Update to Samba 4.4.2, fix badlock security bug
resolves: #1326453 - CVE-2015-5370 resolves: #1326453 - CVE-2016-2110 resolves: #1326453 - CVE-2016-2111 resolves: #1326453 - CVE-2016-2112 resolves: #1326453 - CVE-2016-2113 resolves: #1326453 - CVE-2016-2114 resolves: #1326453 - CVE-2016-2115 resolves: #1326453 - CVE-2016-2118 Guenther
This commit is contained in:
parent
67c517ec83
commit
fe4e88c4d2
1
.gitignore
vendored
1
.gitignore
vendored
@ -63,3 +63,4 @@ samba-3.6.0pre1.tar.gz
|
||||
/samba-4.4.0rc4.tar.xz
|
||||
/samba-4.4.0rc5.tar.xz
|
||||
/samba-4.4.0.tar.xz
|
||||
/samba-4.4.2.tar.xz
|
||||
|
@ -0,0 +1,59 @@
|
||||
From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Tue, 12 Apr 2016 09:36:12 +0300
|
||||
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
|
||||
domains DCs
|
||||
|
||||
Allow cm_connect_netlogon() to talk to trusted domains' DCs when
|
||||
running in a domain member configuration.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
source3/winbindd/winbindd_cm.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
||||
index 45e3fad..6f5a042 100644
|
||||
--- a/source3/winbindd/winbindd_cm.c
|
||||
+++ b/source3/winbindd/winbindd_cm.c
|
||||
@@ -2851,9 +2851,10 @@ retry:
|
||||
anonymous:
|
||||
|
||||
/* Finally fall back to anonymous. */
|
||||
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
||||
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
||||
+ (IS_DC || domain->primary)) {
|
||||
status = NT_STATUS_DOWNGRADE_DETECTED;
|
||||
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
|
||||
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
|
||||
"without connection level security, "
|
||||
"must set 'winbind sealed pipes = false' and "
|
||||
"'require strong key = false' to proceed: %s\n",
|
||||
@@ -3150,7 +3151,8 @@ retry:
|
||||
|
||||
anonymous:
|
||||
|
||||
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
||||
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
||||
+ (IS_DC || domain->primary)) {
|
||||
result = NT_STATUS_DOWNGRADE_DETECTED;
|
||||
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
|
||||
"without connection level security, "
|
||||
@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
|
||||
TALLOC_FREE(netlogon_creds);
|
||||
|
||||
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
|
||||
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
||||
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
||||
+ (IS_DC || domain->primary)) {
|
||||
result = NT_STATUS_DOWNGRADE_DETECTED;
|
||||
- DEBUG(1, ("Unwilling to make connection to domain %s"
|
||||
+ DEBUG(1, ("Unwilling to make connection to domain %s "
|
||||
"without connection level security, "
|
||||
"must set 'winbind sealed pipes = false' and "
|
||||
"'require strong key = false' to proceed: %s\n",
|
||||
--
|
||||
2.5.5
|
||||
|
17
samba.spec
17
samba.spec
@ -8,7 +8,7 @@
|
||||
|
||||
%define main_release 1
|
||||
|
||||
%define samba_version 4.4.0
|
||||
%define samba_version 4.4.2
|
||||
%define talloc_version 2.1.6
|
||||
%define tdb_version 1.3.8
|
||||
%define tevent_version 0.9.28
|
||||
@ -106,6 +106,8 @@ Source6: samba.pamd
|
||||
Source200: README.dc
|
||||
Source201: README.downgrade
|
||||
|
||||
Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
|
||||
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
@ -680,6 +682,8 @@ and use CTDB instead.
|
||||
%prep
|
||||
%setup -q -n samba-%{version}%{pre_release}
|
||||
|
||||
%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
|
||||
|
||||
%build
|
||||
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
|
||||
%global _tevent_lib ,tevent,pytevent
|
||||
@ -1972,6 +1976,17 @@ rm -rf %{buildroot}
|
||||
%endif # with_clustering_support
|
||||
|
||||
%changelog
|
||||
* Tue Apr 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.2-1
|
||||
- Update to Samba 4.4.2, fix badlock security bug
|
||||
- resolves: #1326453 - CVE-2015-5370
|
||||
- resolves: #1326453 - CVE-2016-2110
|
||||
- resolves: #1326453 - CVE-2016-2111
|
||||
- resolves: #1326453 - CVE-2016-2112
|
||||
- resolves: #1326453 - CVE-2016-2113
|
||||
- resolves: #1326453 - CVE-2016-2114
|
||||
- resolves: #1326453 - CVE-2016-2115
|
||||
- resolves: #1326453 - CVE-2016-2118
|
||||
|
||||
* Tue Mar 22 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.0-1
|
||||
- Update to Samba 4.4.0
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user