From fe4e88c4d2e7030f5c7284c63e0c4e27ea6d540a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Tue, 12 Apr 2016 14:44:50 +0200
Subject: [PATCH] Update to Samba 4.4.2, fix badlock security bug
resolves: #1326453 - CVE-2015-5370
resolves: #1326453 - CVE-2016-2110
resolves: #1326453 - CVE-2016-2111
resolves: #1326453 - CVE-2016-2112
resolves: #1326453 - CVE-2016-2113
resolves: #1326453 - CVE-2016-2114
resolves: #1326453 - CVE-2016-2115
resolves: #1326453 - CVE-2016-2118
Guenther
---
 .gitignore | 1 +
 ...sure-domain-member-can-talk-to-trust.patch | 59 +++++++++++++++++++
 samba.spec | 17 +++++-
 sources | 2 +-
 4 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
diff --git a/.gitignore b/.gitignore
index 53442a7..45ca060 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,3 +63,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.4.0rc4.tar.xz
 /samba-4.4.0rc5.tar.xz
 /samba-4.4.0.tar.xz
+/samba-4.4.2.tar.xz
diff --git a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
new file mode 100644
index 0000000..06b5a83
--- /dev/null
+++ b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
@@ -0,0 +1,59 @@
+From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 12 Apr 2016 09:36:12 +0300
+Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
+ domains DCs
+
+ Allow cm_connect_netlogon() to talk to trusted domains' DCs when
+ running in a domain member configuration.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
+
+Signed-off-by: Alexander Bokovoy
+---
+ source3/winbindd/winbindd_cm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 45e3fad..6f5a042 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2851,9 +2851,10 @@ retry:
+ anonymous:
+
+ /* Finally fall back to anonymous. */
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
++ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+@@ -3150,7 +3151,8 @@ retry:
+
+ anonymous:
+
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ TALLOC_FREE(netlogon_creds);
+
+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC ||
domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make connection to domain %s"
++ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+--
+2.5.5
+
diff --git a/samba.spec b/samba.spec
index 96a4e3f..b4ff3d0 100644
--- a/samba.spec
+++ b/samba.spec
@@ -8,7 +8,7 @@
 %define main_release 1
-%define samba_version 4.4.0
+%define samba_version 4.4.2
 %define talloc_version 2.1.6
 %define tdb_version 1.3.8
 %define tevent_version 0.9.28
@@ -106,6 +106,8 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
+Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires(pre): /usr/sbin/groupadd
@@ -680,6 +682,8 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
+%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
@@ -1972,6 +1976,17 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
+* Tue Apr 12 2016 Guenther Deschner - 4.4.2-1
+- Update to Samba 4.4.2, fix badlock security bug
+- resolves: #1326453 - CVE-2015-5370
+- resolves: #1326453 - CVE-2016-2110
+- resolves: #1326453 - CVE-2016-2111
+- resolves: #1326453 - CVE-2016-2112
+- resolves: #1326453 - CVE-2016-2113
+- resolves: #1326453 - CVE-2016-2114
+- resolves: #1326453 - CVE-2016-2115
+- resolves: #1326453 - CVE-2016-2118
+
 * Tue Mar 22 2016 Guenther Deschner - 4.4.0-1
 - Update to Samba 4.4.0
diff --git a/sources b/sources
index c3fcefe..380e317 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9213a57f24129f20a57842c1d34dab13 samba-4.4.0.tar.xz
+5db423d90af75169ca5b8b8be4ff7ce5 samba-4.4.2.tar.xz
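Review bot: The added `(IS_DC || domain->primary)` term makes the `winbind sealed pipes` / `require strong key` refusal stop applying to trusted domains on a member server, and it does so silently: in all three places (the SAMR path at -2851, the LSA path at -3150 and cm_connect_netlogon_transport at -3324) the only DEBUG in view sits inside the refusing branch. Because these options exist to reject an unprotected channel, the now-permitted fallback should at least be logged so an operator can see it, for example `DEBUG(3, ("Continuing without connection level security to trusted domain %s\n", domain->name));` on the path where the check no longer fires. The condition is also repeated verbatim three times; a small static helper with a comment stating why non-primary domains are exempt would keep the copies from drifting. The enclosing functions start and end outside these hunks, so where exactly the fall-through continues should be confirmed against the full file.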
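Review bot: `Patch0` at -106 is added with no comment saying where the patch comes from or when it can be dropped, which matters more than usual here because the carried patch relaxes a downgrade check in a security update. A line above it such as `# https://bugzilla.samba.org/show_bug.cgi?id=11830 - drop once included in an upstream release` would let the next rebase decide without re-reading the patch. The `%patch0` line at -680 is the matching application step and needs nothing further.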