[Pkg-samba-maint] [samba] annotated tag debian/2%4.2.14+dfsg-0+deb8u6 created (now 296edc1)
Salvatore Bonaccorso
carnil at debian.org
Wed May 24 08:13:02 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a change to annotated tag debian/2%4.2.14+dfsg-0+deb8u6
in repository samba.
at 296edc1 (tag)
tagging 60568f26bc3aa6f0df686e8d7040f239bece36f1 (commit)
replaces debian/2%4.2.10+dfsg-0+deb8u3
tagged by Salvatore Bonaccorso
on Fri May 19 19:32:09 2017 +0200
- Log -----------------------------------------------------------------
tagging package samba version debian/2%4.2.14+dfsg-0+deb8u6
-----BEGIN PGP SIGNATURE-----
iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlkfLBlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ea6QP/1RgLOSJTaWobp7jIk4hV/VWkgTMSKLa
dTFo7/3cCpuK9dWfPiPTOAjnJPD/qVwt0GyBW2a4WIllhiPWfaHfIPb8KexxJtOu
bjob3hCyssAZe7IJ9nAefsyZuVOTsCXX7GKZh+rTyOS+ipApwD8NWKqHfCzG6ro1
bMGCbzN7qXoFqr8iZTdsDjDpjjX5s9l/y6hPa+7ht/FIjGdCFGgD1kNA9g+qZyWf
ylIRDn3LRewLAH039Jka1ZM3YIT5nLwYZISJpZoHidLhg6Pks+EUqWzGBPvRofYB
qbNcwwxPqjdElCKXkrkpgqZ3QYKVlE3rOK8OJReIhK/gXFuoEWCudbOwZfqiOctr
FmKGeQI7aiC9AXq2RLVlnhGOhujUB9xMjhmHCcTelkS17wENzpaiZMIcKP7/lCKS
H5wRpwSqCTrHQt0d9HU0kjxuEVdrjr83El+/sgzO9ClnBkTSph3QWqD4QP3m/8ZM
J0UDuEviy8wDOS3GqkF4ogGdAEQa9/grqlGNNqKzDFD/eU1QRBSGXGzPdDPHETPg
pR4+4IEbS7GSMV7q3RFjpHZg6cf05Upepm25qPKkBGxBdAqkzFnH9k4/OkCKxYpT
cn4vCbkmtHpLS8ZHQOqSg7PGtP8vckoGa/0IJ9wUKQn5GK7nWw6ketcpMCcH0Els
NO4dL3pSMUA8
=VM5h
-----END PGP SIGNATURE-----
Amitay Isaacs (3):
ctdb-common: Protocol argument must be in host order for socket() call
ctdb-common: Use documented names for protocol family in socket()
ctdb-common: For AF_PACKET socket types, protocol is in network order
Andreas Schneider (7):
s3-client: Add a KRB5 wrapper for smbspool
waf: Only build smb_krb5_wrapper if we have CUPS
docs: Add smbspool_krb5_wrapper manpage
s4-gensec: Check if we have delegated credentials.
torture: Fix the usage of the MEMORY credential cache.
torture: Correctly invalidate the memory ccache.
torture: Free the temporary memory context
Andrew Bartlett (8):
smbd: Only check dev/inode in open_directory, not the full stat()
libsmb: Print the principal name that we failed to kinit for.
docs: Explain that winbindd enforces smb signing by default.
lib/tls: Add new 'tls priority' option
lib/tls: Change default supported TLS versions.
pydsdb: Also accept ldb.MessageElement values to dsdb routines
pydsdb: Fix returning of ldb.MessageElement.
build: mark explicit dependencies on pytalloc-util
Berend De Schouwer (1):
docs: Add example for domain logins to smbspool man page.
Björn Jacke (1):
tls: increase Diffie-Hellman group size to 2048 bits
Christian Ambach (2):
s3:utils/smbget fix recursive download
s4:torture/ntlmssp fix a compiler warning
Günther Deschner (20):
docs-xml: fix typo in smbspool_krb5_wrapper manpage.
gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
lib/util: globally include herrors in error.h
ntlmssp: add some missing defines from MS-NLMP to our IDL.
ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
ntlmssp: properly document version defines in IDL (from MS-NLMP).
ntlmssp: when pulling messages it is important to clear memory first.
s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
s4-smb_server: check for return code of cli_credentials_set_machine_account().
s3-auth: check for return code of cli_credentials_set_machine_account().
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
libsmb/pysmb: add pytalloc-util dependency to fix the build.
lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
s3:librpc:crypto:gse: increase debug level for gse_init_client().
libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
Hemanth Thummala (2):
loadparm: Fix memory leak issue.
Real memeory leak(buildup) issue in loadparm.
Jelmer Vernooij (15):
Reduce number of places where sys.path is (possibly) updated for external module paths.
Avoid importing TestCase and TestSkipped from testtools.
Rename TestSkipped to Skiptest, consistent with Python 2.7.
selftest/tests/*.py: remove use of testtools.
Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
Add replacement addCleanup.
Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
Provide TestCase.assertIsInstance for python < 2.7.
Use samba TestCase so we get all compatibility functions on Python < 2.7.
Run cleanup after tearDown, for consistency with Python >= 2.7.
Handle skips when running on python2.6.
Implement assertIsNone for Python < 2.7.
Implement TestCase.assertIn for older versions of Python.
Implement TestCase.assertIsNotNone for python < 2.7.
Jelmer Vernooij (16):
Simplify handling of dependencies on external libraries in test_headers.
tevent: Only set public headers field when installing as a public library.
New upstream version 4.2.14+dfsg
Merge tag 'upstream/4.2.14+dfsg' into jessie
New upstream release.
Drop obsolete patch security-2016-04-12-prerequisite-v4-2-regression- fixes.metze01.txt.
Drop patch sockets-with-htons; applied upstream.
Drop patch CVE-2016-2110-NTLMSSP-regression.patch; fixed upstream.
Drop patch s3-smbd-fix-anonymous-authentication-if-signing-is- m.patch: fixed upstream.
Reapply patches.
Ignore *.debhelper.log files.
Re-add rfc3454.txt-table.
Install smbspool_krb5_wrapper.
Extend debian/.gitignore.
Bump tevent dependency up to 0.9.28.
releasing package samba version 2:4.2.14+dfsg-0+deb8u1
Jeremy Allison (56):
s3: smbd: Fix timestamp rounding inside SMB2 create.
s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support.
s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
lib: tevent: Initial checkin of threaded tevent context calling code.
lib: tevent: Initial test of tevent threaded context code.
lib: tevent: tests: Add a second thread test that does request/reply.
lib: tevent: docs: Add tutorial on thread usage.
lib: tevent: Fix bug in poll backend - poll_event_loop_poll()
lib: tevent: Whitespace cleanup.
lib: tevent: Fix memory leak reported by Pavel Březina <pbrezina at redhat.com> when old signal action restored.
s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope.
s3: krb5: keytab - The done label can be jumped to with context == NULL.
Fix smbclient compatibility with Windows 10 (Closes: #820794)
s3: vfs: dirsort doesn't handle opendir of "." correctly.
s3: smbd: Correctly canonicalize any incoming shadow copy path.
s3: lib: Add canonicalize_absolute_path().
s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path().
s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped variables.
s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly relative and terminated.
s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep a length.
s3: VFS: shadow_copy2: Add two new variables to the config data. Not yet used.
s3: VFS: shadow_copy2: Add a wrapper function to call the original shadow_copy2_strip_snapshot().
s3: VFS: shadow_copy2: Change a parameter name.
s3: VFS: shadow_copy2: Add two currently unused functions to make pathnames absolute or relative to $cwd.
s3: VFS: shadow_copy2: Fix chdir to store off the needed private variables.
vfs_shadow_copy2: fix case where snapshots are outside the share
s3: VFS: Allow shadow_copy2_connectpath() to return the cached path derived from $cwd.
s3: VFS: Ensure shadow:format cannot contain a / path separator.
s3: VFS: Add utility function check_for_converted_path().
s3: VFS: shadow_copy2: Fix module to work with variable current working directory.
s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function.
s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error.
s3: VFS: Don't allow symlink, link or rename on already converted paths.
s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
s3: vfs: streams_depot. Use conn->connectpath not conn->cwd.
s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
s3: smbd: OpenDir_fsp() use early returns.
s3: smbd: OpenDir_fsp() - Fix memory leak on error.
s3: smbd: Move the reference counting and destructor setup to just before retuning success.
s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
s3: smbd: Move special handling of symlink errno's into a utility function.
s3: smbd: Add the core functions to prevent symlink open races.
s3: smbd: Use the new non_widelink_open() function.
CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
s3: smbd: Fix "follow symlink = no" regression part 2.
s3: smbd: Fix "follow symlink = no" regression part 2.
s3: libsmb: Correctly align create contexts in a create call.
s3: libsmb: Add return args to clistr_is_previous_version_path().
s3: libsmb: Add cli_smb2_shadow_copy_data() function that gets shadow copy info over SMB2.
s3: libsmb: Plumb new SMB2 shadow copy call into cli_shadow_copy_data().
s3: libsmb: Add the capability to find a @GMT- path in an SMB2 create and transform to a timewarp token.
Jorge Schrauwen (1):
configure: Don't check for inotify on illumos
Jose A. Rivera (1):
s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file.
Justin Maggard (2):
s3:smbd: rework negprot remote arch detection
s3:smbd: add negprot remote arch detection for OSX
Kamen Mazdrashki (3):
s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
s4-tests: Print out what the error is in delete_force()
s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
Karolin Seeger (12):
VERSION: Bump version up to 4.2.9...
WHATSNEW: Start release notes for Samba 4.2.12.
WHATSNEW: Update release notes.
WHATSNEW: Last bugfix release.
WHATSNEW: Add release date.
VERSION: Disable git snapshots for the 4.2.12 release.
VERSION: Bump version up to 4.2.12...
WHATSNEW: Add release notes for Samba 4.2.13.
VERSION: Disable git snapshots for the 4.2.13 release.
VERSION: Bump version up to 4.2.14...
WHATSNEW: Add release notes for Samba 4.2.14.
VERSION: Disable git snapshots for the 4.2.14 release.
Martin Schwenke (1):
ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."
Mathieu Parent (11):
Add one more closed bug
Changelog for previous commit
Release 2:4.2.14+dfsg-0+deb8u2
Add security-2016-12-19.patch
Release 2:4.2.14+dfsg-0+deb8u2
Patch for CVE-2017-2619
Release 2:4.2.14+dfsg-0+deb8u3
Add patches for previous commits
Release 2:4.2.14+dfsg-0+deb8u5
Add patch for previous commit
Re-release 2:4.2.14+dfsg-0+deb8u5
Nathan Huff (1):
Fix ETIME handling for Solaris event ports.
Ralph Boehme (16):
lib/tsocket: workaround sockets not supporting FIONREAD
CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
vfs_streams_xattr: use fsp, not base_fsp
CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
Richard Sharpe (5):
Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
Convert all uint32/16/8 to _t in source3/libsmb.
Convert all uses of uint32/16/8 to _t in source3/rpc_server.
Convert all uses of uint32/16/8 to _t in source3/rpc_client.
Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
Salvatore Bonaccorso (3):
Release 2:4.2.14+dfsg-0+deb8u4
CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
Prepare changelog for release
Stefan Metzmacher (410):
Merge tag 'samba-4.2.9' into v4-2-test
VERSION: Bump version up to 4.2.10...
VERSION: Bump version up to 4.2.10...
s4:auth/gensec_gssapi: remove compiler warnings
s4:lib/tls: add tls_cert_generate() prototype to tls.h
s4:lib/tls: remove allow_warnings=True
auth/kerberos: avoid compiler warnings
auth/kerberos: remove allow_warnings=True
s4:auth/gensec_gssapi: remove allow_warnings=True
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
s4:lib/tls: fix tstream_tls_connect_send() define
s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
s4:libcli/ldap: conversion to tstream
s4:auth/gensec: remove unused and untested cyrus_sasl module
s4:auth/gensec: remove unused include of lib/socket/socket.h
s4:auth/gensec: remove unused gensec_socket_init()
auth/gensec: remove unused gensec_[un]wrap_packets() hooks
s3:ntlm_auth: don't start gensec backend twice
auth/credentials: anonymous should not try to use kerberos
midltests: add valid/midltests_DRS_EXTENSIONS.*
librpc/rpc: add faultcode to nt_status mappings
librpc/rpc: add dcerpc_fault_from_nt_status()
librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
s4:pyrpc: add base.bind_time_features_syntax(features)
lib/util: fix output format in dump_data*()
librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
python/samba/tests: don't lower case path names in connect_samdb()
python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
python/samba/tests: move hexdump() from DNSTest to TestCase
python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
s4:pyrpc: remove pointless alter_context() method
dcerpc.idl: fix calculatin of uint16 secondary_address_size;
heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
s4:selftest: run rpc.netlogon.admin against also ad_dc
s4:rpc_server: pass the remote address to gensec_set_remote_address()
s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
lib/util_net: add support for .ipv6-literal.net
s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
epmapper.idl: make epm_twr_t available in python bindings
dcerpc.idl: make WERROR RPC faults available in ndr_print output
librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
s3:libads: remove unused ads_connect_gc()
wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
s3:librpc/gse: fix debug message in gse_init_client()
s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
s3:librpc/gse: don't log gss_acquire_creds failed at level 0
s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
s4:pygensec: make sig_size() and sign/check_packet() available
auth/gensec: keep a pointer to a possible child/sub gensec_security context
auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
auth/gensec: make gensec_security_by_name() public
s3:auth_generic: add auth_generic_client_start_by_name()
s3:auth_generic: add auth_generic_client_start_by_sasl()
auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
auth/ntlmssp: add gensec_ntlmssp_server_domain()
s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
s3:auth_generic: make use of the top level NTLMSSP client code
s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
auth/ntlmssp: add ntlmssp_version_blob()
auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
auth/ntlmssp: use ntlmssp_version_blob() in the server
security.idl: add LSAP_TOKEN_INFO_INTEGRITY
ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
ntlmssp.idl: make AV_PAIR_LIST public
librpc/ndr: add ndr_ntlmssp_find_av() helper function
auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
s4:libcli/ldap: fix retry authentication after a bad password
s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
s4:selftest: simplify the loops over samba4.ldb.ldap
s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
s3:libads: add missing TALLOC_FREE(frame) in error path
s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
s3:libads: keep service and hostname separately in ads_service_principal
s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
s3:libsmb: make use gensec based SPNEGO/NTLMSSP
s3:libsmb: unused ntlmssp.c
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
s3:libsmb: remove unused cli_session_setup_kerberos*() functions
s3:libsmb: remove unused functions in clispnego.c
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
s4:rpc_server: dcesrv_generic_session_key should only work on local transports
selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
selftest: add some helper scripts to mange a CA
selftest: add config and script to create a samba.example.com CA
selftest: add CA-samba.example.com (non-binary) files
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
selftest: add Samba::prepare_keyblobs() helper function
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
selftest: set tls crlfile if it exist
selftest: setup information of new samba.example.com CA in the client environment
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
s4:torture/rpc/schannel: don't use validation level 6 without privacy
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
s4:rpc_server: require access to the machine account credentials
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
s3:rpc_server/samr: correctly handle session_extract_session_key() failures
s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
CVE-2016-2113: selftest: use "tls verify peer = no_check"
CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
CVE-2016-2114: s4:smb2_server: fix session setup with required signing
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
CVE-2016-2115: docs-xml: add "client ipc signing" option
CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
CVE-2015-5370: s4:rpc_server: check frag_length for requests
CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
CVE-2015-5370: s3:rpc_server: verify presentation context arrays
CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
WHATSNEW: Add release notes for Samba 4.2.10.
VERSION: Disable git snapshots for the 4.2.10 release.
VERSION: Bump version up to 4.2.11...
s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
WHATSNEW: Add release notes for Samba 4.2.11.
VERSION: Disable git snapshots for the 4.2.11 release.
Merge tag 'samba-4.2.11' into v4-2-test
VERSION: Bump version up to 4.2.12
tevent: version 0.9.26
tevent: version 0.9.27
tevent: version 0.9.28
s3:wscript: pylibsmb depends on pycredentials
s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
auth/spnego: handle broken mechListMIC response from Windows 2000
auth/ntlmssp: don't require any flags in the ccache_resume code
auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
s3:libsmb: use password = NULL for anonymous connections
libcli/smb: add smb1cli_session_set_action() helper function
libcli/smb: add SMB1 session setup action flags
libcli/smb: add smbXcli_session_is_guest() helper function
s3:libsmb: record the session setup action flags
s3:libsmb: don't finish the gensec handshake for guest logins
s3:libsmb: use anonymous authentication via spnego if possible
auth/spnego: only try to verify the mechListMic if signing was negotiated.
s4:auth_anonymous: anonymous authentication doesn't allow a password
s3:auth_builtin: anonymous authentication doesn't allow a password
libcli/security: implement SECURITY_GUEST
s3:smbd: make use SMB_SETUP_GUEST constant
s3:smbd: only mark real guest sessions with the GUEST flag
auth/ntlmssp: do map to guest checking after the authentication
auth/spnego: add spnego:simulate_w2k option for testing
auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
s3:test_smbclient_auth.sh: this script reqiures 5 arguments
selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
s3:selftest: add smbclient_ntlm tests
libcli/auth: let msrpc_parse() return talloc'ed empty strings
s3:ntlm_auth: make ntlm_auth_generate_session_info() more complete
s3:smbd: fix anonymous authentication if signing is mandatory
s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
s4:rpc_server: use a variable for the max total reassembled request payload
dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
Uri Simchoni (10):
libads: record session expiry for spnego sasl binds
vfs_shadow_copy2: add shadow_copy2_do_convert()
vfs_shadow_copy: handle non-existant files and wildcards
vfs_shadow_copy2: fix crash in 4.2.x backport
vfs_shadow_copy2: add a blackbox test suite
s2-selftest: run shadow_copy2 test both in NT1 and SMB3 modes
selftest: add content to files created during shadow_copy2 test
selftest: check file readability in shadow_copy2 test
selftest: test listing directories inside snapshots
libads: Fix deadlock when re-joining a domain and updating keytab
Volker Lendecke (28):
param: Fix str_list_v3 to accept ; again
rpc_server: Fix CID 1035534 Uninitialized scalar variable
rpc_server: Fix CID 1035535 Uninitialized scalar variable
asn1: Remove an unused asn1 function
asn1: Make asn1_peek_full_tag return 0/errno
asn1: Add overflow check to asn1_write
asn1: Add some early returns
asn1: Make "struct nesting" private
asn1: Add asn1_has_error()
lib: Use asn1_has_error()
asn1: Add asn1_set_error()
lib: Use asn1_set_error()
asn1: Add asn1_extract_blob()
lib: Use asn1_extract_blob()
asn1: Add asn1_has_nesting
lib: Use asn1_has_nesting
asn1: Add asn1_current_ofs()
lib: Use asn1_current_ofs()
libcli: Remove a reference to asn1->ofs
asn1: Remove a reference to asn1_data internals
asn1: Make 'struct asn1_data' private
spnego: Correctly check asn1_tag_remaining retval
libsmb: Fix CID 1356312 Explicit null dereferenced
libads: Fix CID 1356316 Uninitialized pointer read
vfs_catia: Fix bug 11827, memleak
nwrap: Fix the build on Solaris
smbd: Fix an assert
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
-----------------------------------------------------------------------
No new revisions were added by this update.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
More information about the Pkg-samba-maint
mailing list