The situation is a mess. Upstream says that s3fs (the original smb code
from samba3) requires filesystem ACLs, which we don't have. The ntvfs
code (new in samba4, but now deprecated) fit the job, but
adding --with-ntvfs-fileserver doesn't actually provide a working 'smb'
service (see "server services" in smb.conf(5)).
So right now it seems that the workaround is to provision
using --use-ntvfs, but then to strip 'smb' from the 'server services'
line.
Reports welcome...
* CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
ok ajacoutot@, Ian McWilliam, sthen@ on a previous version. ok danj@
who noted missing entries in PLIST.
ok sthen@ Ian McWilliam
CVE-2015-5370 (Multiple errors in DCE-RPC code)
CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
CVE-2016-2112 (LDAP client and server don't enforce integrity)
CVE-2016-2113 (Missing TLS certificate validation)
CVE-2016-2114 ("server signing = mandatory" not enforced)
CVE-2016-2115 (SMB IPC traffic is not integrity protected)
CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
See https://www.samba.org/samba/history/samba-4.3.8.html for more
information.
i386 build by danj@, ok sthen@
The changelog between 4.1.23 and 4.3.6 is too big to be described here.
The point of updating now is that 4.1.x won't receive updates for the
freshly published security advisories. samba-4.3.8 will follow.
ChangeLog and descriptions of the relevant CVEs:
https://www.samba.org/samba/history/samba-4.1.22.html
This update changed the signature of a few functions in libsamba-util,
so bump the shlib major. Also update Ian's email address while here.
ok ajacoutot@
Upcoming commits will add additional tweaks.
Many thanks to Vadim Zhukov (who did most of the work), Ian McWilliam
(co-maintainer), Stuart Henderson who provided lots of support and
feedback, Antoine Jacoutot who patiently dealt with my broken diffs,
and more generally all the people involved. Most of the recent work was
done during p2k15 and c2k15.
which should all be started/stopped together), previously "restart" would
restart each sub-daemon in turn, but actually it should stop all daemons
and only then start them again. Additionally, as suggested by ajacoutot,
stop the procedure and return an error if stopping one of the rc scripts
failed. ok ajacoutot@ rpe@
CVE-2014-0244: malformed packet can cause nmbd to loop, preventing further
NetBIOS name service
CVE-2014-3493: smbd "crash involving overwriting memory on an
authenticated connection" (just classed as a DoS in release notes,
but that may be optimistic)
DCE-RPC fragment length field is incorrectly checked. CVE-2013-4408
ACLs are not checked on opening an alternate data stream on a file or directory. CVE-2013-4475
ok sthen@