-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 Nov 2021 10:34:50 +0100
Source: samba
Architecture: source
Version: 2:4.9.5+dfsg-5+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 939419
Changes:
 samba (2:4.9.5+dfsg-5+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Salvatore Bonaccorso ]
   * CVE-2020-25722 Ensure the structural objectclass cannot be changed
   * CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during
     LDAP add/modify
   * s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()
   * selftest: Fix ktest usermap file
   * selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with
     (winbindd => "offline")
   * CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac"
     settings
   * CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative
     = true
   * CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to
     r->out.authoritative = true
   * CVE-2020-25717: s4:torture: start with authoritative = 1
   * CVE-2020-25717: s4:smb_server: start with authoritative = 1
   * CVE-2020-25717: s4:auth_simple: start with authoritative = 1
   * CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
   * CVE-2020-25717: s3:torture: start with authoritative = 1
   * CVE-2020-25717: s3:rpcclient: start with authoritative = 1
   * CVE-2020-25717: s3:auth: start with authoritative = 1
   * CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
   * CVE-2020-25717: loadparm: Add new parameter "min domain uid"
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the
     low level errors
   * CVE-2020-25717: s3:auth: Check minimum domain uid
   * CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
   * CVE-2020-25717: s3:auth: no longer let check_account() autocreate local
     users
   * CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
   * CVE-2020-25717: s3:auth: don't let create_local_token depend on
     !winbind_ping()
   * CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or
     member)
   * CVE-2020-25717: s4:auth: remove unused
     auth_generate_session_info_principal()
   * CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
     ntlm_auth_generate_session_info_pac()
   * CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac()
     base the name on the PAC LOGON_INFO only
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate
     everything to make_server_info_wbcAuthUserInfo()
   * CVE-2020-25717: selftest: configure 'ktest' env with winbindd and
     idmap_autorid
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a
     PAC in standalone mode
   * CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by
     removing the unused logon_info argument
   * CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing
     unused arguments
   * lib: Add dom_sid_str_buf
   * CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the
     configured domain
   * CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named
     based lookup fails
   * waf: install: Remove installation of PIDL and manpages.
 .
   [ Mathieu Parent ]
   * Drop libparse-pidl-perl package (Closes: #939419)
Checksums-Sha1:
7c1a30096180625d416a8a43ce76272ccd071c0a 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
584e991700124fc657268d62ede53f588a0debaf 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
Checksums-Sha256:
cf81437e962601a0f02d885b159a33adf8a7ef2e1d3c4ccf6eb5d066aef6fa55 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
1593518732bcdfc203e36121b05510a273a095c95d29d00e24ac5a5f7797bd20 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
Files:
7cf4d3af28587032986de521f42e5d69 4249 net optional samba_4.9.5+dfsg-5+deb10u2.dsc
df9857bead4a4f2141783901691eca6d 273680 net optional samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----