Latest release. Many bugs have been fixed, including possibly
security-relevant ones. This long overdue update has been postponed because of
binutils-2.17 ld(1) bugs in version scripts handling. The issue is not
fixed but at least worked around.
The SHARED_LIBS handling is a bit ugly because of the .cpython-XY tag added
to some library names.
Tests by Ian (co-maintainer)
When missing, samba builds pytdb support using its bundled copy of tdb,
and installs it in WRKINST, as shown by update-plist. samba runs fine
with the py-tdb package registered in its RUN_DEPENDS, but this is not
what was intended. Consistently use libtdb and py-tdb from databases/tdb.
Broken since ~2018 on clang+ld.lld archs, no analysis and no diff to fix
it, so it's time to send it to the Attic. Support for AD DC mode can't
be optimal anyway, with the deprecation of the ntvfs server code and our
lack of xattrs/ACLs.
"Fine by me" Ian
if a port needs 2.x then set MODPY_VERSION=${MODPY_DEFAULT_VERSION_2}.
This commit doesn't change any versions currently used; it may be that
some ports have MODPY_DEFAULT_VERSION_2 but don't require it, those
should be cleaned up in the course of updating ports where possible.
Python module ports providing py3-* packages should still use
FLAVOR=python3 so that we don't have a mixture of dependencies some
using ${MODPY_FLAVOR} and others not.
(which is not) throughout the ports Makefiles.
* Replace find|xargs with find -exec {} +
* Replace -exec {} \; with -exec {} + if applicable.
* Use the -delete operator to remove files and empty directories.
* Combine and tweak some find(1) invocations while here.
ok kn@ rsadowski@ espie@
Fixes for:
o CVE-2019-14902:
The implementation of ACL inheritance in the Samba AD DC was not complete,
and so absent a 'full-sync' replication, ACLs could get out of sync between
domain controllers.
o CVE-2019-14907:
When processing untrusted string input Samba can read past the end of the
allocated buffer when printing a "Conversion error" message to the logs.
o CVE-2019-19344:
During DNS zone scavenging (of expired dynamic entries) there is a read of
memory after it has been freed.
samba-4.10.10 and later fail to link on ld.bfd archs. Revert until
someone(tm) tracks down the problem.
Errors look like:
/usr/bin/ld: BFD 2.17 internal error, aborting at
/usr/src/gnu/usr.bin/binutils-2.17/bfd/elfcode.h line 190 in void
bfd_elf64_swap_symbol_in(bfd *, const void *, const void *,
Elf_Internal_Sym *)
/usr/bin/ld:
/pobj/samba-4.10.10/samba-4.10.10/bin/default/lib/param/libserver-role-samba4.so:
invalid string offset 3755991007 >= 625 for section `.dynstr'
3755991007 is 0xDFDFDFDF, which is likely already freed memory.
build failures:
http://build-failures.rhaalovely.net/sparc64/2019-12-11/net/samba,.log
http://build-failures.rhaalovely.net/mips64/2019-12-06/net/samba,,-ldb.log
Fixes:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol
transition on Samba AD DC.
Fixes for:
o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the
full password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC
LDAP server via dirsync.
Release notes for 4.9.14 and 4.9.15:
https://www.samba.org/samba/history/samba-4.9.14.html
https://www.samba.org/samba/history/samba-4.9.15.html
Tested by and ok gonzalo@
download.samba.org now rejects the HTTP/1.0 requests sent by our ftp(1).
Changing ftp(1) now is asking for trouble so work around it.
distfiles hosting courtesy of kmos@, thanks!
4.8.x is not supported upstream any more, so better update before 6.6 is
tagged if we want to benefit from upstream's security updates.
To stay on the safe side, this update doesn't enable the LMDB backend
which has become the default upstream. samba requires a 64-bit system
to use LMDB (32-bit systems can keep on using tdb); and LMDB has always
been a problem child on OpenBSD anyway.
Lightly tested by me, bulk build test and ok ajacoutot@ (thanks!)
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
It's not clear to me whether lld rightfully complains here:
ld: error: duplicate symbol 'pdb_search_init' in version script
Work around the error for now (tm) to unlock samba and consumers in the
llvm-7.0.1 test bulk builds.
Fixes for:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in
AD Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT
Kerberos configuration (unsupported))
Fixes:
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC
DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure
from the AD LDAP server.)
See https://www.samba.org/samba/history/samba-4.8.4.html for more
information.