enterprise-support team mailing list archive

[Bug 2040363] [NEW] Merge samba from Debian unstable for noble

 

Public bug reported:

Upstream: 4.18.8
Debian:   2:4.19.2+dfsg-1    
Ubuntu:   2:4.18.6+dfsg-1ubuntu2


Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.


### New Debian Changes ###

samba (2:4.19.2+dfsg-1) unstable; urgency=medium

  * new upstream stable/bugfix release:
   - https://bugzilla.samba.org/show_bug.cgi?id=15423
     Use-after-free in aio_del_req_from_fsp during smbd shutdown
     after failed IPC FSCTL_PIPE_TRANSCEIVE
   - https://bugzilla.samba.org/show_bug.cgi?id=15426
     clidfs.c do_connect() missing a 'return' after a cli_shutdown() call
   - https://bugzilla.samba.org/show_bug.cgi?id=15463
     macOS mdfind returns only 50 results
   - https://bugzilla.samba.org/show_bug.cgi?id=15481
     GETREALFILENAME_CACHE can modify incoming new filename
     with previous cache entry value
   - https://bugzilla.samba.org/show_bug.cgi?id=15464
     libnss_winbind causes memory corruption since samba-4.18,
     impacts sendmail, zabbix, potentially more
   - https://bugzilla.samba.org/show_bug.cgi?id=15479
     ctdbd: setproctitle not initialized messages flooding logs
   - https://bugzilla.samba.org/show_bug.cgi?id=15491
     CVE-2023-5568 Heap buffer overflow with freshness tokens
     in the Heimdal KDC in Samba 4.19
   - https://bugzilla.samba.org/show_bug.cgi?id=15477
     The heimdal KDC doesn't detect s4u2self correctly when fast is in use
  * d/samba-common.maintscript: remove obsolete conffile
    /etc/dhcp/dhclient-enter-hooks.d/samba conffile (Closes: #1053780)

 -- Michael Tokarev <mjt@xxxxxxxxxx>  Mon, 16 Oct 2023 18:26:31 +0300

samba (2:4.19.1+dfsg-4) unstable; urgency=medium

  * d/samba-common.postinst: restore installing of smb.conf using ucf

 -- Michael Tokarev <mjt@xxxxxxxxxx>  Tue, 10 Oct 2023 22:33:32 +0300

samba (2:4.19.1+dfsg-3) unstable; urgency=medium

  * d/ctdb.install: sync ceph arch list
  * d/control: mention other places where ceph arch list is used

 -- Michael Tokarev <mjt@xxxxxxxxxx>  Tue, 10 Oct 2023 20:12:20 +0300

samba (2:4.19.1+dfsg-2) unstable; urgency=medium

  * d/rules: sync with-ceph arch list from d/control

 -- Michael Tokarev <mjt@xxxxxxxxxx>  Tue, 10 Oct 2023 19:03:42 +0300

samba (2:4.19.1+dfsg-1) unstable; urgency=medium

  * new stable security bugfix release:
    o CVE-2023-3961: https://www.samba.org/samba/security/CVE-2023-3961.html
      Unsanitized pipe names allow SMB clients to connect as root
      to existing unix domain sockets on the file system.
    o CVE-2023-4091: https://www.samba.org/samba/security/CVE-2023-4091.html
      SMB client can truncate files to 0 bytes by opening files with OVERWRITE
      disposition when using the acl_xattr Samba VFS module with the smb.conf
      setting 'acl_xattr:ignore system acls = yes'
    o CVE-2023-4154: https://www.samba.org/samba/security/CVE-2023-4154.html
      An RODC and a user with the GET_CHANGES right can view all attributes,
      including secrets and passwords.  Additionally, the access check fails
      open on error conditions.
    o CVE-2023-42669: https://www.samba.org/samba/security/CVE-2023-42669.html
      Calls to the rpcecho server on the AD DC can request that the server
      block for a user-defined amount of time, denying service.
    o CVE-2023-42670: https://www.samba.org/samba/security/CVE-2023-42670.html
      Samba can be made to start multiple incompatible RPC listeners,
      disrupting service on the AD DC.
  * remove debconf questions and wins dhcp hooks together with po files
    (wins is not relevant today anymore)
  * d/control: bump mit-krb5 build-dep (on mitkrb5 profile) to 1.20
  * d/control: disable ceph (libcephfs-dev, librados-dev) on 32bit
    architectures (Closes: #1053202)
  * d/control: enable rados on riscv64 once it's available there
  * d/control: samba-libs: depend on libldb of the same version since libldb
    symbols might appear during previous stable series but they don't propagate
    to next releases with previous minor version numbers.  This is ABI breakage
    but the symbols are mostly internal to samba itself
  * debian/libldb2.symbols: update
  * drop attempts to keep ldb ABI versioning

 -- Michael Tokarev <mjt@xxxxxxxxxx>  Tue, 10 Oct 2023 18:02:05 +0300

samba (2:4.19.0+dfsg-1) unstable; urgency=medium

  * new upstream release. Some highlights:
   o changed command-line interface of smbget utility
   o improved winbindd logging
   o AD database prepared to FL 2016 standards for new domains
   o initial, partial implementation of AD FL 2012, 2012R2 and 2016
   o samba-tool support for silos, claims, sites and subnets
   o updated Heimdal import
   o other improvements and changes, see WHATSNEW.txt file for details.
  * d/patches: remove patches applied upstream, refresh patches
  * d/control: update talloc/tevent/tdb build-deps
  * d/smbclient.install: remove smbgetrc.5
  * d/patches: add ldb 2.7.1 & 2.7.2 ABI files
  * d/libldb2.symbols: add new symbols (ldb_val_as_*) and new version (2.8.0)
  * d/python3-ldb.symbols: remove unused versions, add new version
  * d/control: fix description of samba-common-bin (samba-client)
  * d/samba-common-bin.install: install samba-log-parser (for winbindd for now)


### Old Ubuntu Delta ###

samba (2:4.18.6+dfsg-1ubuntu2) mantic; urgency=medium

  * No-change rebuild with glusterfs 10.3 (LP: #2035127)

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Wed, 13 Sep 2023 09:57:01 -0300

samba (2:4.18.6+dfsg-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2031655, LP: #2031619). Remaining changes:
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
      + enable the liburing vfs module, except on i386 where liburing is
        not available
    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
      samba AD DC provisioning and domain join tests with internal DNS
      (LP #1977746, LP #2011745)
  * Dropped:
    - build-depend on libglusterfs-dev only on !i386 arches
      [In 2:4.18.5+dfsg-2]
    - Add changes to fix uncaught exception when updating old password
      containing regex metacharacters by simplifying samba-tool password
      redaction (LP #2002949).
      + d/p/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch
      + d/p/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch
      + d/p/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch
      + d/p/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch
      + d/p/python-Add-glue.burn_commandline-method.patch
      + d/p/python-Move-PyList_AsStringList-to-common-code-so-we.patch
      + d/p/python-Remove-const-from-PyList_AsStringList.patch
        [Fixed upstream in 4.18.6]
  * Added:
    - d/control: adjust breaks/replaces for file move that Debian did in
      4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
      file conflict in a dist-upgrade from earlier Ubuntu releases, like
      Kinetic (LP: #2024663)
    - d/rules: ceph is not available in Ubuntu i386, disable it

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Thu, 17 Aug 2023 09:52:00 -0300

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: needs-merge upgrade-software-version

** Changed in: samba (Ubuntu)
    Milestone: None => ubuntu-24.01

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2040363
