path: root/meta-networking/recipes-connectivity/samba
Age | Commit message | Author
2020-08-23 | samba: upgrade 4.10.15 -> 4.10.17 | Yi Zhao
    This is a security release in order to address the following defects:

    CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results.
    CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU
    CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV.
    CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

    Also backport 3 patches to fix build error with musl.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit 1609df11530ebb73de863d0c705e16107015dbe3)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-30 | samba: Fix conflicts with nss.h from glibc | Khem Raj
    This is seen with glibc 2.32 where these names are also defined

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit 5cf2665446f3fdc16b484c64afffaa0ac8373a35)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-20 | samba: upgrade 4.10.13 -> 4.10.15 | Yi Zhao
    This is a security release in order to address the following defects:

    CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
    CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    (cherry picked from commit a41c021cfb11418f1a32e49be0716b00b5234210)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-04-29 | samba: Remove the dependency on libbsd | Peter Kjellerstedt
    It is unnecessary, and libbsd uses the "BSD-4-Clause" license, which can be problematic. To make it deterministic, a patch is introduced to allow libbsd support to be disabled. It resembles similar patches in, e.g., libldb, libtalloc, libtdb and libtevent.

    Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-02-13 | samba: upgrade 4.10.11 -> 4.10.13 | Yi Zhao
    Changelog: https://www.samba.org/samba/history/samba-4.10.13.html

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-01-06 | samba: upgrade 4.10.10 -> 4.10.11 | Yi Zhao
    Security fixes:

    CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server (dnsserver).
    CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC.

    See: https://www.samba.org/samba/history/samba-4.10.11.html

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-12-25 | samba: disable guest access and anonymous queries | Trevor Gamblin
    Guest accounts for Samba are a known potential vulnerability (see https://www.tenable.com/plugins/nessus/26919) where info about the host can be obtained without proper access. The option "map to guest = bad user" allows login attempts with usernames that don't exist to map to the guest account, while the "restrict anonymous" value (implicitly set to 0 before this patch) would allow any queries to obtain user and group list information.

    Raise the default security level by setting "restrict anonymous" to "1" and "map to guest" to "never" to avoid providing user/group info to unauthenticated users and reject login attempts with an invalid password, respectively.

    Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-12-13 | samba: fix wrong shebang for python3 | Changqing Li
    fix wrong shebang "#!/usr/bin/env python3/"

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-21 | recipes: rename distro_features_check to features_check | Denys Dmytriyenko
    Avoid warning due to the class rename in OE-Core.

    Signed-off-by: Denys Dmytriyenko <denys@ti.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-07 | samba: upgrade 4.10.8 -> 4.10.10 | Yi Zhao
    Security fixes:

    CVE-2019-10218: Client code can return filenames containing path separators.
    CVE-2019-14833: Samba AD DC check password script does not receive the full password.
    CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync.

    See: https://www.samba.org/samba/history/samba-4.10.10.html

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-07 | samba: fix installation for minimal build | Andreas Oberritter
    | chmod: cannot access '.../image/etc/sudoers.d': No such file or directory
    | sed: can't read .../image/usr/bin/samba-tool: No such file or directory

    Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-09-17 | samba: upgrade 4.10.7 -> 4.10.8 | Yi Zhao
    Security fixes:

    CVE-2019-10197: Combination of parameters and permissions can allow user to escape from the share path definition.

    See: https://www.samba.org/samba/history/samba-4.10.8.html

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-09-07 | samba: Fix configure tests to work with clang | Khem Raj
    Do not use nested functions ( main inside main )
    Use global scope for __thread variables

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-08-29 | samba: upgrade 4.10.6 -> 4.10.7 | Yi Zhao
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-07-21 | samba: upgrade 4.10.5 -> 4.10.6 | Yi Zhao
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-07-10 | samba: upgrade 4.8.12 -> 4.10.5 | Changqing Li
    1. switch to python3, from 4.10.x, samba supports both python2 and python3, and from 4.11.x, python2 will be dropped.
    2. fix cross-compile problem caused by waf
    3. disable lmdb
    4. refresh patch

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-06-15 | samba: Upgrade 4.8.11 -> 4.8.12 | Adrian Bunk
    The only change is the fix for CVE-2018-16860.

    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-29 | samba/libldb: add rconflicts | Changqing Li
    samba has bundled libldb, so when both samba and libldb, or both pyldb \
    and samba-python are installed, the error below will appear:

    file /usr/bin/ldbadd conflicts between attempted installs of samba-4.8.11-r0.i586 and libldb-1.4.1-r0.i586
    file /usr/bin/ldbdel conflicts between attempted installs of samba-4.8.11-r0.i586 and libldb-1.4.1-r0.i586
    ...
    file /usr/lib/python2.7/site-packages/ldb.so conflicts between attempted installs of libpyldb-util1-1.4.1-r0.i586 and samba-python-4.8.11-r0.i586

    so add rconflicts for both packages

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-09 | samba: update to 4.8.11 | Johannes Pointner
    * This includes security fixes that address the following defects:
      CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server)
      CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
      CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
      CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported))
      CVE-2019-3880 (Save registry file outside share as unprivileged user)
    * Upstreamed patch removed: 0001-ldb-Refuse-to-build-Samba-against-a-newer-minor-vers.patch
    * Extended PACKAGECONFIG ad-dc to be able to build MIT Kerberos see https://bugzilla.samba.org/show_bug.cgi?id=13678

    Signed-off-by: Johannes Pointner <johannes.pointner@br-automation.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-04-30 | samba: add PACKAGECONFIG for libunwind | Wenlin Kang
    Add libunwind switch, this makes it have a chance to compile codes which are conditioned by "HAVE_LIBUNWIND_H"

    Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-04-27 | samba: rework localstatedir package split | Andreas Müller
    Now that we can install smbclient without samba package e.g for gvfs there are complaints:

    | gvsd: mkdir failed on directory /var/lib/samba: Permission denied

    and browsing Windows network does not work anymore

    Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-04-27 | samba: install bundled libs into separate packages | Andreas Müller
    Otherwise bundled libraries find their way into samba -> that causes several packages to rdepend on samba package -> samba package rdepends on samba-base (and others) installing daemons smbd & nmbd autostarted by default.

    This is unwanted / not necessary:
    * NetBIOS (nmbd) can cause security problems
    * slow boot: times reported by systemd-analyse reduced from ~16s -> ~8s

    Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-13 | meta-networking: remove True option to getVar calls (again) | André Draszik
    A couple have still been missed in the past despite multiple attempts at doing so (or simply have re-appeared?).

    Search & replace made using the following command:

        sed -e 's|\(d\.getVar \?\)( \?\([^,()]*\), \?True)|\1(\2)|g' \
            -i $(git grep -E 'getVar ?\( ?([^,()]*), ?True\)' \
                     | cut -d':' -f1 \
                     | sort -u)

    Signed-off-by: André Draszik <andre.draszik@jci.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-12-12 | samba: fix build on qemumips64 with musl | Andrea Adami
    There is the same issue as for libldb, the header has conflicting defs for uintptr_t. Fix it as done for the other recipe.

    Fix

    /cmocka/cmocka.h:126:28: error: conflicting types for 'uintptr_t'
     typedef unsigned int uintptr_t;
                          ^~~~~~~~~

    Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-08-21 | samba: upgrade 4.8.3 -> 4.8.4 | Yi Zhao
    Security fixes:

    CVE-2018-1139 (Weak authentication protocol allowed.)
    CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
    CVE-2018-10858 (Insufficient input validation on client directory listing in libsmbclient.)
    CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
    CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP server.)

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-07-30 | samba: Update to 4.8.3 | Khem Raj
    LDB 1.4.0 breaks Samba < 4.9 therefore use internal version

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-07-21 | samba: Delete remain of LSB. | leimaohui
    Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-07-03 | samba: upgrade 4.7.6 -> 4.7.8 | Yi Zhao
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-06-14 | samba: add dynamic packages regexp for auth and pdb modules | Rémi Rérolle
    Since those modules are dynamically split into sub-packages, they need a regexp added to PACKAGES_DYNAMIC in order for the samba recipe to RPROVIDE those packages.

    Without that, those packages are only known as RRECOMMENDS for samba-base, which can be an issue when building an image with NO_RECOMMENDATIONS = "1".

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-05-31 | Fixed an install error in Samba with LSB distros | Pablo Saavedra
    An error in the Samba installation occurs with distros LSB:

      install: cannot stat 'packaging/LSB/samba.sh': No such file or directory
      exit 1 from 'install -m 0755 packaging/LSB/samba.sh

    LSB packaging directory was removed in Samba 4.7:

      commit 0a23cde8efea06f81c6d34227b71dab627cc87b9
      Author: Andreas Schneider <asn@samba.org>
      Date: Tue May 9 15:48:09 2017 +0200

          packaging: Remove LSB packaging

          This hasn't been touched since 2001.

          Signed-off-by: Andreas Schneider <asn@samba.org>
          Reviewed-by: David Disseldorp <ddiss@samba.org>

    This patch removes the conditional 'if' and uses always compatible sysv script.

    Signed-off-by: Pablo Saavedra <psaavedra@igalia.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-04-13 | samba: refresh patches | Andreas Müller
    For 16-do-not-check-xsltproc-manpages.patch devtool created a heavy monster

    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-04-09 | samba: update to 4.7.6 | Johannes Pointner
    This includes security fixes that address the following defects:
    CVE-2018-1050 (Denial of Service Attack on external print server.)
    CVE-2018-1057 (Authenticated users can change other users' password.)

    * Detail release note:
      - https://www.samba.org/samba/history/samba-4.7.6.html

    Signed-off-by: Johannes Pointner <johannes.pointner@br-automation.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-04-06 | samba: update to 4.7.5 | Johannes Pointner
    This includes security fixes that address the following defects:
    CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
    CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

    * Detail release note:
      - https://www.samba.org/samba/history/samba-4.7.5.html

    Signed-off-by: Johannes Pointner <johannes.pointner@br-automation.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-04-04 | samba: Refresh musl pam patch | Khem Raj
    last update left the musl builds broken since the patch was not forward ported

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-03-05 | samba: Add packagegroup | Zheng Ruoqin
    Add packagegroup for samba, for there are too many rpms in samba and it's hard to manage.

    Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-03-05 | samba, openwsman, pam-ssh-agent-auth, sblim-sfcb, passwdqc, python-pam, smbnetfs: require pam in DISTRO_FEATURES | Martin Jansa
    * there is explicit dependency on libpam without respecting pam in DISTRO_FEATURES so add the check to prevent people building it against broken libpam

    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-02-01 | recipes: use oe.utils.conditional instead of deprecated base_conditional | Martin Jansa
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2018-01-08 | samba: move to version 4.7.0 | Joe Slater
    ad-dc code is built and krb5 is used.

    If booting using systemd, 'nmb' and 'smb' are started. 'samba' is not.

    Signed-off-by: Joe Slater <jslater@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-01-08 | Revert "samba: add missing RDEPENDS" | Armin Kuster
    this slipped in. it should not have been merged to master

    This reverts commit 9245c2a7ec30ba5df6826acd91d7a76d7f51d017.

    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-11-15 | samba: add missing RDEPENDS | Jackie Huang
    * samba-tool requires the python modules from samba-python or it fails with:
      Traceback (most recent call last):
        File "/usr/bin/samba-tool", line 33, in <module>
          from samba.netcmd.main import cmd_sambatool
      ImportError: No module named samba.netcmd.main

    * Provisioning with samba-tool requires samba-dsdb-modules or it fails with:
      Setting up secrets.ldb
      ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
      WARNING: Module [samba_secrets] not found - do you need to set LDB_MODULES_PATH?
      Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
      ERROR(ldb): uncaught exception - None

    * samba-python requires pytalloc and python-tdb or it fails with:
      TypeError: pytalloc: unable to get talloc.BaseObject type
      ERROR(<type 'exceptions.ImportError'>): uncaught exception - No module named tdb

    Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-22 | samba: Add HOMEPAGE info into recipe file. | Huang Qiyu
    Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-09-12 | samba: 4.6.5 -> 4.6.7 | Kai Kang
    Upgrade samba from 4.6.5 to 4.6.7 to fix CVE-2017-11103.

    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-06-28 | samba: upgrade to 4.6.5 | Johannes Pointner
    This includes a security fix that addresses the following defect:
    CVE-2017-7494 (Remote code execution from a writable share)

    * Detail release note:
      - https://www.samba.org/samba/history/samba-4.6.5.html
    * Remove 00-fix-typos-in-man-pages.patch which has been fixed upstream a long time ago

    Signed-off-by: Johannes Pointner <johannes.pointner@br-automation.com>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-06-28 | samba: Fix build with musl | Khem Raj
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-04-25 | samba: Upgrade to 4.6.2 | Khem Raj
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-04-25 | samba: fix conflict between samba and sudo packages | Szombathelyi György
    Use the same permissions for sudoers.d as in the sudo package.

    Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-03-24 | samba: update tevent_internal.h | Szombathelyi György
    Update the tevent_internal.h file to the same version as the current OpenEmbedded recipe version, otherwise nmbd will segfault immediately at start, and strange crashes occur with smbd. Samba uses this internal libtevent header file, and it is crucial to match this file to the external libtevent.

    Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-03-07 | Make use of the new bb.utils.filter() function | Peter Kjellerstedt
    Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2017-02-24 | Revert "Samba: use built-in libtevent" | Joe MacDonald
    This reverts commit cd366899ed6f0f07d643fd4e54c1ccb91540fc23.

    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-02-22 | Samba: use built-in libtevent | Szombathelyi György
    Since Samba uses libtevent-internal.h in some places, it is incompatible with external libtevent versions if they're not the same as the built-in, and just crashes.

    Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>