Format: 1.8
Date: Fri, 17 Mar 2017 22:14:34 +0100
Source: samba
Binary: samba samba-libs samba-common samba-common-bin smbclient samba-testsuite
 registry-tools libparse-pidl-perl samba-dev samba-doc python-samba
 samba-dsdb-modules samba-vfs-modules libpam-smbpass libsmbclient
 libsmbclient-dev winbind libpam-winbind libnss-winbind samba-dbg
 libwbclient0 libwbclient-dev ctdb
Architecture: source amd64 all
Version: 2:4.2.14+dfsg-0+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 ctdb - clustered database to store temporary data
 libnss-winbind - Samba nameservice integration plugins
 libpam-smbpass - pluggable authentication module for Samba
 libpam-winbind - Windows domain authentication integration plugin
 libparse-pidl-perl - IDL compiler written in Perl
 libsmbclient - shared library for communication with SMB/CIFS servers
 libsmbclient-dev - development files for libsmbclient
 libwbclient-dev - Samba winbind client library - development files
 libwbclient0 - Samba winbind client library
 python-samba - Python bindings for Samba
 registry-tools - tools for viewing and manipulating the Windows registry
 samba - SMB/CIFS file, print, and login server for Unix
 samba-common - common files used by both the Samba server and client
 samba-common-bin - Samba common files used by both the server and the client
 samba-dbg - Samba debugging symbols
 samba-dev - tools for extending Samba
 samba-doc - Samba documentation
 samba-dsdb-modules - Samba Directory Services Database
 samba-libs - Samba core libraries
 samba-testsuite - test suite from Samba
 samba-vfs-modules - Samba Virtual FileSystem plugins
 smbclient - command-line SMB/CIFS clients for Unix
 winbind - service to resolve user and group information from Windows NT ser
Changes:
 samba (2:4.2.14+dfsg-0+deb8u3) jessie-security; urgency=high
 .
   * This is a security release in order to address the following defects:
     - CVE-2017-2619: symlink race permits opening files outside share directory
   * CVE-2017-2619 requires the following changes:
     - s3: vfs: dirsort doesn't handle opendir of "." correctly.
     - s3: smbd: Correctly canonicalize any incoming shadow copy path.
     - s3: lib: Add canonicalize_absolute_path().
     - s3: smbd: Make set_conn_connectpath() call canonicalize_absolute_path().
     - s3: VFS: shadow_copy2: Correctly initialize timestamp and stripped variables.
     - s3: VFS: shadow_copy2: Ensure pathnames for parameters are correctly relative and terminated.
     - s3: VFS: shadow_copy2: Fix length comparison to ensure we don't overstep a length.
     - s3: VFS: shadow_copy2: Add two new variables to the config data. Not yet used.
     - s3: VFS: shadow_copy2: Add a wrapper function to call the original shadow_copy2_strip_snapshot().
     - s3: VFS: shadow_copy2: Change a parameter name.
     - s3: VFS: shadow_copy2: Add two currently unused functions to make pathnames absolute or relative to $cwd.
     - s3: VFS: shadow_copy2: Fix chdir to store off the needed private variables.
     - vfs_shadow_copy2: add shadow_copy2_do_convert()
     - vfs_shadow_copy2: fix case where snapshots are outside the share
     - s3: VFS: Allow shadow_copy2_connectpath() to return the cached path derived from $cwd.
     - s3: VFS: Ensure shadow:format cannot contain a / path separator.
     - s3: VFS: Add utility function check_for_converted_path().
     - s3: VFS: shadow_copy2: Fix module to work with variable current working directory.
     - s3: VFS: shadow_copy2: Fix a memory leak in the connectpath function.
     - s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error.
     - s3: VFS: Don't allow symlink, link or rename on already converted paths.
     - s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
     - vfs_streams_xattr: use fsp, not base_fsp
     - s3: vfs: streams_depot. Use conn->connectpath not conn->cwd.
     - s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
     - s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
     - s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
     - s3: smbd: OpenDir_fsp() use early returns.
     - s3: smbd: OpenDir_fsp() - Fix memory leak on error.
     - s3: smbd: Move the reference counting and destructor setup to just before returning success.
     - s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
     - s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
     - s3: smbd: Move special handling of symlink errno's into a utility function.
     - s3: smbd: Add the core functions to prevent symlink open races.
     - s3: smbd: Use the new non_widelink_open() function.