Fixes for:
o CVE-2019-14902:
The implementation of ACL inheritance in the Samba AD DC was not complete,
and so absent a 'full-sync' replication, ACLs could get out of sync between
domain controllers.
o CVE-2019-14907:
When processing untrusted string input Samba can read past the end of the
allocated buffer when printing a "Conversion error" message to the logs.
o CVE-2019-19344:
During DNS zone scavenging (of expired dynamic entries) there is a read of
memory after it has been freed.
samba-4.10.10 and later fail to link on ld.bfd archs. Revert until
someone(tm) tracks down the problem.
Errors look like:
/usr/bin/ld: BFD 2.17 internal error, aborting at
/usr/src/gnu/usr.bin/binutils-2.17/bfd/elfcode.h line 190 in void
bfd_elf64_swap_symbol_in(bfd *, const void *, const void *,
Elf_Internal_Sym *)
/usr/bin/ld:
/pobj/samba-4.10.10/samba-4.10.10/bin/default/lib/param/libserver-role-samba4.so:
invalid string offset 3755991007 >= 625 for section `.dynstr'
3755991007 is 0xDFDFDFDF is likely already freed memory.
build failures:
http://build-failures.rhaalovely.net/sparc64/2019-12-11/net/samba,.loghttp://build-failures.rhaalovely.net/mips64/2019-12-06/net/samba,,-ldb.log
Fixes:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol
transition on Samba AD DC.
Fixes for:
o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the
full password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC
LDAP server via dirsync.
Release notes for 4.9.14 and 4.9.15:
https://www.samba.org/samba/history/samba-4.9.14.htmlhttps://www.samba.org/samba/history/samba-4.9.15.html
Tested by and ok gonzalo@
download.samba.org now rejects the HTTP/1.0 requests sent by our ftp(1).
Changing ftp(1) now is asking for trouble so work around it.
distfiles hosting courtesy of kmos@, thanks!
4.8.x is not supported upstream any more, so better update before 6.6 is
tagged if we want to benefit from upstream's security updates.
To stay on the safe side, this update doesn't enable the LMDB backend
which has become the default upstream. samba requires a 64 bits system
to use LMDB (32 bits systems can keep on using tdb); and LMDB has always
been a problem child on OpenBSD anyway.
Lightly tested by me, bulk build test and ok ajacoutot@ (thanks!)
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
It's not clear to me whether lld rightfully complains here:
ld: error: duplicate symbol 'pdb_search_init' in version script
Work around the error for now (tm) to unlock samba and consumers in the
llvm-7.0.1 test bulk builds.
Fixes for:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in
AD Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT
Kerberos configuration (unsupported))
Fixes:
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC
DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure
from the AD LDAP server.)
See https://www.samba.org/samba/history/samba-4.8.4.html for more
information.
o CVE-2018-1050 (Denial of Service Attack on external print server.)
o CVE-2018-1057 (Authenticated users can change other users' password.)
If you have an AD setup, you are *strongly* advised to upgrade asap
and/or apply the documented workarounds.
More details at
https://www.samba.org/samba/history/samba-4.7.6.html
o CVE-2017-12150 (SMB1/2/3 connections may not require signing where
they should)
o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS
redirects)
o CVE-2017-12163 (Server memory information leak over SMB1)
