-CVE-2009-2948: Information disclosure by setuid mount.cifs
-CVE-2009-2906: Remote DoS against smbd on authenticated connections
Security: CVE-2009-2813, CVE-2009-2948, CVE-2009-2906
Please note, that the 3.0 series will be DISCONTINUED after this release!
Major enhancements included in Samba 3.0.36 are:
o Fix Winbind crash on 'getent group' (bug #5906).
o Excel save operation corrupts file ACLs (bug #4308).
o Prevent segmentation fault on joining a very long domain name.
o Fix update of machine account passwords.
o Fix SMB signing issue on Windows Vista with MS Hotfix KB955302.
o Fix Winbind crashes.
o Correctly detect if the current dc is the closest one.
o Add saf_join_store() function to memorize the dc used at join time.
This avoids problems caused by replication delays shortly after domain
joins.
o Fix write list in setups using "security = share".
o Prevent crash bug in Winbind caused by a race condition
when a child process becomes unresponsive.
o Fix interactive password prompting in the "net" command.
o Documentation clarifications and typographical fixes.
o Correct issues with running Winbind runing on a Samba PDC.
o Problems with trusted Windows 2008 domains.
o Difficulty joining an NT4 or Windows 2000 AD domain.
Fix NFS quota handling
o Problems following domain trusts on a Samba DC.
o SMB Signing errors.
o Interoperability issues with Windows 2008 domains.
Approved by: shaun (mentor, implicit)
o CVS-2007-4572
Stack buffer overflow in nmbd's logon request processing.
o CVE-2007-5398
Remote code execution in Samba's WINS server daemon (nmbd)
when processing name registration followed name query requests.
- Bump PORTREVISION
Approved by: portmgr (erwin), maintainer
Security: http://www.vuxml.org/freebsd/a63b15f9-97ff-11dc-9e48-0016179b2dd5.html
3.0.26a. Detailed list of all the changes can be found:
http://www.samba.org/samba/history/samba-3.0.26a.html
Changes are:
o Memory leaks in Winbind's IDMap manager.
o CVE-2007-4138 - Incorrect primary group assignment for domain
users using the rfc2307 or sfu winbind nss info plugin.
o File sharing with Widows 9x clients.
o Winbind running out of file descriptors due to stalled child
processes.
o MS-DFS inter-operability issues.
o Offline caching of files with Windows XP/Vista clients.
o Improper cleanup of expired or invalid byte range locks on files.
o Crashes is idmap_ldap and idmap_rid.
Approved by: shaun (mentor)
Major bug fixes included in Samba 3.0.25a are:
o Missing supplementary Unix group membership when using "force
group".
o Premature expiration of domain user passwords when using a
Samba domain controller.
o Failure to open the Windows object picker against a server
configured to use "security = domain".
* Authentication failures when using security = server.
Plus additional local fixes.
PR: ports/113358
Submitted by: maintainer
Major features included in the 3.0.25 code base are:
o Significant improvements in the winbind off-line logon support.
o Support for secure DDNS updates as part of the 'net ads join'
process.
o Rewritten IdMap interface which allows for TTL based caching and
per domain backends.
o New plug-in interface for the "winbind nss info" parameter.
o New file change notify subsystem which is able to make use of
inotify on Linux.
o Support for passing Windows security descriptors to a VFS
plug-in allowing for multiple Unix ACL implements to running
side by side on the Same server.
o Improved compatibility with Windows Vista clients including
improved read performance with Linux servers.
o Man pages for IdMap and VFS plug-ins.
Security Fixes included in the Samba 3.0.25 release are:
o CVE-2007-2444
Versions: Samba 3.0.23d - 3.0.25pre2
Local SID/Name translation bug can result in
user privilege elevation
o CVE-2007-2446
Versions: Samba 3.0.0 - 3.0.24
Multiple heap overflows allow remote code execution
o CVE-2007-2447
Versions: Samba 3.0.0 - 3.0.24
Unescaped user input parameters are passed as
arguments to /bin/sh allowing for remote command
execution
PR: ports/112836
Submitted by: maintainer
Approved by: portmgr (self)
This release contains fixes for the following security advisories:
o CVE-2007-0452 (Potential Denial of Service bug in smbd)
o CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
o CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
- Improve RC-file.
PR: ports/108803
Submitted by: maintainer
- Update to 3.0.23c
Common bugs fixed in 3.0.23c include: [1]
o Authentication failures in pam_winbind when the AD domain
policy is set to not expire passwords.
o Authorization failures when using smb.conf options such
as "valid users" with the smbpasswd passdb backend.
*** net/samba-libsmbclient: [2]
- Small cosmetic changes
*** net/py-samba: [3]
- Reset PORTREVISION back, as master port version bumped
PR: ports/102805 [1]
ports/102806 [2]
ports/102807 [3]
Submitted by: Timur I. Bakeyev <timur@gnu.org> (maintainer)
Common bugs fixed in 3.0.23b include:
o Ambiguity with unqualified names in smb.conf parameters
such as "force user" and "valid users".
o Errors in 'net ads join' caused by bad IP address in the list
of domain controllers.
o SMB signing errors in the client and server code.
o Domain join failures when using smbpasswd on a Samba PDC.
Common bugs fixed in 3.0.23a include:
o Failure to strip the domain name from groups when 'winbind
use default domain = yes'
o Failure in pam_winbind to correctly parse arguments.
o Bad token creation of local users on member servers not
running winbindd.
o Failure to add users or groups to ACLs using the Windows
object picker.
o Failure in file serving code when 'kernel oplocks = yes'.
New features in 3.0.23a include:
o New "createupn" option to "net ads join"
o Rewritten Kerberos keytab generation when 'use kerberos
keytab = yes'
PR: ports/102040
Submitted by: maintainer
o Improved 'make test'
o New offline mode in winbindd.
o New Kerberos support for pam_winbind.so.
o New handling of unmapped users and groups.
o New non-root share management tools.
o Improved support for local and BUILTIN groups.
o Winbind IDMAP integration with RFC2307 schema objects supported
by Windows 2003 R2.
o Rewritten 'net ads join' to mimic Windows XP without requiring
administrative rights to join a domain.
PR: ports/100100
Submitted by: maintainer
Common bugs fixed in 3.0.21 include:
o Missing groups in a user's token when logging in via kerberos
o Incompatibilities with newer MS Windows hotfixes and
embedded OS platforms
o Portability and crash bugs.
o Performance issues in winbindd.
New features introduced in Samba 3.0.21 include:
o Complete NTLMv2 support by consolidating authentication
mechanism used at the CIFS and RPC layers.
o The capability to manage Unix services using the Win32
Service Control API.
o The capability to view external Unix log files via the
Microsoft Event Viewer.
o New libmsrpc share library for application developers.
o Rewrite of CIFS oplock implementation.
o Performance Counter external daemon.
o Winbindd auto-detection query methods when communicating with
a domain controller.
o The ability to enumerate long share names in libsmbclient
applications.
PR: ports/91528
Submitted by: Timur I. Bakeyev (maintainer)
Changes:
o A crash bug in winbindd
o Reporting files as read-only instead of returning the
correct error code of "access denied"
o File system quota support defects
o Stability problems with winbindd.
o Crash bugs caused by incompatibilities on 64-bit systems.
o User Manager interoperability problems.
PR: ports/87517
Submitted by: maintainer
Additional features introduced in Samba 3.0.20 include:
o Support for several new Win32 rpc pipes.
o Improved support for OS/2 clients.
o New 'net rpc service' tool for managing Win32 services.
o Capability to set the owner on new files and directory
based on the parent's ownership.
o Experimental, asynchronous IO file serving support.
o Completed Support for Microsoft Print Migrator.
o New Winbind IDmap plugin (ad) for retrieving uid and gid
from AD servers which maintain the SFU user and group
attributes.
o Rewritten support for POSIX pathnames when utilizing
the Linux CIFS fs client.
o New asynchronous winbindd.
o Support for Microsoft Print Migrator.
o New Windows NT registry file I/O library.
o New user right (SeTakeOwnershipPrivilege) added.
o New "net share migrate" options.
PR: 85276
Submitted by: Timur I. Bakeyev (maintainer)
Approved by: perky (mentor)
Currently, ADS support is off for the package builds, as it creates
dependency problems with Kerberos5. Also, an experimental support
for extended attributes is included.
PR: ports/79037
Submitted by: maintainer
o Problem updating roaming user profiles.
o Crash in smbd when printing from a Windows 9x client.
o Unresolved symbols in libsmbclient which caused
applications such as KDE's konqueror to fail when
accessing smb:// URLs.
PR: ports/74223
Submitted by: maintainer
This patch originally developed by miraclelinux.com team for v3.0.2a.
I integrated it to apply to v3.0.4. All complains about this knob
should be sent to me, not maintainer nor miraclelinux.com team.
No response from: maintainer
- Rewrite libsmbclient port to not conflict with samba port, stop installing
libsmbclient in samba port
- Split out python extensions into standalone port
PR: ports/65976
Submitted by: Timur I. Bakeyev <timur@gnu.org> (samba-devel maintainer)
Approved by: Koop Mast (samba-libsmbclient maintainer)
a lot of imporvements and bugfixes since 3.0.2a.
In addition following problems solved:
o linking agaist libiconv is mandatary now
o more ways of detecting Kerberos5 installation and
LIB_DEPENDS on Heimdal port if none is found -
should address problems with bentoo building as well
o fixed problem when port wasn't compilable when LDAP
wasn't chosen and ADS was.
Submitted by: Timur Bakeyev <timur@gnu.org> (maintainer)
PR: 65237
* Add a patch so libsmbclient.[ch] doesn't get installed, thus the CONFICTS
with samba-libsmbclient can be removed
PR: 61445
Submitted by: Koop Mast <kwm@rainbow-runner.nl>
Approved by: dwcjr (maintainer)
