a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
==============================
Release Notes for Samba 3.5.21
January 30, 2013
==============================
This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
o CVE-2013-0213:
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
o CVE-2013-0214:
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
Changes since 3.5.20:
---------------------
o Kai Blin <kai@samba.org>
* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
* 3.5.20
Changes since 3.5.19:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 7781: Samba transforms ShareName to lowercase (sharename) when
adding new share via MMC.
* BUG 9236: Apply ACL masks correctly when setting ACLs.
* BUG 9455: munmap called for an address location not mapped by Samba.
o Bj«Órn Baumbach <bb@sernet.de>
* BUG 9345: Fix usage of <smbconfoption> tag.
o Stefan Metzmacher <metze@samba.org>
* BUG 9390: Fix segfaults in log level = 10 on Solaris.
* BUG 9402: Fix dns updates against BIND9 (used in a Samba4 domain).
* 3.5.19
Changes since 3.5.18:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 9016: Connection to outbound trusted domain goes offline.
* BUG 9117: smbclient can't connect to a Windows 7 server using NTLMv2.
* BUG 9213: Bad ASN.1 NegTokenInit packet can cause invalid free.
* BUG 9236: ACL masks incorrectly applied when setting ACLs.
o Andrew Bartlett <abartlet@samba.org>
* BUG 8788: libsmb: Initialise ticket to ensure we do not free invalid
memory.
o Bj«Órn Jacke <bj@sernet.de>
* BUG 8344: autoconf: Fix --with(out)-sendfile-support option handling.
* BUG 8732: Fix compile of krb5 locator on Solaris.
* BUG 9172: Add quota support for gfs2.
o Matthieu Patou <mat@matws.net>
* BUG 9259: lib-addns: Ensure that allocated buffer are pre set to 0.
o Andreas Schneider <asn@samba.org>
* BUG 9218: Samba panics if a user specifies an invalid port number.
* 3.5.18
Changes since 3.5.17:
---------------------
o Michael Adam <obnox@samba.org>
* BUG 7788: Clarify the idmap_rid manpage.
o Jeremy Allison <jra@samba.org>
* BUG 9098: Winbind does not refresh Kerberos tickets.
* BUG 9147: Winbind can't fetch user or group info from AD via LDAP.
* BUG 9150: Valid open requests can cause smbd assert due to incorrect
oplock handling on delete requests.
o Neil R. Goldberg <ngoldber@mitre.org>
* BUG 9100: Winbind doesn't return "Domain Local" groups from own domain.
o Hargagan <shargagan@novell.com>
* BUG 9085: NMB registration for a duplicate workstation fails with
registration refuse.
o Bj«Órn Jacke <bj@sernet.de>
* BUG 7814: Fix build of sysquote_xfs.
* BUG 8402: Winbind log spammed with idmap messages.
o Volker Lendecke <vl@samba.org>
* BUG 9084: Fix a smbd crash in reply_lockingX_error.
o Herb Lewis <hlewis@panasas.com>
* BUG 9104: Fix Winbind crashes caused by mis-identified idle clients.
o Luca Lorenzetto <lorenzetto-luca@ubuntu-it.org>
* BUG 9013: Desktop Managers (xdm, gdm, lightdm...) crash with SIGSEGV in
_pam_winbind_change_pwd() when password is expiring.
* 3.5.17
Changes since 3.5.16:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 9034: Fix typo in set_re_uid() call when USE_SETRESUID selected in
configure.
o Bj«Órn Jacke <bj@sernet.de>
* BUG 8996: Fix build without ads support.
* BUG 9011: Second part of a fix for bug #9011 (Build on HP-UX broken).
o Stefan Metzmacher <metze@samba.org>
* BUG 9022: Make vfs_gpfs less verbose in get/set_xattr functions.
Bump PKGREVISION
---
Module Name: pkgsrc
Committed By: sbd
Date: Sun Aug 19 07:28:36 UTC 2012
Modified Files:
pkgsrc/net/samba: INSTALL.nss_winbind Makefile options.mk
Added Files:
pkgsrc/net/samba: DEINSTALL.nss_winbind
Log Message:
NSS winbind option install script fixes:
1) Move the INSTALL_TEMPLATES line to the 'winbind' option section.
2) Enable the install script on all platforms.
3) Use the value of ${NSS_WINBIND} in the script as the name of the
library (should work on all platforms).
4) In the install script only create the symlink if ${NSS_WINBIND} doesn't
start with '@comment' (i.e. no nss winbind on this platform) and the
target file exists and the symlink _doesn't_ already exist.
5) Create a DEINSTALL_TEMPLATES to remove the nss winbind symlink if it
exists and point to the correct target.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 pkgsrc/net/samba/DEINSTALL.nss_winbind
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/samba/INSTALL.nss_winbind
cvs rdiff -u -r1.220 -r1.221 pkgsrc/net/samba/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/samba/options.mk
==============================
Release Notes for Samba 3.5.16
July 2, 2012
==============================
This is the latest stable release of Samba 3.5.
Major enhancements in Samba 3.5.16 include:
o Fix possible memory leaks in the Samba master process (bug #8970).
o Fix uninitialized memory read in talloc_free().
o Fix smbd crash with unknown user (bug #8314).
Changes since 3.5.15:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 8314: Fix smbd crash with unknown user.
* BUG 8831: Fix inconsistent (with manpage) command-line switch for "help"
in smbtree.
* BUG 8882: Fix processing of %U with vfs_full_audit when "force user"
is set.
* BUG 8897: winbind_krb5_locator only returns one IP address.
* BUG 8910: resolve_ads() code can return zero addresses and miss valid DC
IP addresses.
* BUG 8957: Fix typo in pam_winbindd code.
* BUG 8972: Directory group write permission bit is set if unix extensions
are enabled.
* BUG 8974: Kernel oplocks are broken when uid(file) != uid(process).
* BUG 8989: Send correct responses to NT Transact Secondary when no data and
no params.
* BUG 8994: Fix "winbind normalize names".
o Andrew Bartlett <abartlet@samba.org>
* BUG 8599: Only use SamLogonEx when we can get unencrypted session keys.
* BUG 8943: Slow but responsive DC can lock up winbindd for > 10 minutes
at a time.
o Björn Baumbach <bb@sernet.de>
* BUG 7564: Fix default name resolve order in the manpage.
o John Bradshaw <john@johnbradshaw.org>
* BUG 7938: Fix typo (overrided -> overridden) in Samba3-HOWTO.
o Olaf Flebbe <o.flebbe@science-computing.de>
* BUG 8552: Correct documentation of "case sensitive".
o Björn Jacke <bj@sernet.de>
* BUG 8869: Remove outdated netscape ds 5 schema file.
* BUG 9011: Fix build on HP-UX.
o Volker Lendecke <vl@samba.org>
* Fix uninitialized memory read in talloc_free().
* BUG 8338: OS/X can not deal with a 10-vwv read on normal files.
* BUG 8998: Notify code can miss a ChDir.
* BUG 9000: Fix a Winbind race leading to 100% CPU.
* BUG 9003: Fix posix acl on gpfs.
o Matthieu Patou <mat@matws.net>
* BUG 8975: Make sure that Winbind can coredump.
o Karolin Seeger <kseeger@samba.org>
* BUG 7930: Add hint that setting "profile acls = yes" on normal shares can
cause trouble.
o Richard Sharpe <realrichardsharpe@gmail.com>
* BUG 8822: Fix building out-of-tree vfs modules.
* BUG 8970: Fix possible memory leaks in the Samba master process.
o Simo Sorce <idra@samba.org>
* BUG 8915: Fix pam_winbind build against newer iniparser library.
==============================
Release Notes for Samba 3.5.15
April 30, 2012
==============================
This is a security release in order to address
CVE-2012-2111 (Incorrect permission checks when granting/removing
privileges can compromise file server security).
o CVE-2012-2111:
Samba 3.4.x to 3.6.4 are affected by a
vulnerability that allows arbitrary users
to modify privileges on a file server.
This is a security release in order to address
CVE-2012-1182 ("root" credential remote code execution).
o CVE-2012-1182:
Samba 3.0.x to 3.6.3 are affected by a
vulnerability that allows remote code
execution as the "root" user.
Changes since 3.5.13:
---------------------
o Stefan Metzmacher <metze@samba.org>
*BUG 8815: PIDL based autogenerated code allows overwriting beyond of
allocated array (CVE-2012-1182).
* BUG 8327: Fix config reload to reload shares from registry.
* BUG 8139: Ignore SMBecho errors.
* BUG 8521: Fix Winbind cache timeout expiry test.
* BUG 8561: Fully observe password change settings.
* BUG 8631: Fix POSIX ACE x permission mapping to and from a DACL.
* BUG 8636: When returning an ACL without SECINFO_DACL requested, we still
set SEC_DESC_DACL_PRESENT in the type field.
* BUG 8644: Make sure that vfs_acl_xattr and vfs_acl_tdb modules add
inheritable entries on a directory with no stored ACL.
* BUG 8663: Fix deleting a symlink if the symlink target is outside of the
* share.
* BUG 8664: Fix renaming a symlink if the symlink target is outside of the
share.
* BUG 8673: Fix NT ACL issue.
* BUG 8679: Make sure that recvfile code path using splice() on Linux
does not leave data in the pipe on short write.
* BUG 8687: Fix typo in 'net memberships' usage.
Now that samba-nss-winbind-install and samba-nss-wins-install work again.
1) Switch back to using the the above mentioned targets for installing
nss-winbind and nss_wins. (These targets work on all platforms.)
2) Switch back to using ${NSS_WINBIND} and ${NSS_WINS} in the PLIST as
these work on all platforms.
Bump PKGREVISION
This is the latest stable release of Samba 3.5.
Major enhancements in Samba 3.5.12 include:
o Fix race condition in Winbind (bug 7844).
o The VFS ACL modules are no longer experimental but production-ready.
See full release notes at http://www.samba.org/samba/history/samba-3.5.12.html
* Fix access to Samba shares when Windows security patch KB2536276 is installed
* Fix DoS in Winbind and smbd with many file descriptors open
* Fix Winbind panics if verify_idpool() fails
"checking for replacing readdir using getdirentries()".
The functions in samba-3.5.10/lib/replace/repdir_getdirentries.c
fail on NetBSD 5.99.54, and the test code in
samba-3.5.10/lib/replace/test/os2_delete.c
did not handle the failure.
Not bumping PKGREVISION, because this affects only the
configure script, and the package did not build on
NetBSD-current before.
==============================
Release Notes for Samba 3.5.10
July 26, 2011
==============================
This is a security release in order to address
CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).
o CVE-2011-2522:
The Samba Web Administration Tool (SWAT) in Samba versions
3.0.x to 3.5.9 are affected by a cross-site request forgery.
o CVE-2011-2694:
The Samba Web Administration Tool (SWAT) in Samba versions
3.0.x to 3.5.9 are affected by a cross-site scripting
vulnerability.
Please note that SWAT must be enabled in order for these
vulnerabilities to be exploitable. By default, SWAT
is *not* enabled on a Samba install.
Changes since 3.5.9:
--------------------
o Kai Blin <kai@samba.org>
* BUG 8289: SWAT contains a cross-site scripting vulnerability.
* BUG 8290: CSRF vulnerability in SWAT.
* Fix Winbind crash bug when no DC is available
* Fix finding users on domain members
* Fix memory leaks in Winbind
* Fix printing with Windows 7 clients
Release Announcements
=====================
Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to
address CVE-2011-0719.
o CVE-2011-0719:
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Changes
-------
o Jeremy Allison <jra at samba.org>
* BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
These services may be hosted off any TCP/IP-enabled platform. The
Samba project includes not only an impressive feature set in file and
print serving capabilities, but has been extended to include client
functionality, utilities to ease migration to Samba, tools to aid
interoperability with Microsoft Windows, and administration tools.
