rpms/samba
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to Samba 4.3.8, fix badlock security bug

Browse Source 
resolves: #1326453 - CVE-2015-5370
resolves: #1326453 - CVE-2016-2110
resolves: #1326453 - CVE-2016-2111
resolves: #1326453 - CVE-2016-2112
resolves: #1326453 - CVE-2016-2113
resolves: #1326453 - CVE-2016-2114
resolves: #1326453 - CVE-2016-2115
resolves: #1326453 - CVE-2016-2118

Guenther
This commit is contained in:
Günther Deschner 2016-04-12 15:12:49 +02:00
parent b63b68e4e4
commit 6c80ac25fc
4 changed files with 78 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -59,3 +59,4 @@ samba-3.6.0pre1.tar.gz
/samba-4.3.4.tar.xz /samba-4.3.4.tar.xz
/samba-4.3.5.tar.xz /samba-4.3.5.tar.xz
/samba-4.3.6.tar.xz /samba-4.3.6.tar.xz
/samba-4.3.8.tar.xz

60
samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch Normal file
View File

@ -0,0 +1,60 @@
From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
domains DCs
Allow cm_connect_netlogon() to talk to trusted domains' DCs when
running in a domain member configuration.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/winbindd/winbindd_cm.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 63175e5..1ef3d17 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
anonymous:
/* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
status = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
anonymous:
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
no_schannel:
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make connection to domain %s"
+ DEBUG(1, ("Unwilling to make connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
--
2.5.5

17
samba.spec
View File

@ -8,7 +8,7 @@
%define main_release 0 %define main_release 0
%define samba_version 4.3.6 %define samba_version 4.3.8
%define talloc_version 2.1.3 %define talloc_version 2.1.3
%define tdb_version 1.3.7 %define tdb_version 1.3.7
%define tevent_version 0.9.25 %define tevent_version 0.9.25
@ -107,6 +107,8 @@ Source6: samba.pamd
Source200: README.dc Source200: README.dc
Source201: README.downgrade Source201: README.downgrade
Patch0: samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
@ -685,6 +687,8 @@ and use CTDB instead.
%prep %prep
%setup -q -n samba-%{version}%{pre_release} %setup -q -n samba-%{version}%{pre_release}
%patch0 -p 1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
%build %build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _talloc_lib ,talloc,pytalloc,pytalloc-util
%global _tevent_lib ,tevent,pytevent %global _tevent_lib ,tevent,pytevent
@ -2031,6 +2035,17 @@ rm -rf %{buildroot}
%endif # with_clustering_support %endif # with_clustering_support
%changelog %changelog
* Tue Apr 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.8-0
- Update to Samba 4.3.8, fix badlock security bug
- resolves: #1326453 - CVE-2015-5370
- resolves: #1326453 - CVE-2016-2110
- resolves: #1326453 - CVE-2016-2111
- resolves: #1326453 - CVE-2016-2112
- resolves: #1326453 - CVE-2016-2113
- resolves: #1326453 - CVE-2016-2114
- resolves: #1326453 - CVE-2016-2115
- resolves: #1326453 - CVE-2016-2118
* Tue Mar 08 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.6-0 * Tue Mar 08 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.6-0
- Update to Samba 4.3.6 - Update to Samba 4.3.6
- resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path - resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path

2
sources
View File

@ -1 +1 @@
7edb8a3b68951de02b150bb2b902e530 samba-4.3.6.tar.xz effebb4844ea50d733c4625e66326727 samba-4.3.8.tar.xz