgsrc/databases/apache-cassandra2: Makefile pkgsrc/databases/gourmet: Makefile pkgsrc/databases/gramps3: Makefile pkgsrc/databases/ldb: Makefile pkgsrc/databases/libpqxx: Makefile pkgsrc/databases/luma: Makefile pkgsrc/databases/mongodb: Makefile pkgsrc/databases/mysql-cluster: Makefile pkgsrc/databases/mysql-workbench: Makefile pkgsrc/databases/oraedit: Makefile pkgsrc/databases/postgresql10-plpython: Makefile pkgsrc/databases/postgresql11-plpython: Makefile pkgsrc/databases/postgresql93-plpython: Makefile pkgsrc/databases/postgresql94-plpython: Makefile pkgsrc/databases/postgresql95-plpython: Makefile pkgsrc/databases/postgresql96-plpython: Makefile pkgsrc/databases/skytools: Makefile pkgsrc/databases/sqlrelay-nodejs: Makefile pkgsrc/databases/tdb: Makefile pkgsrc/devel/ExmanIDE: Makefile pkgsrc/devel/GConf: Makefile 
pkgsrc/devel/RBTools: Makefile pkgsrc/devel/accerciser: Makefile pkgsrc/devel/accerciser3: Makefile pkgsrc/devel/anjuta: Makefile pkgsrc/devel/appdata-tools: Makefile pkgsrc/devel/arcanist: Makefile pkgsrc/devel/boa-constructor: Makefile pkgsrc/devel/bpython: Makefile pkgsrc/devel/bzr: Makefile pkgsrc/devel/bzr-explorer: Makefile pkgsrc/devel/bzr-gtk: Makefile pkgsrc/devel/bzr-svn: Makefile pkgsrc/devel/bzrtools: Makefile pkgsrc/devel/clion-bin: Makefile pkgsrc/devel/coccinelle: Makefile pkgsrc/devel/codeville: Makefile pkgsrc/devel/cppcheck: Makefile pkgsrc/devel/ctemplate: Makefile pkgsrc/devel/cvs-fast-export: Makefile pkgsrc/devel/cvs2svn: Makefile pkgsrc/devel/dconf: Makefile pkgsrc/devel/diffuse: Makefile pkgsrc/devel/distcc-pump: Makefile pkgsrc/devel/doxygen: Makefile pkgsrc/devel/epydoc: Makefile pkgsrc/devel/eric4: Makefile pkgsrc/devel/etrace: Makefile pkgsrc/devel/fromcvs: Makefile pkgsrc/devel/gdb: Makefile pkgsrc/devel/gdb7: Makefile pkgsrc/devel/gdbus-codegen: Makefile pkgsrc/devel/git-remote-hg: Makefile pkgsrc/devel/glib2: Makefile pkgsrc/devel/glib2-tools: Makefile pkgsrc/devel/global: Makefile pkgsrc/devel/gnatpython: Makefile pkgsrc/devel/go-cli: Makefile pkgsrc/devel/go-termbox: Makefile pkgsrc/devel/gobject-introspection: Makefile pkgsrc/devel/gps: Makefile pkgsrc/devel/hyperscan: Makefile pkgsrc/devel/include-what-you-use: Makefile pkgsrc/devel/intellij-ce-bin: Makefile pkgsrc/devel/intellij-ue-bin: Makefile pkgsrc/devel/kcachegrind: Makefile pkgsrc/devel/kde-dev-scripts: Makefile pkgsrc/devel/ko-po-check: Makefile pkgsrc/devel/kpackage: Makefile pkgsrc/devel/kpeople: Makefile pkgsrc/devel/kpty: Makefile pkgsrc/devel/kservice: Makefile pkgsrc/devel/lettuce: Makefile pkgsrc/devel/libdbusmenu-tools: Makefile pkgsrc/devel/libftdi1: Makefile pkgsrc/devel/libgit2: Makefile pkgsrc/devel/libhid: Makefile pkgsrc/devel/libpeas: Makefile pkgsrc/devel/librdkafka: Makefile pkgsrc/devel/lld: Makefile pkgsrc/devel/lldb: Makefile pkgsrc/devel/lokalize: 
Makefile pkgsrc/devel/mate-common: Makefile pkgsrc/devel/meld: Makefile pkgsrc/devel/mercurial: Makefile pkgsrc/devel/ncc: Makefile pkgsrc/devel/netbeans-ide: Makefile pkgsrc/devel/ninja-build: Makefile pkgsrc/devel/phpstorm-bin: Makefile pkgsrc/devel/ply: Makefile pkgsrc/devel/py-gobject-shared: Makefile pkgsrc/devel/py-proteus: Makefile pkgsrc/devel/pycharm-bin: Makefile pkgsrc/devel/pythontidy: Makefile pkgsrc/devel/qbzr: Makefile pkgsrc/devel/radare2-cutter: Makefile pkgsrc/devel/reposurgeon: Makefile pkgsrc/devel/ropper: Makefile pkgsrc/devel/roundup: Makefile pkgsrc/devel/rox-lib: Makefile pkgsrc/devel/rubymine-bin: Makefile pkgsrc/devel/sdcc3: Makefile pkgsrc/devel/stgit: Makefile pkgsrc/devel/subversion: Makefile pkgsrc/devel/swig2: Makefile pkgsrc/devel/tailor: Makefile pkgsrc/devel/talloc: Makefile pkgsrc/devel/tevent: Makefile pkgsrc/devel/umbrello: Makefile pkgsrc/devel/undebt: Makefile pkgsrc/devel/waf: Makefile pkgsrc/editors/Sigil: Makefile pkgsrc/editors/TeXmacs: Makefile pkgsrc/editors/cooledit: Makefile pkgsrc/editors/gedit-python: Makefile pkgsrc/editors/gedit3: Makefile pkgsrc/editors/kate: Makefile pkgsrc/editors/lyx: Makefile pkgsrc/editors/medit: Makefile pkgsrc/editors/nts: Makefile pkgsrc/editors/pluma: Makefile pkgsrc/editors/retext: Makefile pkgsrc/editors/rox-edit: Makefile pkgsrc/emulators/dynagen: Makefile pkgsrc/emulators/fs-uae-arcade: Makefile pkgsrc/emulators/fs-uae-launcher: Makefile pkgsrc/emulators/gns3: Makefile pkgsrc/emulators/hatari: Makefile pkgsrc/emulators/keystone: Makefile pkgsrc/emulators/libretro-dolphin: Makefile pkgsrc/emulators/mame: Makefile pkgsrc/emulators/openmsx: Makefile pkgsrc/emulators/qemu: Makefile pkgsrc/emulators/simulavr: Makefile pkgsrc/emulators/snes9x-gtk: Makefile pkgsrc/emulators/unicorn: Makefile pkgsrc/filesystems/fuse-gmailfs: Makefile pkgsrc/filesystems/fuse-pcachefs: Makefile pkgsrc/filesystems/fuse-wikipediafs: Makefile pkgsrc/filesystems/glusterfs: Makefile pkgsrc/filesystems/tahoe-lafs: 
Makefile pkgsrc/finance/gnucash: Makefile pkgsrc/finance/ledger: Makefile pkgsrc/finance/moneyguru: Makefile pkgsrc/fonts/fontforge: Makefile pkgsrc/fonts/mftrace: Makefile pkgsrc/fonts/mkfontalias: Makefile pkgsrc/games/4stAttack: Makefile pkgsrc/games/accelerator3d: Makefile pkgsrc/games/blindmine: Makefile pkgsrc/games/crossfire-server: Makefile pkgsrc/games/duckmaze: Makefile pkgsrc/games/flare-engine: Makefile pkgsrc/games/flare-game: Makefile pkgsrc/games/gcompris: Makefile pkgsrc/games/gnome-games: Makefile pkgsrc/games/jools: Makefile pkgsrc/games/kajongg: Makefile pkgsrc/games/kye: Makefile pkgsrc/games/monsterz: Makefile pkgsrc/games/pysolfc: Makefile pkgsrc/games/pytraffic: Makefile pkgsrc/games/quakeforge: Makefile pkgsrc/games/scid: Makefile pkgsrc/games/singularity: Makefile pkgsrc/games/stegavorto: Makefile pkgsrc/games/teeworlds: Makefile pkgsrc/games/wesnoth: Makefile pkgsrc/geography/gpsd: Makefile pkgsrc/geography/proj-swig: Makefile pkgsrc/geography/qgis: Makefile pkgsrc/graphics/MesaLib: Makefile pkgsrc/graphics/MesaLib18: Makefile pkgsrc/graphics/MesaLib7: Makefile pkgsrc/graphics/aqsis: Makefile pkgsrc/graphics/asymptote: Makefile pkgsrc/graphics/blender: Makefile pkgsrc/graphics/cinepaint: Makefile pkgsrc/graphics/comix: Makefile pkgsrc/graphics/dia-python: Makefile pkgsrc/graphics/edje: Makefile pkgsrc/graphics/eog: Makefile pkgsrc/graphics/gif2png: Makefile pkgsrc/graphics/graphite2: Makefile pkgsrc/graphics/hugin: Makefile pkgsrc/graphics/inkscape: Makefile pkgsrc/graphics/jbig2dec: Makefile pkgsrc/graphics/kiconthemes: Makefile pkgsrc/graphics/krita: Makefile pkgsrc/graphics/lensfun: Makefile pkgsrc/graphics/libepoxy: Makefile pkgsrc/graphics/libscigraphica: Makefile pkgsrc/graphics/mate-backgrounds: Makefile pkgsrc/graphics/mate-icon-theme: Makefile pkgsrc/graphics/mate-icon-theme-faenza: Makefile pkgsrc/graphics/mate-themes: Makefile pkgsrc/graphics/mypaint: Makefile pkgsrc/graphics/opencv: Makefile pkgsrc/graphics/opencv-contrib-face: 
Makefile pkgsrc/x11/rox-wallpaper: Makefile pkgsrc/x11/xcb-proto: Makefile

Log Message:
PKGREVISION bump for anything using python without a PYPKGPREFIX.

This is a semi-manual PKGREVISION bump.

To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 pkgsrc/net/samba4/Makefile

-------------------------------------------------------------------

Module Name: pkgsrc
Committed By: adam
Date: Wed May 15 09:07:21 UTC 2019

Modified Files:
pkgsrc/net/samba4: Makefile distinfo

Log Message:
samba4: updated to 4.10.3

Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available

These are security releases in order to address CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum).

To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 pkgsrc/net/samba4/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/net/samba4/distinfo
samba4: updated to 4.10.4

Changes since 4.10.3:
* BUG 13938: s3: SMB1: Don't allow recvfile on stream fsp's.
* BUG 13882: py/provision: Fix for Python 2.6.
* BUG 13873: netcmd: Fix 'passwordsettings --max-pwd-age' command.
* BUG 13938: s3:smbd: Don't use recvfile on streams.
* BUG 13861: s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot".
* BUG 13896: vfs_ceph: Explicitly enable libcephfs POSIX ACL support.
* BUG 13940: vfs_ceph: Fix cephwrap_flistxattr() debug message.
* BUG 13895: ctdb-common: Avoid race between fd and signal events.
* BUG 13943: ctdb-common: Fix memory leak in run_proc.
* BUG 13892: lib: Initialize getline() arguments.
* BUG 13903: winbind: Fix overlapping id ranges.
* BUG 13902: lib util debug: Increase format buffer to 4KiB.
* BUG 13927: nsswitch pam_winbind: Fix Asan use after free.
* BUG 13929: s4 lib socket: Ensure address string owned by parent struct.
* BUG 13936: s3 rpc_client: Fix Asan stack use after scope.
* BUG 10097: s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO.
* BUG 10344: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
* BUG 12845: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
* BUG 13698: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
* BUG 13796: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
* BUG 13843: dbcheck: Fix the err_empty_attribute() check.
* BUG 13858: vfs_snapper: Drop unneeded fstat handler.
* BUG 13862: vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check.
* BUG 13863: smb2_server: Grant all 8192 credits to clients.
* BUG 13919: smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling.
* BUG 13872: s3/vfs_glusterfs: Dynamically determine NAME_MAX.
* BUG 13918: s3: modules: ceph: Use current working directory instead of share path.
* BUG 13831: winbind: Use domain name from lsa query for sid_to_name cache entry.
* BUG 13865: memcache: Increase size of default memcache to 512k.
* BUG 13857: docs: Update smbclient manpage for "--max-protocol".
* BUG 13861: 'net ads join' to child domain fails when using "-U admin@forestroot".
* BUG 13937: s3:utils: If share is NULL in smbcacls, don't print it.
* BUG 13939: s3:smbspool: Fix regression printing with Kerberos credentials.
* BUG 13860: ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd.
* BUG 13888: ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake".
* BUG 13930: ctdb-daemon: Never use 0 as a client ID.
* BUG 13943: ctdb-common: Fix memory leak.
* BUG 13904: s3:debug: Enable logging for early startup failures.
samba4: updated to 4.10.3

Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available

These are security releases in order to address CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum).
Pullup ticket #5933 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile 1.64-1.65
- net/samba4/PLIST 1.22
- net/samba4/distinfo 1.26-1.27

---
Module Name: pkgsrc
Committed By: adam
Date: Wed Apr 3 14:23:06 UTC 2019

Modified Files:
pkgsrc/net/samba4: Makefile distinfo

Log Message:
samba4: updated to 4.10.1

Changes since 4.10.0:
* BUG 13837: py/kcc_utils: py2.6 compatibility.
* BUG 13869: libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response.
* BUG 13840: regfio: Improve handling of malformed registry hive files.
* BUG 13789: ctdb-version: Simplify version string usage.
* BUG 13859: lib: Make fd_load work for non-regular files.
* BUG 13816: dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option.
* BUG 13818: ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT().
* BUG 13854: s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so.
* BUG 13836: acl_read: Fix regression for empty lists.
* BUG 13841: s4:dlz make b9_has_soa check dc=@ node.
* BUG 13832: s3:client: Fix printing via smbspool backend with kerberos auth.
* BUG 13847: s4:librpc: Fix installation of Samba.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13793: s3:utils: Add 'smbstatus -L --resolve-uids' to show username.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13853: s3:waf: Fix the detection of makdev() macro on Linux.
* BUG 13789: ctdb-build: Drop creation of .distversion in tarball.
* BUG 13838: ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory.
---
Module Name: pkgsrc
Committed By: adam
Date: Mon Apr 8 18:35:59 UTC 2019

Modified Files:
pkgsrc/net/samba4: Makefile PLIST distinfo

Log Message:
samba4: updated to 4.10.2

Release Notes for Samba 4.10.2

This is a security release in order to address the following defects:
o CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o CVE-2019-3880 (Save registry file outside share as unprivileged user)

Details
o CVE-2019-3870: During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable.
o CVE-2019-3880: Authenticated users with write permission can trigger a symlink traversal to write or detect files outside the Samba share.

For more details and workarounds, please refer to the security advisories.

Changes since 4.10.1:
* BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for smbd.mkdir().
* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of SaveKey/RestoreKey.
samba4: updated to 4.10.2

Release Notes for Samba 4.10.2

This is a security release in order to address the following defects:
o CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o CVE-2019-3880 (Save registry file outside share as unprivileged user)

Details
o CVE-2019-3870: During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable.
o CVE-2019-3880: Authenticated users with write permission can trigger a symlink traversal to write or detect files outside the Samba share.

For more details and workarounds, please refer to the security advisories.

Changes since 4.10.1:
* BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for smbd.mkdir().
* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of SaveKey/RestoreKey.
samba4: updated to 4.10.1

Changes since 4.10.0:
* BUG 13837: py/kcc_utils: py2.6 compatibility.
* BUG 13869: libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response.
* BUG 13840: regfio: Improve handling of malformed registry hive files.
* BUG 13789: ctdb-version: Simplify version string usage.
* BUG 13859: lib: Make fd_load work for non-regular files.
* BUG 13816: dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option.
* BUG 13818: ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT().
* BUG 13854: s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so.
* BUG 13836: acl_read: Fix regression for empty lists.
* BUG 13841: s4:dlz make b9_has_soa check dc=@ node.
* BUG 13832: s3:client: Fix printing via smbspool backend with kerberos auth.
* BUG 13847: s4:librpc: Fix installation of Samba.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13793: s3:utils: Add 'smbstatus -L --resolve-uids' to show username.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13853: s3:waf: Fix the detection of makdev() macro on Linux.
* BUG 13789: ctdb-build: Drop creation of .distversion in tarball.
* BUG 13838: ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory.
samba4: updated to 4.10.0

Release Notes for Samba 4.10.0

This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

GPO Improvements
----------------

A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format.

A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain).

KDC prefork
-----------

The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba.

Prefork 'prefork children'
--------------------------

The default value for this smb.conf parameter has been increased from 1 to 4.

Netlogon prefork
----------------

DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are pre-forked when the prefork process model is selected for samba.

Offline domain backups
----------------------

The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command.

Group membership statistics
---------------------------

A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group.
Paged results LDAP control
--------------------------

The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally (or is requested by the user) by LDAP libraries or tools that deal with large result sizes, for example, when listing all the objects in the database.

Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression.

For further details see https://wiki.samba.org/index.php/Paged_Results

Prefork process restart
-----------------------

The pre-fork process model now restarts failed processes. The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smb.conf parameters. A linear back off strategy is used with "prefork backoff increment" added to the delay between restart attempts up until it reaches "prefork maximum backoff".

Using the default sequence the restart delays (in seconds) are: 0, 10, 20, ..., 120, 120, ...

Standard process model
----------------------

When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0, indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately.

python3 support
---------------

This is the first release of Samba which has full support for Python 3.
Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
   'PYTHON=python2 ./configure'
   'PYTHON=python2 make'
This will override the python3 default.

Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case.

Note that Samba 4.10 supports Python 3.4 onwards.

Future Python support
---------------------

Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term.

Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now.

If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.

Also note that Samba 4.11 will most likely only support Python 3.6 onwards.

JSON logging
------------

Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType".
The supported event codes and logon types are:
   Event codes:
      4624  Successful logon
      4625  Unsuccessful logon

   Logon Types:
      2  Interactive
      3  Network
      8  NetworkCleartext

The version number for Authentication messages is now 1.1, changed from 1.0

Password change messages now contain the Windows Event Id "eventId", the supported event Id's are:
   4723  Password changed
   4724  Password reset

The version number for PasswordChange messages is now 1.1, changed from 1.0

Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are:
   4728  A member was added to a security enabled global group
   4729  A member was removed from a security enabled global group
   4732  A member was added to a security enabled local group
   4733  A member was removed from a security enabled local group
   4746  A member was added to a security disabled local group
   4747  A member was removed from a security disabled local group
   4751  A member was added to a security disabled global group
   4752  A member was removed from a security disabled global group
   4756  A member was added to a security enabled universal group
   4757  A member was removed from a security enabled universal group
   4761  A member was added to a security disabled universal group
   4762  A member was removed from a security disabled universal group

The version number for GroupChange messages is now 1.1, changed from 1.0. Also a GroupChange message is generated when a new user is created to log that the user has been added to their primary group.

The leading "JSON <message type>:" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {"

SMBv2 samba-tool support
------------------------

On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool.
The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands.

New glusterfs_fuse VFS module
-----------------------------

The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume.

REMOVED FEATURES
================

MIT Kerberos build of the AD DC
-------------------------------

While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option: --with-experimental-mit-ad-dc

For further details see https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

samba_backup
------------

The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command.

SMB client Python bindings
--------------------------

The SMB client python bindings are now deprecated and will be removed in future Samba releases. This will only affect users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'.
py-twine: updated to 1.13.0 Twine is a utility for publishing Python packages on PyPI. It provides build system independent uploads of source and binary distribution artifacts for both new and existing projects.
Add a patch taken from upstream to allow smbd to work when winbindd has been started but not configured.
samba4: building fixes

PkgSrc changes:
* fix building on Darwin and probably other systems as well
* install manpages
* use correct install_name on Darwin
* does not collide with p5-Parse-Yapp anymore
* use cmocka and libgcrypt
* clean-ups
samba4: updated to 4.9.4

Release Notes for Samba 4.9.4

Major bug fixes include:
o dns: Fix CNAME loop prevention using counter regression.

Changes since 4.9.3:
* BUG 9175: libcli/smb: Don't overwrite status code.
* BUG 12164: wbinfo --group-info 'NT AUTHORITY\System' does not work.
* BUG 13661: Session setup reauth fails to sign response.
* BUG 13677: vfs_fruit: Validation of writes on AFP_AfpInfo stream.
* BUG 13688: vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing.
* BUG 13455: Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name.
* BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.
* BUG 13708: s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs.
* PEP8: fix E231: missing whitespace after ','.
* BUG 13629: winbindd: Fix crash when taking profiles.
* BUG 13600: CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression.
* BUG 13686: 'samba-tool user syncpasswords' fails on a domain with many DCs.
* BUG 13571: CVE-2018-16853: Do not segfault if client is not set.
* BUG 13679: lib:util: Fix DEBUGCLASS pointer initialization.
* BUG 13696: ctdb-daemon: Exit with error if a database directory does not exist.
* BUG 13498: s3:libads: Add net ads leave keep-account option.
net/samba4: update to 4.9.3

=============================
Release Notes for Samba 4.9.3
November 27, 2018
=============================

This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)

=======
Details
=======

o CVE-2018-14629: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue.

o CVE-2018-16841: When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. There is no further vulnerability associated with this issue, merely a denial of service.

o CVE-2018-16851: During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service.
o CVE-2018-16852: During the processing of a DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service.

o CVE-2018-16853: A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory we clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this configuration.

o CVE-2018-16857: AD DC Configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all.

For more details and workarounds, please refer to the security advisories.
Update to 4.9.2

Changelog:
* Many bugfixes
* Update some bundled libraries
samba4: fix PLIST error if building while pkg is already installed
Fixes PR # 52711. Allows installation of package in /usr/local LOCALBASE.
net/samba4: update to 4.6.8, security fix

=============================
Release Notes for Samba 4.6.8
September 20, 2017
=============================

This is a security release in order to address the following defects:
o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should)
o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
o CVE-2017-12163 (Server memory information leak over SMB1)

=======
Details
=======

o CVE-2017-12150: A man in the middle attack may hijack client connections.

o CVE-2017-12151: A man in the middle attack can read and may alter confidential documents transferred via a client connection, which are reached via DFS redirect when the original connection used SMB3.

o CVE-2017-12163: Client with write access to a share can cause server memory contents to be written into a file or printer.

For more details and workarounds, please see the security advisories:
o https://www.samba.org/samba/security/CVE-2017-12150.html
o https://www.samba.org/samba/security/CVE-2017-12151.html
o https://www.samba.org/samba/security/CVE-2017-12163.html

Changes since 4.6.7:
--------------------

o Jeremy Allison <jra@samba.org>
  * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async.
  * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

o Ralph Boehme <slow@samba.org>
  * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly.

o Stefan Metzmacher <metze@samba.org>
  * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs redirects.
  * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing when they should.
net/samba4: update to 4.6.7 4.6.7 (2017/08/09): the latest stable release of the Samba 4.6 release series. Changes since 4.6.6 --------------------- o Jeremy Allison <jra@samba.org> * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async. o Andrew Bartlett <abartlet@samba.org> * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified. o Ralph Boehme <slow@samba.org> * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly. * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from smbd_notifyd_init. o Günther Deschner <gd@samba.org> * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option. o David Disseldorp <ddiss@samba.org> * BUG 12911: vfs_ceph: Fix cephwrap_chdir(). o Dustin L. Howett * BUG 12720: idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN. o Thomas Jarosch <thomas.jarosch@intra2net.com> * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p. o Volker Lendecke <vl@samba.org> * BUG 12925: smbd: Fix a connection run-down race condition. o Stefan Metzmacher <metze@samba.org> * BUG 12782: winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change. * BUG 12890: s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface(). o Noel Power <noel.power@suse.com> * BUG 12937: smbcacls: Don't fail against a directory on Windows using SMB2. o Arvid Requate <requate@univention.de> * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping. o Garming Sam <garming@catalyst.net.nz> * BUG 12813: dnsserver: Stop dns_name_equal doing OOB read. o Andreas Schneider <asn@samba.org> * BUG 12886: s3:client: The smbspool krb5 wrapper needs negotiate for authentication. o Martin Schwenke <martin@meltin.net> * BUG 12898: ctdb-common: Set close-on-exec when creating PID file. 
4.6.6 (2017/07/12): security release in order to address the following defect: o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) Changes since 4.6.5: --------------------- o Jeffrey Altman <jaltman@secure-endpoints.com> * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation 4.6.5 (2017/06/06): the latest stable release of the Samba 4.6 release series. Changes since 4.6.4: --------------------- o Jeremy Allison <jra@samba.org> * BUG 12804: s3: VFS: Catia: Ensure path name is also converted. o Christian Ambach <ambi@samba.org> * BUG 12765: s3:smbcacls add prompt for password. o Ralph Boehme <slow@samba.org> * BUG 12562: vfs_acl_xattr|tdb: Ensure create mask is at least 0666 if ignore_system_acls is set. * BUG 12702: Wrong sid->uid mapping for SIDs residing in sIDHistory. * BUG 12749: vfs_fruit: lp_case_sensitive() does not return a bool. * BUG 12766: s3/smbd: Update exclusive oplock optimisation to the lease area. * BUG 12798: s3/smbd: Fix exclusive lease optimisation. o Alexander Bokovoy <ab@samba.org> * BUG 12751: Allow passing trusted domain password as plain-text to PASSDB layer. * BUG 12764: systemd: Fix detection of libsystemd. o Amitay Isaacs <amitay@gmail.com> * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to complete. * BUG 12770: ctdb-logging: Initialize DEBUGLEVEL before changing the value. o Shilpa Krishnareddy <skrishnareddy@panzura.com> * BUG 12756: notify: Fix ordering of events in notifyd. o Volker Lendecke <vl@samba.org> * BUG 12757: idmap_rfc2307: Lookup of more than two SIDs fails. o Stefan Metzmacher <metze@samba.org> * BUG 12767: samba-tool: Let 'samba-tool user syncpasswords' report deletions immediately. o Doug Nazar <nazard@nazar.ca> * BUG 12760: s3: smbd: inotify_map_mask_to_filter incorrectly indexes an array. o Andreas Schneider <asn@samba.org> * BUG 12687: vfs_expand_msdfs tries to open the remote address as a file path. 
o Martin Schwenke <martin@meltin.net> * BUG 12802: 'ctdb nodestatus' incorrectly displays status for all nodes with wrong exit code. * BUG 12814: ctdb-common: Fix crash in logging initialisation.
Substitute SYSCONFDIR assumed by the embedded Heimdal code properly. Fixes calls to e.g. krb5.keytab that were hardcoded to /etc. PKGREVISION++
Pullup ticket #5431 - requested by he net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.28-1.30 - net/samba4/PLIST 1.11-1.12 - net/samba4/distinfo 1.12-1.13 - net/samba4/options.mk 1.4 - net/samba4/patches/patch-lib_param_loadparm.h 1.2 - net/samba4/patches/patch-source3_script_tests_test__smbclient__s3.sh 1.3 --- Module Name: pkgsrc Committed By: ryoon Date: Sat Apr 8 08:56:27 UTC 2017 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo options.mk pkgsrc/net/samba4/patches: patch-lib_param_loadparm.h patch-source3_script_tests_test__smbclient__s3.sh Log Message: Update to 4.6.2 * Use internal heimdal Changelog: Changes since 4.6.1: -------------------- o Jeremy Allison <jra@samba.org> * BUG 12721: Fix regression with "follow symlinks = no". Changes since 4.6.0: -------------------- o Jeremy Allison <jra@samba.org> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. o Ralph Boehme <slow@samba.org> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. CHANGES SINCE 4.6.0rc4 ====================== o Jeremy Allison <jra@samba.org> * BUG 12592: Fix several issues found by covscan. * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained. o Ralph Boehme <slow@samba.org> * BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream. * BUG 12526: vfs_fruit: Only veto AppleDouble files if "fruit:resource" is set to "file". * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch. o Volker Lendecke <vl@samba.org> * BUG 12612: Re-enable token groups fallback. o Stefan Metzmacher <metze@samba.org> * BUG 9048: Samba4 ldap error codes. * BUG 12557: gensec:spnego: Add debug message for the failed principal. * BUG 12605: s3:winbindd: Fix endless forest trust scan. * BUG 12612: winbindd: Find the domain based on the sid within wb_lookupusergroups_send(). 
o Andreas Schneider <asn@samba.org> * BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly. * BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash manpage. * BUG 12592: Fix several issues found by covscan. o Martin Schwenke <martin@meltin.net> * BUG 12592: ctdb-logging: CID 1396883 Dereference null return value (NULL_RETURNS). CHANGES SINCE 4.6.0rc3 ====================== o Jeremy Allison <jra@samba.org> * BUG 12545: s3: rpc_server/mdssvc: Add attribute "kMDItemContentType". * BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution. o Ralph Boehme <slow@samba.org> * BUG 12490: vfs_fruit: Correct Netatalk metadata xattr on FreeBSD. * BUG 12536: s3/smbd: Check for invalid access_mask smbd_calculate_access_mask(). * BUG 12591: vfs_streams_xattr: use fsp, not base_fsp. o Amitay Isaacs <amitay@gmail.com> * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler(). * BUG 12595: build: Fix generation of CTDB manpages while creating tarball. o Bryan Mason <bmason@redhat.com> * BUG 12575: Modify smbspool_krb5_wrapper to just fall through to smbspool if AUTH_INFO_REQUIRED is not set or is not "negotiate". o Stefan Metzmacher <metze@samba.org> * BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over NCACN_NP against trusted domains. * BUG 12262: 'net ads testjoin' and smb access fails after winbindd changed the trust password. * BUG 12585: librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping. * BUG 12586: netlogon_creds_cli_LogonSamLogon doesn't work without netr_LogonSamLogonEx. * BUG 12587: winbindd child segfaults on connect to an NT4 domain. * BUG 12588: s3:winbindd: Make sure cm_prepare_connection() only returns OK with a valid tree connect. * BUG 12598: winbindd (as member) requires kerberos against trusted ad domain, while it shouldn't. * BUG 12601: Backport pytalloc_GenericObject_reference() related changes to 4.6. 
o Garming Sam <garming@catalyst.net.nz> * BUG 12600: dbchecker: Stop ignoring linked cases where both objects are alive. o Andreas Schneider <asn@samba.org> * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir(). o Martin Schwenke <martin@meltin.net> * BUG 12589: CTDB statd-callout does not cause grace period when CTDB_NFS_CALLOUT="". * BUG 12595: ctdb-build: Fix RPM build. CHANGES SINCE 4.6.0rc2 ====================== o Jeremy Allison <jra@samba.org> * BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly. * BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck(). * BUG 12531: Make vfs_shadow_copy2 cope with server changing directories. o Andrew Bartlett <abartlet@samba.org> * BUG 12543: samba-tool: Correct handling of default value for use_ntvfs and use_xattrs. * BUG 12573: Samba < 4.7 does not know about compatibleFeatures and requiredFeatures. * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a rename. o Ralph Boehme <slow@samba.org> * BUG 12184: s3/rpc_server: Shared rpc modules loading. * BUG 12520: Ensure global "smb encrypt = off" is effective. * BUG 12524: s3/rpc_server: Move rpc_modules.c to its own subsystem. * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses readdirattr. o Volker Lendecke <vl@samba.org> * BUG 12551: smbd: Fix "map acl inherit" = yes. o Stefan Metzmacher <metze@samba.org> * BUG 12398: Replication with DRSUAPI_DRS_CRITICAL_ONLY and DRSUAPI_DRS_GET_ANC results in WERR_DS_DRA_MISSING_PARENT S * BUG 12540: s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot. o John Mulligan <jmulligan@nasuni.com> * BUG 12542: docs: Improve description of "unix_primary_group" parameter in idmap_ad manpage. o Andreas Schneider <asn@samba.org> * BUG 12552: waf: Do not install the unit test binary for krb5samba. 
o Amitay Isaacs <amitay@gmail.com> * BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel. * BUG 12549: ctdb-common: ioctl(.. FIONREAD ..) returns an int value. o Garming Sam <garming@catalyst.net.nz> * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a rename. o Uri Simchoni <uri@samba.org> * BUG 12529: waf: Backport finding of pkg-config. CHANGES SINCE 4.6.0rc1 ====================== o Amitay Isaacs <amitay@gmail.com> * BUG 12469: CTDB lock helper getting stuck trying to lock a record. * BUG 12500: ctdb-common: Fix a bug in packet reading code for generic socket I/O. * BUG 12510: sock_daemon_test 4 crashes with SEGV. * BUG 12513: ctdb-daemon: Remove stale eventd socket. o Björn Jacke <bj@sernet.de> * BUG 12535: vfs_default: Unlock the right file in copy chunk. o Volker Lendecke <vl@samba.org> * BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets. * BUG 12538: Backport winbind fixes. o Stefan Metzmacher <metze@samba.org> * BUG 12501: s3:winbindd: talloc_steal the extra_data in winbindd_list_users_recv(). o Martin Schwenke <martin@meltin.net> * BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to send. * BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp". * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple 'default' entries. --- Module Name: pkgsrc Committed By: jnemeth Date: Mon Apr 10 15:27:22 UTC 2017 Modified Files: pkgsrc/net/samba4: Makefile Log Message: Add pkg-config to USE_TOOLS, which is needed to find gnutls. Problem found in a bulk build. Not bumping PKGREVISION since it shouldn't change the binary package when it is built. --- Module Name: pkgsrc Committed By: he Date: Wed May 24 15:51:32 UTC 2017 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: Update samba4 to version 4.6.4. Pkgsrc changes: * Adapt PLIST, new .so installed.
Upstream changes: Changes since 4.6.3: --------------------- o Volker Lendecke <vl@samba.org> * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable share. Changes since 4.6.2: -------------------- o Michael Adam <obnox@samba.org> * BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend. o Jeremy Allison <jra@samba.org> * BUG 12559: Fix for Solaris C compiler. * BUG 12628: s3: locking: Update oplock optimization for the leases era. * BUG 12693: Make the Solaris C compiler happy. * BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes. * BUG 12747: Fix buffer overflow caused by wrong use of getgroups. o Hanno Boeck <hanno@hboeck.de> * BUG 12746: lib: debug: Avoid negative array access. * BUG 12748: cleanupdb: Fix a memory read error. o Ralph Boehme <slow@samba.org> * BUG 7537: streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY. * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other backends. * BUG 12565: vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY. * BUG 12615: manpages/vfs_fruit: Document global options. * BUG 12624: lib/pthreadpool: Fix a memory leak. * BUG 12727: Lookup-domain for well-known SIDs on a DC. * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids(). * BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation. o Alexander Bokovoy <ab@samba.org> * BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case. * BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4. o Amitay Isaacs <amitay@gmail.com> * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to complete. * BUG 12723: ctdb_event monitor command crashes if event is not specified. * BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'. o Volker Lendecke <vl@samba.org> * BUG 12558: smbd: Fix smb1 findfirst with DFS. 
* BUG 12610: smbd: Do an early exit on negprot failure. * BUG 12699: winbindd: Fix substitution for 'template homedir'. o Stefan Metzmacher <metze@samba.org> * BUG 12554: s4:kdc: Disable principal based autodetected referral detection. * BUG 12613: idmap_autorid: Allocate new domain range if the callers knows the sid is valid. * BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path. * BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain. * BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again. o Christof Schmitt <cs@samba.org> * BUG 12725: winbindd: Fix password policy for pam authentication. o Andreas Schneider <asn@samba.org> * BUG 12554: s3:gse: Correctly handle external trusts with MIT. * BUG 12611: auth/credentials: Always set the realm if we set the principal from the ccache. * BUG 12686: replace: Include sysmacros.h. * BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file. * BUG 12704: s3:libsmb: Only print error message if kerberos use is forced. * BUG 12708: winbindd: Child process crashes when kerberos-authenticating a user with wrong password. o Uri Simchoni <uri@samba.org> * BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to CNID semantics. * BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented.
Update samba4 to version 4.6.4. Pkgsrc changes: * Adapt PLIST, new .so installed. Upstream changes: Changes since 4.6.3: --------------------- o Volker Lendecke <vl@samba.org> * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable share. Changes since 4.6.2: -------------------- o Michael Adam <obnox@samba.org> * BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend. o Jeremy Allison <jra@samba.org> * BUG 12559: Fix for Solaris C compiler. * BUG 12628: s3: locking: Update oplock optimization for the leases era. * BUG 12693: Make the Solaris C compiler happy. * BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes. * BUG 12747: Fix buffer overflow caused by wrong use of getgroups. o Hanno Boeck <hanno@hboeck.de> * BUG 12746: lib: debug: Avoid negative array access. * BUG 12748: cleanupdb: Fix a memory read error. o Ralph Boehme <slow@samba.org> * BUG 7537: streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY. * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other backends. * BUG 12565: vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY. * BUG 12615: manpages/vfs_fruit: Document global options. * BUG 12624: lib/pthreadpool: Fix a memory leak. * BUG 12727: Lookup-domain for well-known SIDs on a DC. * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids(). * BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation. o Alexander Bokovoy <ab@samba.org> * BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case. * BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4. o Amitay Isaacs <amitay@gmail.com> * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to complete. * BUG 12723: ctdb_event monitor command crashes if event is not specified. * BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'. 
o Volker Lendecke <vl@samba.org> * BUG 12558: smbd: Fix smb1 findfirst with DFS. * BUG 12610: smbd: Do an early exit on negprot failure. * BUG 12699: winbindd: Fix substitution for 'template homedir'. o Stefan Metzmacher <metze@samba.org> * BUG 12554: s4:kdc: Disable principal based autodetected referral detection. * BUG 12613: idmap_autorid: Allocate new domain range if the callers knows the sid is valid. * BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path. * BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain. * BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again. o Christof Schmitt <cs@samba.org> * BUG 12725: winbindd: Fix password policy for pam authentication. o Andreas Schneider <asn@samba.org> * BUG 12554: s3:gse: Correctly handle external trusts with MIT. * BUG 12611: auth/credentials: Always set the realm if we set the principal from the ccache. * BUG 12686: replace: Include sysmacros.h. * BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file. * BUG 12704: s3:libsmb: Only print error message if kerberos use is forced. * BUG 12708: winbindd: Child process crashes when kerberos-authenticating a user with wrong password. o Uri Simchoni <uri@samba.org> * BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to CNID semantics. * BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented.
Update to 4.6.2 * Use internal heimdal Changelog: Changes since 4.6.1: -------------------- o Jeremy Allison <jra@samba.org> * BUG 12721: Fix regression with "follow symlinks = no". Changes since 4.6.0: -------------------- o Jeremy Allison <jra@samba.org> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. o Ralph Boehme <slow@samba.org> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. CHANGES SINCE 4.6.0rc4 ====================== o Jeremy Allison <jra@samba.org> * BUG 12592: Fix several issues found by covscan. * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained. o Ralph Boehme <slow@samba.org> * BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream. * BUG 12526: vfs_fruit: Only veto AppleDouble files if "fruit:resource" is set to "file". * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch. o Volker Lendecke <vl@samba.org> * BUG 12612: Re-enable token groups fallback. o Stefan Metzmacher <metze@samba.org> * BUG 9048: Samba4 ldap error codes. * BUG 12557: gensec:spnego: Add debug message for the failed principal. * BUG 12605: s3:winbindd: Fix endless forest trust scan. * BUG 12612: winbindd: Find the domain based on the sid within wb_lookupusergroups_send(). o Andreas Schneider <asn@samba.org> * BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly. * BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash manpage. * BUG 12592: Fix several issues found by covscan. o Martin Schwenke <martin@meltin.net> * BUG 12592: ctdb-logging: CID 1396883 Dereference null return value (NULL_RETURNS). CHANGES SINCE 4.6.0rc3 ====================== o Jeremy Allison <jra@samba.org> * BUG 12545: s3: rpc_server/mdssvc: Add attribute "kMDItemContentType". * BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution. 
o Ralph Boehme <slow@samba.org> * BUG 12490: vfs_fruit: Correct Netatalk metadata xattr on FreeBSD. * BUG 12536: s3/smbd: Check for invalid access_mask smbd_calculate_access_mask(). * BUG 12591: vfs_streams_xattr: use fsp, not base_fsp. o Amitay Isaacs <amitay@gmail.com> * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler(). * BUG 12595: build: Fix generation of CTDB manpages while creating tarball. o Bryan Mason <bmason@redhat.com> * BUG 12575: Modify smbspool_krb5_wrapper to just fall through to smbspool if AUTH_INFO_REQUIRED is not set or is not "negotiate". o Stefan Metzmacher <metze@samba.org> * BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over NCACN_NP against trusted domains. * BUG 12262: 'net ads testjoin' and smb access fails after winbindd changed the trust password. * BUG 12585: librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping. * BUG 12586: netlogon_creds_cli_LogonSamLogon doesn't work without netr_LogonSamLogonEx. * BUG 12587: winbindd child segfaults on connect to an NT4 domain. * BUG 12588: s3:winbindd: Make sure cm_prepare_connection() only returns OK with a valid tree connect. * BUG 12598: winbindd (as member) requires kerberos against trusted ad domain, while it shouldn't. * BUG 12601: Backport pytalloc_GenericObject_reference() related changes to 4.6. o Garming Sam <garming@catalyst.net.nz> * BUG 12600: dbchecker: Stop ignoring linked cases where both objects are alive. o Andreas Schneider <asn@samba.org> * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir(). o Martin Schwenke <martin@meltin.net> * BUG 12589: CTDB statd-callout does not cause grace period when CTDB_NFS_CALLOUT="". * BUG 12595: ctdb-build: Fix RPM build. CHANGES SINCE 4.6.0rc2 ====================== o Jeremy Allison <jra@samba.org> * BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly. 
* BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck(). * BUG 12531: Make vfs_shadow_copy2 cope with server changing directories. o Andrew Bartlett <abartlet@samba.org> * BUG 12543: samba-tool: Correct handling of default value for use_ntvfs and use_xattrs. * BUG 12573: Samba < 4.7 does not know about compatibleFeatures and requiredFeatures. * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a rename. o Ralph Boehme <slow@samba.org> * BUG 12184: s3/rpc_server: Shared rpc modules loading. * BUG 12520: Ensure global "smb encrypt = off" is effective. * BUG 12524: s3/rpc_server: Move rpc_modules.c to its own subsystem. * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses readdirattr. o Volker Lendecke <vl@samba.org> * BUG 12551: smbd: Fix "map acl inherit" = yes. o Stefan Metzmacher <metze@samba.org> * BUG 12398: Replication with DRSUAPI_DRS_CRITICAL_ONLY and DRSUAPI_DRS_GET_ANC results in WERR_DS_DRA_MISSING_PARENT S * BUG 12540: s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot. o John Mulligan <jmulligan@nasuni.com> * BUG 12542: docs: Improve description of "unix_primary_group" parameter in idmap_ad manpage. o Andreas Schneider <asn@samba.org> * BUG 12552: waf: Do not install the unit test binary for krb5samba. o Amitay Isaacs <amitay@gmail.com> * BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel. * BUG 12549: ctdb-common: ioctl(.. FIONREAD ..) returns an int value. o Garming Sam <garming@catalyst.net.nz> * BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a rename. o Uri Simchoni <uri@samba.org> * BUG 12529: waf: Backport finding of pkg-config. CHANGES SINCE 4.6.0rc1 ====================== o Amitay Isaacs <amitay@gmail.com> * BUG 12469: CTDB lock helper getting stuck trying to lock a record. * BUG 12500: ctdb-common: Fix a bug in packet reading code for generic socket I/O. 
* BUG 12510: sock_daemon_test 4 crashes with SEGV. * BUG 12513: ctdb-daemon: Remove stale eventd socket. o Björn Jacke <bj@sernet.de> * BUG 12535: vfs_default: Unlock the right file in copy chunk. o Volker Lendecke <vl@samba.org> * BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets. * BUG 12538: Backport winbind fixes. o Stefan Metzmacher <metze@samba.org> * BUG 12501: s3:winbindd: talloc_steal the extra_data in winbindd_list_users_recv(). o Martin Schwenke <martin@meltin.net> * BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to send. * BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp". * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple 'default' entries.
Pullup ticket #5060 - requested by taca net/samba4: security update Revisions pulled up: - net/samba4/Makefile 1.19-1.22 - net/samba4/PLIST 1.8-1.9 - net/samba4/distinfo 1.11 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Jul 7 16:44:14 UTC 2016 Modified Files: pkgsrc/net/samba4: Makefile PLIST distinfo Log Message: Update samba4 to 4.3.11 (Samba 4.3.11), including security fix for CVE-2016-2119. Changes from 4.3.9 to 4.3.10 are too many to write here, please refer to the WHATSNEW.txt file. ============================== Release Notes for Samba 4.3.11 July 07, 2016 ============================== This is a security release in order to address the following defect: o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded) ======= Details ======= o CVE-2016-2119: It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can impersonate a server being connected to by Samba, and return malicious results. The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking to domain controllers as a member server, and trusted domains as a domain controller. These DCE/RPC connections were intended to be protected by the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11"). Additionally, management tools like net, samba-tool and rpcclient use DCERPC over SMB2/3 connections. By default, other tools in Samba are unprotected, but rarely they are configured to use smb signing, via the "client signing" parameter (the default is "if_required"). Even more rarely the "client max protocol" is set to SMB2, rather than the NT1 default.
If both these conditions are met, then this issue would also apply to these other tools, including command line tools like smbcacls, smbcquota, smbclient, smbget and applications using libsmbclient. Changes since 4.3.10: -------------------- o Stefan Metzmacher <metze@samba.org> * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade. * BUG 11948: Total dcerpc response payload more than 0x400000. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/samba4/Makefile cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/samba4/PLIST cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/samba4/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Sat Jul 9 06:39:18 UTC 2016 Modified Files:
pkgsrc/devel/p5-Log-Any-Adapter-Log4perl: Makefile pkgsrc/devel/p5-Log-Log4perl: Makefile pkgsrc/devel/p5-Test-Log4perl: Makefile pkgsrc/devel/pangomm: Makefile pkgsrc/devel/papaya: Makefile pkgsrc/devel/patchutils: Makefile pkgsrc/devel/prcs: Makefile pkgsrc/devel/pstreams: Makefile pkgsrc/devel/quilt: Makefile pkgsrc/devel/refinecvs: Makefile pkgsrc/devel/rpc2: Makefile pkgsrc/devel/rt-mysql: Makefile pkgsrc/devel/rt4: Makefile pkgsrc/devel/sdcc: Makefile pkgsrc/devel/sdcc3: Makefile pkgsrc/devel/sparse: Makefile pkgsrc/devel/startbug1: Makefile pkgsrc/devel/stfl: Makefile pkgsrc/devel/stgit: Makefile pkgsrc/devel/subversion: Makefile pkgsrc/devel/sunifdef: Makefile pkgsrc/devel/svk: Makefile pkgsrc/devel/tet3: Makefile pkgsrc/devel/tmake: Makefile pkgsrc/devel/valgrind: Makefile pkgsrc/devel/xfce4-conf: Makefile pkgsrc/devel/xulrunner10: Makefile pkgsrc/devel/xulrunner17: Makefile pkgsrc/devel/xulrunner192: Makefile pkgsrc/editors/TeXmacs: Makefile pkgsrc/editors/conglomerate: Makefile pkgsrc/editors/emacs20: Makefile pkgsrc/editors/emacs21: Makefile pkgsrc/editors/emacs22: Makefile pkgsrc/editors/gedit: Makefile pkgsrc/editors/gedit-python: Makefile pkgsrc/editors/gedit3: Makefile pkgsrc/editors/kile: Makefile pkgsrc/editors/kile-kde3: Makefile pkgsrc/editors/lyx: Makefile pkgsrc/editors/nvi-m17n: Makefile pkgsrc/editors/vigor: Makefile pkgsrc/editors/xemacs-packages: Makefile pkgsrc/emulators/darwin_lib: Makefile pkgsrc/emulators/freebsd_lib: Makefile pkgsrc/emulators/fuse-emulator: Makefile pkgsrc/emulators/hercules: Makefile pkgsrc/emulators/kegs: Makefile pkgsrc/emulators/libspectrum: Makefile pkgsrc/emulators/osf1_lib: Makefile pkgsrc/emulators/palmosemulator: Makefile pkgsrc/emulators/qemu: Makefile pkgsrc/emulators/qemu0: Makefile pkgsrc/emulators/raine: Makefile pkgsrc/emulators/shoebill: Makefile pkgsrc/emulators/snes9x-gtk: Makefile pkgsrc/emulators/suse100_base: Makefile pkgsrc/emulators/suse121_base: Makefile pkgsrc/emulators/suse131_base: Makefile 
pkgsrc/emulators/tme: Makefile pkgsrc/emulators/z26: Makefile pkgsrc/filesystems/fuse-svnfs: Makefile pkgsrc/finance/gkrellm-stock: Makefile pkgsrc/finance/gnucash: Makefile pkgsrc/finance/kmymoney2: Makefile pkgsrc/fonts/fntsample: Makefile pkgsrc/fonts/ja-shinonome: Makefile pkgsrc/fonts/monafonts: Makefile pkgsrc/fonts/terminus-font: Makefile pkgsrc/fonts/tex-accfonts: Makefile pkgsrc/fonts/tex-dosepsbin: Makefile pkgsrc/fonts/tex-fontools: Makefile pkgsrc/fonts/tex-mf2pt1: Makefile pkgsrc/fonts/ttf2pt1: Makefile pkgsrc/fonts/type1inst: Makefile pkgsrc/fonts/unifont: Makefile pkgsrc/games/asc: Makefile pkgsrc/games/asciiquarium: Makefile pkgsrc/games/bzflag: Makefile pkgsrc/games/crossfire-client: Makefile pkgsrc/games/crossfire-server: Makefile pkgsrc/games/eboard: Makefile pkgsrc/games/frozen-bubble: Makefile pkgsrc/games/minami: Makefile pkgsrc/games/netmaj: Makefile pkgsrc/games/wesnoth: Makefile pkgsrc/games/xboard: Makefile pkgsrc/games/xracer: Makefile pkgsrc/games/xscorch: Makefile pkgsrc/games/zoom: Makefile pkgsrc/geography/gpsdrive: Makefile pkgsrc/geography/proj-swig: Makefile pkgsrc/geography/qgis: Makefile pkgsrc/graphics/GraphicsMagick: Makefile pkgsrc/graphics/ImageMagick: Makefile pkgsrc/graphics/ImageMagick6: Makefile pkgsrc/graphics/OpenRM: Makefile pkgsrc/graphics/asymptote: Makefile pkgsrc/graphics/cairomm: Makefile pkgsrc/graphics/cdlabelgen: Makefile pkgsrc/graphics/cheese: Makefile pkgsrc/graphics/circos: Makefile pkgsrc/graphics/claraocr: Makefile pkgsrc/graphics/compface: Makefile pkgsrc/graphics/digikam: Makefile pkgsrc/graphics/digikam-doc-kde3: Makefile pkgsrc/graphics/digikam-kde3: Makefile pkgsrc/graphics/enblend-enfuse: Makefile pkgsrc/graphics/fly: Makefile pkgsrc/graphics/g2: Makefile pkgsrc/graphics/gd: Makefile pkgsrc/graphics/get_ds7: Makefile pkgsrc/graphics/gimp: Makefile pkgsrc/graphics/gimp-docs-en: Makefile pkgsrc/graphics/gimp-ufraw: Makefile pkgsrc/graphics/gnome-icon-theme: Makefile pkgsrc/graphics/goocanvasmm: 
Makefile pkgsrc/graphics/graphviz: Makefile pkgsrc/graphics/gri: Makefile pkgsrc/graphics/gtkam: Makefile pkgsrc/graphics/gtkglext: Makefile pkgsrc/graphics/gwenview-kde3: Makefile pkgsrc/graphics/icon-naming-utils: Makefile pkgsrc/graphics/inkscape: Makefile pkgsrc/graphics/kbarcode: Makefile pkgsrc/graphics/kipi-plugins-calendar-kde3: Makefile pkgsrc/graphics/kipi-plugins-kde3: Makefile pkgsrc/graphics/koverartist: Makefile pkgsrc/graphics/magicpoint: Makefile pkgsrc/graphics/netpbm: Makefile pkgsrc/graphics/pfstools: Makefile pkgsrc/graphics/ps2eps: Makefile pkgsrc/graphics/ristretto: Makefile pkgsrc/graphics/showimg: Makefile pkgsrc/graphics/tex-a2ping: Makefile pkgsrc/graphics/tex-epstopdf: Makefile pkgsrc/graphics/tex-pdfcrop: Makefile pkgsrc/graphics/ucview: Makefile pkgsrc/graphics/unicap: Makefile pkgsrc/graphics/xplot: Makefile pkgsrc/graphics/xplot-devel: Makefile pkgsrc/graphics/zphoto: Makefile pkgsrc/ham/fldigi: Makefile pkgsrc/ham/gnuradio-core: Makefile pkgsrc/ham/hamlib: Makefile pkgsrc/ham/linpsk: Makefile pkgsrc/ham/osmo-sdr: Makefile pkgsrc/ham/trustedQSL: Makefile pkgsrc/inputmethod/scim: Makefile pkgsrc/inputmethod/xcin: Makefile pkgsrc/lang/asn1c: Makefile pkgsrc/lang/cim: Makefile pkgsrc/lang/clang-static-analyzer: Makefile pkgsrc/lang/erlang: Makefile pkgsrc/lang/fort77: Makefile pkgsrc/lang/g95: Makefile pkgsrc/lang/gcc-aux: Makefile pkgsrc/lang/gcc44: Makefile pkgsrc/lang/gcc45: Makefile pkgsrc/lang/gcc46: Makefile pkgsrc/lang/gcc47: Makefile pkgsrc/lang/gcc48: Makefile pkgsrc/lang/gcc49: Makefile pkgsrc/lang/gcc5: Makefile pkgsrc/lang/gforth: Makefile pkgsrc/lang/ghc: Makefile pkgsrc/lang/ghc-bootstrap: Makefile pkgsrc/lang/ghc7: Makefile pkgsrc/lang/go: Makefile pkgsrc/lang/go14: Makefile pkgsrc/lang/guile: Makefile pkgsrc/lang/gwydion-dylan: Makefile pkgsrc/lang/libLLVM: Makefile pkgsrc/lang/llvm: Makefile pkgsrc/lang/mercury: Makefile pkgsrc/lang/mono: Makefile pkgsrc/lang/mono2: Makefile pkgsrc/lang/moscow_ml: Makefile 
pkgsrc/lang/nqp: Makefile pkgsrc/lang/oo2c: Makefile pkgsrc/lang/ossp-js: Makefile pkgsrc/lang/parrot: Makefile pkgsrc/lang/pfe: Makefile pkgsrc/lang/rakudo-star: Makefile pkgsrc/lang/sather: Makefile pkgsrc/lang/see: Makefile pkgsrc/lang/spidermonkey17: Makefile pkgsrc/mail/YoSucker: Makefile pkgsrc/mail/amavis-perl: Makefile pkgsrc/mail/amavisd-new: Makefile pkgsrc/mail/anomy-sanitizer: Makefile pkgsrc/mail/avenger: Makefile pkgsrc/mail/balsa: Makefile pkgsrc/mail/bogofilter: Makefile pkgsrc/mail/claws-mail: Makefile pkgsrc/mail/claws-mail-vcalendar: Makefile pkgsrc/mail/clawsker: Makefile pkgsrc/mail/cone: Makefile pkgsrc/mail/courier-analog: Makefile pkgsrc/mail/courier-imap: Makefile pkgsrc/mail/courier-maildir: Makefile pkgsrc/mail/cyrus-imapd: Makefile pkgsrc/mail/cyrus-imapd23: Makefile pkgsrc/mail/cyrus-imapd24: Makefile pkgsrc/mail/dcc: Makefile pkgsrc/mail/demime: Makefile pkgsrc/mail/distribute: Makefile pkgsrc/mail/dspam: Makefile pkgsrc/mail/elmo: Makefile pkgsrc/mail/etpan: Makefile pkgsrc/mail/exim: Makefile pkgsrc/mail/exim3: Makefile pkgsrc/mail/faces: Makefile pkgsrc/mail/fetchyahoo: Makefile pkgsrc/mail/fix-mime-charset: Makefile pkgsrc/mail/fml: Makefile pkgsrc/mail/fromto: Makefile pkgsrc/mail/grepmail: Makefile pkgsrc/mail/imapsync: Makefile pkgsrc/mail/kbiff: Makefile pkgsrc/mail/mailagent: Makefile pkgsrc/mail/maildrop: Makefile pkgsrc/mail/mailgraph: Makefile pkgsrc/mail/mailhops: Makefile pkgsrc/mail/mailserv: Makefile pkgsrc/mail/mailsort: Makefile pkgsrc/mail/majordomo: Makefile pkgsrc/mail/mb2md: Makefile pkgsrc/mail/mdfrm: Makefile pkgsrc/mail/mhonarc: Makefile pkgsrc/mail/mime-construct: Makefile pkgsrc/mail/minimalist: Makefile pkgsrc/mail/mutt: Makefile pkgsrc/mail/opendkim: Makefile pkgsrc/mail/opendmarc: Makefile pkgsrc/mail/policyd-weight: Makefile pkgsrc/mail/poppy: Makefile pkgsrc/mail/postfix: Makefile pkgsrc/mail/postgrey: Makefile pkgsrc/mail/prayer: Makefile pkgsrc/mail/qgreylist: Makefile pkgsrc/mail/qmHandle: Makefile 
pkgsrc/mail/qmail-lint: Makefile pkgsrc/mail/qmqtool: Makefile pkgsrc/mail/rspamd: Makefile pkgsrc/mail/sendmail-qtool: Makefile pkgsrc/mail/sendymail: Makefile pkgsrc/mail/spamassassin: Makefile pkgsrc/mail/squirrelmail: Makefile pkgsrc/mail/sqwebmail: Makefile pkgsrc/mail/teapop: Makefile pkgsrc/mail/thunderbird-enigmail: Makefile pkgsrc/mail/turba: Makefile pkgsrc/math/R: Makefile pkgsrc/math/R-gdata: Makefile pkgsrc/math/R-genetics: Makefile pkgsrc/math/antixls: Makefile pkgsrc/math/ess: Makefile pkgsrc/math/fftw: Makefile pkgsrc/math/fftwf: Makefile pkgsrc/math/genius: Makefile pkgsrc/math/maxima: Makefile pkgsrc/math/ntl: Makefile pkgsrc/math/ocaml-zarith: Makefile pkgsrc/math/octave: Makefile pkgsrc/math/pari: Makefile pkgsrc/math/pari23: Makefile pkgsrc/math/ppl: Makefile pkgsrc/math/pspp: Makefile pkgsrc/math/qalculate-kde: Makefile pkgsrc/math/superlu: Makefile pkgsrc/math/udunits: Makefile pkgsrc/math/xmgr: Makefile pkgsrc/math/yacas: Makefile pkgsrc/mbone/beacon: Makefile pkgsrc/meta-pkgs/bulk-medium: Makefile pkgsrc/meta-pkgs/bulk-small: Makefile pkgsrc/meta-pkgs/kde3: Makefile pkgsrc/meta-pkgs/kde4: Makefile pkgsrc/meta-pkgs/netbsd-www: Makefile pkgsrc/meta-pkgs/texlive-collection-bibtexextra: Makefile pkgsrc/meta-pkgs/texlive-collection-latexextra: Makefile pkgsrc/meta-pkgs/texlive-collection-pstricks: Makefile pkgsrc/meta-pkgs/xfce4: Makefile pkgsrc/misc/bbweather: Makefile pkgsrc/misc/byobu: Makefile pkgsrc/misc/colorize: Makefile pkgsrc/misc/cowsay: Makefile pkgsrc/misc/dpkg: Makefile pkgsrc/misc/gkrellm-weather: Makefile pkgsrc/misc/gnome-utils: Makefile pkgsrc/misc/gwaei: Makefile pkgsrc/misc/ipbt: Makefile pkgsrc/misc/kanjipad: Makefile pkgsrc/misc/kdepim3: Makefile pkgsrc/misc/kdepim4: Makefile pkgsrc/misc/koffice: Makefile pkgsrc/misc/libcdio: Makefile pkgsrc/misc/libcdio-paranoia: Makefile pkgsrc/misc/libreoffice: Makefile pkgsrc/misc/libreoffice4: Makefile pkgsrc/misc/libreoffice43: Makefile pkgsrc/misc/loco: Makefile pkgsrc/misc/mirmon: 
Makefile pkgsrc/misc/nxtvepg: Makefile pkgsrc/misc/openoffice3: Makefile pkgsrc/misc/p5-Locale-libintl: Makefile pkgsrc/misc/pdmenu: Makefile pkgsrc/misc/reed: Makefile pkgsrc/misc/rlwrap: Makefile pkgsrc/misc/rpm: Makefile pkgsrc/misc/stellarium: Makefile pkgsrc/misc/taskjuggler: Makefile pkgsrc/misc/tds: Makefile pkgsrc/misc/tellico-kde3: Makefile pkgsrc/misc/teseq: Makefile pkgsrc/misc/topless: Makefile pkgsrc/misc/vfu: Makefile pkgsrc/misc/vym: Makefile pkgsrc/misc/whohas: Makefile pkgsrc/multimedia/acidrip: Makefile pkgsrc/multimedia/dirac: Makefile pkgsrc/multimedia/dvb-apps: Makefile pkgsrc/multimedia/dvdrip: Makefile pkgsrc/multimedia/ffmpeg2: Makefile pkgsrc/multimedia/ffmpeg3: Makefile pkgsrc/multimedia/gmediaserver: Makefile pkgsrc/multimedia/gnome-media: Makefile pkgsrc/multimedia/gst-plugins0.10-base: Makefile pkgsrc/multimedia/gst-plugins0.10-ffmpeg: Makefile pkgsrc/multimedia/gst-plugins1-base: Makefile pkgsrc/multimedia/gst-plugins1-libav: Makefile pkgsrc/multimedia/gst-plugins1-omx: Makefile pkgsrc/multimedia/gstreamer0.10: Makefile pkgsrc/multimedia/gstreamer1: Makefile pkgsrc/multimedia/gxine: Makefile pkgsrc/multimedia/handbrake: Makefile pkgsrc/multimedia/kdenlive: Makefile pkgsrc/multimedia/kmplayer: Makefile pkgsrc/multimedia/kmplayer-kde3: Makefile pkgsrc/multimedia/libvpx: Makefile pkgsrc/multimedia/ming: Makefile pkgsrc/multimedia/mpv: Makefile pkgsrc/multimedia/vlc: Makefile pkgsrc/multimedia/vlc20: Makefile pkgsrc/multimedia/x264-devel: Makefile pkgsrc/multimedia/xawtv: Makefile pkgsrc/multimedia/xine-lib: Makefile pkgsrc/net/amule: Makefile pkgsrc/net/argus: Makefile pkgsrc/net/arp-scan: Makefile pkgsrc/net/bind910: Makefile pkgsrc/net/bind99: Makefile pkgsrc/net/choqok: Makefile pkgsrc/net/clive: Makefile pkgsrc/net/coda: Makefile pkgsrc/net/dctc: Makefile pkgsrc/net/ddclient: Makefile pkgsrc/net/dhcpd-pools: Makefile pkgsrc/net/dlint: Makefile pkgsrc/net/dnscheck: Makefile pkgsrc/net/dnstracer: Makefile pkgsrc/net/exabgp: Makefile 
pkgsrc/net/fpdns: Makefile pkgsrc/net/freeradius: Makefile pkgsrc/net/get-flash-videos: Makefile pkgsrc/net/gift: Makefile pkgsrc/net/gnapfetch: Makefile pkgsrc/net/ipcalc: Makefile pkgsrc/net/irrd: Makefile pkgsrc/net/kftpgrabber: Makefile pkgsrc/net/kismet: Makefile pkgsrc/net/kmldonkey-kde3: Makefile pkgsrc/net/ktorrent: Makefile pkgsrc/net/ktorrent-kde3: Makefile pkgsrc/net/ldns: Makefile pkgsrc/net/lftp: Makefile pkgsrc/net/libktorrent: Makefile pkgsrc/net/libquic: Makefile pkgsrc/net/librsync: Makefile pkgsrc/net/logjam: Makefile pkgsrc/net/md-whois: Makefile pkgsrc/net/mirror: Makefile pkgsrc/net/mldonkey: Makefile pkgsrc/net/monsoon: Makefile pkgsrc/net/mrtg: Makefile pkgsrc/net/nagios-nrpe: Makefile pkgsrc/net/nagios-nsca: Makefile pkgsrc/net/nagios-plugin-snmp: Makefile pkgsrc/net/nagios-plugin-spamd: Makefile pkgsrc/net/nagios-plugins: Makefile pkgsrc/net/nasd: Makefile pkgsrc/net/net-snmp: Makefile pkgsrc/net/netatalk22: Makefile pkgsrc/net/netatalk30: Makefile pkgsrc/net/netdisco: Makefile pkgsrc/net/nocol: Makefile pkgsrc/net/ns: Makefile pkgsrc/net/ntp4: Makefile pkgsrc/net/ocsinventory-agent: Makefile pkgsrc/net/oinkmaster: Makefile pkgsrc/net/openwbem: Makefile pkgsrc/net/perlbal: Makefile pkgsrc/net/pfnet: Makefile pkgsrc/net/proftpd: Makefile pkgsrc/net/quagga: Makefile pkgsrc/net/radiusd-cistron: Makefile pkgsrc/net/rancid: Makefile pkgsrc/net/remmina: Makefile pkgsrc/net/remmina-plugins: Makefile pkgsrc/net/samba: Makefile pkgsrc/net/samba4: Makefile pkgsrc/net/sitescooper: Makefile pkgsrc/net/smokeping: Makefile pkgsrc/net/snmptt: Makefile pkgsrc/net/spread: Makefile pkgsrc/net/stripes: Makefile pkgsrc/net/tacacs: Makefile pkgsrc/net/tacacs-shrubbery: Makefile pkgsrc/net/tigervnc: Makefile pkgsrc/net/tightvnc: Makefile pkgsrc/net/torrentutils: Makefile pkgsrc/net/tsclient: Makefile pkgsrc/net/udpcast: Makefile pkgsrc/net/vcheck: Makefile pkgsrc/net/vino: Makefile pkgsrc/net/vnc: Makefile pkgsrc/net/vpnc: Makefile pkgsrc/net/walker: Makefile 
pkgsrc/net/wget: Makefile pkgsrc/net/whois3: Makefile pkgsrc/net/wireshark: Makefile pkgsrc/net/wireshark1: Makefile pkgsrc/net/wol: Makefile pkgsrc/news/cleanscore: Makefile pkgsrc/news/newsbeuter: Makefile pkgsrc/news/nntpcache: Makefile pkgsrc/news/tin: Makefile pkgsrc/news/trn: Makefile pkgsrc/parallel/gridscheduler: Makefile pkgsrc/parallel/mpi-ch: Makefile pkgsrc/parallel/openmpi: Makefile pkgsrc/parallel/parallel: Makefile pkgsrc/parallel/pdsh: Makefile pkgsrc/parallel/sge: Makefile pkgsrc/parallel/slurm: Makefile pkgsrc/pkgtools/gnome-packagekit: Makefile pkgsrc/pkgtools/lintpkgsrc: Makefile pkgsrc/pkgtools/pkg_distinst: Makefile pkgsrc/pkgtools/pkg_filecheck: Makefile pkgsrc/pkgtools/pkg_notify: Makefile pkgsrc/pkgtools/pkg_p5up2date: Makefile pkgsrc/pkgtools/pkgdep: Makefile pkgsrc/pkgtools/pkgdepgraph: Makefile pkgsrc/pkgtools/pkgdiff: Makefile pkgsrc/pkgtools/pkglint4: Makefile pkgsrc/pkgtools/pkgse: Makefile pkgsrc/pkgtools/pkgsrc-todo: Makefile pkgsrc/pkgtools/port2pkg: Makefile pkgsrc/pkgtools/revbump: Makefile pkgsrc/pkgtools/texlive2pkg: Makefile pkgsrc/pkgtools/url2pkg: Makefile pkgsrc/print/a2ps: Makefile pkgsrc/print/bibtool: Makefile pkgsrc/print/chktex: Makefile pkgsrc/print/cups: Makefile pkgsrc/print/cups-pdf: Makefile pkgsrc/print/cups15: Makefile pkgsrc/print/enscript: Makefile pkgsrc/print/foomatic-filters: Makefile pkgsrc/print/foomatic4-db-engine: Makefile pkgsrc/print/foomatic4-filters: Makefile pkgsrc/print/ghostscript-agpl: Makefile pkgsrc/print/ghostscript-gpl: Makefile pkgsrc/print/gutenprint-lib: Makefile pkgsrc/print/gv: Makefile pkgsrc/print/hplip: Makefile pkgsrc/print/html2ps: Makefile pkgsrc/print/if-psprint: Makefile pkgsrc/print/ja-a2ps: Makefile pkgsrc/print/kbibtex: Makefile pkgsrc/print/kbibtex-kde3: Makefile pkgsrc/print/latexmk: Makefile pkgsrc/print/lilypond: Makefile pkgsrc/print/luatex: Makefile pkgsrc/print/pdflib: Makefile pkgsrc/print/pdflib-lite: Makefile pkgsrc/print/psjoin: Makefile pkgsrc/print/pslib: 
Makefile pkgsrc/print/psutils: Makefile pkgsrc/print/qpdf: Makefile pkgsrc/print/scribus: Makefile pkgsrc/print/scribus-qt4: Makefile pkgsrc/print/tex-cjk-gs-integrate: Makefile pkgsrc/print/tex-glossaries: Makefile pkgsrc/print/tex-kotex-utils: Makefile pkgsrc/print/tex-oberdiek: Makefile pkgsrc/print/tex-pdftex-doc: Makefile pkgsrc/print/tex-pdftools: Makefile pkgsrc/print/tex-pkfix: Makefile pkgsrc/print/tex-tetex: Makefile pkgsrc/print/tex-texlive.infra: Makefile pkgsrc/print/tex-thumbpdf: Makefile pkgsrc/print/tex-xetex: Makefile pkgsrc/print/tex4ht: Makefile pkgsrc/print/xetex: Makefile pkgsrc/print/yup: Makefile pkgsrc/security/Bastille: Makefile pkgsrc/security/CSP: Makefile pkgsrc/security/antonym: Makefile pkgsrc/security/apg: Makefile pkgsrc/security/base: Makefile pkgsrc/security/boringssl: Makefile pkgsrc/security/caff: Makefile pkgsrc/security/ccid: Makefile pkgsrc/security/clusterssh: Makefile pkgsrc/security/courier-authlib: Makefile pkgsrc/security/dnssec-tools: Makefile pkgsrc/security/egd: Makefile pkgsrc/security/f-prot-antivirus6-ms-bin: Makefile pkgsrc/security/gnutls: Makefile pkgsrc/security/gpg2dot: Makefile pkgsrc/security/hackbot: Makefile pkgsrc/security/lasso: Makefile pkgsrc/security/libprelude: Makefile pkgsrc/security/libprelude-perl: Makefile pkgsrc/security/libpreludedb: Makefile pkgsrc/security/libpreludedb-mysql: Makefile pkgsrc/security/libpreludedb-perl: Makefile pkgsrc/security/libpreludedb-pgsql: Makefile pkgsrc/security/libpreludedb-python: Makefile pkgsrc/security/libpreludedb-sqlite3: Makefile pkgsrc/security/log2timeline: Makefile pkgsrc/security/mbedtls: Makefile pkgsrc/security/mbedtls1: Makefile pkgsrc/security/mhash: Makefile pkgsrc/security/mit-krb5: Makefile pkgsrc/security/munge: Makefile pkgsrc/security/nikto: Makefile pkgsrc/security/openpam: Makefile pkgsrc/security/openssh: Makefile pkgsrc/security/openssl: Makefile pkgsrc/security/p5-pcsc: Makefile pkgsrc/security/pcsc-tools: Makefile pkgsrc/security/pgp5: 
Makefile pkgsrc/security/pgpenvelope: Makefile pkgsrc/security/policykit: Makefile pkgsrc/security/policykit-gnome: Makefile pkgsrc/security/polkit: Makefile pkgsrc/security/py-lasso: Makefile pkgsrc/security/racoon2: Makefile pkgsrc/security/sfs: Makefile pkgsrc/security/skey: Makefile pkgsrc/security/sks: Makefile pkgsrc/security/sleuthkit: Makefile pkgsrc/security/snortsnarf: Makefile pkgsrc/security/stunnel: Makefile pkgsrc/security/tct: Makefile pkgsrc/security/validns: Makefile pkgsrc/security/zebedee: Makefile pkgsrc/security/zoneminder: Makefile pkgsrc/shells/mksh: Makefile pkgsrc/shells/perlsh: Makefile pkgsrc/shells/xsh: Makefile pkgsrc/sysutils/amanda-common: Makefile pkgsrc/sysutils/amtterm: Makefile pkgsrc/sysutils/backuppc: Makefile pkgsrc/sysutils/bacula: Makefile pkgsrc/sysutils/boxbackup-client: Makefile pkgsrc/sysutils/boxbackup-server: Makefile pkgsrc/sysutils/bup: Makefile pkgsrc/sysutils/cdbkup: Makefile pkgsrc/sysutils/cdrkit: Makefile pkgsrc/sysutils/cfengine2: Makefile pkgsrc/sysutils/collectd: Makefile pkgsrc/sysutils/consolekit: Makefile pkgsrc/sysutils/coreutils: Makefile pkgsrc/sysutils/cpogm: Makefile pkgsrc/sysutils/cvsreport: Makefile pkgsrc/sysutils/dirvish: Makefile pkgsrc/sysutils/diskscrub: Makefile pkgsrc/sysutils/dmassage: Makefile pkgsrc/sysutils/dmesg2gif: Makefile pkgsrc/sysutils/etckeeper: Makefile pkgsrc/sysutils/etcmanage: Makefile pkgsrc/sysutils/filelight-kde3: Makefile pkgsrc/sysutils/gdmap: Makefile pkgsrc/sysutils/gio-fam: Makefile pkgsrc/sysutils/gnome-commander: Makefile pkgsrc/sysutils/gnome-device-manager: Makefile pkgsrc/sysutils/gnome-mount: Makefile pkgsrc/sysutils/gnome-power-manager: Makefile pkgsrc/sysutils/gnome-system-tools: Makefile pkgsrc/sysutils/gnome-volume-manager: Makefile pkgsrc/sysutils/hal: Makefile pkgsrc/sysutils/hal-info: Makefile pkgsrc/sysutils/k3b: Makefile pkgsrc/sysutils/k3b-kde3: Makefile pkgsrc/sysutils/k4dirstat: Makefile pkgsrc/sysutils/krusader: Makefile pkgsrc/sysutils/lavaps: 
Makefile pkgsrc/sysutils/libgtop: Makefile pkgsrc/sysutils/liboobs: Makefile pkgsrc/sysutils/libvirt: Makefile pkgsrc/sysutils/lilo: Makefile pkgsrc/sysutils/lsof: Makefile pkgsrc/sysutils/lxpanel: Makefile pkgsrc/sysutils/magicrescue: Makefile pkgsrc/sysutils/mc: Makefile pkgsrc/sysutils/mc46: Makefile pkgsrc/sysutils/memconf: Makefile pkgsrc/sysutils/mgm: Makefile pkgsrc/sysutils/munin-doc: Makefile pkgsrc/sysutils/munin-node: Makefile pkgsrc/sysutils/munin-server: Makefile pkgsrc/sysutils/pflogsumm: Makefile pkgsrc/sysutils/rconfig: Makefile pkgsrc/sysutils/roller: Makefile pkgsrc/sysutils/rsnapshot: Makefile pkgsrc/sysutils/safetynet: Makefile pkgsrc/sysutils/sarah: Makefile pkgsrc/sysutils/shelldap: Makefile pkgsrc/sysutils/smbldap-tools: Makefile pkgsrc/sysutils/stow: Makefile pkgsrc/sysutils/strace: Makefile pkgsrc/sysutils/strigi: Makefile pkgsrc/sysutils/swatch: Makefile pkgsrc/sysutils/tenshi: Makefile pkgsrc/sysutils/vifm: Makefile pkgsrc/sysutils/webmin: Makefile pkgsrc/sysutils/xentools3: Makefile pkgsrc/sysutils/xentools3-hvm: Makefile pkgsrc/sysutils/xentools33: Makefile pkgsrc/sysutils/xentools41: Makefile pkgsrc/sysutils/xentools42: Makefile pkgsrc/sysutils/xentools45: Makefile pkgsrc/sysutils/xentools46: Makefile pkgsrc/sysutils/xps: Makefile pkgsrc/sysutils/znapzend: Makefile pkgsrc/textproc/Markdown: Makefile pkgsrc/textproc/aspell: Makefile pkgsrc/textproc/aspell-da: Makefile pkgsrc/textproc/aspell-fo: Makefile pkgsrc/textproc/btparse: Makefile pkgsrc/textproc/c2html: Makefile pkgsrc/textproc/cdif: Makefile pkgsrc/textproc/cmigemo: Makefile pkgsrc/textproc/crush-tools: Makefile pkgsrc/textproc/dict-mueller7: Makefile pkgsrc/textproc/diffsplit: Makefile pkgsrc/textproc/docbook-xsl: Makefile pkgsrc/textproc/dsssl-docbook-modular: Makefile pkgsrc/textproc/dtdparse: Makefile pkgsrc/textproc/eb: Makefile pkgsrc/textproc/freepwing: Makefile pkgsrc/textproc/grep: Makefile pkgsrc/textproc/groff: Makefile pkgsrc/textproc/gtk-doc: Makefile 
pkgsrc/textproc/halibut: Makefile pkgsrc/textproc/html2wml: Makefile pkgsrc/textproc/hunspell: Makefile pkgsrc/textproc/hunspell-de: Makefile pkgsrc/textproc/hyphen: Makefile pkgsrc/textproc/intltool: Makefile pkgsrc/textproc/ispell-de: Makefile pkgsrc/textproc/ja-groff: Makefile pkgsrc/textproc/kdoc: Makefile pkgsrc/textproc/latex2html: Makefile pkgsrc/textproc/libxml++: Makefile pkgsrc/textproc/libxslt: Makefile pkgsrc/textproc/mdoclint: Makefile pkgsrc/textproc/multimarkdown: Makefile pkgsrc/textproc/mythes: Makefile pkgsrc/textproc/namazu: Makefile pkgsrc/textproc/ndtpd: Makefile pkgsrc/textproc/openjade: Makefile pkgsrc/textproc/opensp: Makefile pkgsrc/textproc/p5-libxml: Makefile pkgsrc/textproc/p5-mecab: Makefile pkgsrc/textproc/p5-mobiperl: Makefile pkgsrc/textproc/po4a: Makefile pkgsrc/textproc/pod2mdoc: Makefile pkgsrc/textproc/postgresql-autodoc: Makefile pkgsrc/textproc/redland: Makefile pkgsrc/textproc/rfcutil: Makefile pkgsrc/textproc/sablotron: Makefile pkgsrc/textproc/sub2srt: Makefile pkgsrc/textproc/tex-latexdiff: Makefile pkgsrc/textproc/tex-latexdiff-doc: Makefile pkgsrc/textproc/texi2html: Makefile pkgsrc/textproc/troffcvt: Makefile pkgsrc/textproc/xapian-omega: Makefile pkgsrc/textproc/xmltoman: Makefile pkgsrc/textproc/yamcha: Makefile pkgsrc/time/hebcal: Makefile pkgsrc/time/ical2rem: Makefile pkgsrc/time/libical: Makefile pkgsrc/time/rem2ics: Makefile pkgsrc/time/remind: Makefile pkgsrc/time/rsibreak: Makefile pkgsrc/time/rsibreak-kde3: Makefile pkgsrc/time/titrax: Makefile pkgsrc/wm/afterstep: Makefile pkgsrc/wm/bbkeys: Makefile pkgsrc/wm/bbkeys09: Makefile pkgsrc/wm/compiz-fusion-plugins-extra: Makefile pkgsrc/wm/enlightenment: Makefile pkgsrc/wm/fvwm: Makefile pkgsrc/wm/fvwm-devel: Makefile pkgsrc/wm/fvwm-themes: Makefile pkgsrc/wm/i3: Makefile pkgsrc/wm/ratpoison: Makefile pkgsrc/wm/waimea: Makefile pkgsrc/wm/windowmaker: Makefile pkgsrc/wm/wmakerconf: Makefile pkgsrc/www/SpeedyCGI: Makefile pkgsrc/www/adzap: Makefile pkgsrc/www/album: 
Makefile pkgsrc/www/album_themes: Makefile pkgsrc/www/amaya: Makefile pkgsrc/www/ap2-perl: Makefile pkgsrc/www/apache22: Makefile pkgsrc/www/apache24: Makefile pkgsrc/www/awstats: Makefile pkgsrc/www/bannerfilter: Makefile pkgsrc/www/bins: Makefile pkgsrc/www/bluefish: Makefile pkgsrc/www/calamaris: Makefile pkgsrc/www/checkbot: Makefile pkgsrc/www/clearsilver: Makefile pkgsrc/www/cronolog: Makefile pkgsrc/www/curl: Makefile pkgsrc/www/cvsweb: Makefile pkgsrc/www/dansguardian: Makefile pkgsrc/www/davical: Makefile pkgsrc/www/dillo: Makefile pkgsrc/www/drraw: Makefile pkgsrc/www/firefox: Makefile pkgsrc/www/firefox24: Makefile pkgsrc/www/firefox31: Makefile pkgsrc/www/firefox38: Makefile pkgsrc/www/firefox45: Makefile pkgsrc/www/gallery: Makefile pkgsrc/www/gitweb: Makefile pkgsrc/www/h2o: Makefile pkgsrc/www/htmlfix: Makefile pkgsrc/www/htmllint: Makefile pkgsrc/www/icedtea-web: Makefile pkgsrc/www/ikiwiki: Makefile pkgsrc/www/kannel: Makefile pkgsrc/www/kdewebdev3: Makefile pkgsrc/www/libwww: Makefile pkgsrc/www/liferea: Makefile pkgsrc/www/llgal: Makefile pkgsrc/www/make_album: Makefile pkgsrc/www/mknmz-wwwoffle: Makefile pkgsrc/www/moodle: Makefile pkgsrc/www/neon: Makefile pkgsrc/www/netsurf: Makefile pkgsrc/www/nvu: Makefile pkgsrc/www/p5-HTMLObject: Makefile pkgsrc/www/p5-libwww: Makefile pkgsrc/www/php-owncloud: Makefile pkgsrc/www/privoxy: Makefile pkgsrc/www/py-moin: Makefile pkgsrc/www/screws: Makefile pkgsrc/www/snownews: Makefile pkgsrc/www/squid3: Makefile pkgsrc/www/squidGuard: Makefile pkgsrc/www/squidanalyzer: Makefile pkgsrc/www/squidclamav: Makefile pkgsrc/www/surfraw: Makefile pkgsrc/www/swish-e: Makefile pkgsrc/www/w3m: Makefile pkgsrc/www/wApua: Makefile pkgsrc/www/wdg-validate: Makefile pkgsrc/www/webkit-gtk: Makefile pkgsrc/www/webkit24-gtk: Makefile pkgsrc/www/weblint: Makefile pkgsrc/www/webnew: Makefile pkgsrc/www/whisker: Makefile pkgsrc/www/wml: Makefile pkgsrc/www/wwwoffle: Makefile pkgsrc/www/yaws: Makefile pkgsrc/x11/alacarte: 
Makefile pkgsrc/x11/eterm: Makefile pkgsrc/x11/gcolor2: Makefile pkgsrc/x11/gnome-desktop: Makefile pkgsrc/x11/gnome-panel: Makefile pkgsrc/x11/gnome-session: Makefile pkgsrc/x11/gnome-terminal: Makefile pkgsrc/x11/gtk: Makefile pkgsrc/x11/gtk-sharp: Makefile pkgsrc/x11/gtk2: Makefile pkgsrc/x11/gtk2-chtheme: Makefile pkgsrc/x11/gtk3: Makefile pkgsrc/x11/gtkada: Makefile pkgsrc/x11/gtkmm: Makefile pkgsrc/x11/gtkmm3: Makefile pkgsrc/x11/gtksourceview: Makefile pkgsrc/x11/gtksourceview2: Makefile pkgsrc/x11/gtksourceviewmm: Makefile pkgsrc/x11/kconfigwidgets: Makefile pkgsrc/x11/kdebindings-ruby: Makefile pkgsrc/x11/kdelibs3: Makefile pkgsrc/x11/p5-Wx: Makefile pkgsrc/x11/pixman: Makefile pkgsrc/x11/py-wxWidgets: Makefile pkgsrc/x11/qt5-qtbase: Makefile pkgsrc/x11/wxGTK30: Makefile pkgsrc/x11/xephem: Makefile pkgsrc/x11/xfce4-exo: Makefile pkgsrc/x11/xfce4-whiskermenu-plugin: Makefile pkgsrc/x11/xkbset: Makefile pkgsrc/x11/xplanet: Makefile pkgsrc/x11/xscreensaver: Makefile

Log Message:
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.

To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/net/samba4/Makefile

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Sat Jul 9 13:04:18 UTC 2016

Modified Files:
pkgsrc/audio/ardour: Makefile pkgsrc/audio/aubio: Makefile pkgsrc/audio/csound5: Makefile pkgsrc/audio/csound6: Makefile pkgsrc/audio/csound6-manual: Makefile pkgsrc/audio/exaile: Makefile pkgsrc/audio/eyeD3: Makefile pkgsrc/audio/moss: Makefile pkgsrc/audio/mutagen-tools: Makefile pkgsrc/audio/picard: Makefile pkgsrc/audio/py-acoustid: Makefile pkgsrc/audio/py-ao: Makefile pkgsrc/audio/py-beets: Makefile pkgsrc/audio/py-cddb: Makefile pkgsrc/audio/py-daap: Makefile pkgsrc/audio/py-discogs_client: Makefile pkgsrc/audio/py-id3: Makefile pkgsrc/audio/py-id3lib: Makefile pkgsrc/audio/py-karaoke: Makefile pkgsrc/audio/py-libmtag: Makefile pkgsrc/audio/py-mad: Makefile pkgsrc/audio/py-musicbrainz: Makefile pkgsrc/audio/py-musique: Makefile pkgsrc/audio/py-ogg: Makefile pkgsrc/audio/py-vorbis: Makefile pkgsrc/audio/quodlibet2: Makefile pkgsrc/audio/rhythmbox: Makefile pkgsrc/audio/solfege: Makefile pkgsrc/audio/sonata: Makefile pkgsrc/audio/streamtuner: options.mk pkgsrc/audio/tunapie: Makefile pkgsrc/benchmarks/glmark2: Makefile pkgsrc/biology/py-mol: Makefile pkgsrc/cad/py-MyHDL: Makefile pkgsrc/chat/empathy: Makefile pkgsrc/chat/gajim: Makefile options.mk pkgsrc/chat/libtelepathy: Makefile pkgsrc/chat/py-xmpppy: Makefile pkgsrc/chat/spectrum: Makefile pkgsrc/chat/telepathy-farsight: Makefile pkgsrc/chat/telepathy-gabble: Makefile pkgsrc/chat/telepathy-glib: Makefile pkgsrc/chat/telepathy-haze: Makefile pkgsrc/chat/telepathy-idle: Makefile pkgsrc/chat/telepathy-logger: Makefile pkgsrc/chat/telepathy-mission-control5: Makefile pkgsrc/chat/telepathy-qt: Makefile pkgsrc/chat/xchat-python: Makefile pkgsrc/comms/multisync-gui: Makefile pkgsrc/comms/py-gammu: Makefile pkgsrc/converters/py-jpCodecs: Makefile pkgsrc/converters/py-yenc: 
Makefile pkgsrc/converters/py-zbase32: Makefile pkgsrc/converters/py-zfec: Makefile pkgsrc/converters/py-zhCodecs: Makefile pkgsrc/databases/gourmet: Makefile pkgsrc/databases/gramps3: Makefile options.mk pkgsrc/databases/libpqxx: Makefile pkgsrc/databases/luma: Makefile pkgsrc/databases/mongodb: Makefile pkgsrc/databases/py-PgSQL: Makefile pkgsrc/databases/py-bdb-xml: Makefile pkgsrc/databases/py-carbon: Makefile options.mk pkgsrc/databases/py-cassa: Makefile pkgsrc/databases/py-cdb: Makefile pkgsrc/databases/py-ckanclient: Makefile pkgsrc/databases/py-couchdb: Makefile pkgsrc/databases/py-datapkg: Makefile pkgsrc/databases/py-elixir: Makefile pkgsrc/databases/py-ldap: Makefile pkgsrc/databases/py-metakit: Makefile pkgsrc/databases/py-mssql: Makefile pkgsrc/databases/py-mysqldb: Makefile pkgsrc/databases/py-python-rrdtool: Makefile pkgsrc/databases/py-sqlalchemy-migrate: Makefile pkgsrc/databases/py-sqlite: Makefile pkgsrc/databases/py-sqlite2: Makefile pkgsrc/databases/py-sqlrelay: Makefile pkgsrc/databases/py-sybase: Makefile pkgsrc/databases/py-table: Makefile pkgsrc/databases/py-tokyocabinet: Makefile pkgsrc/databases/py-whisper: Makefile pkgsrc/databases/skytools: Makefile pkgsrc/databases/tdb: Makefile pkgsrc/devel/ExmanIDE: Makefile pkgsrc/devel/GConf: Makefile pkgsrc/devel/RBTools: Makefile pkgsrc/devel/accerciser: Makefile pkgsrc/devel/boa-constructor: Makefile pkgsrc/devel/bokken: Makefile pkgsrc/devel/bpython: Makefile pkgsrc/devel/bugs-everywhere: Makefile pkgsrc/devel/bzr: Makefile pkgsrc/devel/bzr-explorer: Makefile pkgsrc/devel/bzr-gtk: Makefile pkgsrc/devel/bzr-svn: Makefile pkgsrc/devel/bzrtools: Makefile pkgsrc/devel/codeville: Makefile pkgsrc/devel/cvs2svn: Makefile pkgsrc/devel/diffuse: Makefile pkgsrc/devel/distcc-pump: Makefile pkgsrc/devel/doxygen: Makefile pkgsrc/devel/epydoc: Makefile pkgsrc/devel/eric4: Makefile pkgsrc/devel/gdb: options.mk pkgsrc/devel/gnatpython: Makefile pkgsrc/devel/googletest: Makefile pkgsrc/devel/gps: options.mk 
pkgsrc/devel/gyp: Makefile pkgsrc/devel/kdesdk3: Makefile pkgsrc/devel/ko-po-check: Makefile pkgsrc/devel/lettuce: Makefile pkgsrc/devel/libappindicator: Makefile pkgsrc/devel/libappindicator3: Makefile pkgsrc/devel/libftdi1: Makefile pkgsrc/devel/libgit2: Makefile pkgsrc/devel/libhid: Makefile pkgsrc/devel/meld: Makefile pkgsrc/devel/py-InlineEgg: Makefile pkgsrc/devel/py-Optik: Makefile pkgsrc/devel/py-astroid: Makefile pkgsrc/devel/py-at-spi: Makefile pkgsrc/devel/py-buildbot: Makefile pkgsrc/devel/py-buildbot-slave: Makefile pkgsrc/devel/py-cached-property: Makefile pkgsrc/devel/py-checker: Makefile pkgsrc/devel/py-cheetah: Makefile pkgsrc/devel/py-compizconfig: Makefile pkgsrc/devel/py-daemon: Makefile pkgsrc/devel/py-darcsver: Makefile pkgsrc/devel/py-dialog2: Makefile pkgsrc/devel/py-distorm3: Makefile pkgsrc/devel/py-doctor: Makefile pkgsrc/devel/py-enum34: Makefile pkgsrc/devel/py-expect: Makefile pkgsrc/devel/py-fastimport: Makefile pkgsrc/devel/py-futures: Makefile pkgsrc/devel/py-gflags: Makefile pkgsrc/devel/py-gobject: Makefile pkgsrc/devel/py-google-apputils: Makefile pkgsrc/devel/py-hg-fastimport: Makefile pkgsrc/devel/py-hg-git: Makefile pkgsrc/devel/py-hglib: Makefile pkgsrc/devel/py-hglist: Makefile pkgsrc/devel/py-hgnested: Makefile pkgsrc/devel/py-hgview: Makefile pkgsrc/devel/py-ipaddr: Makefile pkgsrc/devel/py-ipython010: Makefile pkgsrc/devel/py-ipython013: Makefile pkgsrc/devel/py-jersey: Makefile pkgsrc/devel/py-kjbuckets: Makefile pkgsrc/devel/py-kqueue: Makefile pkgsrc/devel/py-logilab-astng: Makefile pkgsrc/devel/py-logilab-common: Makefile pkgsrc/devel/py-memcached: Makefile pkgsrc/devel/py-mercurial: Makefile.version pkgsrc/devel/py-multiprocessing: Makefile pkgsrc/devel/py-newt: Makefile pkgsrc/devel/py-open-vcdiff: Makefile pkgsrc/devel/py-pqueue: Makefile pkgsrc/devel/py-proteus: options.mk pkgsrc/devel/py-protobuf: Makefile pkgsrc/devel/py-pylint: Makefile pkgsrc/devel/py-pytemplate: Makefile pkgsrc/devel/py-pyutil: Makefile 
pkgsrc/devel/py-quixote: Makefile pkgsrc/devel/py-rope: Makefile pkgsrc/devel/py-ruamel-ordereddict: Makefile pkgsrc/devel/py-setuptools_trial: Makefile pkgsrc/devel/py-singledispatch: Makefile pkgsrc/devel/py-stompclient: Makefile pkgsrc/devel/py-subprocess32: Makefile pkgsrc/devel/py-subvertpy: Makefile pkgsrc/devel/py-tabular: Makefile pkgsrc/devel/py-tortoisehg: Makefile pkgsrc/devel/py-tryton: options.mk pkgsrc/devel/py-trytond: Makefile.common options.mk pkgsrc/devel/py-unit: Makefile pkgsrc/devel/py-unitgui: Makefile pkgsrc/devel/py-usb: Makefile pkgsrc/devel/py-windbg: Makefile pkgsrc/devel/py-zanata-python-client: Makefile pkgsrc/devel/py-zconfig: Makefile pkgsrc/devel/qbzr: Makefile pkgsrc/devel/reposurgeon: Makefile pkgsrc/devel/roundup: Makefile pkgsrc/devel/rox-lib: Makefile pkgsrc/devel/scons: Makefile pkgsrc/devel/stgit: Makefile pkgsrc/devel/tailor: Makefile pkgsrc/devel/talloc: Makefile pkgsrc/devel/transifex-client: Makefile pkgsrc/devel/umbrello: Makefile pkgsrc/devel/xulrunner10: mozilla-common.mk pkgsrc/devel/xulrunner17: mozilla-common.mk pkgsrc/devel/xulrunner192: mozilla-common.mk pkgsrc/editors/gedit-python: Makefile pkgsrc/editors/kdissert: Makefile pkgsrc/editors/lyx: Makefile pkgsrc/editors/medit: Makefile pkgsrc/editors/nts: Makefile pkgsrc/editors/pluma: options.mk pkgsrc/editors/zim: Makefile pkgsrc/emulators/fs-uae-launcher: Makefile pkgsrc/emulators/gns3: Makefile pkgsrc/emulators/hatari: Makefile pkgsrc/emulators/mame: Makefile pkgsrc/emulators/openmsx: Makefile pkgsrc/emulators/qemu: Makefile pkgsrc/emulators/qemu0: Makefile pkgsrc/emulators/unicorn: Makefile pkgsrc/filesystems/fuse-gmailfs: Makefile pkgsrc/filesystems/fuse-pcachefs: Makefile pkgsrc/filesystems/fuse-wikipediafs: Makefile pkgsrc/filesystems/glusterfs: Makefile pkgsrc/filesystems/py-filesystem: Makefile pkgsrc/filesystems/py-fuse-bindings: Makefile pkgsrc/filesystems/tahoe-lafs: Makefile pkgsrc/finance/gnucash: Makefile pkgsrc/finance/moneyguru: Makefile 
pkgsrc/finance/py-stripe: Makefile pkgsrc/finance/py-vatnumber: Makefile pkgsrc/fonts/mftrace: Makefile pkgsrc/fonts/py-TTFQuery: Makefile pkgsrc/games/4stAttack: Makefile pkgsrc/games/blindmine: Makefile pkgsrc/games/freeciv-share: Makefile.common pkgsrc/games/gcompris: Makefile pkgsrc/games/gnome-games: Makefile pkgsrc/games/jools: Makefile pkgsrc/games/kajongg: Makefile pkgsrc/games/kye: Makefile pkgsrc/games/monsterz: Makefile pkgsrc/games/py-easyAI: Makefile pkgsrc/games/py-renpy: Makefile pkgsrc/games/pysolfc: Makefile pkgsrc/games/pytraffic: Makefile pkgsrc/games/teeworlds: Makefile pkgsrc/games/wesnoth: Makefile pkgsrc/geography/gpsd: Makefile pkgsrc/geography/proj-swig: Makefile pkgsrc/geography/py-google-maps-services-python: Makefile pkgsrc/geography/py-obspy: Makefile pkgsrc/geography/qgis: options.mk pkgsrc/graphics/MesaLib: Makefile pkgsrc/graphics/MesaLib7: Makefile pkgsrc/graphics/blender: Makefile pkgsrc/graphics/comix: Makefile pkgsrc/graphics/dia-python: Makefile pkgsrc/graphics/eog: Makefile pkgsrc/graphics/eom: options.mk pkgsrc/graphics/gimp-docs-en: Makefile.common pkgsrc/graphics/libscigraphica: Makefile pkgsrc/graphics/mypaint: Makefile pkgsrc/graphics/py-OpenGL: Makefile pkgsrc/graphics/py-aafigure: Makefile pkgsrc/graphics/py-biggles: Makefile pkgsrc/graphics/py-cairo: Makefile pkgsrc/graphics/py-chart: Makefile pkgsrc/graphics/py-dot: Makefile pkgsrc/graphics/py-gdchart: Makefile pkgsrc/graphics/py-gdmodule: Makefile pkgsrc/graphics/py-gnuplot: Makefile pkgsrc/graphics/py-goocanvas: Makefile pkgsrc/graphics/py-gtkglext: Makefile pkgsrc/graphics/py-imaging: Makefile pkgsrc/graphics/py-imagingtk: Makefile pkgsrc/graphics/py-matplotlib-gtk2: Makefile pkgsrc/graphics/py-mcomix: Makefile pkgsrc/graphics/py-piddle: Makefile pkgsrc/graphics/py-pycha: Makefile pkgsrc/graphics/py-sk1libs: Makefile pkgsrc/graphics/py-uniconvertor: Makefile pkgsrc/graphics/scigraphica: Makefile pkgsrc/graphics/skencil: Makefile pkgsrc/graphics/xdot: Makefile 
pkgsrc/ham/gnuradio-core: Makefile.common pkgsrc/inputmethod/ibus-python: Makefile pkgsrc/inputmethod/ibus-tegaki: Makefile pkgsrc/inputmethod/mozc-server: Makefile.common pkgsrc/inputmethod/py-input-pad: Makefile pkgsrc/inputmethod/py-zinnia: Makefile pkgsrc/inputmethod/scim-python: Makefile pkgsrc/inputmethod/tegaki-pygtk: Makefile pkgsrc/inputmethod/tegaki-python: Makefile pkgsrc/inputmethod/tegaki-recognize: Makefile pkgsrc/inputmethod/tegaki-tools: Makefile pkgsrc/inputmethod/tegaki-train: Makefile pkgsrc/inputmethod/tegaki-wagomu: Makefile pkgsrc/lang/clang-static-analyzer: Makefile pkgsrc/lang/nodejs: Makefile.common pkgsrc/lang/py-basicproperty: Makefile pkgsrc/lang/py-pyrex: Makefile pkgsrc/lang/py-pythonz: Makefile pkgsrc/lang/python: pyversion.mk pkgsrc/mail/archivemail: Makefile pkgsrc/mail/fetchmailconf: Makefile pkgsrc/mail/getmail: Makefile pkgsrc/mail/mailman: Makefile pkgsrc/mail/offlineimap: Makefile pkgsrc/mail/py-libgmail: Makefile pkgsrc/mail/thunderbird-enigmail: Makefile.common pkgsrc/mail/tmda: Makefile pkgsrc/math/gnumeric: Makefile pkgsrc/math/gnumeric110: Makefile pkgsrc/math/gnumeric112: Makefile pkgsrc/math/py-Numeric: Makefile pkgsrc/math/py-Scientific: Makefile pkgsrc/math/py-cdecimal: Makefile pkgsrc/math/py-ephem: Makefile pkgsrc/math/py-fftw: Makefile pkgsrc/math/py-fpconst: Makefile pkgsrc/math/py-networkx: Makefile pkgsrc/math/py-numarray: Makefile pkgsrc/math/py-simpleeval: Makefile pkgsrc/meta-pkgs/bulk-large: Makefile pkgsrc/meta-pkgs/bulk-medium: Makefile pkgsrc/meta-pkgs/gnome: Makefile pkgsrc/meta-pkgs/py-gnome-bindings: Makefile pkgsrc/misc/byobu: Makefile pkgsrc/misc/calibre: Makefile pkgsrc/misc/calibre1: Makefile pkgsrc/misc/deskbar-applet: Makefile pkgsrc/misc/kdeutils3: Makefile pkgsrc/misc/khard: Makefile pkgsrc/misc/koffice: Makefile pkgsrc/misc/mnemosyne: Makefile pkgsrc/misc/openoffice3: Makefile pkgsrc/misc/orca: Makefile pkgsrc/misc/py-anita: Makefile pkgsrc/misc/py-anki2: Makefile pkgsrc/misc/py-carddav: 
Makefile pkgsrc/misc/py-stdnum: Makefile pkgsrc/misc/routeplanner-cli: Makefile pkgsrc/misc/superkaramba: Makefile pkgsrc/multimedia/farsight2: Makefile pkgsrc/multimedia/kodi: Makefile pkgsrc/multimedia/libkate: options.mk pkgsrc/multimedia/livestreamer: Makefile pkgsrc/multimedia/pitivi: Makefile pkgsrc/multimedia/py-gstreamer0.10: Makefile pkgsrc/multimedia/py-ming: Makefile pkgsrc/multimedia/totem: Makefile.common pkgsrc/net/Radicale: options.mk pkgsrc/net/avahi: options.mk pkgsrc/net/bittornado: Makefile pkgsrc/net/bittornado-gui: Makefile pkgsrc/net/bittorrent: Makefile pkgsrc/net/bittorrent-gui: Makefile pkgsrc/net/calypso: Makefile pkgsrc/net/coherence: Makefile pkgsrc/net/coilmq: Makefile pkgsrc/net/exabgp: Makefile pkgsrc/net/gitso: Makefile pkgsrc/net/gtk-vnc: options.mk pkgsrc/net/mimms: Makefile pkgsrc/net/mitmproxy: Makefile pkgsrc/net/nagstamon: Makefile pkgsrc/net/nicotine: Makefile pkgsrc/net/nmap: options.mk pkgsrc/net/omniORB: Makefile pkgsrc/net/py-GeoIP: Makefile pkgsrc/net/py-ORBit: Makefile pkgsrc/net/py-adns: Makefile pkgsrc/net/py-beanstalkc: Makefile pkgsrc/net/py-bitmessage: Makefile pkgsrc/net/py-caldav: Makefile pkgsrc/net/py-dpkt: Makefile pkgsrc/net/py-eventlib: Makefile pkgsrc/net/py-foolscap: Makefile pkgsrc/net/py-gevent: Makefile pkgsrc/net/py-google: Makefile pkgsrc/net/py-ipaddress: Makefile pkgsrc/net/py-kenosis: Makefile pkgsrc/net/py-libdnet: Makefile pkgsrc/net/py-libpcap: Makefile pkgsrc/net/py-medusa: Makefile pkgsrc/net/py-metar: Makefile pkgsrc/net/py-netifaces: Makefile pkgsrc/net/py-netsnmp: Makefile pkgsrc/net/py-omniORBpy: Makefile pkgsrc/net/py-pcap: Makefile pkgsrc/net/py-s3cmd: Makefile pkgsrc/net/py-soappy: Makefile pkgsrc/net/py-socketpool: Makefile pkgsrc/net/py-spreadmodule: Makefile pkgsrc/net/py-suds: Makefile pkgsrc/net/py-tweepy: Makefile pkgsrc/net/py-twisted: Makefile.common pkgsrc/net/py-txamqp: Makefile pkgsrc/net/py-zsi: Makefile pkgsrc/net/pygopherd: Makefile pkgsrc/net/samba4: Makefile 
pkgsrc/net/scapy: Makefile options.mk pkgsrc/net/upnpinspector: Makefile pkgsrc/net/wireshark: Makefile pkgsrc/net/wireshark1: Makefile pkgsrc/news/hellanzb: Makefile pkgsrc/news/lottanzb: Makefile pkgsrc/pkgtools/gnome-packagekit: Makefile pkgsrc/pkgtools/packagekit: Makefile pkgsrc/print/hplip: options.mk pkgsrc/print/lilypond: Makefile pkgsrc/print/pdfshuffler: Makefile pkgsrc/print/py-pisa: Makefile pkgsrc/print/py-poppler: Makefile pkgsrc/print/py-reportlab: Makefile pkgsrc/print/scribus: Makefile pkgsrc/print/scribus-qt4: Makefile pkgsrc/security/botan: Makefile pkgsrc/security/lasso: Makefile pkgsrc/security/libprelude-python: Makefile pkgsrc/security/libpreludedb-python: Makefile pkgsrc/security/mixminion: Makefile pkgsrc/security/prelude-correlator: Makefile pkgsrc/security/py-SSLCrypto: Makefile pkgsrc/security/py-backports.ssl_match_hostname: Makefile pkgsrc/security/py-cryptkit: Makefile pkgsrc/security/py-cryptopp: Makefile pkgsrc/security/py-cybox: Makefile pkgsrc/security/py-denyhosts: Makefile pkgsrc/security/py-gnupg: Makefile pkgsrc/security/py-lasso: Makefile pkgsrc/security/py-libtaxii: Makefile pkgsrc/security/py-m2crypto: Makefile pkgsrc/security/py-mcrypt: Makefile pkgsrc/security/py-oauth2: Makefile pkgsrc/security/py-openid: Makefile pkgsrc/security/py-prewikka: Makefile pkgsrc/security/py-service_identity: Makefile pkgsrc/security/py-stix: Makefile pkgsrc/security/py-tlslite: Makefile pkgsrc/security/py-urllib2-kerberos: Makefile pkgsrc/security/py-xmlsec: Makefile pkgsrc/security/py-yara: Makefile pkgsrc/security/py-yubiauth: Makefile pkgsrc/security/volatility: Makefile pkgsrc/shells/lshell: Makefile pkgsrc/sysutils/ansible: Makefile pkgsrc/sysutils/bup: Makefile pkgsrc/sysutils/caja-dropbox: Makefile pkgsrc/sysutils/cuisine: Makefile pkgsrc/sysutils/dbus-python-common: Makefile pkgsrc/sysutils/duplicity: Makefile pkgsrc/sysutils/euca2ools: Makefile pkgsrc/sysutils/fabric: Makefile pkgsrc/sysutils/gnome-commander: Makefile 
pkgsrc/sysutils/libvirt: Makefile pkgsrc/sysutils/manifold: Makefile pkgsrc/sysutils/monitoring: Makefile pkgsrc/sysutils/openxenmanager: Makefile pkgsrc/sysutils/polysh: Makefile pkgsrc/sysutils/py-borgbackup: Makefile pkgsrc/sysutils/py-gnome-menus: Makefile pkgsrc/sysutils/py-notify: Makefile pkgsrc/sysutils/py-notify-python: Makefile pkgsrc/sysutils/py-pefile: Makefile pkgsrc/sysutils/py-xattr: Makefile pkgsrc/sysutils/rdiff-backup: Makefile pkgsrc/sysutils/salt: Makefile pkgsrc/sysutils/salt-docs: Makefile pkgsrc/sysutils/virt-manager: Makefile pkgsrc/sysutils/virtinst: Makefile pkgsrc/sysutils/xenkernel3: Makefile pkgsrc/sysutils/xenkernel33: Makefile pkgsrc/sysutils/xenkernel41: Makefile pkgsrc/sysutils/xenkernel42: Makefile pkgsrc/sysutils/xenkernel45: Makefile pkgsrc/sysutils/xenkernel46: Makefile pkgsrc/sysutils/xentools3: Makefile pkgsrc/sysutils/xentools3-hvm: Makefile pkgsrc/sysutils/xentools33: Makefile pkgsrc/sysutils/xentools41: Makefile pkgsrc/sysutils/xentools42: Makefile pkgsrc/sysutils/xentools45: Makefile pkgsrc/sysutils/xentools46: Makefile pkgsrc/textproc/asciidoc: Makefile pkgsrc/textproc/coccigrep: Makefile pkgsrc/textproc/dblatex: Makefile pkgsrc/textproc/gnome-doc-utils: Makefile pkgsrc/textproc/gtk-doc: Makefile pkgsrc/textproc/ispell-lt: Makefile pkgsrc/textproc/itstool: Makefile pkgsrc/textproc/libplist: Makefile pkgsrc/textproc/markdown2social: Makefile pkgsrc/textproc/py-4Suite: Makefile pkgsrc/textproc/py-Excelerator: Makefile pkgsrc/textproc/py-HappyDoc: Makefile pkgsrc/textproc/py-Whoosh: Makefile pkgsrc/textproc/py-X2: Makefile pkgsrc/textproc/py-cabocha: Makefile pkgsrc/textproc/py-cjson: Makefile pkgsrc/textproc/py-cmTemplate: Makefile pkgsrc/textproc/py-elementtree: Makefile pkgsrc/textproc/py-empy: Makefile pkgsrc/textproc/py-generateDS: Makefile pkgsrc/textproc/py-gnosis-utils: Makefile pkgsrc/textproc/py-iniparse: Makefile pkgsrc/textproc/py-jsonlib: Makefile pkgsrc/textproc/py-libxslt: Makefile pkgsrc/textproc/py-marisa: 
Makefile pkgsrc/textproc/py-mecab: Makefile pkgsrc/textproc/py-relatorio: Makefile pkgsrc/textproc/py-vobject: Makefile pkgsrc/textproc/py-xlwt: Makefile pkgsrc/textproc/py-xml: Makefile pkgsrc/textproc/py-yamcha: Makefile pkgsrc/textproc/queequeg: Makefile pkgsrc/textproc/rubber: Makefile pkgsrc/textproc/xmlada: Makefile pkgsrc/time/etm: Makefile pkgsrc/time/gdeskcal: Makefile pkgsrc/time/hamster-applet: Makefile pkgsrc/time/py-goocalendar: Makefile pkgsrc/time/py-mxDateTime: Makefile pkgsrc/time/wxRemind: Makefile pkgsrc/wm/bmpanel2: Makefile pkgsrc/wm/ccsm: Makefile pkgsrc/wm/py-tyle: Makefile pkgsrc/www/ap-scgi: Makefile pkgsrc/www/bluefish: Makefile pkgsrc/www/browser-bookmarks-menu: Makefile pkgsrc/www/cherokee: Makefile pkgsrc/www/clearsilver: Makefile pkgsrc/www/firefox: mozilla-common.mk pkgsrc/www/firefox24: mozilla-common.mk pkgsrc/www/firefox31: mozilla-common.mk pkgsrc/www/firefox38: mozilla-common.mk pkgsrc/www/firefox45: mozilla-common.mk pkgsrc/www/ies4linux: Makefile pkgsrc/www/loggerhead: Makefile pkgsrc/www/py-ClientForm: Makefile pkgsrc/www/py-HTMLgen: Makefile pkgsrc/www/py-beautifulsoup: Makefile pkgsrc/www/py-blosxom: Makefile pkgsrc/www/py-clearsilver: Makefile pkgsrc/www/py-django-appmedia: Makefile pkgsrc/www/py-django-mezzanine-filebrowser: Makefile pkgsrc/www/py-django-mezzanine-grappelli: Makefile pkgsrc/www/py-django-photologue: Makefile pkgsrc/www/py-django14: Makefile options.mk pkgsrc/www/py-djangorestframework: Makefile pkgsrc/www/py-flup: Makefile pkgsrc/www/py-gdata: Makefile pkgsrc/www/py-google-api-python-client: Makefile pkgsrc/www/py-graphite-web: Makefile pkgsrc/www/py-jonpy: Makefile pkgsrc/www/py-mechanize: Makefile pkgsrc/www/py-mezzanine: Makefile pkgsrc/www/py-moin: Makefile pkgsrc/www/py-nevow: Makefile pkgsrc/www/py-pendrell: Makefile pkgsrc/www/py-python-digest: Makefile pkgsrc/www/py-pywebdav: Makefile pkgsrc/www/py-recaptcha: Makefile pkgsrc/www/py-scgi: Makefile pkgsrc/www/py-simpletal: Makefile 
pkgsrc/www/py-swish-e: Makefile pkgsrc/www/py-twill: Makefile pkgsrc/www/py-uliweb: Makefile pkgsrc/www/py-webpy: Makefile pkgsrc/www/py-werkzeug-docs: Makefile pkgsrc/www/ruby-pygments.rb: Makefile pkgsrc/www/trac: Makefile pkgsrc/www/urlgrabber: Makefile pkgsrc/www/viewvc: Makefile pkgsrc/www/webkit-gtk: Makefile pkgsrc/www/webkit24-gtk: Makefile.common pkgsrc/x11/alacarte: Makefile pkgsrc/x11/arandr: Makefile pkgsrc/x11/avant-window-navigator: Makefile pkgsrc/x11/driconf: Makefile pkgsrc/x11/gnome-applets: Makefile pkgsrc/x11/gnome-mag: Makefile pkgsrc/x11/gnome-panel: Makefile pkgsrc/x11/gnome-terminal: Makefile pkgsrc/x11/gtk2: Makefile pkgsrc/x11/kde-workspace4: Makefile pkgsrc/x11/libdesktop-agnostic: Makefile pkgsrc/x11/mozo: Makefile pkgsrc/x11/py-Pmw: Makefile pkgsrc/x11/py-gnome2: Makefile pkgsrc/x11/py-gnome2-desktop: Makefile pkgsrc/x11/py-gnome2-extras: Makefile pkgsrc/x11/py-gtk2: Makefile pkgsrc/x11/py-gtksourceview: Makefile pkgsrc/x11/py-keybinder: Makefile pkgsrc/x11/py-kiwi: Makefile pkgsrc/x11/py-qwt-qt4: Makefile pkgsrc/x11/py-terminator: Makefile pkgsrc/x11/py-vte: Makefile pkgsrc/x11/py-wxWidgets: Makefile pkgsrc/x11/rox-session: Makefile pkgsrc/x11/tint2: Makefile Log Message: Remove python33: adapt all packages that refer to it. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 pkgsrc/net/samba4/Makefile ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Mon Jul 11 12:28:17 UTC 2016 Modified Files: pkgsrc/net/samba4: Makefile PLIST Log Message: If py-dns or py-iso8601 are installed, the PLIST is wrong because the separate copy coming with samba4 is not installed. Depend on the two packages and never install the separate copies. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 pkgsrc/net/samba4/Makefile cvs rdiff -u -r1.8 -r1.9 pkgsrc/net/samba4/PLIST
Update samba4 to 4.3.11 (Samba 4.3.11), including security fix for CVE-2016-2119.

Changes from 4.3.9 to 4.3.10 are too many to write here, please refer to the WHATSNEW.txt file.

==============================
Release Notes for Samba 4.3.11
July 07, 2016
==============================

This is a security release in order to address the following defect:

o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)

=======
Details
=======

o CVE-2016-2119:

  It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags.

  This means that the attacker can impersonate a server being connected to by Samba, and return malicious results.

  The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking to domain controllers as a member server, and trusted domains as a domain controller. These DCE/RPC connections were intended to be protected by the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11").

  Additionally, management tools like net, samba-tool and rpcclient use DCERPC over SMB2/3 connections.

  By default, other tools in Samba are unprotected, but rarely they are configured to use smb signing, via the "client signing" parameter (the default is "if_required"). Even more rarely the "client max protocol" is set to SMB2, rather than the NT1 default.

  If both these conditions are met, then this issue would also apply to these other tools, including command line tools like smbcacls, smbcquota, smbclient, smbget and applications using libsmbclient.

Changes since 4.3.10:
--------------------

o Stefan Metzmacher <metze@samba.org>
  * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
  * BUG 11948: Total dcerpc response payload more than 0x400000.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/).

Pullup ticket #5011 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile 1.18
- net/samba4/PLIST 1.7
- net/samba4/distinfo 1.10
- net/samba4/patches/patch-lib_nss__wrapper_wscript deleted

---
Module Name: pkgsrc
Committed By: taca
Date: Sat May 7 03:09:33 UTC 2016

Modified Files:
pkgsrc/net/samba4: Makefile PLIST distinfo
Removed Files:
pkgsrc/net/samba4/patches: patch-lib_nss__wrapper_wscript

Log Message:
Update samba4 to 4.3.8, which contains security fix.

This release fixes some regressions introduced by the last security fixes. Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of bugs addressing these regressions and more information.

Changes since 4.3.8:
--------------------

o Jeremy Allison <jra@samba.org>
  * BUG 11742: lib: tevent: Fix memory leak when old signal action restored.
  * BUG 11771: lib: tevent: Fix memory leak when old signal action restored.
  * BUG 11822: s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.

o Andrew Bartlett <abartlet@samba.org>
  * BUG 11780: smbd: Only check dev/inode in open_directory, not the full stat().
  * BUG 11789: pydsdb: Fix returning of ldb.MessageElement.

o Berend De Schouwer <berend.de.schouwer@gmail.com>
  * BUG 11643: docs: Add example for domain logins to smbspool man page.

o Günther Deschner <gd@samba.org>
  * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.

o Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>
  * BUG 8093: access based share enum: Handle permission set in configuration files.

o Volker Lendecke <vl@samba.org>
  * BUG 11816: nwrap: Fix the build on Solaris.
  * BUG 11827: vfs_catia: Fix memleak.
  * BUG 11878: smbd: Avoid large reads beyond EOF.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11622: libcli/smb: Make sure we have a body size of 0x31 before dereferencing an ioctl response.
  * BUG 11623: libcli/smb: Fix BUFFER_OVERFLOW handling in tstream_smbXcli_np.
  * BUG 11755: s3:libads: Setup the msDS-SupportedEncryptionTypes attribute on ldap_add.
  * BUG 11771: tevent: Version 0.9.28. Fix memory leak when old signal action restored.
  * BUG 11782: s3:winbindd: Don't include two '\0' at the end of the domain list.
  * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
  * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
  * BUG 11847: Only validate MIC if "map to guest" is not being used.
  * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego option for testing.
  * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
  * BUG 11858: Allow anonymous smb connections.
  * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
  * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.

o Noel Power <noel.power@suse.com>
  * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.

o Garming Sam <garming@catalyst.net.nz>
  * BUG 11789: build: Mark explicit dependencies on pytalloc-util.

o Partha Sarathi <partha@exablox.com>
  * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel.

o Jorge Schrauwen <sjorge@blackdot.be>
  * BUG 11816: configure: Don't check for inotify on illumos.

o Uri Simchoni <uri@samba.org>
  * BUG 11691: winbindd: Return trust parameters when listing trusts.
  * BUG 11753: smbd: Ignore SVHDX create context.
  * BUG 11763: passdb: Add linefeed to debug message.
  * BUG 11788: build: Fix disk-free quota support on Solaris 10.
  * BUG 11798: build: Fix build when '--without-quota' specified.
  * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set.
  * BUG 11852: libads: Record session expiry for spnego sasl binds.

o Hemanth Thummala <hemanth.thummala@nutanix.com>
  * BUG 11740: Real memory leak(buildup) issue in loadparm.
  * BUG 11840: Mask general purpose signals for notifyd.

Pullup ticket #4958 - requested by manu
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile 1.17
- net/samba4/PLIST 1.6
- net/samba4/distinfo 1.9

---
Module Name: pkgsrc
Committed By: manu
Date: Wed Apr 13 08:26:10 UTC 2016

Modified Files:
pkgsrc/net/samba4: Makefile PLIST distinfo

Log Message:
Update net/samba4 to 4.3.8

This fixes the Badlock bug (CVE-2016-2118) and other vulnerabilities:

o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
o CVE-2016-2114 ("server signing = mandatory" not enforced)
o CVE-2016-2113 (Missing TLS certificate validation)
o CVE-2016-2112 (LDAP client and server don't enforce integrity)
o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)
o CVE-2015-5370 (Multiple errors in DCE-RPC code)

Update to 4.3.4

Changelog:

=============================
Release Notes for Samba 4.3.4
January 12, 2016
=============================

This is the latest stable release of Samba 4.3.

Changes since 4.3.3:
--------------------

o Michael Adam <obnox@samba.org>
  * BUG 11619: doc: Fix a typo in the smb.conf manpage, explanation of idmap config.
  * BUG 11647: s3:smbd: Fix a corner case of the symlink verification.

o Jeremy Allison <jra@samba.org>
  * BUG 11624: s3: libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections.
  * BUG 11625: Reduce the memory footprint of empty string options.

o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * BUG 11659: Update lastLogon and lastLogonTimestamp.

o Ralph Boehme <slow@samba.org>
  * BUG 11065: vfs_fruit: Enable POSIX directory rename semantics.
  * BUG 11466: Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix.
  * BUG 11645: smbd: Make "hide dot files" option work with "store dos attributes = yes".

o Günther Deschner <gd@samba.org>
  * BUG 11639: lib/async_req: Do not install async_connect_send_test.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11394: Crash: Bad talloc magic value - access after free.

o Rowland Penny <repenny241155@gmail.com>
  * BUG 11613: samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given.

o Karolin Seeger <kseeger@samba.org>
  * BUG 11619: docs: Fix some typos in the idmap backend section.
  * BUG 11641: docs: Fix typos in man vfs_gpfs.

o Uri Simchoni <uri@samba.org>
  * BUG 11649: smbd: Do not disable "store dos attributes" on-the-fly.

Pullup ticket #4881 - requested by wiz net/samba4: security fix Revisions pulled up: - net/samba4/Makefile 1.14 - net/samba4/distinfo 1.7 --- Module Name: pkgsrc Committed By: wiz Date: Tue Dec 29 23:58:32 UTC 2015 Modified Files: pkgsrc/net/samba4: Makefile distinfo Log Message: Update samba4 to 4.3.3. ============================= Release Notes for Samba 4.3.3 December 16, 2015 ============================= This is a security release in order to address the following CVEs: o CVE-2015-3223 (Denial of service in Samba Active Directory server) o CVE-2015-5252 (Insufficient symlink verification in smbd) o CVE-2015-5299 (Missing access control check in shadow copy code) o CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack) o CVE-2015-8467 (Denial of service attack against Windows Active Directory server) o CVE-2015-5330 (Remote memory read in Samba LDAP server) Please note that if building against a system libldb, the required version has been bumped to ldb-1.1.24. This is needed to ensure we build against a system ldb library that contains the fixes for CVE-2015-5330 and CVE-2015-3223. ======= Details ======= o CVE-2015-3223: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests. This flaw is not exploitable beyond causing the code to loop expending CPU resources. o CVE-2015-5252: All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path. 
If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is set to "no" (the default). o CVE-2015-5299: All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the current snapshots. This was not being checked in the affected versions of Samba. o CVE-2015-5296: Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection. o CVE-2015-8467: Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers. All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the protection against the MS15-096 / CVE-2015-2535 security issue in Windows. Prior to MS16-096 it was possible to bypass the quota of machine accounts a non-administrative user could create. Pure Samba domains are not impacted, as Samba does not implement the SeMachineAccountPrivilege functionality to allow non-administrator users to create new computer objects. o CVE-2015-5330: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a remote memory read attack in the samba daemon LDAP server. 
A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value. This memory may contain data that the client should not be allowed to see, allowing compromise of the server. The memory may either be returned to the client in an error string, or stored in the database by a suitably privileged user. If untrusted users can create objects in your database, please confirm that all DN and name attributes are reasonable. Changes since 4.3.2: -------------------- o Andrew Bartlett <abartlet@samba.org> * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl. o Jeremy Allison <jra@samba.org> * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS. * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file access outside the share). * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on snapdir. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB. o Stefan Metzmacher <metze@samba.org> * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing smb encryption on the client side.
Update samba4 to 4.3.3. ============================= Release Notes for Samba 4.3.3 December 16, 2015 ============================= This is a security release in order to address the following CVEs: o CVE-2015-3223 (Denial of service in Samba Active Directory server) o CVE-2015-5252 (Insufficient symlink verification in smbd) o CVE-2015-5299 (Missing access control check in shadow copy code) o CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack) o CVE-2015-8467 (Denial of service attack against Windows Active Directory server) o CVE-2015-5330 (Remote memory read in Samba LDAP server) Please note that if building against a system libldb, the required version has been bumped to ldb-1.1.24. This is needed to ensure we build against a system ldb library that contains the fixes for CVE-2015-5330 and CVE-2015-3223. ======= Details ======= o CVE-2015-3223: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests. This flaw is not exploitable beyond causing the code to loop expending CPU resources. o CVE-2015-5252: All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path. If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is set to "no" (the default). 
o CVE-2015-5299: All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the current snapshots. This was not being checked in the affected versions of Samba. o CVE-2015-5296: Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection. o CVE-2015-8467: Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers. All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the protection against the MS15-096 / CVE-2015-2535 security issue in Windows. Prior to MS16-096 it was possible to bypass the quota of machine accounts a non-administrative user could create. Pure Samba domains are not impacted, as Samba does not implement the SeMachineAccountPrivilege functionality to allow non-administrator users to create new computer objects. o CVE-2015-5330: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a remote memory read attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value. This memory may contain data that the client should not be allowed to see, allowing compromise of the server. The memory may either be returned to the client in an error string, or stored in the database by a suitably privileged user. 
If untrusted users can create objects in your database, please confirm that all DN and name attributes are reasonable. Changes since 4.3.2: -------------------- o Andrew Bartlett <abartlet@samba.org> * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl. o Jeremy Allison <jra@samba.org> * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS. * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file access outside the share). * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on snapdir. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB. o Stefan Metzmacher <metze@samba.org> * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing smb encryption on the client side.
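The CVE-2015-5252 text above describes a share path that shares a common prefix with a sibling directory. The following is an added illustration, not Samba's code or its patch: it assumes the containment test is a string-prefix comparison on resolved paths and sets it beside a component-aware test. All function names and the temporary-directory layout are constructed for the example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp(), symlink() */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed containment test (hypothetical): plain string-prefix comparison. */
static bool prefix_only_check(const char *root, const char *resolved)
{
    return strncmp(root, resolved, strlen(root)) == 0;
}

/* Hardened test (hypothetical): the match must end on a component boundary. */
static bool component_check(const char *root, const char *resolved)
{
    size_t n = strlen(root);
    while (n > 1 && root[n - 1] == '/')   /* ignore trailing slashes */
        n--;
    if (strncmp(root, resolved, n) != 0)
        return false;
    if (n == 1 && root[0] == '/')         /* "/" contains every absolute path */
        return true;
    return resolved[n] == '\0' || resolved[n] == '/';
}

static int touch(const char *dir, const char *file)
{
    char p[128];
    FILE *f;

    snprintf(p, sizeof p, "%s/%s", dir, file);
    f = fopen(p, "w");
    return f ? fclose(f) : -1;
}

/*
 * Constructed layout in a fresh temporary directory:
 *   <tmp>/share/inside.txt, <tmp>/share2/secret.txt,
 *   <tmp>/share/link -> ../share2/secret.txt
 * Resolves <tmp>/share/<name> and returns a bitmask: bit 0 set if
 * prefix_only_check() allows it, bit 1 set if component_check() allows it.
 * Returns -1 if the layout could not be created.
 */
static int check_in_demo_share(const char *name)
{
    char tmp[] = "/tmp/sharedemoXXXXXX";
    char share[64], other[64], p[128];
    char *root = NULL, *resolved = NULL;
    int result = -1;

    if (mkdtemp(tmp) == NULL)
        return -1;
    snprintf(share, sizeof share, "%s/share", tmp);
    snprintf(other, sizeof other, "%s/share2", tmp);
    snprintf(p, sizeof p, "%s/link", share);
    if (mkdir(share, 0700) == 0 && mkdir(other, 0700) == 0 &&
        touch(share, "inside.txt") == 0 && touch(other, "secret.txt") == 0 &&
        symlink("../share2/secret.txt", p) == 0) {
        root = realpath(share, NULL);
        snprintf(p, sizeof p, "%s/%s", share, name);
        resolved = realpath(p, NULL);     /* follows the symlink */
        if (root != NULL && resolved != NULL)
            result = (prefix_only_check(root, resolved) ? 1 : 0) |
                     (component_check(root, resolved) ? 2 : 0);
    }
    free(root); free(resolved);
    /* Best-effort cleanup of the constructed files. */
    snprintf(p, sizeof p, "%s/link", share);       unlink(p);
    snprintf(p, sizeof p, "%s/inside.txt", share); unlink(p);
    snprintf(p, sizeof p, "%s/secret.txt", other); unlink(p);
    rmdir(share); rmdir(other); rmdir(tmp);
    return result;
}

int main(void)
{
    printf("inside.txt=%d link=%d\n", check_in_demo_share("inside.txt"),
           check_in_demo_share("link"));
    return 0;
}
```

A result of 1 for `link` means only the prefix comparison accepted the symlink target in the sibling directory; 3 for `inside.txt` means both tests accepted a file that really is inside the share.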
Update samba4 to 4.3.2. While here, comment a patch. Changes since 4.3.1: -------------------- o Michael Adam <obnox@samba.org> * BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000. o Jeremy Allison <jra@samba.org> * BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero. * BUG 11565: auth: gensec: Fix a memory leak. * BUG 11566: lib: util: Make non-critical message a warning. * BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them. * BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle. o Ralph Boehme <slow@samba.org> * BUG 11562: s4:lib/messaging: Use correct path for names.tdb. * BUG 11564: async_req: Fix non-blocking connect(). o Volker Lendecke <vl@samba.org> * BUG 11243: vfs_gpfs: Re-enable share modes. * BUG 11570: smbd: Send SMB2 oplock breaks unencrypted. * BUG 11612: winbind: Fix crash on invalid idmap configs. o YvanM <yvan.masson@openmailbox.org> * BUG 11584: manpage: Correct small typo error. o Stefan Metzmacher <metze@samba.org> * BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus. * BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer. o Marc Muehlfeld <mmuehlfeld@samba.org> * BUG 9912: Changing log level of two entries to DBG_NOTICE. * BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(). o Noel Power <noel.power@suse.com> * BUG 11569: Fix winbindd crashes with samlogon for trusted domain user. * BUG 11597: Backport some valgrind fixes from upstream master. o Andreas Schneider <asn@samba.org> * BUG 11563: Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins. o Tom Schulz <schulz@adi.com> * BUG 11511: Add libreplace dependency to texpect, fixes a linking error on Solaris. * BUG 11512: s4: Fix linking of 'smbtorture' on Solaris. o Uri Simchoni <uri@samba.org> * BUG 11608: auth: Consistent handling of well-known alias as primary gid. 
Changes since 4.3.0: -------------------- o Jeremy Allison <jra@samba.org> * BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows. * BUG 10634: smbd: Fix file name buflen and padding in notify response. * BUG 11486: s3: smbd: Fix mkdir race condition. * BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share directory. * BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522). * BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect. o Ralph Boehme <slow@samba.org> * BUG 11535: s3: smbd: Fix a crash in unix_convert(). * BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c. * BUG 11549: s3:locking: Initialize lease pointer in share_mode_traverse_fn(). * BUG 11550: s3:smbstatus: Add stream name to share_entry_forall(). * BUG 11555: s3:lib: Validate domain name in lookup_wellknown_name(). o Günther Deschner <gd@samba.org> * BUG 11038: kerberos: Make sure we only use prompter type when available. o Volker Lendecke <vl@samba.org> * BUG 11038: winbind: Fix 100% loop. * BUG 11053: source3/lib/msghdr.c: Fix compiling error on Solaris. o Stefan Metzmacher <metze@samba.org> * BUG 11316: s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket. * BUG 11515: s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs. * BUG 11526: lib/param: Fix hiding of FLAG_SYNONYM values. o Björn Jacke <bj@sernet.de> * BUG 10365: nss_winbind: Fix hang on Solaris on big groups. * BUG 11355: build: Use as-needed linker flag also on OpenBSD. o Har Gagan Sahai <SHarGagan@novell.com> * BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled. o Andreas Schneider <asn@samba.org> * BUG 11502: pam_winbind: Fix a segfault if initialization fails. o Uri Simchoni <uri@samba.org> * BUG 11528: net: Fix a crash with 'net ads keytab create'. * BUG 11547: vfs_commit: set the fd on open before calling SMB_VFS_FSTAT.
Add SHA512 digests for distfiles for net category Problems found with existing digests: Package haproxy distfile haproxy-1.5.14.tar.gz 159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded] da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated] Problems found locating distfiles: Package bsddip: missing distfile bsddip-1.02.tar.Z Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2 Package djbdns: missing distfile djbdns-cachestats.patch Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch Package gated: missing distfile gated-3-5-11.tar.gz Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz Package poink: missing distfile poink-1.6.tar.gz Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch Package waste: missing distfile waste-source.tar.gz Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
Update to 4.3.0 Changelog: ============================= Release Notes for Samba 4.3.0 September 8, 2015 ============================= This is the first stable release of Samba 4.3. UPGRADING ========= Read the "New FileChangeNotify subsystem" and "smb.conf changes" sections (below). NEW FEATURES ============ Logging ------- The logging code now supports logging to multiple backends. In addition to the previously available syslog and file backends, the backends for logging to the systemd-journal, lttng and gpfs have been added. Please consult the section for the 'logging' parameter in the smb.conf manpage for details. Spotlight --------- Support for Apple's Spotlight has been added by integrating with Gnome Tracker. For detailed instructions how to build and setup Samba for Spotlight, please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight> New FileChangeNotify subsystem ------------------------------ Samba now contains a new subsystem to do FileChangeNotify. The previous system used a central database, notify_index.tdb, to store all notification requests. In particular in a cluster this turned out to be a major bottleneck, because some hot records need to be bounced back and forth between nodes on every change event like a new created file. The new FileChangeNotify subsystem works with a central daemon per node. Every FileChangeNotify request and every event are handled by an asynchronous message from smbd to the notify daemon. The notify daemon maintains a database of all FileChangeNotify requests in memory and will distribute the notify events accordingly. This database is asynchronously distributed in the cluster by the notify daemons. The notify daemon is supposed to scale a lot better than the previous implementation. 
The functional advantage is cross-node kernel change notify: Files created via NFS will be seen by SMB clients on other nodes per FileChangeNotify, despite the fact that popular cluster file systems do not offer cross-node inotify. Two changes to the configuration were required for this new subsystem: The parameters "change notify" and "kernel change notify" are not per-share anymore but must be set globally. So it is no longer possible to enable or disable notify per share, the notify daemon has no notion of a share, it only works on absolute paths. New SMB profiling code ---------------------- The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead of sysv IPC shared memory. This avoids performance problems and NUMA effects. The profile stats are a bit more detailed than before. Improved DCERPC man in the middle detection for kerberos -------------------------------------------------------- The gssapi based kerberos backends for gensec have support for DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY. SMB signing required in winbindd by default ------------------------------------------- The effective value for "client signing" is required by default for winbindd, if the primary domain uses active directory. Experimental NTDB was removed ----------------------------- The experimental NTDB library introduced in Samba 4.0 has been removed again. Improved support for trusted domains (as AD DC) ----------------------------------------------- The support for trusted domains/forests has improved a lot. samba-tool got "domain trust" subcommands to manage trusts: create - Create a domain or forest trust. delete - Delete a domain trust. list - List domain trusts. namespaces - Manage forest trust namespaces. show - Show trusted domain details. validate - Validate a domain trust. External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. 
The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP. While a lot of things are working fine, there are currently a few limitations: - Both sides of the trust need to fully trust each other! - No SID filtering rules are applied at all! - This means DCs of domain A can grant domain admin rights in domain B. - It's not possible to add users/groups of a trusted domain into domain groups. SMB 3.1.1 supported ------------------- Both client and server have support for SMB 3.1.1 now. This is the dialect introduced with Windows 10, it improves the secure negotiation of SMB dialects and features. There's also a new optional encryption algorithm aes-gcm-128, but for now this is only selected as fallback and aes-ccm-128 is preferred because of the better performance. This might change in future versions when hardware encryption will be supported. See https://bugzilla.samba.org/show_bug.cgi?id=11451. New smbclient subcommands ------------------------- - Query a directory for change notifications: notify <dir name> - Server side copy: scopy <source filename> <destination filename> New rpcclient subcommands ------------------------- netshareenumall - Enumerate all shares netsharegetinfo - Get Share Info netsharesetinfo - Set Share Info netsharesetdfsflags - Set DFS flags netfileenum - Enumerate open files netnamevalidate - Validate sharename netfilegetsec - Get File security netsessdel - Delete Session netsessenum - Enumerate Sessions netdiskenum - Enumerate Disks netconnenum - Enumerate Connections netshareadd - Add share netsharedel - Delete share New modules ----------- idmap_script - see 'man 8 idmap_script' vfs_unityed_media - see 'man 8 vfs_unityed_media' vfs_shell_snap - see 'man 8 vfs_shell_snap' New sparsely connected replica graph (Improved KCC) -------------------------------------------------- The Knowledge Consistency Checker (KCC) maintains a replication graph for DCs across an AD network. 
The existing Samba KCC uses a fully connected graph, so that each DC replicates from all the others, which does not scale well with large networks. In 4.3 there is an experimental new KCC that creates a sparsely connected replication graph and closely follows Microsoft's specification. It is turned off by default. To use the new KCC, set "kccsrv:samba_kcc=true" in smb.conf and let us know how it goes. You should consider doing this if you are making a large new network. For small networks there is little benefit and you can always switch over at a later date. Configurable TLS protocol support, with better defaults ------------------------------------------------------- The "tls priority" option can be used to change the supported TLS protocols. The default is to disable SSLv3, which is no longer considered secure. Samba-tool now supports all 7 FSMO roles ------------------------------------------------------- Previously "samba-tool fsmo" could only show, transfer or seize the five well-known FSMO roles: Schema Master Domain Naming Master RID Master PDC Emulator Infrastructure Master It can now also show, transfer or seize the DNS infrastructure roles: DomainDnsZones Infrastructure Master ForestDnsZones Infrastructure Master CTDB logging changes -------------------- The destination for CTDB logging is now set via a single new configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for details of CTDB_LOGGING. CTDB no longer runs a separate logging daemon. CTDB NFS support changes ------------------------ CTDB's NFS service management has been combined into a single 60.nfs event script. This updated 60.nfs script now uses a call-out to interact with different NFS implementations. See the CTDB_NFS_CALLOUT option in the ctdbd.conf(5) manual page for details. A default call-out is provided to interact with the Linux kernel NFS implementation. 
The 60.ganesha event script has been removed - a sample call-out is provided for NFS Ganesha, based on this script. The method of configuring NFS RPC checks has been improved. See ctdb/config/nfs-checks.d/README for details. Improved Cross-Compiling Support -------------------------------- A new "hybrid" build configuration mode is added to improve cross-compilation support. A common challenge in cross-compilation is that of obtaining the results of tests that have to run on the target, during the configuration phase of the build. The Samba build system already supports the following means to do so: - Executing configure tests using the --cross-execute parameter - Obtaining the results from an answers file using the --cross-answers parameter The first method has the drawback of inaccurate results if the tests are run using an emulator, or a need to be connected to a running target while building, if the tests are to be run on an actual target. The second method presents a challenge of figuring out the test results. The new hybrid mode runs the tests and records the result in an answer file. To activate this mode, use both --cross-execute and --cross-answers in the same configure invocation. This mode can be activated once against a running target, and then the generated answers file can be used in subsequent builds. Also supplied is an example script that can be used as the cross-execute program. This script copies the test to a running target and runs the test on the target, obtaining the result. The obtained results are more accurate than running the test with an emulator, because they reflect the exact kernel and system libraries that exist on the target. Improved Sparse File Support
Attempt to fix various build issues: - Explicitly disable samba-regedit for now, it is built depending on various curses characteristics that we do not currently support. - Avoid epoll implementation on SmartOS. - Pull in Active Directory and LDAP options from net/samba, LDAP support is dynamically configured and we need to ensure that, if enabled, we correctly pull in openldap. The SunOS native LDAP is missing some TLS functions that Samba depends upon. Tested with various PKG_OPTIONS combinations, fixes build on SmartOS.
Various changes to fix the build and install on SunOS.
Import samba-4.2.1 as net/samba4. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Samba is Free Software licensed under the GNU General Public License, the Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member. This package tracks 4.x branch release.