[PATCH] samba: Update to version 4.17.4

17 Dec 2022

- Update from version 4.17.3 to 4.17.4
- Update of rootfile (Only the x86_64 rootfile updated with this patch)
- Changelog
    Release Notes for Samba 4.17.4
    This is the latest stable release of the Samba 4.17 release series.
    It also contains security changes in order to address the following defects:
    	o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
    	                  RC4-HMAC Elevation of Privilege Vulnerability
    	                  disclosed by Microsoft on Nov 8 2022.
    	                  A Samba Active Directory DC will issue weak rc4-hmac
    	                  session keys for use between modern clients and servers
    	                  despite all modern Kerberos implementations supporting
    	                  the aes256-cts-hmac-sha1-96 cipher.
    	                  On Samba Active Directory DCs and members
    	                  'kerberos encryption types = legacy' would force
    	                  rc4-hmac as a client even if the server supports
    	                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
    	                  https://www.samba.org/samba/security/CVE-2022-37966.html
    	o CVE-2022-37967: This is the Samba CVE for the Windows
    	                  Kerberos Elevation of Privilege Vulnerability
    	                  disclosed by Microsoft on Nov 8 2022.
    	                  A service account with the special constrained
    	                  delegation permission could forge a more powerful
    	                  ticket than the one it was presented with.
    	                  https://www.samba.org/samba/security/CVE-2022-37967.html
    	o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
    	                  same algorithms as rc4-hmac cryptography in Kerberos,
    	                  and so must also be assumed to be weak.
    	                  https://www.samba.org/samba/security/CVE-2022-38023.html
    	Note that there are several important behavior changes
    	included in this release, which may cause compatibility problems
    	interacting with system still expecting the former behavior.
    	Please read the advisories of CVE-2022-37966,
    	CVE-2022-37967 and CVE-2022-38023 carefully!
    samba-tool got a new 'domain trust modify' subcommand
    	This allows "msDS-SupportedEncryptionTypes" to be changed
    	on trustedDomain objects. Even against remote DCs (including Windows)
    	using the --local-dc-ipaddress= (and other --local-dc-* options).
    	See 'samba-tool domain trust modify --help' for further details.
    smb.conf changes
    	  Parameter Name                               Description             Default
    	  --------------                               -----------             -------
    	  allow nt4 crypto                             Deprecated              no
    	  allow nt4 crypto:COMPUTERACCOUNT             New
    	  kdc default domain supported enctypes        New (see manpage)
    	  kdc supported enctypes                       New (see manpage)
    	  kdc force enable rc4 weak session keys       New                     No
    	  reject md5 clients                           New Default, Deprecated Yes
    	  reject md5 servers                           New Default, Deprecated Yes
    	  server schannel                              Deprecated              Yes
    	  server schannel require seal                 New, Deprecated         Yes
    	  server schannel require seal:COMPUTERACCOUNT New
    	  winbind sealed pipes                         Deprecated              Yes
    Changes since 4.17.3
    o  Jeremy Allison jra@samba.org
       * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
         same size.
    o  Andrew Bartlett abartlet@samba.org
       * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
         user-controlled pointer in FAST.
       * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
       * BUG 15237: CVE-2022-37966.
       * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
    o  Ralph Boehme slow@samba.org
       * BUG 15240: CVE-2022-38023.
       * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
    o  Stefan Metzmacher metze@samba.org
       * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
         Windows.
       * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
         atomically.
       * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
         vulnerability.
       * BUG 15206: libnet: change_password() doesn't work with
         dcerpc_samr_ChangePasswordUser4().
       * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
       * BUG 15230: Memory leak in snprintf replacement functions.
       * BUG 15237: CVE-2022-37966.
       * BUG 15240: CVE-2022-38023.
       * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
         (CVE-2021-20251 regression).
    o  Noel Power noel.power@suse.com
       * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
         same size.
    o  Anoop C S anoopcs@samba.org
       * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
    o  Andreas Schneider asn@samba.org
       * BUG 15237: CVE-2022-37966.
       * BUG 15243: %U for include directive doesn't work for share listing
         (netshareenum).
       * BUG 15257: Stack smashing in net offlinejoin requestodj.
    o  Joseph Sutton josephsutton@catalyst.net.nz
       * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
       * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
       * BUG 15231: CVE-2022-37967.
       * BUG 15237: CVE-2022-37966.
    o  Nicolas Williams nico@twosigma.com
       * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
         user-controlled pointer in FAST.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
 config/rootfiles/packages/x86_64/samba | 1 +
 lfs/samba                              | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index e360fa494..5ce0c7ef5 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -508,6 +508,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_req_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/compatability_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/etype_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/fast_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kcrypto.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_base_test.py
diff --git a/lfs/samba b/lfs/samba
index ee1d2be94..c73e3eb7f 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@
include Config
-VER        = 4.17.3
+VER        = 4.17.4
 SUMMARY    = A SMB/CIFS File, Print, and Authentication Server
THISAPP    = samba-$(VER)
@@ -33,7 +33,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 89
+PAK_VER    = 90
DEPS       = avahi cups libtirpc perl-Parse-Yapp perl-JSON
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = dfd8e09914aa3f7188e8672ea06aa0409b48931bad9e56e2b54af3145c1df1285ba71d2f6b166a84aaa27a539d8a1de30c9418b337d56b4ae8470ecfb6f44f01
+$(DL_FILE)_BLAKE2 = 2f95ef07530c11b3b46fd5dec3b44c926bc4c06871a2d9405c86a791d8e28d84649444f8147275fe425923eefc46ec49a903b71d21aaca379618ffbfce1dcd84
install : $(TARGET)
-- 
2.39.0


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[PATCH] samba: Update to version 4.17.4