From patchwork Sat Dec 17 12:14:26 2022
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6310
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] samba: Update to version 4.17.4
Date: Sat, 17 Dec 2022 13:14:26 +0100
Message-Id: <20221217121427.3532488-7-adolf.belka@ipfire.org>
In-Reply-To: <20221217121427.3532488-1-adolf.belka@ipfire.org>
References: <20221217121427.3532488-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 4.17.3 to 4.17.4
- Update of rootfile (Only the x86_64 rootfile updated with this patch)
- Changelog
    Release Notes for Samba 4.17.4

    This is the latest stable release of the Samba 4.17 release series.
    It also contains security changes in order to address the following
    defects:

    o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
      RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft
      on Nov 8 2022.
      A Samba Active Directory DC will issue weak rc4-hmac session keys
      for use between modern clients and servers despite all modern
      Kerberos implementations supporting the aes256-cts-hmac-sha1-96
      cipher.
      On Samba Active Directory DCs and members 'kerberos encryption
      types = legacy' would force rc4-hmac as a client even if the server
      supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
      https://www.samba.org/samba/security/CVE-2022-37966.html

    o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos
      Elevation of Privilege Vulnerability disclosed by Microsoft on
      Nov 8 2022.
      A service account with the special constrained delegation
      permission could forge a more powerful ticket than the one it was
      presented with.
      https://www.samba.org/samba/security/CVE-2022-37967.html

    o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel
      uses the same algorithms as rc4-hmac cryptography in Kerberos, and
      so must also be assumed to be weak.
      https://www.samba.org/samba/security/CVE-2022-38023.html

    Note that there are several important behavior changes included in
    this release, which may cause compatibility problems interacting with
    systems still expecting the former behavior.
    Please read the advisories of CVE-2022-37966, CVE-2022-37967 and
    CVE-2022-38023 carefully!

    samba-tool got a new 'domain trust modify' subcommand

    This allows "msDS-SupportedEncryptionTypes" to be changed on
    trustedDomain objects. Even against remote DCs (including Windows)
    using the --local-dc-ipaddress= (and other --local-dc-* options).
    See 'samba-tool domain trust modify --help' for further details.

    smb.conf changes

      Parameter Name                                Description              Default
      --------------                                -----------              -------
      allow nt4 crypto                              Deprecated               no
      allow nt4 crypto:COMPUTERACCOUNT              New
      kdc default domain supported enctypes         New                      (see manpage)
      kdc supported enctypes                        New                      (see manpage)
      kdc force enable rc4 weak session keys        New                      No
      reject md5 clients                            New Default, Deprecated  Yes
      reject md5 servers                            New Default, Deprecated  Yes
      server schannel                               Deprecated               Yes
      server schannel require seal                  New, Deprecated          Yes
      server schannel require seal:COMPUTERACCOUNT  New
      winbind sealed pipes                          Deprecated               Yes

    Changes since 4.17.3

    o Jeremy Allison
      * BUG 15224: pam_winbind uses time_t and pointers assuming they are
        of the same size.

    o Andrew Bartlett
      * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
        user-controlled pointer in FAST.
      * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
        entry.
      * BUG 15237: CVE-2022-37966.
      * BUG 15258: filter-subunit is inefficient with large numbers of
        knownfails.

    o Ralph Boehme
      * BUG 15240: CVE-2022-38023.
      * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on
        directories.

    o Stefan Metzmacher
      * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes
        differs from Windows.
      * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not
        incremented atomically.
      * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer
        parsing vulnerability.
      * BUG 15206: libnet: change_password() doesn't work with
        dcerpc_samr_ChangePasswordUser4().
      * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
        entry.
      * BUG 15230: Memory leak in snprintf replacement functions.
      * BUG 15237: CVE-2022-37966.
      * BUG 15240: CVE-2022-38023.
      * BUG 15253: RODC doesn't reset badPwdCount reliably via an RWDC
        (CVE-2021-20251 regression).

    o Noel Power
      * BUG 15224: pam_winbind uses time_t and pointers assuming they are
        of the same size.

    o Anoop C S
      * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

    o Andreas Schneider
      * BUG 15237: CVE-2022-37966.
      * BUG 15243: %U for include directive doesn't work for share listing
        (netshareenum).
      * BUG 15257: Stack smashing in net offlinejoin requestodj.

    o Joseph Sutton
      * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
      * BUG 15219: Heimdal session key selection in AS-REQ examines wrong
        entry.
      * BUG 15231: CVE-2022-37967.
      * BUG 15237: CVE-2022-37966.

    o Nicolas Williams
      * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
        user-controlled pointer in FAST.

Signed-off-by: Adolf Belka
---
 config/rootfiles/packages/x86_64/samba | 1 +
 lfs/samba                              | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index e360fa494..5ce0c7ef5 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -508,6 +508,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/as_req_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/compatability_tests.py +#usr/lib/python3.10/site-packages/samba/tests/krb5/etype_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/fast_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/kcrypto.py #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_base_test.py diff --git a/lfs/samba b/lfs/samba index ee1d2be94..c73e3eb7f 100644 --- a/lfs/samba +++ b/lfs/samba @@ -24,7 +24,7 @@ include Config -VER = 4.17.3 +VER = 4.17.4 SUMMARY = A SMB/CIFS File, Print, and Authentication Server THISAPP = samba-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = samba -PAK_VER = 89 +PAK_VER = 90 DEPS = avahi cups libtirpc perl-Parse-Yapp perl-JSON @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = dfd8e09914aa3f7188e8672ea06aa0409b48931bad9e56e2b54af3145c1df1285ba71d2f6b166a84aaa27a539d8a1de30c9418b337d56b4ae8470ecfb6f44f01 +$(DL_FILE)_BLAKE2 = 2f95ef07530c11b3b46fd5dec3b44c926bc4c06871a2d9405c86a791d8e28d84649444f8147275fe425923eefc46ec49a903b71d21aaca379618ffbfce1dcd84 install : $(TARGET)
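Review bot: in the rootfile hunk, the new `+#usr/lib/python3.10/site-packages/samba/tests/krb5/etype_tests.py` line is commented out like its neighbouring krb5 test modules, so it only records the file in the tree and nothing new ships in the package; that is the right treatment for test code. The commit message says only the x86_64 rootfile is updated, so the same entry still has to go into the other architectures' rootfiles under config/rootfiles/packages/ before they fall out of step with the 4.17.4 source tree; please either include them or state in the commit message that a follow-up will.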
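Review bot: the `-$(DL_FILE)_BLAKE2 = ...` / `+$(DL_FILE)_BLAKE2 = ...` hunk in lfs/samba is the only integrity check the build applies to the tarball, and because `DL_FROM = $(URL_IPFIRE)` points at IPFire's own mirror rather than samba.org, the hash only proves that the mirror copy matches whatever the submitter hashed. Samba publishes a detached GPG signature for each release tarball; given that this update carries the fixes for CVE-2022-37966, CVE-2022-37967, CVE-2022-38023 and CVE-2022-44640, a line in the commit message saying the 4.17.4 tarball was verified against the Samba release signing key before the BLAKE2 was taken would let reviewers confirm the supply-chain step rather than assume it.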
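The CVE-2022-37966 note in the release notes above and the new 'samba-tool domain trust modify' subcommand both turn on what an account or trustedDomain object advertises in msDS-SupportedEncryptionTypes. The script below is an added example, not Samba's or IPFire's code and not part of the patch mail: it decodes that attribute's bitmask (bit values as Microsoft documents them for the attribute) and flags objects that offer no AES enctype, which is the check a DC administrator wants to run before and after rolling this update onto a Samba AD DC. The sample entries, their DNs and values are constructed for the example.

```python
"""Decode msDS-SupportedEncryptionTypes and flag objects that cannot
negotiate AES, the situation behind CVE-2022-37966.

Added example, not Samba or IPFire code. Bit values follow the
Microsoft-documented flag layout for the attribute; the entries in
SAMPLE below are constructed, not taken from a real directory.
"""

from typing import Dict, List, Optional

# Enctype bit flags of msDS-SupportedEncryptionTypes (assumed from
# Microsoft's documentation of the attribute; higher bits carry
# unrelated feature flags and are ignored here).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
    0x20: "aes256-cts-hmac-sha1-96-sk",
}
AES_MASK = 0x08 | 0x10 | 0x20
WEAK_MASK = 0x01 | 0x02 | 0x04


def decode_enctypes(value: Optional[int]) -> List[str]:
    """Names of the enctype bits set in value, lowest bit first.
    None (attribute absent) decodes to an empty list."""
    if value is None:
        return []
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def classify(value: Optional[int]) -> str:
    """'aes' if any AES enctype is offered, 'weak-only' if only DES/RC4
    bits are set, 'unset' if the attribute is absent or zero (the KDC's
    default then applies), 'unknown' if only non-enctype bits are set."""
    if not value:
        return "unset"
    if value & AES_MASK:
        return "aes"
    if value & WEAK_MASK:
        return "weak-only"
    return "unknown"


def audit(entries: Dict[str, Optional[int]]) -> Dict[str, str]:
    """Map each DN to its classification; feed this the attribute values
    read out of the directory (e.g. from ldbsearch output)."""
    return {dn: classify(value) for dn, value in entries.items()}


# Constructed sample of what a directory query might return.
SAMPLE: Dict[str, Optional[int]] = {
    "CN=FILESRV01,OU=Servers,DC=example,DC=test": 0x1C,  # rc4 + aes128 + aes256
    "CN=legacyapp,CN=Users,DC=example,DC=test": 0x04,    # rc4 only
    "CN=oldtrust,CN=System,DC=example,DC=test": None,    # attribute absent
    "CN=krbtgt,CN=Users,DC=example,DC=test": 0x18,       # aes128 + aes256
}

if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE).items():
        print(f"{verdict:9s} {dn} {decode_enctypes(SAMPLE[dn])}")
```

An absent attribute is not the same finding as an RC4-only one: for 'unset' objects the KDC's default decides, and this release makes that default configurable with the new 'kdc default domain supported enctypes' parameter listed in the smb.conf table, so those objects should be re-checked after the parameter is set.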