• Accepted samba 2:4.9.5+dfsg-5+deb10u2 (source) into oldstable-proposed-

    From Debian FTP Masters@21:1/5 to All on Tue Nov 30 21:40:01 2021
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Sat, 27 Nov 2021 10:34:50 +0100
    Source: samba
    Architecture: source
    Version: 2:4.9.5+dfsg-5+deb10u2
    Distribution: buster-security
    Urgency: high
    Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
    Changed-By: Salvatore Bonaccorso <carnil@debian.org>
    Closes: 939419
    Changes:
    samba (2:4.9.5+dfsg-5+deb10u2) buster-security; urgency=high
    .
    * Non-maintainer upload by the Security Team.
    .
    [ Salvatore Bonaccorso ]
    * CVE-2020-25722 Ensure the structural objectclass cannot be changed
    * CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during
    LDAP add/modify
    * s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()
    * selftest: Fix ktest usermap file
    * selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with
    (winbindd => "offline")
    * CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac"
    settings
    * CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative
    = true
    * CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to
    r->out.authoritative = true
    * CVE-2020-25717: s4:torture: start with authoritative = 1
    * CVE-2020-25717: s4:smb_server: start with authoritative = 1
    * CVE-2020-25717: s4:auth_simple: start with authoritative = 1
    * CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
    * CVE-2020-25717: s3:torture: start with authoritative = 1
    * CVE-2020-25717: s3:rpcclient: start with authoritative = 1
    * CVE-2020-25717: s3:auth: start with authoritative = 1
    * CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
    * CVE-2020-25717: loadparm: Add new parameter "min domain uid"
    * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the
    low level errors
    * CVE-2020-25717: s3:auth: Check minimum domain uid
    * CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
    * CVE-2020-25717: s3:auth: no longer let check_account() autocreate local
    users
    * CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
    * CVE-2020-25717: s3:auth: don't let create_local_token depend on
    !winbind_ping()
    * CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or
    member)
    * CVE-2020-25717: s4:auth: remove unused
    auth_generate_session_info_principal()
    * CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
    ntlm_auth_generate_session_info_pac()
    * CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac()
    base the name on the PAC LOGON_INFO only
    * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate
    everything to make_server_info_wbcAuthUserInfo()
    * CVE-2020-25717: selftest: configure 'ktest' env with winbindd and
    idmap_autorid
    * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a
    PAC in standalone mode
    * CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by
    removing the unused logon_info argument
    * CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing
    unused arguments
    * lib: Add dom_sid_str_buf
    * CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the
    configured domain
    * CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named
    based lookup fails
    * waf: install: Remove installation of PIDL and manpages.
    .
    [ Mathieu Parent ]
    * Drop libparse-pidl-perl package (Closes: #939419)
    Checksums-Sha1:
    7c1a30096180625d416a8a43ce76272ccd071c0a 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
    584e991700124fc657268d62ede53f588a0debaf 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
    Checksums-Sha256:
    cf81437e962601a0f02d885b159a33adf8a7ef2e1d3c4ccf6eb5d066aef6fa55 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
    1593518732bcdfc203e36121b05510a273a095c95d29d00e24ac5a5f7797bd20 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
    Files:
    7cf4d3af28587032986de521f42e5d69 4249 net optional samba_4.9.5+dfsg-5+deb10u2.dsc
    df9857bead4a4f2141783901691eca6d 273680 net optional samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz

