From 6c80ac25fc962d70a27a89e384fe24f64f73324f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Tue, 12 Apr 2016 15:12:49 +0200
Subject: [PATCH] Update to Samba 4.3.8, fix badlock security bug
resolves: #1326453 - CVE-2015-5370
resolves: #1326453 - CVE-2016-2110
resolves: #1326453 - CVE-2016-2111
resolves: #1326453 - CVE-2016-2112
resolves: #1326453 - CVE-2016-2113
resolves: #1326453 - CVE-2016-2114
resolves: #1326453 - CVE-2016-2115
resolves: #1326453 - CVE-2016-2118
Guenther
---
 .gitignore | 1 +
 ...sure-domain-member-can-talk-to-trust.patch | 60 +++++++++++++++++++
 samba.spec | 17 +++++-
 sources | 2 +-
 4 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
diff --git a/.gitignore b/.gitignore
index 3e05210..a947928 100644
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.3.4.tar.xz
 /samba-4.3.5.tar.xz
 /samba-4.3.6.tar.xz
+/samba-4.3.8.tar.xz
diff --git a/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
new file mode 100644
index 0000000..3d092ff
--- /dev/null
+++ b/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
@@ -0,0 +1,60 @@
+From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 12 Apr 2016 09:36:12 +0300
+Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
+ domains DCs
+
+ Allow cm_connect_netlogon() to talk to trusted domains' DCs when
+ running in a domain member configuration.
+
+Signed-off-by: Alexander Bokovoy
+---
+ source3/winbindd/winbindd_cm.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 63175e5..1ef3d17 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ anonymous:
+
+ /* Finally fall back to anonymous. */
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
++ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+
+ anonymous:
+
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
++ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+
+ no_schannel:
+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make connection to domain %s"
++ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+--
+2.5.5
+
diff --git a/samba.spec b/samba.spec
index bfc0ee3..0fa5279 100644
--- a/samba.spec
+++ b/samba.spec
@@ -8,7 +8,7 @@ %define main_release 0 -%define samba_version 4.3.6 +%define samba_version 4.3.8 %define talloc_version 2.1.3 %define tdb_version 1.3.7 %define tevent_version 0.9.25
@@ -107,6 +107,8 @@ Source6: samba.pamd Source200: README.dc Source201: README.downgrade +Patch0: samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires(pre): /usr/sbin/groupadd
@@ -685,6 +687,8 @@ and use CTDB instead. %prep %setup -q -n samba-%{version}%{pre_release} +%patch0 -p 1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch + %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent
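Review bot: In the new winbindd_cm.c patch, the added `(IS_DC || domain->primary)` term makes a domain member skip the NT_STATUS_DOWNGRADE_DETECTED refusal for trusted domains at `anonymous:` in cm_connect_sam() and cm_connect_lsa() and at `no_schannel:` in cm_connect_netlogon(), even when 'winbind sealed pipes' or 'require strong key' is set, and nothing is logged when the check is skipped. Those options are the administrator's request to refuse connections without connection-level security, so the relaxed case should at least be logged, for example `DEBUG(3, ("Connecting to trusted domain %s without connection level security\n", domain->name));` on the path where the check no longer fires. The patch description mentions only cm_connect_netlogon(), while the SAMR and LSA connection paths are relaxed too; it and the samba.spec %changelog entry, which lists only the CVEs, should state this. All three functions begin and end outside the hunks, so what the code does after the skipped check is not visible here.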
@@ -2031,6 +2035,17 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Tue Apr 12 2016 Guenther Deschner - 4.3.8-0 +- Update to Samba 4.3.8, fix badlock security bug +- resolves: #1326453 - CVE-2015-5370 +- resolves: #1326453 - CVE-2016-2110 +- resolves: #1326453 - CVE-2016-2111 +- resolves: #1326453 - CVE-2016-2112 +- resolves: #1326453 - CVE-2016-2113 +- resolves: #1326453 - CVE-2016-2114 +- resolves: #1326453 - CVE-2016-2115 +- resolves: #1326453 - CVE-2016-2118 + * Tue Mar 08 2016 Guenther Deschner - 4.3.6-0 - Update to Samba 4.3.6 - resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path
diff --git a/sources b/sources
index 1d051ec..7fc43ff 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7edb8a3b68951de02b150bb2b902e530 samba-4.3.6.tar.xz
+effebb4844ea50d733c4625e66326727 samba-4.3.8.tar.xz