mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
808afc79cc
Signed-off-by: Jule Anger <janger@samba.org>
                   ===============================
                   Release Notes for Samba 4.14.11
                          December 15, 2021
                   ===============================


This is the latest stable release of the Samba 4.14 release series.

Important Notes
===============

There have been a few regressions in the security release 4.14.10:

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ!
  The instructions have been updated and some workarounds
  initially advised for 4.14.10 are no longer required and
  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
  un-deletable. While this release should fix this bug, it is
  advised to have a look at the bug report for more detailed
  information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.14.10
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14878: Recursive directory delete with veto files is broken.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by
     SMB2 alone when they are the only entry in the directory.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14694: Ensure that the LDB request has not timed out during filter
     processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
     un-deletable.

o  Ralph Boehme <slow@samba.org>
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
     broken.
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
     smbd_smb2_ioctl_send.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14694: Ensure that the LDB request has not timed out during filter
     processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------
                   ===============================
                   Release Notes for Samba 4.14.10
                          November 9, 2021
                   ===============================


This is a security release in order to address the following defects:

o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
  authentication.
  https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
  by an RODC.
  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
  tickets.
  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
  (eg objectSid).
  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
  checking of data stored.
  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738: Use after free in Samba AD DC RPC server.
  https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
  https://www.samba.org/samba/security/CVE-2021-23192.html


Changes since 4.14.9
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * CVE-2020-25722

o  Andrew Bartlett <abartlet@samba.org>
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722

o  Ralph Boehme <slow@samba.org>
   * CVE-2020-25717

o  Alexander Bokovoy <ab@samba.org>
   * CVE-2020-25717

o  Samuel Cabrero <scabrero@samba.org>
   * CVE-2020-25717

o  Nadezhda Ivanova <nivanova@symas.com>
   * CVE-2020-25722

o  Stefan Metzmacher <metze@samba.org>
   * CVE-2016-2124
   * CVE-2020-25717
   * CVE-2020-25719
   * CVE-2020-25722
   * CVE-2021-23192
   * CVE-2021-3738
   * ldb: version 2.3.2

o  Andreas Schneider <asn@samba.org>
   * CVE-2020-25719

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * CVE-2020-17049
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722
   * MS CVE-2020-17049


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.9
                          October 27, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.8
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Ralph Boehme <slow@samba.org>
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni <viktor@twosigma.com>
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard <lukeh@padl.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider <asn@samba.org>
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------

                   ==============================
                   Release Notes for Samba 4.14.8
                          October 05, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.7
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14742: Python ldb.msg_diff() memory handling failure.
   * BUG 14805: OpenDir() loses the correct errno return.
   * BUG 14809: Shares with variable substitutions cause core dump upon
     connection from MacOS Big Sur 11.5.2.
   * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
     build.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14806: Address a significant performance regression in database access
     in the AD DC since Samba 4.12.
   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
     Samba 4.9 by using an explicit database handle cache.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
   * BUG 14819: Address flapping dsdb_schema_attributes test.
   * BUG 14841: Samba CI runs can now continue past the first error if
     AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.

o  Ralph Boehme <slow@samba.org>
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
   * BUG 14787: net conf list crashes when run as normal user.
   * BUG 14790: vfs_btrfs compression support broken.
   * BUG 14804: winbindd can crash because idmap child state is not fully
     initialized.

o  Luke Howard <lukeh@padl.com>
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Volker Lendecke <vl@samba.org>
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Andreas Schneider <asn@samba.org>
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14784: Fix CTDB flag/status update race conditions.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.14.7
                          August 24, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.6
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14769: smbd panic on force-close share during offload write.

o  Ralph Boehme <slow@samba.org>
   * BUG 12033: smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK.
   * BUG 14731: Fix returned attributes on fake quota file handle and avoid
     hitting the VFS.
   * BUG 14756: vfs_shadow_copy2 fix inodes not correctly updating inode
     numbers.

o  David Gajewski <dgajews@math.utoledo.edu>
   * BUG 14774: Fix build on Solaris.

o  Björn Jacke <bj@sernet.de>
   * BUG 14654: Make dos attributes available for unreadable files.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
     7.3.7.
   * BUG 14793: Start the SMB encryption as soon as possible.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.6
                           July 13, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.5
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14722: s3: lib: Fix talloc hierarchy error in parent_smb_fname().
   * BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
   * BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
     change_file_owner_to_parent() error path.

o  Ralph Boehme <slow@samba.org>
   * BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
     glusterfs VFS module.
   * BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: protect
     smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
     backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
     restoring a backup.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.14.5
                           June 01, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.4
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
     Windows ACL for directory handles.
   * BUG 14721: s3: smbd: Fix uninitialized memory read in
     process_symlink_open() when used with vfs_shadow_copy2().

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14689: docs: Expand the "log level" docs on audit logging.

o  Ralph Boehme <slow@samba.org>
   * BUG 14714: smbd: Correctly initialize close timestamp fields.

o  Günther Deschner <gd@samba.org>
   * BUG 14699: Fix gcc11 compiler issues.

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 14718: docs-xml: Update smbcacls manpage.
   * BUG 14719: docs: Update list of available commands in rpcclient.

o  Volker Lendecke <vl@samba.org>
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Andreas Schneider <asn@samba.org>
   * BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
     set.
   * BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.4
                           April 29, 2021
                   ==============================


This is a security release in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


=======
Details
=======

o CVE-2021-20254:
  The Samba smbd file server must map Windows group identities (SIDs) into unix
  group ids (gids). The code that performs this had a flaw that could allow it
  to read data beyond the end of the array in the case where a negative cache
  entry had been added to the mapping cache. This could cause the calling code
  to return those values into the process token that stores the group
  membership for a user.

  Most commonly this flaw caused the calling code to crash, but an alert user
  (Peter Eriksson, IT Department, Linköping University) found this flaw by
  noticing an unprivileged user was able to delete a file within a network
  share that they should have been disallowed access to.

  Analysis of the code paths has not allowed us to discover a way for a
  remote user to be able to trigger this flaw reproducibly or on demand,
  but this CVE has been issued out of an abundance of caution.


Changes since 4.14.3
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.3
                           April 20, 2021
                   ==============================


This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.2
--------------------

o  Trever L. Adams <trever.adams@gmail.com>
   * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
     vfs_virusfilter_openat.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14586: build: Notice if flex is missing at configure time.

o  Ralph Boehme <slow@samba.org>
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server.
   * BUG 14679: s3: smbd: fix deferred renames.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke <vl@samba.org>
   * BUG 14675: Fix memory leak in the RPC server.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.

o  David Mulder <dmulder@suse.com>
   * BUG 14665: samba-gpupdate: Test that sysvol paths download in
     case-insensitive way.

o  Sachin Prabhu <sprabhu@redhat.com>
   * BUG 14662: smbd: Ensure errno is preserved across fsp destructor.

o  Christof Schmitt <cs@samba.org>
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
     conflict.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14288: build: Only add -Wl,--as-needed when supported.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.2
                           March 24, 2021
                   ==============================


This is a follow-up release to depend on the correct ldb version. This is only
needed when building against a system ldb library.

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


=======
Details
=======

o CVE-2020-27840:
  An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
  crafted DNs as part of a bind request. More serious heap corruption is likely
  also possible.

o CVE-2021-20277:
  User-controlled LDAP filter strings against the AD DC LDAP server may crash
  the LDAP server.

For more details, please refer to the security advisories.


Changes since 4.14.1
--------------------

o Release with dependency on ldb version 2.3.0.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.14.1
                           March 24, 2021
                   ==============================


This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


=======
Details
=======

o CVE-2020-27840:
  An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
  crafted DNs as part of a bind request. More serious heap corruption is likely
  also possible.

o CVE-2021-20277:
  User-controlled LDAP filter strings against the AD DC LDAP server may crash
  the LDAP server.

For more details, please refer to the security advisories.


Changes since 4.14.0
--------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
     bad DNs.
   * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


==============================
|
|
Release Notes for Samba 4.14.0
|
|
March 09, 2021
|
|
==============================
|
|
|
|
|
|
This is the first stable release of the Samba 4.14 release series.
|
|
Please read the release notes carefully before upgrading.


New GPG key
===========

The GPG release key for Samba releases changed from:

pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
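
Added example (not part of the Samba release notes or Samba's own tooling): a shell check that pins the signer of a downloaded release to the new key's fingerprint by parsing gpg's `--status-fd` output rather than trusting the human-readable "Good signature" text. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary key fingerprints copied from the release notes, spaces removed.
NEW_KEY_FPR=81F5E2832BD2545A1897B713AA99442FB680B620
OLD_KEY_FPR=52FBC0B86D954B0843324CDC6F33915B6568B7EA

# signer_status reads the status lines written by
#   gpg --status-fd 1 --verify <signature> <file>
# and prints one of: new-key, old-key, unknown-key, rejected-signature,
# no-valid-signature. (Function name is hypothetical, not a Samba tool.)
signer_status() {
    awk -v new="$NEW_KEY_FPR" -v old="$OLD_KEY_FPR" '
        # Bad, unverifiable or expired signatures, and expired or revoked keys.
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG means the signature verified. Field 12 is the primary key
        # fingerprint (field 3 may be a signing subkey); fail closed if absent.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            seen = 1
            fpr = (NF >= 12) ? toupper($12) : ""
            if (fpr == new)      n_new++
            else if (fpr == old) n_old++
            else                 n_unknown++
        }
        END {
            if (bad)            print "rejected-signature"
            else if (!seen)     print "no-valid-signature"
            else if (n_unknown) print "unknown-key"
            else if (n_old)     print "old-key"
            else                print "new-key"
        }'
}

# accept_release succeeds only if every valid signature is from the new key.
accept_release() {
    [ "$(signer_status)" = "new-key" ]
}

# Constructed status output (timestamps are made up) for three cases.
SAMPLE_NEW="[GNUPG:] GOODSIG AA99442FB680B620 Samba Distribution Verification Key <samba-bugs@samba.org>
[GNUPG:] VALIDSIG $NEW_KEY_FPR 2021-03-09 1615248000 0 4 0 1 10 00 $NEW_KEY_FPR"
SAMPLE_OLD="[GNUPG:] VALIDSIG $OLD_KEY_FPR 2021-03-09 1615248000 0 4 0 17 2 00 $OLD_KEY_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG AA99442FB680B620 Samba Distribution Verification Key <samba-bugs@samba.org>"

for s in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | signer_status
done
```

A signature from the old DSA key is reported separately as `old-key` so that it can be investigated rather than silently accepted for a release made after the key change.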


NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.
--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major milestone with
the next release, Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit <https://wiki.samba.org/index.php/The_New_VFS>.

Printing
--------

Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
-------------------

This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.

Python 3.6 or later required
----------------------------

Samba's minimum runtime requirement for Python was raised to Python
3.6 with Samba 4.13. Samba 4.14 raises the minimum version needed to
build Samba to Python 3.6 as well. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes
--------------------------------

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.

Users, groups and contacts can now be renamed with the respective rename
commands.

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).


CTDB CHANGES
============

* The NAT gateway and LVS features now use the term "leader" to refer
  to the main node in a group through which traffic is routed and
  "follower" for other members of a group. The command for
  determining the leader has changed to "ctdb natgw leader" (from
  "ctdb natgw master"). The configuration keyword for indicating that
  a node cannot be the leader of a group has changed to
  "follower-only" (from "slave-only"). Identical changes were made
  for LVS.

* Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's
  scripts and can be checked by users with "ctdb pnn" and "ctdb
  recmaster".


smb.conf changes
================

  Parameter Name                     Description     Default
  --------------                     -----------     -------
  smb encrypt                        Removed
  async dns timeout                  New             10
  client smb encrypt                 New             default
  honor change notify privilege      New             No
  smbd force process locks           New             No
  server smb encrypt                 New             default


CHANGES SINCE 4.14.0rc4
=======================

o Trever L. Adams <trever.adams@gmail.com>
   * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
     start-up failure.

o Peter Eriksson <pen@lysator.liu.se>
   * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
     path.

o Volker Lendecke <vl@samba.org>
   * BUG 14636: g_lock: Fix uninitialized variable reads.


CHANGES SINCE 4.14.0rc3
=======================

o Jeremy Allison <jra@samba.org>
   * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
     force a full reload of services.

o Andrew Bartlett <abartlet@samba.org>
   * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
     expired tombstones.

o Ralph Boehme <slow@samba.org>
   * BUG 14619: vfs: Restore platform specific POSIX sys_acl_set_file()
     functions.
   * BUG 14620: Fix the build on AIX.
   * BUG 14629: smbd: Don't overwrite _mode if neither a msdfs symlink nor
     get_dosmode is requested.
   * BUG 14635: Fix printer driver upload.


CHANGES SINCE 4.14.0rc2
=======================

o Björn Jacke <bj@sernet.de>
   * BUG 14624: classicupgrade: Treat old never expires value right.

o Stefan Metzmacher <metze@samba.org>
   * BUG 13898: s3:pysmbd: fix fd leak in py_smbd_create_file().

o Andreas Schneider <asn@samba.org>
   * BUG 14625: Fix smbd share mode double free crash.

o Paul Wise <pabs3@bonedaddy.net>
   * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.


CHANGES SINCE 4.14.0rc1
=======================

o Jeremy Allison <jra@samba.org>
   * BUG 13992: Fix SAMBA RPC share error.

o Ralph Boehme <slow@samba.org>
   * BUG 14602: "winbind:ignore domains" doesn't prevent user login from trusted
     domain.
   * BUG 14617: smbd tries to delete files with wrong permissions (uses guest
     instead of user from force user =).

o Stefan Metzmacher <metze@samba.org>
   * BUG 14539: s3:idmap_hash: Reliably return ID_TYPE_BOTH.

o Andreas Schneider <asn@samba.org>
   * BUG 14627: s3:smbd: Fix invalid memory access in
     posix_sys_acl_blob_get_fd().


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.14#Release_blocking_bugs