WHATS NEW IN Samba 2.2.0a: 23rd June 2001
==========================================
SECURITY FIX
============
This is a security bugfix release for Samba 2.2.0. This release provides the
following two changes *ONLY* from the 2.2.0 release.
1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
and described in the security advisory below.
2). Fix for the hosts allow/hosts deny parameters not being honoured.
No other changes are being made for this release to ensure a security fix only.
For new functionality (including these security fixes) download Samba 2.2.1
when it is available.
The security advisory follows :
IMPORTANT: Security bugfix for Samba
------------------------------------
June 23rd 2001
Summary
-------
A serious security hole has been discovered in all versions of Samba
that allows an attacker to gain root access on the target machine for
certain types of common Samba configuration.
The immediate fix is to edit your smb.conf configuration file and
remove all occurances of the macro "%m". Replacing occurances of %m
with %I is probably the best solution for most sites.
Details
-------
A remote attacker can use a netbios name containing unix path
characters which will then be substituted into the %m macro wherever
it occurs in smb.conf. This can be used to cause Samba to create a log
file on top of an important system file, which in turn can be used to
compromise security on the server.
The most commonly used configuration option that can be vulnerable to
this attack is the "log file" option. The default value for this
option is VARDIR/log.smbd. If the default is used then Samba is not
vulnerable to this attack.
The security hole occurs when a log file option like the following is
used:
log file = /var/log/samba/%m.log
In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the
server.
If your Samba configuration has something like the following:
log file = /var/log/samba/%m
Then the attacker could successfully compromise your server remotely
as no symbolic link is required. This type of configuration is very
rare.
The most commonly used log file configuration containing %m is the
distributed in the sample configuration file that comes with Samba:
log file = /var/log/samba/log.%m
in that case your machine is not vulnerable to this attack unless you
happen to have a subdirectory in /var/log/samba/ which starts with the
prefix "log."
Credit
------
Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
vulnerability.
New Release
-----------
While we recommend that vulnerable sites immediately change their
smb.conf configuration file to prevent the attack we will also be
making new releases of Samba within the next 24 hours to properly fix
the problem. Please see http://www.samba.org/ for the new releases.
Please report any attacks to the appropriate authority.
The Samba Team
security@samba.org
This is pconsole, the parallel console tool. pconsole was meant as an
interactive administrative shell tool for clusters.
pconsole allows you to connect to each node of your cluster simultaneously,
and you can type your administrative commands in a specialized window that
'multiplies' the input to each of the connections you have opened.
pconsole is best run from within X Windows, although it is possible to
employ it without X (in console mode) as well.
You need to install pconsole on only 1 machine in the cluster, this would
usually be your central administrative node.
pconsole makes use of ssh if possible.
FOO_REQD=1.0 being converted to foo>=1.0, one can now directly specify
the dependency pattern as FOO_DEPENDS=foo>=1.0. This allows things like
JPEG_DEPENDS=jpeg-6b, or fancier expressions like for postgresql-lib.
Change existing FOO_REQD definitions in Makefiles to FOO_DEPENDS.
Changes include:
4.2.1.23, Released Sunday 17 June 2001, changes:
Fixed compilation error in stats-sol.c
4.2.1.22, Released Saturday 16 June 2001, changes:
Darwin / MacOS X support
BeOS support
Improved Irix support
BSD idle-time-submit(tm) support
New SendCPULevel option (BSD, Solaris & Irix only)
Debian init.d script
Alternative to the upchk script added
Fixed compilating error when using the NR_LINUX_UPTIME_WRAPAROUNDS
That's all folks!
Notable changes in reverse order (newest on top):
* mrtg_lib had broken scanning for Ip tables in populateconfcache
this caused reference by IP to break
* new option for mrtg --logging replaces $main::debugfile from 2.9.13.
It can be set to a file which will take all mrtg output. On Win32 it can
also be set to 'eventlog' which will make all mrtg output go to the
eventlog.
* snmpv2 regexp did not match in cfgmaker
* fix for indexmakers extension feature
* improved mrtg logfile format description
* require perl 5.005 for mrtg_lib
* populateconfcache steps across non existing tables gracefully
* in mrtg, handle bigint more carefully and remove excess + from results
as some perls seem to crash on them ...
* check if gd was linked with jpeg and even freetype ...
* if $main::debugfile is set to a writeable filename, all output form mrtg
will go there (Firedeamon Suggenstion)
* SNMP_Session 0.86 added ... lenient_source_port_matching replaces the ad hoc
only_ip_address_matching from mrtg 2.9.11 ... AS/400 folks beware
* added --section=portname to indexmaker
* try to fix IsCounterBroken test in cfgmaker ... just cant find any broken
coutners to test this :-(
* fix for broken --dns-domain in cfgmaker
* fix for broken RouterUptime[] configurable
* fix for broken snmp with returns negative numbers for counters ...
* integrated my SNMP_utils changes into the real thing.
* make sure cfgmaker puts now raw < or > into the PageTop tag
* properly integrated ytics support in rateup
* properly deal with target math resulting in non integer data even when
logging to rateup which can not deal with floats.
* cleanup of rateup.c and some new options -b -a -o -i
* new options for mrtg noborder, noarrow, noi, noo, nobanner and nolegend
check reference.pod for docs.
* generator meta tag to html pages
* add 'only_ip_address_matching' feature to SNMP_Session. We are
more libaral when accepting snmp responses now.
* be more tolerant with external scripts input
* added feature to SNMP_utils: If first snmp var name is a HASH pointer,
the hash contents is used to set snmp options on the connection
* handle descriptions with & in cfgmaker
* added SnmpOptions: command to mrtg.cfg lanuage ... It allows
to set Snmp Options as available in SNMP_Session. Check the reference.txt file.
* test for availability of ifHCInOctets when running cfgmaker for v2 targets
* fixed indexmake image path for situations with Directories
* added option --prefix to indexmaker for people keeping thier index
somewhere else than default.
* honor background option in cfg file for indexmaker pages
* fixed warning in indexmaker (Use of uninitialized value in concatenation <.>
at indexmaker line 174)
* when the integer option was specified, there was still a .x printed in the summary area ...
* mrtg will now timestamp any warning and error message it emits
* fixed threshold processing ... IT REALY WORKS NOW! ...
**** Incompatible CHANGE ****************
ThreshProgOK now gets the same
commandline arguments as the normal ThreshProg ...
**** Incompatible CHANGE ****************
* configurable confcache (.ok) file location
* add <meta http-equiv="Cache-Control" content="no-cache">
to html files as this seems to be more understandable than "Pragma" content="no-cache"
vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously
this is not a guarantee, but a reflection that I have written the entire
codebase with security in mind, and carefully designed the program to be
resilient to attack.
Recent evidence suggests that vsftpd is also extremely fast (and this is
before any explicit performance tuning!) In tests against wu-ftpd, vsftpd
was always faster, supporting over twice as many users in some tests.
Package provided by Jacek Latos <vaneth@krasnik.org> in pkg/13208;
minor modifications by me.
entry to prevent finding libncurses and unnecessary patches to configure
script to handle SSL location and probing libcups. Also use FILES_SUBST
instead of repeating a sed script throughout the Makefile.
Changes:
merged changes from axfr-get.html into axfr-get.8:
http://cr.yp.to/djbdns/doc.tar.gz
added contributed man-page tinydns-edit.8, thanks Jonathan de Boyne Pollard.
o modify patch-aa to match my current taste:
don't remove CFLAGS line, just change '=' to '+=' and remove -O switch
o don't hack install target in ipw's Makefile any longer, it's easier to
install binary in do-install target in pkg's Makefile (we already have
the post-install target as it installs README file, so I hope it's ok)
--- 9.2.0a2 released ---
899. [bug] lib/dns/soa.c failed to compile on many platforms
due to inappropriate use of a void value.
[RT #1372, #1373, #1386, #1387, #1395]
898. [bug] "dig" failed to set a nonzero exit status
on UDP query timeout. [RT #1323]
897. [bug] A config.guess update changed the system identification
string of UnixWare systems; configure now recognizes
the new string.
896. [bug] If a configuration file is set on named's command line
and it has a relative pathname, the current directory
(after any possible jailing resulting from named -t)
will be prepended to it so that reloading works
properly even when a directory option is present.
895. [func] New function, isc_dir_current(), akin to POSIX's
getcwd().
894. [bug] When using the DNSSEC tools, a message intended to warn
when the keyboard was being used because of the lack
of a suitable random device was not being printed.
893. [func] Removed isc_file_test() and added isc_file_exists()
for the basic functionality that was being added
with isc_file_test().
892. [placeholder]
891. [bug] Return an error when a SIG(0) signed response to
an unsigned query is seen. This should actually
do the verification, but it's not currently
possible. [RT #1391]
890. [cleanup] The man pages no longer require the mandoc macros
and should now format cleanly using most versions of
nroff, and HTML versions of the man pages have been
added. Both are generated from DocBook source.
889. [port] Eliminated blank lines before .TH in nroff man
pages since they cause problems with some versions
of nroff. [RT #1390]
888. [bug] Don't die when using TKEY to delete a nonexistent
TSIG key. [RT #1392]
887. [port] Detect broken compilers that can't call static
functions from inline functions. [RT #1212]
866. [func] Close debug only file channels when debug is set to
zero. [RT #1246]
865. [bug] The new configuration parser did not allow
the optional debug level in a "severity debug"
clause of a logging channel to be omitted.
This is now allowed and treated as "severity
debug 1;" like it does in BIND 8.2.4, not as
"severity debug 0;" like it did in BIND 9.1.
[RT #1367]
864. [cleanup] Multithreading is now enabled by default on
OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
863. [bug] If an error occurred while an outgoing zone transfer
was starting up, the server could access a domain
name that had already been freed when logging a
message saying that the transfer was starting.
[RT #1383]
862. [bug] Use after realloc(), non portable pointer arithmetic in
grmerge().
861. [port] Add support for Mac OS X, by making it equivalent
to Darwin. This was derived from the config.guess
file shipped with Mac OS X. [RT #1355]
860. [func] Drop cross class glue in zone transfers.
859. [bug] Cache cleaning now won't swamp the CPU if there
is a persistent overlimit condition.
858. [func] isc_mem_setwater() no longer requires that when the
callback function is non-NULL then its hi_water
argument must be greater than its lo_water argument
(they can now be equal) or that they be non-zero.
857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
structs, for our friends in EBCDIC-land.
856. [func] Allow partial rdatasets to be returned in answer and
authority sections to help non-TCP capable clients
recover from truncation. [RT #1301]
855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
854. [bug] The config parser didn't properly handle config
options that were specified in units of time other
than seconds. [RT #1372]
853. [bug] configure_view_acl() failed to detach existing acls.
[RT #1374]
852. [bug] Handle responses from servers which do not know
about IXFR.
851. [cleanup] The obsolete support-ixfr option was not properly
ignored.
--- 9.2.0a1 released ---
850. [bug] dns_rbt_findnode() would not find nodes that were
split on a bitstring label somewhere other than in
the last label of the node. [RT #1351]
849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
848. [func] A minimum max-cache-size of two megabytes is enforced
by the cache cleaner.
847. [func] Added isc_file_test(), which currently only has
some very basic functionality to test for the
existence of a file, whether a pathname is absolute,
or whether a pathname is the fundamental representation
of the current directory. It is intended that this
function can be expanded to test other things a
programmer might want to know about a file.
846. [func] A non-zero 'param' do dst_key_generate() when making an
hmac-md5 key means that good entropy is not required.
845. [bug] The access rights on the public file of a symmetric
key are now restricted as soon as the file is opened,
rather than after it has been written and closed.
844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
just as <lwres/net.h> does.
843. [func] If no controls statement is present in named.conf,
or if any inet phrase of a controls statement is
lacking a keys clause, then a key will be automatically
generated by named and an rndc.conf-style file
named named.key will be written that uses it. rndc
will use this file only if its normal configuration
file, or one provided on the command line, does not
exist.
842. [func] 'rndc flush' now takes an optional view.
841. [bug] When sdb modules were not declared threadsafe, their
create and destroy functions were not serialized.
840. [bug] The config file parser could print the wrong file
name if an error was detected after an included file
was parsed. [RT #1353]
839. [func] Dump packets for which there was no view or that the
class could not be determined to category "unmatched".
838. [port] UnixWare 7.x.x is now suported by
bin/tests/system/ifconfig.sh.
837. [cleanup] Multithreading is now enabled by default only on
OSF1, Solaris 2.7 and newer, and AIX.
836. [func] Upgraded libtool to 1.4.
835. [bug] The dispatcher could enter a busy loop if
it got an I/O error receiving on a UDP socket.
[RT #1293]
834. [func] Accept (but warn about) master files beginning with
an SOA record without an explicit TTL field and
lacking a $TTL directive, by using the SOA MINTTL
as a default TTL. This is for backwards compatibility
with old versions of BIND 8, which accepted such
files without warning although they are illegal
according to RFC1035.
833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
<dns/soa.h>, and extended them to support
all the integer-valued fields of the SOA RR.
832. [bug] The default location for named.conf in named-checkconf
should depend on --sysconfdir like it does in named.
[RT #1258]
831. [placeholder]
830. [func] Implement 'rndc status'.
829. [bug] The DNS_R_ZONECUT result code should only be returned
when an ANY query is made with DNS_DBFIND_GLUEOK set.
In all other ANY query cases, returning the delegation
is better.
828. [bug] The errno value from recvfrom() could be overwritten
by logging code. [RT #1293]
827. [bug] When an IXFR protocol error occurs, the slave
should retry with AXFR.
826. [bug] Some IXFR protocol errors were not detected.
825. [bug] zone.c:ns_query() detached from the wrong zone
reference. [RT #1264]
824. [bug] Correct line numbers reported by dns_master_load().
[RT #1263]
823. [func] The output of "dig -h" now goes to stdout so that it
can easily be piped through "more". [RT #1254]
822. [bug] Sending nxrrset prerequisites would crash nsupdate.
[RT #1248]
821. [bug] The program name used when logging to syslog should
be stripped of leading path components.
[RT #1178, #1232]
820. [bug] Name server address lookups failed to follow
A6 chains into the glue of local authoritative
zones.
819. [bug] In certain cases, the resolver's attempts to
restart an address lookup at the root could cause
the fetch to deadlock (with itself) instead of
restarting. [RT #1225]
818. [bug] Certain pathological responses to ANY queries could
cause an assertion failure. [RT #1218]
817. [func] Adjust timeouts for dialup zone queries.
816. [bug] Report potential problems with log file accessibility
at configuration time, since such problems can't
reliably be reported at the time they actually occur.
815. [bug] If a log file was specified with a path separator
character (i.e. "/") in its name and the directory
did not exist, the log file's name was treated as
though it were the directory name. [RT #1189]
814. [bug] Socket objects left over from accept() failures
were incorrectly destroyed, causing corruption
of socket manager data structures.
813. [bug] File descriptors exceeding FD_SETSIZE were handled
badly. [RT #1192]
812. [bug] dig sometimes printed incomplete IXFR responses
due to an uninitialized variable. [RT #1188]
811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
810. [bug] The signer name in SIG records was not properly
downcased when signing/verifying records. [RT #1186]
809. [bug] Configuring a non-local address as a transfer-source
could cause an assertion failure during load.
808. [func] Add 'rndc flush' to flush the server's cache.
807. [bug] When setting up TCP connections for incoming zone
transfers, the transfer-source port was not
ignored like it should be.
806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
the calling stack to the zone maintence level, causing
zones to not reload when an included file was touched
but the top-level zone file was not.
805. [bug] When using "forward only", missing root hints should
not cause queries to fail. [RT #1143]
804. [bug] Attempting to obtain entropy could fail in some
situations. This would be most common on systems
with user-space threads. [RT #1131]
803. [bug] Treat all SIG queries as if they have the CD bit set,
otherwise no data will be returned [RT #749]
802. [bug] DNSSEC key tags were computed incorrectly in almost
all cases. [RT #1146]
801. [bug] nsupdate should treat lines beginning with ';' as
comments. [RT #1139]
800. [bug] dnssec-signzone produced incorrect statistics for
large zones. [RT #1133]
799. [bug] The ADB didn't find AAAA glue in a zone unless A6
glue was also present.
798. [bug] nsupdate should be able to reject bad input lines
and continue. [RT #1130]
797. [func] Issue a warning if the 'directory' option contains
a relative path. [RT #269]
796. [func] When a size limit is associated with a log file,
only roll it when the size is reached, not every
time the log file is opened. [RT #1096]
795. [func] Add the +multiline option to dig. [RT #1095]
794. [func] Implement the "port" and "default-port" statements
in rndc.conf.
793. [cleanup] The DNSSEC tools could create filenames that were
illegal or contained shell metacharacters. They
now use a different text encoding of names that
doesn't have these problems. [RT #1101]
792. [cleanup] Replace the OMAPI command channel protocol with a
simpler one.
791. [bug] The command channel now works over IPv6.
790. [bug] Wildcards created using dynamic update or IXFR
could fail to match. [RT #1111]
789. [bug] The "localhost" and "localnets" ACLs did not match
when used as the second element of a two-element
sortlist item.
788. [func] Add the "match-mapped-addresses" option, which
causes IPv6 v4mapped addresses to be treated as
IPv4 addresses for the purpose of acl matching.
787. [bug] The DNSSEC tools failed to downcase domain
names when mapping them into file names.
786. [bug] When DNSSEC signing/verifying data, owner names were
not properly downcased.
785. [bug] A race condition in the resolver could cause
an assertion failure. [RT #673, #872, #1048]
784. [bug] nsupdate and other programs would not quit properly
if some signals were blocked by the caller. [RT #1081]
783. [bug] Following CNAMEs could cause an assertion failure
when either using an sdb database or under very
rare conditions.
782. [func] Implement the "serial-query-rate" option.
781. [func] Avoid error packet loops by dropping duplicate FORMERR
responses. [RT #1006]
780. [bug] Error handling code dealing with out of memory or
other rare errors could lead to assertion failures
by calling functions on unitialized names. [RT #1065]
779. [func] Added the "minimal-responses" option.
778. [bug] When starting cache cleaning, cleaning_timer_action()
returned without first pausing the iterator, which
could cause deadlock. [RT #998]
777. [bug] An empty forwarders list in a zone failed to override
global forwarders. [RT #995]
776. [func] Improved error reporting in denied messages. [RT #252]
775. [placeholder]
774. [func] max-cache-size is implemented.
773. [func] Added isc_rwlock_trylock() to attempt to lock without
blocking.
772. [bug] Owner names could be incorrectly omitted from cache
dumps in the presence of negative caching entries.
[RT #991]
771. [cleanup] TSIG errors related to unsynchronized clocks
are logged better. [RT #919]
770. [func] Add the "edns yes_or_no" statement to the server
clause. [RT #524]
769. [func] Improved error reporting when parsing rdata. [RT #740]
768. [bug] The server did not emit an SOA when a CNAME
or DNAME chain ended in NXDOMAIN in an
authoritative zone.
767. [placeholder]
766. [bug] A few cases in query_find() could leak fname.
This would trigger the mpctx->allocated == 0
assertion when the server exited.
[RT #739, #776, #798, #812, #818, #821, #845,
#892, #935, #966]
765. [func] ACL names are once again case insensitive, like
in BIND 8. [RT #252]
764. [func] Configuration files now allow "include" directives
in more places, such as inside the "view" statement.
[RT #377, #728, #860]
763. [func] Configuration files no longer have reserved words.
[RT #731, #753]
762. [cleanup] The named.conf and rndc.conf file parsers have
been completely rewritten.
761. [bug] _REENTRANT was still defined when building with
--disable-threads.
760. [contrib] Significant enhancements to the pgsql sdb driver.
759. [bug] The resolver didn't turn off "avoid fetches" mode
when restarting, possibly causing resolution
to fail when it should not. This bug only affected
platforms which support both IPv4 and IPv6. [RT #927]
758. [bug] The "avoid fetches" code did not treat negative
cache entries correctly, causing fetches that would
be useful to be avoided. This bug only affected
platforms which support both IPv4 and IPv6. [RT #927]
757. [func] Log zone transfers.
756. [bug] dns_zone_load() could "return" success when no master
file was configured.
755. [bug] Fix incorrectly formatted log messages in zone.c.
754. [bug] Certain failure conditions sending UDP packets
could cause the server to retry the transmission
indefinitely. [RT #902]
753. [bug] dig, host, and nslookup would fail to contact a
remote server if getaddrinfo() returned an IPv6
address on a system that doesn't support IPv6.
[RT #917]
752. [func] Correct bad tv_usec elements returned by
gettimeofday().
751. [func] Log successful zone loads / transfers. [RT #898]
750. [bug] A query should not match a DNAME whose trust level
is pending. [RT #916]
749. [bug] When a query matched a DNAME in a secure zone, the
server did not return the signature of the DNAME.
[RT #915]
748. [doc] List supported RFCs in doc/misc/rfc-compliance.
[RT #781]
747. [bug] The code to determine whether an IXFR was possible
did not properly check for a database that could
not have a journal. [RT #865, #908]
746. [bug] The sdb didn't clone rdatasets properly, causing
a crash when the server followed delegations. [RT #905]
745. [func] Report the owner name of records that fail
semantic checks while loading.
744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
result of an ANY or SIG query, the resolver failed
to setup the return event's rdatasets, causing an
assertion failure in the query code. [RT #881]
743. [bug] Receiving a large number of certain malformed
answers could cause named to stop responding.
[RT #861]
CXXFLAGS, and LDFLAGS by the buildlink.mk files so remove the extra
definitions to add them from the package Makefiles. As advised by the
bsd.buildlink.mk file, also ensure that the buildlink.mk files are
included prior to defining any package-specific CFLAGS/LDFLAGS to ensure
that the buildlink directories are at the head of the compiler search
paths.
-I${BUILDLINK}/include through via CPPFLAGS as well as CFLAGS to ensure
that readline/readline.h is found by the configure script. Fixes
pkg/13110 by Jesse Off.
By the means of a DHIS client a host which is assigned a dynamic
IP address (either from its ISP or from DHCP) is able to communicate
with a DHIS server in order to advertise its newly acquired IP
address.
The DHIS server (permanently online) listens to UDP messages from
its clients and authenticates these against its knowledge of keys.
When authentication is successful the DHIS server updates one or
more databases with the newly received IP address for the given
client.
The server then keeps sending, every period of time, check requests
to each of its connected clients. These need to be acknowledged.
If not the server will consider, on an individual basis, that the
client has disconnected and will
again update the databases to an offline state.
Alternativelly the server may receive an OFFLINE_REQ packet from
the client, in which case the DNS record is updated at once and
the online state droped.
