author | Günther Deschner <gd@samba.org> | 2016-04-12 14:44:50 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2016-04-12 19:34:47 +0200 |
commit | fe4e88c4d2e7030f5c7284c63e0c4e27ea6d540a (patch) | |
tree | 8ed336555c0cb30d883881f4198ddcc7b4fb9611 | |
parent | 67c517ec83898ea5b5771e16925e40cb901b4848 (diff) |
Update to Samba 4.4.2, fix badlock security bug
resolves: #1326453 - CVE-2015-5370
resolves: #1326453 - CVE-2016-2110
resolves: #1326453 - CVE-2016-2111
resolves: #1326453 - CVE-2016-2112
resolves: #1326453 - CVE-2016-2113
resolves: #1326453 - CVE-2016-2114
resolves: #1326453 - CVE-2016-2115
resolves: #1326453 - CVE-2016-2118
Guenther
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch | 59 | ||||
-rw-r--r-- | samba.spec | 17 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 77 insertions, 2 deletions
@@ -63,3 +63,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.4.0rc4.tar.xz
 /samba-4.4.0rc5.tar.xz
 /samba-4.4.0.tar.xz
+/samba-4.4.2.tar.xz
diff --git a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
new file mode 100644
index 0000000..06b5a83
--- /dev/null
+++ b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
@@ -0,0 +1,59 @@
+From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 12 Apr 2016 09:36:12 +0300
+Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
+ domains DCs
+
+ Allow cm_connect_netlogon() to talk to trusted domains' DCs when
+ running in a domain member configuration.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/winbindd/winbindd_cm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 45e3fad..6f5a042 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2851,9 +2851,10 @@ retry:
+ anonymous:
+
+ /* Finally fall back to anonymous. */
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
++ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+@@ -3150,7 +3151,8 @@ retry:
+
+ anonymous:
+
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ TALLOC_FREE(netlogon_creds);
+
+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++ (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+- DEBUG(1, ("Unwilling to make connection to domain %s"
++ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+--
+2.5.5
+
@@ -8,7 +8,7 @@
 %define main_release 1
-%define samba_version 4.4.0
+%define samba_version 4.4.2
 %define talloc_version 2.1.6
 %define tdb_version 1.3.8
 %define tevent_version 0.9.28
@@ -106,6 +106,8 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
+Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires(pre): /usr/sbin/groupadd
@@ -680,6 +682,8 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
+%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
@@ -1972,6 +1976,17 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
+* Tue Apr 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.2-1
+- Update to Samba 4.4.2, fix badlock security bug
+- resolves: #1326453 - CVE-2015-5370
+- resolves: #1326453 - CVE-2016-2110
+- resolves: #1326453 - CVE-2016-2111
+- resolves: #1326453 - CVE-2016-2112
+- resolves: #1326453 - CVE-2016-2113
+- resolves: #1326453 - CVE-2016-2114
+- resolves: #1326453 - CVE-2016-2115
+- resolves: #1326453 - CVE-2016-2118
+
 * Tue Mar 22 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.0-1
 - Update to Samba 4.4.0
@@ -1 +1 @@
-9213a57f24129f20a57842c1d34dab13 samba-4.4.0.tar.xz
+5db423d90af75169ca5b8b8be4ff7ce5 samba-4.4.2.tar.xz |
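Review bot: The added `(IS_DC || domain->primary)` term makes all three guards in the carried patch (SAMR at -2851, LSA at -3150, netlogon at -3324) skip the NT_STATUS_DOWNGRADE_DETECTED refusal for trusted domains on a domain member, and nothing is logged when the refusal is skipped. An administrator who set 'winbind sealed pipes' or 'require strong key' therefore gets no indication that a connection to a trusted domain's DC went ahead without connection level security, which is worth surfacing in a release whose purpose is closing downgrade paths. I would log the exemption where it is taken, for example `DEBUG(3, ("Proceeding without connection level security for trusted domain %s\n", domain->name));`, and put a comment above each guard such as `/* Only enforced on a DC or for our primary domain; trusted domains are exempt, see https://bugzilla.samba.org/show_bug.cgi?id=11830 */`. The enclosing functions start and end outside these hunks, so the code that runs after each guard is not visible here.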
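Review bot: `Patch0:` is added without a comment saying where the patch comes from, and the new %changelog entry lists only the CVEs, so the package history does not record that this build also relaxes the downgrade check for trusted domains. A line above it such as `# https://bugzilla.samba.org/show_bug.cgi?id=11830` and a changelog line naming the patch would keep that traceable for anyone auditing the security update later. The same applies to the `%patch0` line in the %prep hunk.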