- Update from version 4.17.5 to 4.18.1 - Update of rootfile some libraries now use x86-64 instead of x86_64 but most are still left with x86_64 Good thing that we create a separate version of the rootfile for each architecture because it is no longer just the arm version that is unique but also the x86_64 one. - Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability. As SMB1 is insecure and has known exploits including ransomeware based ones it seems reasonable to build samba without SMB1 server capability for use on a firewall. The option to build wiythout SMB1 server capability has been added to the LFS file. - Changelog Release Notes for Samba 4.18.1 This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html * BUG 15276: CVE-2023-0225. * BUG 15270: CVE-2023-0614. * BUG 15331: ldb wildcard matching makes excessive allocations. * BUG 15332: large_ldap test is inefficient. * BUG 15315: CVE-2023-0922. * BUG 15270: CVE-2023-0614. * BUG 15276: CVE-2023-0225. Release Notes for Samba 4.18.0 NEW FEATURES/CHANGES SMB Server performance improvements The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads. While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again. More succinct samba-tool error messages Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include: * a username or password is incorrect * an ldb database filename is wrong (including in smb.conf) * samba-tool dns: various zones or records do not exist * samba-tool ntacl: certain files are missing * the network seems to be down * bad --realm or --debug arguments Accessing the old samba-tool messages This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org. Colour output with samba-tool --color For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal. Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly. * samba-tool drs showrepl: default is now 'auto', not 'no' * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages. New samba-tool dsacl subcommand for deleting ACES The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added. No colour with NO_COLOR environment variable With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR. New wbinfo option --change-secret-at The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER> which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs. New option to change the NT ACL default location Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content. Azure Active Directory / Office365 synchronisation improvements Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment. REMOVED FEATURES smb.conf changes Parameter Name Description Default acl_xattr:security_acl_name New security.NTACL server addresses New CHANGES SINCE 4.18.0rc4 * BUG 15314: streams_xattr is creating unexpected locks on folders. * BUG 15310: New samba-dcerpc architecture does not scale gracefully. CHANGES SINCE 4.18.0rc3 * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on failure. * BUG 15311: fd_load() function implicitly closes the fd where it should not. CHANGES SINCE 4.18.0rc2 * BUG 15301: Improve file_modtime() and issues around smb3 unix test. * BUG 15299: Spotlight doesn't work with latest macOS Ventura. * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0). (tevent 0.14.1 and ldb 2.7.1 are already released...) * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1. * BUG 15301: Improve file_modtime() and issues around smb3 unix test. CHANGES SINCE 4.18.0rc1 * BUG 10635: Office365 azure Password Sync not working. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. * BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free. Release Notes for Samba 4.17.7 This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html * BUG 15276: CVE-2023-0225. * BUG 15270: CVE-2023-0614. * BUG 15331: ldb wildcard matching makes excessive allocations. * BUG 15332: large_ldap test is inefficient. * BUG 15315: CVE-2023-0922. * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes). * BUG 15270: CVE-2023-0614. * BUG 15276: CVE-2023-0225. Release Notes for Samba 4.17.6 * BUG 15314: streams_xattr is creating unexpected locks on folders. * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment. * BUG 15299: Spotlight doesn't work with latest macOS Ventura. * BUG 15310: New samba-dcerpc architecture does not scale gracefully. * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. * BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free. * BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/packages/x86_64/samba | 17 ++++++++++++++++- lfs/samba | 9 +++++---- 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba index 5ce0c7ef5..8d2943ef8 100644 --- a/config/rootfiles/packages/x86_64/samba +++ b/config/rootfiles/packages/x86_64/samba @@ -62,6 +62,7 @@ usr/bin/wbinfo #usr/include/samba-4.0/gen_ndr #usr/include/samba-4.0/gen_ndr/atsvc.h #usr/include/samba-4.0/gen_ndr/auth.h +#usr/include/samba-4.0/gen_ndr/claims.h #usr/include/samba-4.0/gen_ndr/dcerpc.h #usr/include/samba-4.0/gen_ndr/drsblobs.h #usr/include/samba-4.0/gen_ndr/drsuapi.h @@ -196,7 +197,7 @@ usr/lib/libtevent-util.so.0 usr/lib/libtevent-util.so.0.0.1 usr/lib/libwbclient.so usr/lib/libwbclient.so.0 -usr/lib/libwbclient.so.0.15 +usr/lib/libwbclient.so.0.16 #usr/lib/pkgconfig/dcerpc.pc #usr/lib/pkgconfig/dcerpc_samr.pc #usr/lib/pkgconfig/ndr.pc @@ -223,6 +224,7 @@ usr/lib/python3.10/site-packages/samba/auth.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/auth_util.py usr/lib/python3.10/site-packages/samba/colour.py usr/lib/python3.10/site-packages/samba/common.py +usr/lib/python3.10/site-packages/samba/compression.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/credentials.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/crypto.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dbchecker.py @@ -231,6 +233,7 @@ usr/lib/python3.10/site-packages/samba/dcerpc/__init__.py usr/lib/python3.10/site-packages/samba/dcerpc/atsvc.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dcerpc/auth.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dcerpc/base.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/samba/dcerpc/claims.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dcerpc/dcerpc.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dcerpc/dfs.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/dcerpc/dns.cpython-310-x86_64-linux-gnu.so @@ -382,6 +385,8 @@ usr/lib/python3.10/site-packages/samba/provision/kerberos_implementation.py usr/lib/python3.10/site-packages/samba/provision/sambadns.py usr/lib/python3.10/site-packages/samba/registry.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/samba/remove_dc.py +usr/lib/python3.10/site-packages/samba/reparse_symlink.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/samba/safe_tarfile.py #usr/lib/python3.10/site-packages/samba/samba3 usr/lib/python3.10/site-packages/samba/samba3/__init__.py usr/lib/python3.10/site-packages/samba/samba3/libsmb_samba_cwrapper.cpython-310-x86_64-linux-gnu.so @@ -437,6 +442,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/blackbox/traffic_summary.py #usr/lib/python3.10/site-packages/samba/tests/common.py #usr/lib/python3.10/site-packages/samba/tests/complex_expressions.py +#usr/lib/python3.10/site-packages/samba/tests/compression.py #usr/lib/python3.10/site-packages/samba/tests/core.py #usr/lib/python3.10/site-packages/samba/tests/cred_opt.py #usr/lib/python3.10/site-packages/samba/tests/credentials.py @@ -507,9 +513,11 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/as_req_tests.py +#usr/lib/python3.10/site-packages/samba/tests/krb5/claims_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/compatability_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/etype_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/fast_tests.py +#usr/lib/python3.10/site-packages/samba/tests/krb5/group_tests.py #usr/lib/python3.10/site-packages/samba/tests/krb5/kcrypto.py #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_base_test.py #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py @@ -540,6 +548,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/ldap_referrals.py #usr/lib/python3.10/site-packages/samba/tests/ldap_spn.py #usr/lib/python3.10/site-packages/samba/tests/ldap_upn_sam_account.py +#usr/lib/python3.10/site-packages/samba/tests/libsmb-basic.py #usr/lib/python3.10/site-packages/samba/tests/libsmb.py #usr/lib/python3.10/site-packages/samba/tests/loadparm.py #usr/lib/python3.10/site-packages/samba/tests/logfiles.py @@ -577,12 +586,14 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/pso.py #usr/lib/python3.10/site-packages/samba/tests/py_credentials.py #usr/lib/python3.10/site-packages/samba/tests/registry.py +#usr/lib/python3.10/site-packages/samba/tests/reparsepoints.py #usr/lib/python3.10/site-packages/samba/tests/s3_net_join.py #usr/lib/python3.10/site-packages/samba/tests/s3idmapdb.py #usr/lib/python3.10/site-packages/samba/tests/s3param.py #usr/lib/python3.10/site-packages/samba/tests/s3passdb.py #usr/lib/python3.10/site-packages/samba/tests/s3registry.py #usr/lib/python3.10/site-packages/samba/tests/s3windb.py +#usr/lib/python3.10/site-packages/samba/tests/safe_tarfile.py #usr/lib/python3.10/site-packages/samba/tests/samba3sam.py #usr/lib/python3.10/site-packages/samba/tests/samba_tool #usr/lib/python3.10/site-packages/samba/tests/samba_tool/__init__.py @@ -632,6 +643,9 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py #usr/lib/python3.10/site-packages/samba/tests/sid_strings.py #usr/lib/python3.10/site-packages/samba/tests/smb-notify.py #usr/lib/python3.10/site-packages/samba/tests/smb.py +#usr/lib/python3.10/site-packages/samba/tests/smb1posix.py +#usr/lib/python3.10/site-packages/samba/tests/smb2symlink.py +#usr/lib/python3.10/site-packages/samba/tests/smb3unix.py #usr/lib/python3.10/site-packages/samba/tests/smbconf.py #usr/lib/python3.10/site-packages/samba/tests/smbd_base.py #usr/lib/python3.10/site-packages/samba/tests/smbd_fuzztest.py @@ -783,6 +797,7 @@ usr/lib/samba/libsmbd-shim-samba4.so usr/lib/samba/libsmbldaphelper-samba4.so usr/lib/samba/libsmbpasswdparser-samba4.so usr/lib/samba/libsocket-blocking-samba4.so +usr/lib/samba/libstable-sort-samba4.so usr/lib/samba/libsys-rw-samba4.so usr/lib/samba/libtalloc-report-printf-samba4.so usr/lib/samba/libtalloc-report-samba4.so diff --git a/lfs/samba b/lfs/samba index 32c9fab39..cda2a2820 100644 --- a/lfs/samba +++ b/lfs/samba @@ -24,7 +24,7 @@
include Config
-VER = 4.17.5 +VER = 4.18.1 SUMMARY = A SMB/CIFS File, Print, and Authentication Server
THISAPP = samba-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = samba -PAK_VER = 92 +PAK_VER = 93
DEPS = avahi cups perl-Parse-Yapp perl-JSON
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = f8d6cf3c0f5333c5a6b1ac16793d8fd443c517068211829f40ca2fbc08d80921de65a4f3e2c08775a5551a4f834f406208c0941a4eb496720cc45ecaeb6c173f +$(DL_FILE)_BLAKE2 = f8df6582044ff802766a397cc2a9216eb41c9353822d94281b86fb6b833b23eeaf3eb5a0d32e3f2079e59d098a16f87406cf1da65f58818a73767f27b7f7dc1f
install : $(TARGET)
@@ -96,7 +96,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-avahi \ --enable-cups \ --enable-fhs \ - --with-syslog + --with-syslog \ + --without-smb1-server cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install