Commit message | Author | Date | Files | Lines
* VERSION: Bump version up to 4.9.19. [v4-9-test] | Karolin Seeger | 2020-01-21 | 1 | -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* Merge tag 'samba-4.9.18' into v4-9-test | Karolin Seeger | 2020-01-21 | 9 | -168/+749
  samba: tag release samba-4.9.18
  * VERSION: Disable GIT_SNAPSHOT for the 4.9.18 release. [samba-4.9.18, v4-9-stable] | Karolin Seeger | 2020-01-14 | 1 | -1/+1
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * WHATSNEW: Add release notes for Samba 4.9.18. | Karolin Seeger | 2020-01-14 | 1 | -2/+74
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone | Gary Lockyer | 2020-01-10 | 1 | -9/+42
    ldb_msg_add_empty reallocates the underlying element array, leaving old_el pointing to freed memory.
    This patch takes two defensive copies of the ldb message, and performs the updates on them rather than the ldb messages in the result.
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs | Andrew Bartlett | 2020-01-10 | 1 | -15/+18
    The string may be in another charset, or may be sensitive and certainly may not be terminated. It is not safe to just print.
    Found by Robert Święcki using a fuzzer he wrote for smbd.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    (adapted from master commit)
  * CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning | Noel Power | 2020-01-10 | 1 | -4/+4
    Fixes:
    lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Gary Lockyer gary@catalyst.net.nz
    (cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)
  * CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs | Andrew Bartlett | 2020-01-10 | 5 | -154/+156
    We can not process on the basis of a DN, as the DN may have changed in a rename, not only that this module can see, but also from repl_meta_data below.
    Therefore remove all the complex tree-based change processing, leaving only a tree-based sort of the possible objects to be changed, and a single stopped_dn variable containing the DN to stop processing below (after a no-op change).
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename | Andrew Bartlett | 2020-01-10 | 2 | -1/+13
    Previously if there was a conflict, but the incoming object would still win, this was not marked as a rename, and so inheritance was not done.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated. | Andrew Bartlett | 2020-01-10 | 2 | -2/+21
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN | Andrew Bartlett | 2020-01-10 | 1 | -1/+16
    We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children | Andrew Bartlett | 2020-01-10 | 1 | -0/+7
    If we are renaming a DN we can be in a situation where we need to
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here | Andrew Bartlett | 2020-01-10 | 1 | -0/+7
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction | Andrew Bartlett | 2020-01-10 | 1 | -0/+3
    This means we can trust the DB did not change between the two search requests.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * selftest: Add test to confirm ACL inheritance really happens | Andrew Bartlett | 2020-01-10 | 1 | -21/+94
    While we have a separate test (sec_descriptor.py) that confirms inheritance in general we want to lock in these specific patterns as this test covers rename.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 selftest: Add test for a special case around replicated renames | Andrew Bartlett | 2020-01-10 | 2 | -0/+70
    It appears Samba is currently string-name based in the ACL inheritance code.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14902 selftest: Add test for replication of inherited security descriptors | Andrew Bartlett | 2020-01-10 | 3 | -0/+265
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * VERSION: Bump version up to Samba 4.9.18... | Karolin Seeger | 2020-01-10 | 1 | -2/+2
    and re-enable GIT_SNAPSHOT.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
    (cherry picked from commit 5d91d4cdbeb0921257c6f6701cc6f963ab629842)
* VERSION: Bump version up to Samba 4.9.18... | Karolin Seeger | 2019-12-10 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.9.17 release. [samba-4.9.17] | Karolin Seeger | 2019-11-29 | 1 | -1/+1
  o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server (dnsserver).
  o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC.
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.9.17. | Karolin Seeger | 2019-11-29 | 1 | -2/+64
  o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server (dnsserver).
  o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC.
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag | Isaac Boukris | 2019-11-29 | 2 | -11/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14187
  Signed-off-by: Isaac Boukris <iboukris@samba.org>
* CVE-2019-14870: heimdal: enforce delegation_not_allowed in S4U2Self | Isaac Boukris | 2019-11-29 | 2 | -23/+36
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
* CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed | Isaac Boukris | 2019-11-29 | 3 | -0/+75
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
* samba-tool: add user-sensitive command to set not-delegated flag | Isaac Boukris | 2019-11-29 | 1 | -0/+59
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
* s4-torture: Reduce flapping in SambaToolDrsTests.test_samba_tool_replicate_local | Andrew Bartlett | 2019-11-29 | 1 | -1/+2
  This test often flaps in Samba 4.9 (where more tests and DCs run in the environment) with obj_1 being 3.
  This is quite OK, we just need to see some changes get replicated, not 0 changes.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit 4ae0f9ce0f5ada99cf1d236377e5a1234c879ae3)
* CVE-2019-14861: Test to demonstrate the bug | Andrew Bartlett | 2019-11-29 | 1 | -0/+47
  This test does not fail every time, but when it does it causes a segfault which takes out the rpc_server master process, as this hosts the dnsserver pipe.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords | Andrew Bartlett | 2019-11-29 | 3 | -27/+17
  dns_name_compare() had logic to put @ and the top record in the tree being enumerated first, but if a domain had both then this would break the older qsort() implementation in ldb_qsort() and cause a read of memory before the base pointer.
  By removing this special case (not required as the base pointer is already separately located, no matter where it is in the returned records) the crash is avoided.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2019-14861: s4-rpc_server: Remove special case for @ in dns_build_tree() | Andrew Bartlett | 2019-11-29 | 1 | -4/+5
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2019-14861: s4-rpc/dnsserver: Confirm sort behaviour in dcesrv_DnssrvEnumRecords | Andrew Bartlett | 2019-11-29 | 2 | -0/+103
  The sort behaviour for child records is not correct in Samba so we add a flapping entry.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* VERSION: Bump version up to 4.9.17... | Karolin Seeger | 2019-11-29 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.9.16 release. [samba-4.9.16] | Karolin Seeger | 2019-11-26 | 1 | -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.9.16. | Karolin Seeger | 2019-11-26 | 1 | -2/+47
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* Merge tag 'samba-4.9.15' into v4-9-test | Karolin Seeger | 2019-11-26 | 9 | -17/+247
  samba: tag release samba-4.9.15
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * VERSION: Disable GIT_SNAPSHOT for the 4.9.15 release. [samba-4.9.15] | Karolin Seeger | 2019-10-24 | 1 | -1/+1
    * Bug 14071: CVE-2019-10218: Client code can return filenames containing path separators.
    * Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive the full password.
    * Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * WHATSNEW: Add release notes for Samba 4.9.15. | Karolin Seeger | 2019-10-24 | 1 | -2/+76
    * Bug 14071: CVE-2019-10218: Client code can return filenames containing path separators.
    * Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive the full password.
    * Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync | Andrew Bartlett | 2019-10-24 | 3 | -9/+28
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync | Andrew Bartlett | 2019-10-24 | 2 | -0/+27
    Incremental results are provided by a flag on the dirsync control, not by changing the attribute name.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14847 dsdb/modules/dirsync: ensure attrs exist (CID 1107212) | Douglas Bagnall | 2019-10-24 | 1 | -0/+4
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
    (cherry picked from commit 23f72c4d712f8d1fec3d67a66d477709d5b0abe2)
  * CVE-2019-14833 dsdb: send full password to check password script | Björn Baumbach | 2019-10-24 | 2 | -7/+27
    utf8_len represents the number of characters (not bytes) of the password.
    If the password includes multi-byte characters it is required to write the total number of bytes to the check password script. Otherwise the last bytes of the password string would be ignored.
    Therefore we rename utf8_len to be clear what it does and does not represent.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
    Signed-off-by: Björn Baumbach <bb@sernet.de>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-14833: Use utf8 characters in the unacceptable password | Andrew Bartlett | 2019-10-24 | 2 | -1/+2
    This shows that the "check password script" handling has a bug.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2019-10218 - s3: libsmb: Protect SMB2 client code from evil server returned names. | Jeremy Allison | 2019-10-24 | 1 | -0/+7
    Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
    Signed-off-by: Jeremy Allison <jra@samba.org>
  * CVE-2019-10218 - s3: libsmb: Protect SMB1 client code from evil server returned names. | Jeremy Allison | 2019-10-24 | 2 | -0/+78
    Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
    Signed-off-by: Jeremy Allison <jra@samba.org>
  * VERSION: Bump version up to 4.9.15... | Karolin Seeger | 2019-10-24 | 1 | -2/+2
    and re-enable GIT_SNAPSHOT.
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
    (cherry picked from commit 5942df0864495dbaea68d2f45b5a6d343f0556ba)
* ctdb-tcp: Close inflight connecting TCP sockets after fork | Volker Lendecke | 2019-11-20 | 1 | -0/+6
  Commit c68b6f96f26 changed the talloc hierarchy such that outgoing TCP sockets while sitting in the async connect() syscall are not freed via ctdb_tcp_shutdown() anymore, they are hanging off a longer-running structure. Free this structure as well.
  If an outgoing TCP socket leaks into a long-running child process (possibly the recovery daemon), this connection will never be closed as seen by the destination node. Because with recent changes incoming connections will not be accepted as long as any incoming connection is alive, with that socket leak into the recovery daemon we will never again be able to successfully connect to the node that is affected by this leak. Further attempts to connect will be discarded by the destination as long as the recovery daemon keeps this socket alive.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175
  RN: Avoid communication breakdown on node reconnect
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit a6d99d9e5c5bc58e6d56be7a6c1dbc7c8d1a882f)
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Wed Nov 20 14:58:33 UTC 2019 on sn-devel-144
* ctdb-tcp: Drop tracking of file descriptor for incoming connections | Martin Schwenke | 2019-11-20 | 4 | -11/+0
  This file descriptor is owned by the incoming queue. It will be closed when the queue is torn down.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit bf47bc18bb8a94231870ef821c0352b7a15c2e28)
* ctdb-tcp: Avoid orphaning the TCP incoming queue | Martin Schwenke | 2019-11-20 | 1 | -0/+7
  CTDB's incoming queue handling does not check whether an existing queue exists, so can overwrite the pointer to the queue. This used to be harmless until commit c68b6f96f26664459187ab2fbd56767fb31767e0 changed the read callback to use a parent structure as the callback data. Instead of cleaning up an orphaned queue on disconnect, as before, this will now free the new queue.
  At first glance it doesn't seem possible that 2 incoming connections from the same node could be processed before the intervening disconnect. However, the incoming connections and disconnect occur on different file descriptors.
  The queue can become orphaned on node A when the following sequence occurs:
  1. Node A comes up
  2. Node A accepts an incoming connection from node B
  3. Node B processes a timeout before noticing that the outgoing queue is writable
  4. Node B tears down the outgoing connection to node A
  5. Node B initiates a new connection to node A
  6. Node A accepts an incoming connection from node B
  Node A then processes the disconnect of the old incoming connection from (2) but tears down the new incoming connection from (6). This then occurs until the originally affected node is restarted.
  However, due to the number of outgoing connection attempts and associated teardowns, this induces the same behaviour on the corresponding incoming queue on all nodes that node A attempts to connect to. Therefore, other nodes become affected and need to be restarted too. As a result, the whole cluster probably needs to be restarted to recover from this situation.
  The problem can occur any time CTDB is started on a node.
  The fix is to avoid accepting new incoming connections when a queue for incoming connections is already present. The connecting node will simply retry establishing its outgoing connection.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit d0baad257e511280ff3e5c7372c38c43df841070)
* ctdb-tcp: Check incoming queue to see if incoming connection is up | Martin Schwenke | 2019-11-20 | 1 | -1/+1
  This makes it consistent with the reverse case. Also, in_fd will soon be removed.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit e62b3a05a874db13a848573d2e2fb1c157393b9c)
* VERSION: Bump version up to 4.9.16. | Karolin Seeger | 2019-10-29 | 1 | -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* VERSION: Bump version up to 4.9.15... | Karolin Seeger | 2019-10-22 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.
  Signed-off-by: Karolin Seeger <kseeger@samba.org>