NetBSD's libc and Samba both proide SHA2 function with the same
protoype, but with different private context structures. The
Samba version must not override the libc version, otherwise they
are used when using LDAP/SSL, through libldap/libssl/libcrypto
but libcrtypo expect to use the libc flavor.
Without this fix, Samba cannot connect to a LDAP directory that
has a SHA2-signed certificate. This rather cryptic error is raised
in smbd logs:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
==============================
Release Notes for Samba 3.6.25
February 23, 2015
==============================
This is a security release in order to address CVE-2015-0240 (Unexpected
code execution in smbd).
o CVE-2015-0240:
All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
unexpected code execution vulnerability in the smbd file server
daemon.
A malicious client could send packets that may set up the stack in
such a way that the freeing of memory in a subsequent anonymous
netlogon packet could allow execution of arbitrary code. This code
would execute with root privileges.
o CVE-2014-0178:
In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.
A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.
==============================
Release Notes for Samba 3.6.24
June 23, 2014
==============================
This is a security release in order to address
CVE-2014-0244 (Denial of service - CPU loop) and
CVE-2014-3493 (Denial of service - Server crash/memory corruption).
o CVE-2014-0244:
All current released versions of Samba are vulnerable to a denial of
service on the nmbd NetBIOS name services daemon. A malformed packet
can cause the nmbd server to loop the CPU and prevent any further
NetBIOS name service.
This flaw is not exploitable beyond causing the code to loop expending
CPU resources.
o CVE-2014-3493:
All current released versions of Samba are affected by a denial of service
crash involving overwriting memory on an authenticated connection to the
smbd file server.
==============================
Release Notes for Samba 3.6.23
March 11, 2014
==============================
This is a security release in order to address
CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
o CVE-2013-4496:
Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.
However, all released versions of Samba did not implement this check for
password changes, such as are available over multiple SAMR and RAP
interfaces, allowing password guessing attacks.
Changes since 3.6.21:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
o Stefan Metzmacher <metze@samba.org>
* BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
o Noel Power <noel.power@suse.com>
* BUGs 10300, 10306: CVE-2012-6150: Fail authentication if user isn't
member of *any* require_membership_of specified groups.
Changes since 3.6.20:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10139: Valid utf8 filenames cause "invalid conversion error"
messages.
* BUG 10167: s3-smb2 server: smb2 breaks "smb encryption = mandatory".
* BUG 10187: Missing talloc_free can leak stackframe in error path.
* BUG 10247: xattr: Fix listing EAs on *BSD for non-root users.
o Korobkin <korobkin+samba@gmail.com>
* BUG 10118: Raise debug level for being unable to open a printer.
o Volker Lendecke <vl@samba.org>
* BUG 10195: nsswitch: Fix short writes in winbind_write_sock.
o Arvid Requate <requate@univention.de>
* BUG 10267: Fix Windows 8 printing via local printer drivers.
o Andreas Schneider <asn@cryptomilk.org>
* BUG 10194: Make offline logon cache updating for cross child domain
group membership.
These are security releases in order to address CVE-2013-4475 (ACLs are not checked on opening an alternate data stream on a file or directory) and CVE-2013-4476 (Private key in key.pem world readable).
Changes since 3.6.18:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 5917: Make Samba work on site with Read Only Domain Controller.
o Christian Ambach <ambi@samba.org>
* BUG 8955: NetrServerPasswordSet2 timeout is too short.
o Günther Deschner <gd@samba.org>
* BUG 9899: Fix fallback to ncacn_np in cm_connect_lsat().
* BUG 9615: Fix fallback to ncacn_np in cm_connect_lsat().
* BUG 10127: Fix 'smbstatus' as non-root user.
o Volker Lendecke <vl@samba.org>
* BUG 8955: Give machine password changes 10 minutes of time.
* BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo
requests.
* BUG 10114: Handle Dropbox (write-only-directory) case correctly in
pathname lookup.
o Karolin Seeger <kseeger@samba.org>
* BUG 10076: Fix variable list in man vfs_crossrename.
o Andreas Schneider <asn@samba.org>
* BUG 9994: s3-winbind: Do not delete an existing valid credential cache.
* BUG 10073: 'net ads join': Fix segmentation fault in
create_local_private_krb5_conf_for_domain.
o Richard Sharpe <realrichardsharpe@gmail.com>
* BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed
out by Samba.
==============================
Release Notes for Samba 3.6.17
August 05, 2013
==============================
This is a security release in order to address
CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
server to loop with DOS).
o CVE-2013-4124:
All current released versions of Samba are vulnerable to a denial of
service on an authenticated or guest connection. A malformed packet
can cause the smbd server to loop the CPU performing memory
allocations and preventing any further service.
A connection to a file share, or a local account is needed to exploit
this problem, either authenticated or unauthenticated if guest
connections are allowed.
This flaw is not exploitable beyond causing the code to loop
allocating memory, which may cause the machine to exceed memory
limits.
Changes since 3.6.16:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
reading can cause server to loop with DOS.
* BUG 9130: Certain xattrs cause Windows error 0x800700FF.
* BUG 9724: Use is_encrypted_packet() function correctly inside server.
* BUG 9733: Fix 'smbcontrol close-share' is not working.
* BUG 9747: Make sure that we only propogate the INHERITED flag when we are
allowed to.
* BUG 9748: Remove unneeded fstat system call from hot read path.
* BUG 9811: Fix bug in old create temp SMB request. Only use VFS functions.
* BUG 9650: New or deleted CUPS printerqueues are not recognized by Samba.
* BUG 9807: wbinfo: Fix segfault in wbinfo_pam_logon.
* BUG 9727: wkssvc: Fix NULL pointer dereference.
* BUG 9736: smbd: Tune "dir" a bit.
* BUG 9775: Fix segfault for "artificial" conn_structs.
* BUG 9809: RHEL SPEC: Package dbwrap_tool man page.
* BUG 9139: Fix the username map optimization.
* BUG 9699: Fix adding case sensitive spn.
* BUG 9723: Add a tool to migrate latin1 printing tdbs to registry.
* BUG 9735: Fix Winbind separator in upn to username conversion.
* BUG 9766: Cache name_to_sid/sid_to_name correctly.
==============================
Release Notes for Samba 3.6.12
January 30, 2013
==============================
This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
o CVE-2013-0213:
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
o CVE-2013-0214:
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
Changes since 3.6.11:
--------------------
o Kai Blin <kai@samba.org>
* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
=============================
Release Notes for Samba 3.6.6
June 25, 2012
=============================
This is is the latest stable release of Samba 3.6.
Major enhancements in Samba 3.6.6 include:
o Fix possible memory leaks in the Samba master process (bug #8970).
o Fix uninitialized memory read in talloc_free().
o Fix joining of XP Pro workstations to 3.6 DCs (bug #8373).
Changes since 3.6.5:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 8738: SMB2 server will not release unused shares.
* BUG 8749: Sign non guest sessions in SessionSetup.
* BUG 8921: Fix race writing registry values.
o Jeremy Allison <jra@samba.org>
* BUG 8373: Fix joining of XP Pro workstations to 3.6 DCs.
* BUG 8627: Fix crash bug in dns_create_probe when dns_create_update fails.
* BUG 8723: Add pthread-based aio VFS module.
* BUG 8784: When calculating the share security mask, take priviliges into
account for the connecting user.
* BUG 8811: sd_has_inheritable_components segfaults on an SD that
se_access_check accepts.
* BUG 8837: Fix crash in smbd when deleting directory and veto files are
enabled.
* BUG 8857: Setting traverse rights fails to enable directory traversal when
acl_xattr in use.
* BUG 8882: Broken processing of %U with vfs_full_audit when force user is
set.
* BUG 8897: Make winbind_krb5_locator not only returning one IP address.
* BUG 8910: resolve_ads() code can return zero addresses and miss valid
DC IP addresses.
* BUG 8922: smbclient's tarmode insists on listing excluded directories.
* BUG 8953: Winbind can hang as nbt_getdc() has no timeout.
* BUG 8957: Typo in pam_winbindd code MUST fix.
* BUG 8970: Fix possible memory leaks in the Samba master process.
* BUG 8971: cleanup_timeout_fn() is called too often, on exiting when an
smbd is idle.
* BUG 8972: Directory group write permission bit is set if unix extensions
are enabled.
o Christian Ambach <ambi@samba.org>
* BUG 8406: Fix a return code check in Winbind.
* BUG 8807: Fix crash in dcerpc_lsa_lookup_sids_noalloc() crashes when
groups has more than 1000 groups.
o Andrew Bartlett <abartlet@samba.org>
* BUG 8599: Only use SamLogonEx when we can get unencrypted session keys.
* BUG 8727: Fix smbclients with posix large reads.
* BUG 8943: Slow but responsive DC can lock up Winbind for > 10 minutes
at a time.
o Björn Baumbach <bb@sernet.de>
* BUG 7564: Fix default name resolve order in the manpage.
* BUG 8554, 8612, 8748: Add new printers to registry.
* BUG 8789: Remove whitespace in example samba.ldif.
o Alexander Bokovoy <ab@samba.org>
* BUG 8988: Avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute().
o Alejandro Escanero Blanco <aescanero@gmail.com>
* BUG 8798: The primary rid should be in the groups rid array.
o Ira Cooper <samba@ira.wakeful.net>
* BUG 8729: Fix getpass regressions on Solaris/Illumos.
* BUG 8743: Fix configure.developer builds on Solaris.
* BUG 8910: Fix bad bugfix for bug #8910.
* BUG 8952: Fix negative SID->uid/gid cache handling.
* BUG 8995: Use fsp_persistent_id() as persistent_file_id part for SMB2.
o David Disseldorp <ddiss@samba.org>
* BUG 8762: Fix crash in printer_list_set_printer().
o Olaf Flebbe <o.flebbe@science-computing.de>
* BUG 8859: Fix assertion in reg_parse.
o Björn Jacke <bj@sernet.de>
* BUG 8732: Fix compile of krb5 locator on Solaris.
* BUG 8869: Remove outdated netscape ds 5 schema file.
* BUG 8978: Remove dependency on automake for 'make everything'.
o Steve Langasek <steve.langasek@ubuntu.com>
* BUG 8920: Fix null dereference in pdb_interface.
o Volker Lendecke <vl@samba.org>
* Fix uninitialized memory read in talloc_free().
* BUG 8567: Fix segfault in dom_sid_compare.
* BUG 8733: Delete streams on directories (streams_depot).
* BUG 8760: Add SERVERID_UNIQUE_ID_NOT_TO_VERIFY.
* BUG 8836: Fix segfaults on "smbcontrol close-share" in aio_fork.
* BUG 8861: Fix a segfault with debug level 3 on Solaris.
* BUG 8904: Fix Winbind crash triggered by 'wbinfo --lookup-sids ""'.
* BUG 8998: Notify code can miss a ChDir.
o Stefan Metzmacher <metze@samba.org>
* BUG 8139: Ignore SMBecho errors (the server may not support it).
* BUG 8527: db_ctdb_traverse fails to traverse records created within the
current transaction.
* BUG 8311: Winzip occasionally can not read files out of an open winzip
dialog.
* BUG 8739: Fill the sids array of the info in
wbcAuthUserInfo_to_netr_SamInfo3().
* BUG 8749: Sign non guest sessions in SessionSetup.
* BUG 8995: Use fsp_persistent_id() as persistent_file_id part for SMB2.
o Matthieu Patou <mat@matws.net>
* BUG 8599: Set the can_do_validation6 also for trusted domain.
* BUG 8714: Catch with pid filename's change when config file is not
smb.conf.
* BUG 8734: Don't try to do clever thing if the username is not found while
authenticating through Winbind.
* BUG 8771: Winbind takes up to 20 minutes to change from DC 1 to DC 2.
* BUG 8975: Call dump_core_setup after command line option has been parsed.
o SATOH Fumiyasu <fumiyas@osstech.co.jp>
* BUG 8826: Prepend '/' to filename argument (docs).
o Andreas Schneider <asn@samba.org>
* BUG 8944 and 8567: Don't lookup the system user in pdb.
o Richard Sharpe <realrichardsharpe@gmail.com>
* BUG 8768: Honor SeTakeOwnershipPrivilege when file opened with
SEC_STD_WRITE_OWNER.
* BUG 8797: Correctly handle DENY ACEs when privileges apply.
* BUG 8822: Fix building out-of-tree modules.
* BUG 8945: vfs_acl_common discards errors from writing to the underlying
storage.
* BUG 8970: Fix possible memory leaks in the Samba master process.
o Simo Sorce <idra@samba.org>
* BUG 8915: Fix pam_winbind build against newer iniparser library.
o Joseph Tam <jtam.home@gmail.com>
* BUG 8877: Syslog broken owing to mistyping of debug_settings.syslog.
o Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
* BUG 8845: Move print_backend_init() behind init_system_info().
=============================
Release Notes for Samba 3.6.5
April 30, 2012
=============================
This is a security release in order to address
CVE-2012-2111 (Incorrect permission checks when granting/removing
privileges can compromise file server security).
o CVE-2012-2111:
Samba 3.4.x to 3.6.4 are affected by a
vulnerability that allows arbitrary users
to modify privileges on a file server.
This is a security release in order to address
CVE-2012-1182 ("root" credential remote code execution).
o CVE-2012-1182:
Samba 3.0.x to 3.6.3 are affected by a
vulnerability that allows remote code
execution as the "root" user.
Changes since 3.6.3:
--------------------
o Stefan Metzmacher <metze@samba.org>
*BUG 8815: PIDL based autogenerated code allows overwriting beyond of
allocated array (CVE-2012-1182).
Samba 3.6.3:
This is a security release in order to address
CVE-2012-0817 (Memory leak/Denial of service).
o CVE-2012-0817:
The Samba File Serving daemon (smbd) in Samba versions
3.6.0 to 3.6.2 is affected by a memory leak that can
cause a server denial of service.
Samba 3.6.2:
Major enhancements in Samba 3.6.2 include:
o Make Winbind receive user/group information (bug #8371).
o Several SMB2 fixes.
For complete changes, please refer
http://www.samba.org/samba/history/samba-3.6.2.html and
http://www.samba.org/samba/history/samba-3.6.3.html.
Major enhancements in Samba 3.6.1 include:
o Fix smbd crashes triggered by Windows XP clients (bug #8384).
o Fix a Winbind race leading to 100% CPU load (bug #8409).
o Several SMB2 fixes.
o The VFS ACL modules are no longer experimental but production-ready.
Full release notes at http://www.samba.org/samba/history/samba-3.6.1.html
Major enhancements in Samba 3.6.0 include:
- Changed security defaults:
client ntlmv2 auth = yes
client use spnego principal = no
send spnego principal = no
- SMB2 support (fully functional with one omission)
- Internal Winbind passdb changes
- New Spoolss code
- ID Mapping Changes
- Endpoint Mapper
- Internal restructuring
- SMB Traffic Analyzer (http://holger123.wordpress.com/smb-traffic-analyzer/)
- NFS quota backend on Linux
Full release notes at http://www.samba.org/samba/history/samba-3.6.0.html
This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.
Please note that Samba 3.0 is not maintained any longer. This security
release is shipped on a voluntary basis.
o CVE-2009-2813:
In all versions of Samba later than 3.0.11, connecting to the home
share of a user will use the root of the filesystem
as the home directory if this user is misconfigured to have
an empty home directory in /etc/passwd.
o CVE-2009-2948:
If mount.cifs is installed as a setuid program, a user can pass it a
credential or password path to which he or she does not have access and
then use the --verbose option to view the first line of that file.
o CVE-2009-2906:
Specially crafted SMB requests on authenticated SMB connections can
send smbd into a 100% CPU loop, causing a DoS on the Samba server.
Please note, that the 3.0 series will be DISCONTINUED after this release!
There will be neither any bugfix release nor any security release. Updating
to the latest release series is strongly recommended. For more information
on current Samba releases, please see
Major enhancements included in Samba 3.0.36 are:
o Fix Winbind crash on 'getent group' (bug #5906).
o Excel save operation corrupts file ACLs (bug #4308).
o Prevent segmentation fault on joining a very long domain name.
- CVE-2009-1888:
In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
data value can potentially affect access control when "dos filemode"
is set to "yes".
This security fix has already been integrated into "pkggsrc" via a patch
previously. The package was only updated to make future maintenance easier.
CVE-2009-1888:
In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
data value can potentially affect access control when "dos filemode"
is set to "yes".
bump PKGREVISION
- Fix update of machine account passwords.
- Fix SMB signing issue on Windows Vista with MS Hotfix KB955302.
- Fix Winbind crashes.
- Correctly detect if the current dc is the closest one.
- Add saf_join_store() function to memorize the dc used at join time.
This avoids problems caused by replication delays shortly after
domain joins.
- Fix write list in setups using "security = share".
AIX method was being chosen in preference (on NetBSD 5.0 at least). This
broke net and rpcclient, etc. as they failed to enumerate interfaces
correctly.
- Prevent crash bug in Winbind caused by a race condition
when a child process becomes unresponsive.
- Fix interactive password prompting in the "net" command.
- Documentation clarifications and typographical fixes.
- Correct issues with running Winbind running on a Samba PDC.
- Problems with trusted Windows 2008 domains.
- Difficulty joining an NT4 or Windows 2000 AD domain.
- Fix for CVE-2008-1105.
- Remove man pages for ldb tools not included in Samba 3.0.
- Fix build for pam_smbpass.
- Fix a crash in tdb_wrap_log().
- BUG 5267: Fix for nmbd termination problems when no interfaces
found.
- BUG 5326: OS/2 servers give strange "high word" replies for
print jobs.
- Remove MS-DFS check that required the target host be ourself.
- BUG 5372: Fix high CPU usage of cupsd on large print servers
by using more efficient CUPS queries in smbd.
- Rewrite integer wrap checks to deal with gcc 4.x optimizations.
- BUG 5095: Fix the enforcement of the "Manage Documents" access right.
- Don't free memory from getpass() in mount.cifs.
- BUG 5460: Fix MS-DFS referral problem in server code.
- Fix bug in Winbind that caused the parent to ignore dead children.
- Fix compile warnings.
- Fix build for pam_smbpass.
- Document build fixes.
- BUG 4235: Improve compliance to the Squid helper protocol.
- BUG 5107: Fix handling of large DNS replies on AIX and Solaris.
- Prevent cycle in Wibind's list of children when reaping dead processes.
- BUG 5419: Fix memory leak in ads_do_search_all_args() (merge from v3-2).
- Fix winbind NETLOGON credential chain on a samba dc for w2k8 trusts.
- Fix client connections and negotiation with Windows 2008 DCs
in member server code.
- Add NT_STATUS_DOWNGRADE_DETECTED error code (merge from v3-2).
- BUG 5430: Fix pam_winbind.so on Solaris (requires -lsocket).
- Re-add samr getdispinfoindex parsing which got lost in the glue commit.
- BUG 5461: Implement a very basic _samr_GetDisplayEnumerationIndex().
Corrects interop problem between Citrix PM and a Samba DC.
- BUG 3840: Fix smbclient connecting to NetApp filers when using
whitespace in the user's password.
- BUG 4901: Fix behavior of "ldap passwd sync = only".
- BUG 5317: Fix debug output from domain_client_validate().
- BUG 5338: Fix format string bug in rpcclient.
- Ensure that "wbinfo -a trusted\\user%password" works correctly
on a Samba DC with trusts.
- BUG 5336: Fix SetUsetrInfo(level 25) to update the pwdLastSet
attribute.
- BUG 5350: Fallback to anonymous sessions if not trust password
could be obtained on Samba DCs and member servers.
- BUG 5366: Fix password chat on Sun OpenSolaris (Nevada).
- Fix signing problem in the client with trans requests.
- Fix alignment bug hitting Solaris with "reset in zero vc" activated.
- Fix build with glibc 2.8.
- Enable winbind child processes to do something with signals, in
particular closing and reopening logs on SIGHUP.
- Documentation cleanup after r emerging docs from svn to git and
back-porting from the v3-2 branch.
- Add implementation of machine-authenticated connection to netlogon
pipe used when connecting to win2k and newer domain controllers.
- Fix trusted users on a DC that uses the old idmap syntax.
- Only have Winbind cache domain password policies that were
successfully retrieved.
- Fix alignment bug when marshalling printer data replies.
- Fix DeleteDriverDriverEx() checks to prevent removing in use files.
CHANGES FOR PKGSRC:
==================
Makefile:
+ Modify section that manually handles the ELF symlinks for samba
shared libraries -- add additional libraries that are built (addns,
smbsharemodes) and reorganize so we don't need two loops where one
will do.
+ Pass --with-included-popt to the configure script to force using
the popt distribution included with samba to avoid any library
mismatch errors between samba and any installed popt. This fixes
PR pkg/34444 by Jason Lingohr.
+ Don't build the smbmount programs on Linux -- they're deprecated in
favor of the mount.cifs programs.
+ Remove some pkgviews-related settings -- I'm not supporting pkgviews
installation of samba.
Makefile.patches:
+ Empty out PATCHFILES because we are updating to the latest release
of samba, which has all previous patches for security advisories
already rolled into the main sources.
Makefile.mirrors:
+ Update SAMBA_MIRRORS in Makefile.mirrors to the latest list of FTP
mirrors.
options.mk:
+ Only show the ``acl'' option on platforms that actually support
POSIX ACLs.
+ Add a new ``fam'' option to enable building the notify_fam VFS
module.
patch-ab, patch-ax:
+ Remove patch-ab and update patch-ax -- there's nothing for the
scripts to back up so we don't need to patch the install* scripts
to avoid this.
patch-ae, patch-ah:
+ Update patch-ae and remove patch-ah -- we should definitely check
that PAM_AUTHTOK_RECOVERY_ERR is defined before using its value to
define PAM_AUTHTOK_RECOVER_ERR.
patch-at, patch-au:
+ Fix patch-at and patch-au -- in configure.in, we need to "escape"
left and right brackets or else m4 will strip them away in the
resulting configure script. This should fix the detection of FreeBSD
and NetBSD systems capable of using nss_winbind noted in PR pkg/38076
by Ingo Meyer.
patch-ay:
+ Remove some unnecessary changes -- we can safely just do "mkdir" in
some places because we know the parent and any intermediate directories
exist.
patch-be:
+ Fix a bug in locating WINS_LIST -- nmbd/nmbd_winsserver.c was
referring to WINS_LIST under the state directory in one place and
under the lock directory in another; change all references to be
under the state directory.
patch-db:
+ Add patch to fix the build of samba on older BSDs. Patch supplied
in PR pkg/37487 by John Frear.
All remaining changes to patches/patch-* are simply to remove fuzz.
MAJOR CHANGES FROM VERSION 3.0.26a:
* Fix failure to join Windows 2008 domains.
* Fix Windows Vista (including SP1 RC) inter-op issues.
* Add a new ``administrative share'' service parameter for defining
hidden shares that cannot be managed from Windows.
* Fix for CVS-2007-6015 (already fixed in 3.0.26anb4 in pkgsrc).
* Fix for CVS-2007-5398 (already fixed in 3.0.26anb4 in pkgsrc).
* Fix for CVS-2007-4572 (already fixed in 3.0.26anb4 in pkgsrc). Also
subsequent fix for regression experienced by smbfs clients caused by
the fix for CVS-2007-4572, noted in PR pkg/38300 by Dave Barnes.
* Many other bugs fixed and memory leaks plugged.
