public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 09e6a4fa16cc5e90e343049abc1e12d448bcfa49
From: Peter Müller @ 2023-12-30  7:27 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  09e6a4fa16cc5e90e343049abc1e12d448bcfa49 (commit)
       via  fefd0cb8497870b791b2ae957b5d40fa0deb6d28 (commit)
       via  17cad1e885987703ebdea3721df4c346695cd68c (commit)
      from  acdb9df0895626e48fccde773d6e1ff27702eef9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 09e6a4fa16cc5e90e343049abc1e12d448bcfa49
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Sat Dec 30 07:26:18 2023 +0000

    Core Update 183: Ship p11-kit
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit fefd0cb8497870b791b2ae957b5d40fa0deb6d28
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Mon Dec 18 18:29:01 2023 +0100

    p11-kit: Update to version 0.25.3
    
    - Update from version 0.25.2 to 0.25.3
    - Update of rootfile
    - Changelog
        0.25.3
    	rpc: fix serialization of NULL mechanism pointer [PR#601]
    	fix meson build failure in macOS (appleframeworks not found) [PR#603]
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>

commit 17cad1e885987703ebdea3721df4c346695cd68c
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Mon Dec 18 18:29:02 2023 +0100

    samba: Update to version 4.19.3
    
    - Update from version 4.19.2 to 4.19.3
    - Update of rootfile not required
    - I don't believe that the CVE from this version will affect IPFire users as Samba on
       IPFire is not run as an Active Directory Domain Controller. That functionality was
       removed some time ago.
    - Changelog
        4.19.3
    	This is the latest stable release of the Samba 4.19 release series.
    	It contains the security-relevant bugfix CVE-2018-14628:
    	    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    	    allow read of object tombstones over LDAP
    	    (Administrator action required!)
    	    https://www.samba.org/samba/security/CVE-2018-14628.html
    	Description of CVE-2018-14628
    		All versions of Samba from 4.0.0 onwards are vulnerable to an
    		 information leak (compared with the established behaviour of
    		 Microsoft's Active Directory) when Samba is an Active Directory Domain
    		 Controller.
    		When a domain was provisioned with an unpatched Samba version,
    		 the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
    		 instead of being very strict (as on a Windows provisioned domain).
    		This means also non-privileged users can use the
    		 LDAP_SERVER_SHOW_DELETED_OID control in order to view
    		 the names and preserved attributes of deleted objects.
    		No information that was hidden before the deletion is visible, but
    		 with the correct ntSecurityDescriptor value in place the whole object
    		 is also not visible without administrative rights.
    		There is no further vulnerability associated with this error, merely an
    		 information disclosure.
    	Action required in order to resolve CVE-2018-14628!
    		The patched Samba does NOT protect existing domains!
    		The administrator needs to run the following command
    		 (on only one domain controller)
    		 in order to apply the protection to an existing domain:
    		  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
    		The above requires manual interaction in order to review the
    		 changes before they are applied. Typical questions look like this:
    		  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
    		        Owner mismatch: SY (in ref) DA(in current)
    		        Group mismatch: SY (in ref) DA(in current)
    		        Part dacl is different between reference and current here is the detail:
    		                (A;;LCRPLORC;;;AU) ACE is not present in the reference
    		                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
    		                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
    		                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
    		                (A;;LCRP;;;BA) ACE is not present in the current
    		   [y/N/all/none] y
    		  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
    		The change should be confirmed with 'y' for all objects starting with
    		 'CN=Deleted Objects'.
    Changes since 4.19.2
       * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
       * BUG 15487: smbd crashes if asked to return full information on close of a
         stream handle with delete on close disposition set.
       * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
         smb_fname_fsp_destructor().
       * BUG 15499: Improve logging for failover scenarios.
       * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
         listed in directories.
       * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
         AD LDAP to normal users.
       * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
         accounts.
       * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
       * BUG 15513: Samba doesn't build with Python 3.12
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/p11-kit                              | 4 +---
 config/rootfiles/{oldcore/160 => core/183}/filelists/p11-kit | 0
 lfs/p11-kit                                                  | 4 ++--
 lfs/samba                                                    | 6 +++---
 4 files changed, 6 insertions(+), 8 deletions(-)
 copy config/rootfiles/{oldcore/160 => core/183}/filelists/p11-kit (100%)

Difference in files:
diff --git a/config/rootfiles/common/p11-kit b/config/rootfiles/common/p11-kit
index df9001e27..02e4d81cd 100644
--- a/config/rootfiles/common/p11-kit
+++ b/config/rootfiles/common/p11-kit
@@ -15,7 +15,7 @@ usr/bin/trust
 #usr/lib/libp11-kit.la
 #usr/lib/libp11-kit.so
 usr/lib/libp11-kit.so.0
-usr/lib/libp11-kit.so.0.3.0
+usr/lib/libp11-kit.so.0.3.1
 usr/lib/p11-kit-proxy.so
 #usr/lib/pkcs11
 #usr/lib/pkcs11/p11-kit-client.la
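Review bot: The rootfile swaps usr/lib/libp11-kit.so.0.3.0 for usr/lib/libp11-kit.so.0.3.1, but none of the four files changed in this push removes the old library on systems that upgrade through Core Update 183. Consider deleting usr/lib/libp11-kit.so.0.3.0 in the core update's update script so that an unreferenced copy of the previous version is not left on disk; the usr/lib/libp11-kit.so.0 entry itself is unchanged.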
@@ -27,8 +27,6 @@ usr/lib/pkcs11/p11-kit-trust.so
 #usr/libexec/p11-kit/p11-kit-remote
 #usr/libexec/p11-kit/p11-kit-server
 #usr/libexec/p11-kit/trust-extract-compat
-#usr/share/gtk-doc
-#usr/share/gtk-doc/html
 #usr/share/gtk-doc/html/p11-kit
 #usr/share/gtk-doc/html/p11-kit/config-example.html
 #usr/share/gtk-doc/html/p11-kit/config-files.html
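Review bot: The commented entries #usr/share/gtk-doc and #usr/share/gtk-doc/html are dropped while #usr/share/gtk-doc/html/p11-kit and the files below it stay, and the commit message only says "Update of rootfile". All of these lines are commented out, so nothing shipped changes, but a short remark in the commit message on why the parent directories no longer appear would make the rootfile change easier to audit.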
diff --git a/config/rootfiles/core/183/filelists/p11-kit b/config/rootfiles/core/183/filelists/p11-kit
new file mode 120000
index 000000000..e652deb67
--- /dev/null
+++ b/config/rootfiles/core/183/filelists/p11-kit
@@ -0,0 +1 @@
+../../../common/p11-kit
\ No newline at end of file
diff --git a/lfs/p11-kit b/lfs/p11-kit
index eb715adb2..f5ee90cf3 100644
--- a/lfs/p11-kit
+++ b/lfs/p11-kit
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 0.25.2
+VER        = 0.25.3
 
 THISAPP    = p11-kit-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = d2cb738eaf1941a5e043dfdb0beaac01c6c7a25be516308b262e538d04a132682855da60b9dbf9b20f19510b25f469f88d27091d8a339a3fc01e6a96e36060e6
+$(DL_FILE)_BLAKE2 = 5c695c1ef95edf4bbbab001aa634076c433df0bc89cb8104deaec2ce00c6908640e467755b49c6900e5d7d5d81e1a3871f4978a212c6f6ae088386ac0b95289a
 
 install : $(TARGET)
 
diff --git a/lfs/samba b/lfs/samba
index 2f2184ecc..7ebac8ded 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.19.2
+VER        = 4.19.3
 SUMMARY    = A SMB/CIFS File, Print, and Authentication Server
 
 THISAPP    = samba-$(VER)
@@ -33,7 +33,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 97
+PAK_VER    = 98
 
 DEPS       = avahi cups perl-Parse-Yapp perl-JSON
 
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = cb3747f1be6e712c6e68f3720e68aee7db2e4dcc48a9210d002337d6690ed8b027919f333dc4a7c1e74b716ebceeff1d8071463899513edfe51da967d71d8148
+$(DL_FILE)_BLAKE2 = f83af3b50d795bdc4a250fe96040721150acc3b8effddd473e3cfa3ef6eeec99928b1307a18a472be45049e1d0b74650b9f6dd4bf5c434277c94ab88cb493b3b
 
 install : $(TARGET)
 
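Review bot: The new $(DL_FILE)_BLAKE2 value is the only integrity check visible here for a tarball that, per DL_FROM = $(URL_IPFIRE), is fetched from the project's own download location, and the commit message does not say how the hash was derived. For a release that carries a security fix, state in the commit message that the tarball was checked against the upstream Samba release signature before the BLAKE2 sum was computed.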


hooks/post-receive
--
IPFire 2.x development tree
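
Added example, not part of the original notification and not Samba or IPFire code: a short Python sketch that decodes the SDDL ACE lines from the dbcheck prompt quoted in the samba commit message, showing which entries the reset to the provision default drops and which it adds. The helper names (parse_ace, plan_changes, describe) are assumptions made for this example; the ACE strings are copied from the prompt quoted above.

```python
import re

# SDDL directory-service right codes (two letters each) and well-known trustees.
RIGHTS = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "DA": "Domain Admins", "BA": "Builtin Administrators"}

# ACE lines from the dbcheck prompt quoted in the commit message (indentation trimmed).
DBCHECK_OUTPUT = """\
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
"""

ACE_LINE = re.compile(r"\(([^()]*)\) ACE is not present in the (reference|current)")

def parse_ace(ace):
    """Split 'type;flags;rights;object;inherit_object;trustee' into a dict."""
    ace_type, flags, rights, obj, inherit_obj, trustee = ace.split(";")
    return {"type": ace_type, "flags": flags, "trustee": trustee,
            "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)]}

def plan_changes(output):
    """Return (removed, added): ACEs the fix drops from / adds to the current DACL."""
    removed, added = [], []
    for ace, missing_from in ACE_LINE.findall(output):
        # Missing from the reference = extra in the current descriptor, so --fix removes it.
        (removed if missing_from == "reference" else added).append(parse_ace(ace))
    return removed, added

def describe(ace):
    """Render one parsed ACE as 'trustee: right, right, ...' in plain words."""
    who = TRUSTEES.get(ace["trustee"], ace["trustee"])
    what = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
    return f"{who}: {what}"

if __name__ == "__main__":
    removed, added = plan_changes(DBCHECK_OUTPUT)
    for ace in removed:
        print("removed by --fix ->", describe(ace))
    for ace in added:
        print("added by --fix   ->", describe(ace))
```

The first removed entry is the one that matters for CVE-2018-14628: it is the allow ACE that gave Authenticated Users list and read rights on CN=Deleted Objects.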
