enterprise-support team mailing list archive

[Bug 1905048] Re: samba ftbfs in hirsute, needs merge

 

This bug was fixed in the package samba - 2:4.13.2+dfsg-3ubuntu1

---------------
samba (2:4.13.2+dfsg-3ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable (LP: #1905048). Remaining changes:
    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf:
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - d/control, d/rules: Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247
    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
      change nfs service name from nfs to nfs-kernel-server
      (LP #722201)
    - d/p/ctdb-config-enable-syslog-by-default.patch:
      enable syslog and systemd journal by default
    - debian/rules: Ubuntu i386 binary compatibility:
      + drop ceph support
      + disable the following binary packages:
        - ctdb
        - libnss-winbind
        - libpam-winbind
        - python3-samba
        - samba
        - samba-common-bin
        - samba-testsuite
        - winbind
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
    - debian/rules: Ubuntu i386 binary compatibility:
      + re-enable the following binary packages:
        - libnss-winbind
        - samba-common-bin
        - python3-samba
        - winbind
    - d/control: add a versioned libgnutls28-dev build-depends to reduce
      the amount of in-tree crypto code that is built
  * d/t/smbclient-anonymous-share-list: add set -x and set -e
  * Factor out common DEP8 test code into d/t/util and change the tests
    to source from it:
    - d/t/util: added
    - d/t/cifs-share-access, d/t/smbclient-share-access: source from
      util, use random share name and add set -x and set -u
    - d/t/smbclient-authenticated-share-list: source from util and add
      set -x and set -u
  * d/control: enable the liburing vfs module, except on i386 where
    liburing is not available
  * Add new DEP8 tests for the uring vfs module:
    - d/t/control: add smbclient-share-access-uring and
      cifs-share-access-uring tests
    - d/t/smbclient-share-access-uring: new test
    - d/t/cifs-share-access-uring: new test
  * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
    guard uring tests with a kernel version check and skip if it's too old
  * Dropped changes:
    - SECURITY UPDATE: Unauthenticated domain controller compromise by
      subverting Netlogon cryptography (ZeroLogon)
      + debian/patches/zerologon-*.patch: backport upstream patches:
        + For compatibility reasons, allow specifying an insecure netlogon
          configuration per machine. See the following link for examples:
          https://www.samba.org/samba/security/CVE-2020-1472.html
        + Add additional server checks for the protocol attack in the
          client-specified challenge to provide some protection when
          'server schannel = no/auto' and avoid the false-positive results
          when running the proof-of-concept exploit.
    [ Incorporated by upstream. ]
    - SECURITY UPDATE: Missing handle permissions check in ChangeNotify
      + debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
        get set unless the directory handle is open for SEC_DIR_LIST in
        source4/torture/smb2/notify.c, source3/smbd/notify.c.
      + CVE-2020-14318
    - SECURITY UPDATE: Unprivileged user can crash winbind
      + debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
        source3/winbindd/winbindd_lookupsids.c,
        source4/torture/winbind/struct_based.c.
      + CVE-2020-14323
    - SECURITY UPDATE: DNS server crash via invalid records
      + debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
        with NULL and do not crash when additional data not found in
        source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
      + CVE-2020-14383
    [ Incorporated by upstream. ]

 -- Sergio Durigan Junior <sergio.durigan@xxxxxxxxxxxxx>  Tue, 24 Nov 2020 22:12:00 -0500

** Changed in: samba (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14318

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14323

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14383

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1472

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1905048

Title:
  samba ftbfs in hirsute, needs merge
