-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Nov 2021 10:34:50 +0100
Source: samba
Architecture: source
Version: 2:4.9.5+dfsg-5+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 939419
Changes:
 samba (2:4.9.5+dfsg-5+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Salvatore Bonaccorso ]
   * CVE-2020-25722 Ensure the structural objectclass cannot be changed
   * CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
   * s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()
   * selftest: Fix ktest usermap file
   * selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
   * CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
   * CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
   * CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
   * CVE-2020-25717: s4:torture: start with authoritative = 1
   * CVE-2020-25717: s4:smb_server: start with authoritative = 1
   * CVE-2020-25717: s4:auth_simple: start with authoritative = 1
   * CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
   * CVE-2020-25717: s3:torture: start with authoritative = 1
   * CVE-2020-25717: s3:rpcclient: start with authoritative = 1
   * CVE-2020-25717: s3:auth: start with authoritative = 1
   * CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
   * CVE-2020-25717: loadparm: Add new parameter "min domain uid"
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
   * CVE-2020-25717: s3:auth: Check minimum domain uid
   * CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
   * CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
   * CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
   * CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
   * CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
   * CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
   * CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
   * CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
   * CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
   * CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
   * CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
   * CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
   * lib: Add dom_sid_str_buf
   * CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain
   * CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
   * waf: install: Remove installation of PIDL and manpages.
 .
   [ Mathieu Parent ]
   * Drop libparse-pidl-perl package (Closes: #939419)
Checksums-Sha1:
 7c1a30096180625d416a8a43ce76272ccd071c0a 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
 584e991700124fc657268d62ede53f588a0debaf 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
Checksums-Sha256:
 cf81437e962601a0f02d885b159a33adf8a7ef2e1d3c4ccf6eb5d066aef6fa55 4249 samba_4.9.5+dfsg-5+deb10u2.dsc
 1593518732bcdfc203e36121b05510a273a095c95d29d00e24ac5a5f7797bd20 273680 samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz
Files:
 7cf4d3af28587032986de521f42e5d69 4249 net optional samba_4.9.5+dfsg-5+deb10u2.dsc
 df9857bead4a4f2141783901691eca6d 273680 net optional samba_4.9.5+dfsg-5+deb10u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmGh/+tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EiGgP/2AdfMqI2D/tsKST+Z6iUH/n22IdNLeI
NixYKRltrPKnYQPpBHv7mCkM0a7O9scxkQCRFiyitaMT2LZ+sNX1r7ZoEsbKMB/x
/yYKLTIxLY+OltMAGy8AkPmgLNI+m1Hrh8jPSfdzIV3/bIlHuIS1WE2k+/W6SwlJ
7YVmTTZNvo82UQA+75oceDSFcnmqMHVrkckOrlc8XBrFTueGssj/2SkiDiZzUrl7
Jb1U1atPuw6tt6kcKK35YI7hGxRM03l1Mm6IGsRYYvFAJTUDNOKEledzitYYGnlo
XgsZotett1CDh0+GF8ToCBFSxy3iQlNGUuZlkt0rDCe/7MAsVKG3pXZipnicFWtN
bbg6xl9745o4p2BZPHrq4B+3PTrJjLuqqCrKJP17lakTLoa0LembdryJFGEfN9jg
1G7mGXSkhslME7TVAPoFLuqXSvUCPyqv7FPhkE660O0xEZfvmcFhTWQWlJ5sW4UV
j0FElwtv49Ms+CGQO7C5milibILU3QXPGb4PvoQgVfu1kR/af3kmQRWURIg5IVak
sm1mfG4hd7sTQYkjJTEOB1NtGHcwImtdvzMzfkVYwv2jCk/puNgDGKcusy8K21ch
gBVR/y6F0V89i4/vK8QY9VZHVt3QK84nqsB6QKyrU4NzQvYhkXwMrhWzen/rCTnJ
kjxxeonRKGAD
=7DJa
-----END PGP SIGNATURE-----