samba (2:4.22.6+dfsg-0+deb13u1) trixie; urgency=medium
* new upstream stable/security release:
- https://bugzilla.samba.org/show_bug.cgi?id=15843:
macOS Finder client DFS broken on 4.22.0
- https://bugzilla.samba.org/show_bug.cgi?id=15900:
'net ads group' failed to list domain groups
- https://bugzilla.samba.org/show_bug.cgi?id=15905:
samba-4.21 fails to join AD when multiple DCs are returned
- https://bugzilla.samba.org/show_bug.cgi?id=15919:
vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for fsync_send
- https://bugzilla.samba.org/show_bug.cgi?id=15921:
CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set
- https://bugzilla.samba.org/show_bug.cgi?id=15926:
Samba 4.22 breaks Time Machine
- https://bugzilla.samba.org/show_bug.cgi?id=15927:
Spotlight search restriction for shares incomplete and default search
searches in too many attributes
- https://bugzilla.samba.org/show_bug.cgi?id=15931:
rpcd_mdssvc may crash because name mangling is not initialized
- https://bugzilla.samba.org/show_bug.cgi?id=15933:
Only increment lease epoch if a lease was granted
* new upstream security release:
- CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr
https://www.samba.org/samba/security/CVE-2025-9640.html
- CVE-2025-10230: Command injection via WINS server hook script
https://www.samba.org/samba/security/CVE-2025-10230.html
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 16 Oct 2025 19:19:45 +0300
samba (2:4.22.4+dfsg-1~deb13u1) trixie; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=14981:
netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0
- https://bugzilla.samba.org/show_bug.cgi?id=15663:
Apparently there is a conflict between shadow_copy2 module
and virusfilter (action quarantine)
- https://bugzilla.samba.org/show_bug.cgi?id=15816:
vfs_streams_depot fstatat broken
- https://bugzilla.samba.org/show_bug.cgi?id=15840:
kinit command is failing with Missing cache Error
- https://bugzilla.samba.org/show_bug.cgi?id=15844:
getpwuid does not shift to new DC when current DC is down
- https://bugzilla.samba.org/show_bug.cgi?id=15876:
Windows security hardening locks out schannel'ed
netlogon dc calls like netr_DsRGetDCName
- https://bugzilla.samba.org/show_bug.cgi?id=15877:
Fix handling of empty GPO link
- https://bugzilla.samba.org/show_bug.cgi?id=15880:
SMB ACL inheritance doesn't work for files created
- https://bugzilla.samba.org/show_bug.cgi?id=15881:
Unresponsive second DC can cause idmapping failure when using idmap_ad
(was libads-fix-get_kdc_ip_string.patch)
- https://bugzilla.samba.org/show_bug.cgi?id=15891:
Figuring out the DC name from IP address fails
and breaks fork_domain_child()
- https://bugzilla.samba.org/show_bug.cgi?id=15892:
Delayed leader broadcast can block ctdb forever
* libads-fix-get_kdc_ip_string.patch: remove, included upstream
* d/gbp.conf: debian-branch=debian/4.22
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 21 Aug 2025 20:37:38 +0300
samba (2:4.22.3+dfsg-4) unstable; urgency=medium
* fix python3-talloc.symbols generation to not have -debian_revision
or +dfsg/+samba suffix in the version number - just the epoch if any
and the upstream version (fix lintian error)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 17 Jul 2025 13:52:35 +0300
samba (2:4.22.3+dfsg-3) unstable; urgency=medium
[ Sascha Lucas ]
* winbind pam-config: fix account section to actually execute pam_winbind
entries after usually successful cal to pam_unix, in a way how it's done
in sssd (Closes: #907318)
[ Douglas Bagnall ]
* debian/panic-action: make the wording more user-friendly and steer users
towards configuration and logs (Closes: #1089853)
[ Michael Tokarev ]
* d/python3-talloc.symbols.in: add forgotten epoch number for recent versions
(this doesn't actually affect anything since there were no new symbols with
these versions, but it's better to stay correct)
* d/control: fix winbind:Enhances for libkrb5-26-heimdal which
is libkrb5-26t64-heimdal in trixie and up, keeping in mind possible
backporting to older debian/ubuntu versions (before-trixie build profile)
* libads-fix-get_kdc_ip_string.patch (upstream fix for #1109005)
(Closes: #1109005)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 15 Jul 2025 12:42:04 +0300
samba (2:4.22.3+dfsg-2) unstable; urgency=medium
* Revert "d/control,d/rules: ensure we use the most recent talloc/tevent/tdb"
There's no need for samba-libs to depend on exact versions of support libs
anymore, since 4.21.3+dfsg-5 (where the mistake has been made) is long gone
* Revert "d/control: add conflicts/breaks for libtevent0t64 on mjt repo"
This Breaks was special and temporary, and not useful for debian archive at
all (it was only needed for mjt's own repository where the wrong package
name slipped out once). Remove this cruft for trixie
* python3-talloc.symbols[.in] -- provide long-forgotten symbols file, so that
versioned dependency on python3-talloc (mostly for python3-samba) will be
less strict. For smoother upgrades
* document forgotten change in previous changelog entry
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 09 Jul 2025 17:08:31 +0300
samba (2:4.22.3+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release, mostly targetting the Jul-08 update
for Active Directory Domain Controllers
(https://bugzilla.samba.org/show_bug.cgi?id=15876, Closes: #1108904):
- https://bugzilla.samba.org/show_bug.cgi?id=15854:
samba-tool cannot add user to group whose name
is exactly 16 characters long
- https://bugzilla.samba.org/show_bug.cgi?id=15869:
Startup messages of rpc daemons fills /var/log/messages
- https://bugzilla.samba.org/show_bug.cgi?id=15876:
Windows security hardening locks out schannel'ed netlogon
dc calls like netr_DsRGetDCName
* update d/copyright to point to https://www.gnu.org/licenses/
instead of FSF postal address
* d/control: stop depending on exact same version of samba-common
Package samba-common contains a few files/dirs common for several samba
packages. Its contents hasn't changed for quite some time. There's
definitely no need to depend on exact version of this package - eg, 4.17
(from bookworm) will work just fine with samba version 4.22. Drop version
requirement for samba-common dep entirely. If/when we have real change in
samba-common which is needed by other packages, we can specify particular
version there. For smoother upgrades
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 07 Jul 2025 23:16:23 +0300
samba (2:4.22.2+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15707:
CVE-2025-0620: smbd doesn't pick up group membership changes when
re-authenticating an expired SMB session
Closes: #1107248
- https://bugzilla.samba.org/show_bug.cgi?id=15727:
net ad join fails with
"Failed to join domain: failed to create kerberos keytab"
- https://bugzilla.samba.org/show_bug.cgi?id=15819:
vfs_ceph_snapshots fails to list snapshots for entries at any level
beyond share root
- https://bugzilla.samba.org/show_bug.cgi?id=15851:
dcerpcd not able to bind to listening port
- https://bugzilla.samba.org/show_bug.cgi?id=15858:
CTDB does not put nodes running NFS into grace on graceful shutdown
- https://bugzilla.samba.org/show_bug.cgi?id=15861:
Profile sync fails due to Directory Leases
* d/control: add libcrypt-dev build-dependency (Closes: #1106959)
* add-support-for-bind-9.20.patch (Closes: #1107139)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 05 Jun 2025 19:12:34 +0300
samba (2:4.22.1+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15727:
net ad join fails with "Failed to join domain:
failed to create kerberos keytab"
- https://bugzilla.samba.org/show_bug.cgi?id=15767:
Deadlock between two smbd processes
- https://bugzilla.samba.org/show_bug.cgi?id=15774:
Running "gpo manage motd set" twice fails with backtrace
- https://bugzilla.samba.org/show_bug.cgi?id=15791:
Remove of file or directory not possible with vfs_acl_tdb
- https://bugzilla.samba.org/show_bug.cgi?id=15810:
Add async io API from libcephfs to ceph_new VFS module
- https://bugzilla.samba.org/show_bug.cgi?id=15818:
vfs_ceph_new module does not work with other modules
for snapshot management
- https://bugzilla.samba.org/show_bug.cgi?id=15822:
Enable support for cephfs case insensitive behavior
- https://bugzilla.samba.org/show_bug.cgi?id=15823:
Subnet based interfaces definition not listening
on all covered IP addresses
- https://bugzilla.samba.org/show_bug.cgi?id=15829:
samba-tool gpo backup creates entity backups it can't read
- https://bugzilla.samba.org/show_bug.cgi?id=15834:
vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES
- https://bugzilla.samba.org/show_bug.cgi?id=15836:
PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0
- https://bugzilla.samba.org/show_bug.cgi?id=15839:
gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with prepended 0's
- https://bugzilla.samba.org/show_bug.cgi?id=15841:
Wide link issue in samba 4.22
- https://bugzilla.samba.org/show_bug.cgi?id=15845:
NT_STATUS_INVALID_PARAMETER: Can't create folders
on share of an exfat file system
- https://bugzilla.samba.org/show_bug.cgi?id=15849:
Lease code is not endian-safe
* drop widelinks-nofollow.patch (included upstream)
* drop smbd-fix-handling-of-directory-leases-and-oplock-lev.patch (ditto)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 18 Apr 2025 13:02:55 +0300
samba (2:4.22.0+dfsg-3) unstable; urgency=medium
* widelinks-nofollow.patch (https://bugzilla.samba.org/show_bug.cgi?id=15841)
(Closes: #1101581)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Apr 2025 14:34:31 +0300
samba (2:4.22.0+dfsg-2) unstable; urgency=medium
* smbd-fix-handling-of-directory-leases-and-oplock-lev.patch
(Closes: #1100604)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 29 Mar 2025 07:24:47 +0300
samba (2:4.22.0+dfsg-1) unstable; urgency=medium
* new upstream release
* samba-libs: provide libndr5 too (with a compat symlink)
* add libsamba-security-private.so link for freeipa testsuite
(Closes: #1099340)
* d/samba-vfs-ceph.install: install also ceph_new vfs module
(Closes: #1098670)
* d/*.install: s@/*/@/${DEB_HOST_MULTIARCH}/@
* d/source/lintian-overrides: add dh-exec-useless-usage *DEB_HOST_MULTIARCH*
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 07 Mar 2025 00:02:26 +0300
samba (2:4.22.0~rc1+dfsg-1) experimental; urgency=medium
* d/control: remove vorlon@ from Uploaders.
Thank you, dear friend, for all the work you've done. RIP!
* new upstream release candidate
Closes: #1084559 (crypt module removal in python 3.13)
* remove patches which has been applied upstream
* fix-nfs-service-name-to-nfs-kernel-server.patch:
refresh, remove now-unneeded hunk
* revert-ldb-use-hexchars_upper-from-replace.h.patch
to avoid linking libldb2 with libreplace
* replace-xpg-strerror.patch
to avoid linking other libs with libreplace
* d/rules: fixup component versions
* libtalloc, libtevent, libtdb, libldb: symbols: add new versions
* libldb2.symbols: add new version
* samba-libs: libndr.so soname bump to 6, add new symbols
* samba-libs: add libutil-crypt-private-samba.so.0
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 07 Feb 2025 12:37:12 +0300
samba (2:4.21.3+dfsg-6) unstable; urgency=medium
* d/genshlibs: remove the special-case for libsmbclient0 since
we expand t64:Provides in d/control directly
* d/control: add ${t64:Provides} comments
* d/control: more t64 work: for libtevent0t64, break libtevent0
not <<${source:Version} but <<${binary:Version}, because source
is samba not tevent (Closes: #1092881)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 12 Jan 2025 23:16:00 +0300
samba (2:4.21.3+dfsg-5) unstable; urgency=medium
* the Fixing Big Mishaps release.
* d/rules: fix talloc, tevent, tdb subpackages version numbers, add epoch
Due to a mistake, I screwed up sub-packages versions completely,
by using the wrong variable when generating the versions, - so
all mentioned packages had version number of ldb, not their own.
Fix this.
Unfortunately, the wrong version is larger than all the correct ones.
To compensate, use the same epoch number as is already used by current
samba package (2:).
While at it, use common variable to hold the +samba version suffix.
* d/*.symbols: mark most recent version markers with 2: epoch too
* d/control,d/rules: ensure we use the most recent libtalloc/libtevent/libtdb
for now, to compensate for the wrong versions.
* d/control: add explicit Provides of non-t64 libs
Apparentlty due to usage of both t64 and pre-t64 packages
(with different build profiles), debhelper is not populating
necessary values for ${t64:Provides}. So libtevent0t64 is
not providing libtevent0 on the relevant architectures.
Ditto for libsmbclient0 providing libsmbclient.
Add explicit arch-specific Provides: for libsmbclient0 and
libtevent0t64.
List only the affected release architectures in there.
This removes the only user of X-Time64-Compat control field
in debian.
* d/rules: do not install wscript_build in examples
* d/control: fix libtevent wrong build profile when building for mjt's
repository. Does not affect debian thankfully. The problem is that
libtevent0t64 slipped into the repository for older (before-trixie)
distributions, where t64 migration hasn't been completed. This should
not cause actual problems as a problem is only possible when upgrading
to the new debian (or ubuntu) release where t64 transition has happened,
and during such upgrade, new libtevent0t64 will be pulled in - thanks to
the first big mistake above, since it now has 2: epoch.
* d/control: add Breaks for libtevent0t64 on mjt repo. This also
does not affect debian, but makes my life definitely easier.
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 12 Jan 2025 00:17:49 +0300
samba (2:4.21.3+dfsg-4) unstable; urgency=medium
* Revert "d/control: mark arch-all perl and python packages with :native
for now" - it worked just fine on local build but fails on buildds?
* d/control: add :native alternative for arch-all perl & python packages
for now, to help cross-building samba on bookworm and before
(no difference for trixie). Use foo:native|foo alternative to work
around dpkg/apt disparity in handling :native deps.
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 11 Jan 2025 11:47:04 +0300
samba (2:4.21.3+dfsg-2) unstable; urgency=medium
* ctdb-failover-statd_callout-PATH_MAX-workaround.patch
another tweak for hurd (for missing PATH_MAX)
* d/control: add a note about ntp & signd socket, replace ntp with ntpsec
* d/control: provide ability to cross-build samba finally
(using qemu-user helper)
* d/control: mark arch-all perl and python packages with :native for now
(to help cross-building on bookworm)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 10 Jan 2025 23:23:31 +0300
samba (2:4.21.3+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=6750:
After 'machine password timeout' /etc/krb5.keytab is not updated
- https://bugzilla.samba.org/show_bug.cgi?id=15697:
Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease
- https://bugzilla.samba.org/show_bug.cgi?id=15701:
More possible replication loops against Azure AD
- https://bugzilla.samba.org/show_bug.cgi?id=15724:
vfs crossrename seems not work correctly
- https://bugzilla.samba.org/show_bug.cgi?id=15755:
Avoid event failure race when disabling an event script
- https://bugzilla.samba.org/show_bug.cgi?id=15758:
Segfault in vfs_btrfs
- https://bugzilla.samba.org/show_bug.cgi?id=15765:
Fix heap-user-after-free with association groups
- https://bugzilla.samba.org/show_bug.cgi?id=15771:
Memory leak wbcCtxLookupSid
* d/patches/: specify more Forwarded: urls
* d/patches/: source3-lib-util_sec.c-include-grp.h-for-setgroups.patch >
include-grp.h-for-setgroups-in-a-few-places.patch:
add 1 more place for setgroups()
* d/rules: remember last versions of ldb/talloc/tevent/tdb, reality check
* d/control: since we don't use debconf anymore, no need
to (build-)depend on po-debconf either
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 06 Jan 2025 21:20:31 +0300
samba (2:4.21.2+dfsg-4) unstable; urgency=medium
* d/rules: guard building compile_et target with !mitkrb5
* source3-lib-util_sec.c-include-grp.h-for-setgroups.patch for hurd ftbfs
* build talloc/tevent/tdb from samba source:
- import talloc, tevent and tdb packaging into samba
- stop shipping internal-to-samba libpytalloc-util development files
* d/copyright: mention myself for d/*
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 01 Dec 2024 22:28:05 +0300
samba (2:4.21.2+dfsg-3) unstable; urgency=medium
* Revert "d/rules: as of 4.17, no need to explicitly build intermediate
targets anymore". It is still a problem with samba 4.21, it just were
hidden.
* ldb-no-replace.diff: avoid embedding rpath to private samba libs
for libldb.so
* heimdal-spelling.patch: remove (forgotten, applied upstream)
* d/patches/* update dep3 metadata
* add-missing-libs-deps.diff: update to include more missing deps
(as submitted upstream)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 28 Nov 2024 22:28:27 +0300
samba (2:4.21.2+dfsg-2) unstable; urgency=medium
* resurrect python3-ldb (removed in previous release)
The removal of python3-ldb were unwarranted, as long as libldb
itself is stand-alone, lets keep its python bindings stand-alone
too.
* d/rules: s/execute_after_dh_install/execute_after_dh_install-arch/
since it is arch-specific
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 26 Nov 2024 18:56:17 +0300
samba (2:4.21.2+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=14356
protocol error - Unclear debug message "pad length mismatch"
for invalid bind packet
- https://bugzilla.samba.org/show_bug.cgi?id=15320
Update CTDB to track all TCP connections to public IP addresses
- https://bugzilla.samba.org/show_bug.cgi?id=15425
NetrGetLogonCapabilities QueryLevel 2 needs to be implemented
- https://bugzilla.samba.org/show_bug.cgi?id=15732
smbd fails to correctly check sharemode against OVERWRITE dispositions
- https://bugzilla.samba.org/show_bug.cgi?id=15740
gss_accept_sec_context() from Heimdal does not imply GSS_C_MUTUAL_FLAG
with GSS_C_DCE_STYLE
- https://bugzilla.samba.org/show_bug.cgi?id=15749
winbindd should call process_set_title() for locator child
- https://bugzilla.samba.org/show_bug.cgi?id=15752
winexe no longer works with samba 4.21
- https://bugzilla.samba.org/show_bug.cgi?id=15754
Panic in close_directory
* d/control: add python3-cryptography to python3-samba Depends
(Closes: #1086768)
* d/control: move python3-gpg recommends from python3-samba to samba-ad-dc
* d/control: extend libpcap-dev from hurd-i386 to hurd-any (Closes: #1087409)
* ship winexe binary (Closes: #1081269).
New Build-Depends: gcc-mingw-w64-i686-win32 gcc-mingw-w64-x86-64-win32
* d/control: provide Breaks/Replaces for winexe in kali linux (#1081269)
* swallow python3-ldb by python3-samba (and remove python3-ldb-dev)
* d/rules: drop mis-using --bundled-libraries configure option
* d/samba.postinst: replace test for /usr/bin/deb-systemd-helper file
with "command -v" (lintian)
* d/libldb2.lintian-overrides: remove overrides which were needed for compat
symlink (compat for older ldb in separate source)
* d/samba.install: stop shipping log2pcap.1 (the tool is not installed)
* d/rules: rename LDB_* vars to ldb-, and use common var for -Vldb:Version
* move-msg.sock-from-var-lib-samba-to-run-samba.patch: update
to cover failing tests too
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 25 Nov 2024 21:38:17 +0300
samba (2:4.21.1+dfsg-2) unstable; urgency=medium
* d/control: add Recommends: samba-ad-dc for samba for now
to avoid breaking existing installs
* d/samba.postrm: stop unmasking of samba-ad-dc
(it is already done in postinst)
* d/samba.postinst,d/samba.maintscripts: remove samba-ad-dc
startup files and stop the service (Closes: #1085617)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 25 Oct 2024 12:30:52 +0300
samba (2:4.21.1+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release
* d/salsa-ci.yml: disable reprotest vary build_path
* d/control: Build-Depend on python3-setuptools (Closes: #1080851)
* d/rules: stop providing compat symlink for old ldb
modules location for old sssd
* d/changelog: mention closing of #835404 by 4.21.0-1
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 14 Oct 2024 21:21:50 +0300
samba (2:4.21.0+dfsg-1) unstable; urgency=medium
* switch to 4.21 branch
* update to 4.21.0 (new upstream)
(Closes: #835404)
* fix-nfs-service-name-to-nfs-kernel-server.patch: refresh
* Force-LDB-as-standalone.patch: remove (ldb is always internal now)
* d/rules: ldb lib is now private by default, expose it as public
* d/rules: ldb uses LDB_VERSION variable now, not VERSION
* tilde-in-version.diff: remove (applied upstream)
* heimdal-spelling.patch: disable for now
* d/rules: s/vendor-name/vendor-suffix/
* d/ctdb.install: no more sudoers file
* d/samba-libs.symbols, d/control, d/samba-libs.install: libndr4=>libndr5
This requires sssd to be rebuilt
* samba-{libs,dev}.install, python3-{samba,ldb).install: refresh libs
(with lintian-overrides)
* samba-libs.install, samba-dev.install: new (semi-public) library:
libsamba-policy.so (used by the python stuff only, for now)
* samba-libs.install: new private library: libsamba-net-private-samba.so.0
* libldb2.symbols: add new symbols & 2.10.0 version
(and remove 2.9.1 minor version)
* d/control: bump libtdb version dependency to 1.4.12
* d/ctdb.install: install winbind_ctdb_updatekeytab.sh file
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 Sep 2024 17:48:34 +0300
samba (2:4.20.4+dfsg-1) unstable; urgency=medium
* new upstream (minor/bugfix) release fixing the ABI symbol generation
(Closes: #1078008)
* mention d/*.symbols change in previous changelog entry
* revert: d/*.symbols: add new variant of version marks (with underscore)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 06 Aug 2024 16:58:18 +0300
samba (2:4.20.3+dfsg-1) unstable; urgency=medium
* update to the new upstream stable/bugfix release (4.20.3).
See WHATSNEW.txt for details.
* tilde-in-version.diff: remove, an equivalent is applied upstream
* d/rules: s/vendor-name/vendor-suffix/ as per new upstream option
* d/samba-ad-dc.lintian-overrides: add systemd-diversion override too
* d/*.symbols: add new variant of version marks (with underscore)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 02 Aug 2024 18:33:51 +0300
samba (2:4.20.2+dfsg-11) unstable; urgency=medium
* d/control: remove Andrew Bartlett email from Uploaders per his request
* samba-common-bin.lintian-override: fixup python3-script-but-no-python3-dep
override
* fix name of samba-common-bin.lintian-overrides (it is plural)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 30 Jul 2024 15:54:36 +0300
samba (2:4.20.2+dfsg-10) unstable; urgency=medium
* d/rules: shorten dpkg_late_eval
* d/rules: stop renaming heimdal dir for mitkrb5 profile
* d/rules: remove the only usage of ${with_mitkrb5}
* d/rules: rearrange CFLAGS/LDFLAGS settings to use
DEB_*_MAINT_APPEND due to dpkg #1077005
* skip -9 release because of test upload to experimental
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 25 Jul 2024 11:35:21 +0300
samba (2:4.20.2+dfsg-8) unstable; urgency=medium
* d/samba-common-bin.lintian-override: fix the typo in the last fix
* d/samba-log-parser: python3-minimal is enough
* d/rules: define dpkg_late_eval macro since dpkg 1.22.8 does not define
it anymore (Closes: #1076920)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 24 Jul 2024 16:54:54 +0300
samba (2:4.20.2+dfsg-7) unstable; urgency=medium
* d/samba-common-bin.lintian-override: update samba-log-parser override
* d/control: add Breaks: older samba-ad-dc by samba (Closes: #1076196)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 14 Jul 2024 19:42:39 +0300
samba (2:4.20.2+dfsg-6) unstable; urgency=medium
* make-python-optional.diff: remove the forgotten unneeded patch
* d/samba.NEWS: re-wrap it a little bit
* d/samba.postinst: notify the user about probably-missing samba-ad-dc
package on upgrade (debconf template samba/no-samba-ad-dc)
* d/samba-common.postinst: remove (clean up) old debconf entries
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 08 Jul 2024 16:40:49 +0300
samba (2:4.20.2+dfsg-5) unstable; urgency=medium
* replace internal-to-samba-build python3-ldb-dev package
with a transitional empty package (to be removed in trixie+1)
* d/control: ensure python3-samba depends on exact version of python3-ldb,
the same way as samba-libs depends on exact version of libldb2
* d/rules: ensure python3-ldb does not depend on samba-libs|python3-samba
* d/rules: refine and explain --with-shared-modules
* d/control: d/control: drop old (buster and before) Breaks
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 01 Jul 2024 10:41:04 +0300
samba (2:4.20.2+dfsg-4) unstable; urgency=medium
* d/control: add the forgotten epoch for Breaks/Replaces
of samba-vfs-ceph & samba-vfs-glusterfs (Closes: #1074299)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 26 Jun 2024 12:20:08 +0300
samba (2:4.20.2+dfsg-3) unstable; urgency=medium
* split out samba-vfs-glusterfs from samba-vfs-modules
(pick up and rework ubuntu changes)
* split out samba-vfs-ceph from samba-vfs-modules
* merge samba-vfs-modules (remaining) into main samba package
* the only remaining extra vfs module, snapper, does not need extra handling
* d/samba-ad-dc.lintian-overrides: add conflicts-with-version override
for /usr-move
* samba-common-bin: use trivial separate shell wrapper for the python script
* d/rules: use before-trixie build profile to control dh_movetousr run too
* d/*.service: provide empty value for referenced environment vars
(Closes: #1073969)
* d/dirs: remove leftover file
* d/samba-common-bin.dirs: stop creating /etc/samba/tls/
* d/samba.dirs: stop creating bin & sbin
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Jun 2024 07:58:16 +0300
samba (2:4.20.2+dfsg-2) unstable; urgency=medium
* tilde-in-version.diff - allow tilde in version string
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 20 Jun 2024 09:49:50 +0300
samba (2:4.20.2+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=13019
Dynamic DNS updates with the internal DNS are not working
- https://bugzilla.samba.org/show_bug.cgi?id=13213
Samba build is not reproducible
- https://bugzilla.samba.org/show_bug.cgi?id=14981
netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0
- https://bugzilla.samba.org/show_bug.cgi?id=15412 Anonymous smb3
signing/encryption should be allowed (similar to Windows Server 2022)
- https://bugzilla.samba.org/show_bug.cgi?id=15435
Regression DFS not working with widelinks = true
- https://bugzilla.samba.org/show_bug.cgi?id=15569
ldb qsort might r/w out of bounds with an intransitive compare function
- https://bugzilla.samba.org/show_bug.cgi?id=15573
Panic in dreplsrv_op_pull_source_apply_changes_trigger
- https://bugzilla.samba.org/show_bug.cgi?id=15620
s4:nbt_server: does not provide unexpected handling, so winbindd
can't use nmb requests instead cldap
- https://bugzilla.samba.org/show_bug.cgi?id=15625
Many qsort() comparison functions are non-transitive, which can lead
to out-of-bounds access in some circumstances
- https://bugzilla.samba.org/show_bug.cgi?id=15633
samba-gpupdate - Invalid NtVer in netlogon_samlogon_response
- https://bugzilla.samba.org/show_bug.cgi?id=15638
Need to change gitlab-ci.yml tags in all branches to avoid CI bill
- https://bugzilla.samba.org/show_bug.cgi?id=15642 winbindd,
net ads join and other things don't work on an ipv6 only host
- https://bugzilla.samba.org/show_bug.cgi?id=15653 idmap_ad creates
an incorrect local krb5.conf in case of trusted domain lookups
- https://bugzilla.samba.org/show_bug.cgi?id=15654
new --vendor-name and --vendor-patch-revision options for ./configure
- https://bugzilla.samba.org/show_bug.cgi?id=15659
Segmentation fault when deleting files in vfs_recycle
Closes: #1073252
- https://bugzilla.samba.org/show_bug.cgi?id=15660 The images don't build
after the git security release and CentOS 8 Stream is EOL
- https://bugzilla.samba.org/show_bug.cgi?id=15662
vfs_widelinks with DFS shares breaks case insensitivity
- https://bugzilla.samba.org/show_bug.cgi?id=15664
Panic in vfs_offload_token_db_fetch_fsp()
- https://bugzilla.samba.org/show_bug.cgi?id=15665
CTDB RADOS mutex helper misses namespace support
- https://bugzilla.samba.org/show_bug.cgi?id=15666 "client use kerberos"
and --use-kerberos is ignored for the machine account
* d/libldb2.symbols,d.python3-ldb.symbols.in: add new version (2.9.1)
* use ./configure --vendor-name= instead of patching ./VERSION
* omit samba-ad-dc for i386 ubuntu
* samba-ad-dc: usr-move compensation maintscripts: add "set -e"
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Jun 2024 23:59:36 +0300
samba (2:4.20.1+dfsg-5) unstable; urgency=medium
* Build-Depends: dpkg-dev>=trixie for Arch packages only (for t64 rename)
* d/samba.NEWS: reword the last entry a bit
* d/samba-ad-dc.init: chmod +x
* d/control: bump Standards-Version to 4.7.0 (no changes needed)
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 10 Jun 2024 20:17:53 +0300
samba (2:4.20.1+dfsg-4) unstable; urgency=medium
[ Helmut Grohne ]
* Mitigate ineffective replaces due to /usr-move (DEP17 P1)
(Closes: #1072102)
[ Michael Tokarev ]
* d/control: mark libkeyutils-dev as linux-only [linux-any]
* d/control: drop old versions of versioned dependencies
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 29 May 2024 20:31:41 +0300
samba (2:4.20.1+dfsg-3) unstable; urgency=medium
* d/rules: move samba-common install to d/samba-common.install
* d/rules: install samba-ad-dc init files for the right package
* d/samba.postinst: remove nmbd_error_handler for the initscript
(it is not used in systemd case)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 26 May 2024 18:48:17 +0300
samba (2:4.20.1+dfsg-2) unstable; urgency=medium
* move many files from samba package to samba-ad-dc package.
From now on, samba-ad-dc isn't just a meta-package, it is actually
needed for AD-DC functionality. If you run AD-DC, please ensure
that samba-ad-dc package is installed (it is not recommended by samba)
Closes: #1051770
* move samba-tool and samba-gpupdate from samba-common-bin and samba
packages to python3-samba. This is an Active Directory stuff, not
needed for a stand-alone server or a client, but might be useful
for auth-only (neither file-server nor file-client) AD installs
Closes: #1068360
* remove addshare.py, setoption.py and source_samba.py python scripts
These aren't used by samba packages and are hardly useful generally, esp.
having in mind their unusual locations. The apport hook (source_samba.py)
is mostly obsolete, it hasn't been updated for a very long time.
* add make-python-optional.diff, so python3 can be made optional
for samba-common-bin
* remove python3-samba and python from Depends of samba and samba-common-bin
packages, moving it to Recommends. This lets the user to install a stand-
alone samba file server without any Active Directory bits and even without
python interpreter
* d/samba.install: do not install samba_downgrade_db (to old pre-4.8 version)
* move smbcontrol binary from samba to samba-common-bin,
since it can also be used to control winbindd
* d/control: tdb-tools (tdbbackup) are run from python modules,
move from samba:Depends to python3-samba:Recommends
* d/control: samba: no need to depend on libpam-runtime or libpam-modules
* d/control: samba: no need to recommend samba-ad-provision
* debian/TODO: update a bit, remove many obsolete entries
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 26 May 2024 17:48:13 +0300
samba (2:4.20.1+dfsg-1) unstable; urgency=medium
* new upstream major release
* d/control: bump tevent/talloc/tdb versions for Build-Depends
* d/libldb2.symbols, d/python3-ldb.symbols.in: add new version (2.9.0)
* d/patches/meaningful-error-if-no-python3-markdown.patch: fixup
* d/*.install: internal library names changed:
libfoo-samba4.so.0 => libfoo-private-samba.so.0
* d/samba-libs.install: update names for libdcerpc & libndr private libs
* d/samba-libs.install, d/samba-libs.links, d/samba-libs.symbols:
libndr has soversion 4 now. This breaks binaries linked with libndr!
* d/samba-libs.symbols: update with new ndr4 symbols
* d/libsmbclient.symbols: update with new symbols
* d/samba-dev.install: add smb3posix.h
* d/not-installed: add usr/bin/wspsearch experimental windows search binary
* d/control: libperl-json is not needed for build anymore
* d/control: bump minimum mit-krb5 version in Build-Depends to 1.21
(for pkg.samba.mitkrb5 build profile)
* Closes: #1070335 (wronly filed)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 08 May 2024 13:23:57 +0300
samba (2:4.19.6+dfsg-3) unstable; urgency=medium
* fix brown-paper-bag bugs in previous upload
(in meaningful-error-if-no-python3-markdown.patch)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 02 May 2024 20:47:15 +0300
samba (2:4.19.6+dfsg-2) unstable; urgency=medium
[ Michael Tokarev ]
* meaningful-error-if-no-python3-markdown.patch:
update to include 2 other places where markdown gets improted
* d/winbind.service:
- order it before nss-user-lookup.target (Closes: #1068649)
- fix typo
- nmb.service is nmbd.service in debian
* move include/samba/core/*.h from samba-libs to libwbclient-dev
(Closes: #1064544)
[ Alex Murray ]
* fix smbd apparmor breakage since change to local systemd services
(Cloes: #1069661)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 02 May 2024 14:08:31 +0300
samba (2:4.19.6+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15527 fd_handle_destructor()
panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close()
- https://bugzilla.samba.org/show_bug.cgi?id=15580
Packet marshalling push support missing for
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED
- https://bugzilla.samba.org/show_bug.cgi?id=15588
samba-gpupdate: Correctly implement site support
- https://bugzilla.samba.org/show_bug.cgi?id=15599
libgpo: Segfault in python bindings
* revert d/rules: remove Debian/Ubuntu "branding"
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 08 Apr 2024 11:18:38 +0300
samba (2:4.19.5+dfsg-5) unstable; urgency=medium
* implement pkg.samba.before-trixie build profile
(undo t64 changhes and drop build-dep)
* d/rules: remove Debian/Ubuntu "branding", no need in that
* d/control: samba-dsdb-modules: drop hardcoded dependency on libgpgme11
(Closes: #1068526)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 07 Apr 2024 16:04:30 +0300
samba (2:4.19.5+dfsg-4) unstable; urgency=medium
* stop shipping python3/dist-packages/samba/tests
(Closes: #1064512, #1063149)
* add Debian-Specific tag to debian-specific patches
* d/genshlibs: run dh_makeshlibs on libsmbclient0
(Closes: #1065349)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 03 Mar 2024 15:37:16 +0300
samba (2:4.19.5+dfsg-3) unstable; urgency=medium
* d/control: add versioned depends on dpkg-dev to avoid accidental
build of time64_t packages on older systems
* +lower-dns-lookup-mismatch-messages.patch (reduce log noise)
* d/control: add libtirpc-dev and rpcsvc-proto to Build-Depends-Arch
(Closes: #1065188)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 01 Mar 2024 19:18:35 +0300
samba (2:4.19.5+dfsg-2) unstable; urgency=medium
* rename libsmbclient => libsmbclient0 for 64-bit time_t transition
Closes: #1064337
* d/libsmbclient.lintian-overrides: remove, soname now = package name
* add Breaks: of sssd packages to samba-libs
* +passchange-error-message.patch - fix password change error message
* +edns0.patch: enable EDNS0 support in internal UDP-only DNS client
https://bugzilla.samba.org/show_bug.cgi?id=15536
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 28 Feb 2024 19:38:48 +0300
samba (2:4.19.5+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release (4.19.5)
* reformat previous changelog entry to fit in 80cols
* d/winbind.postrm: stop recursively removing plain files
* d/winbind.postrm: winbindd_cache.tdb is in /var/lib now,
not in /var/cache
* d/control: RulesRequiresRoot:no
* d/*.symbols: use #PACKAGE# placeholders where appropriate
(or add comments where it is not)
* +silence-can-not-convert-group-sid.diff -
make another log message less annoying
* -python-fix-invalid-escape-sequences.patch (applied upstream)
* d/control: replace pkg-config=>pkgconf in Build-Depends, remove
pkg-config from Depends of libldb-dev and python3-ldb-dev
* d/samba-libs.symbols, d/control: make libsmbldapN a virtual package
provided by samba-libs too, like libndrN
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 19 Feb 2024 15:21:14 +0300
samba (2:4.19.4+dfsg-3) unstable; urgency=medium
* samba,winbind: remove logrotate scripts
samba does its own log rotation (max log size (=5000 by default) and
renaming to .old). The two clashes with each other in an interesting way.
* d/samba-libs.symbols, d/control: make libndrN a virtual package
to ensure rdeps pick the right dependency
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 30 Jan 2024 12:12:42 +0300
samba (2:4.19.4+dfsg-2) unstable; urgency=medium
* d/samba.smbd.service, d/samba.nmbd.service: expand forgotten @BINDIR@
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 08 Jan 2024 20:44:51 +0300
samba (2:4.19.4+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release. See WHATSNEW.txt for details.
* d/control: drop pkg.samba.nouring build profile: was needed
for focal which we do not support anymore
* remove /etc/cron.daily/samba: there's no reason to keep backing it up,
most stuff is in ldb/tdb files these days.
* d/samba.maintscript, d/winbind.maintscript:
remove old rm_connfiles (pre-buster versions)
* d/rules, d/*.service: provide .service files directly instead of renaming
and patching upstream templates, and use dh_installsystemd to install them
(partially Closes: #1059187)
* d/rules: run dh_movetousr for libpam-winbind & libnss-winbind, if exists.
This fixes remaining files in /lib (hopefully). In a search for better
way to detect where to put system libs (/lib vs /usr/lib) as a configure
option. Closes: #1059187
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 08 Jan 2024 19:11:37 +0300
samba (2:4.19.3+dfsg-2) unstable; urgency=medium
* d/rules: simplify LDFLAGS assignment
* d/rules: add -mlong-jump-table-offsets to CFLAGS on m68k (fix FTBFS there)
* d/rules: CFLAGS += -ffile-prefix-map=../../=
* d/control: fix versioned dependency on samba for samba-ad-dc
* +python-fix-invalid-escape-sequences.patch from upstream (Closes: #1057668)
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 11 Dec 2023 13:19:18 +0300
samba (2:4.19.3+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=13595
CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP
to normal users (Closes: #1034803). Please see WHATSNEW.txt file for
more information about this issue: actual fix requires extra steps to
be performed against samba-based AD-DC
- https://bugzilla.samba.org/show_bug.cgi?id=15093
Files without "read attributes" NFS4 ACL permission are not listed
in directories
- https://bugzilla.samba.org/show_bug.cgi?id=15487
smbd crashes if asked to return full information on close of
a stream handle with delete on close disposition set
- https://bugzilla.samba.org/show_bug.cgi?id=15492
Kerberos TGS-REQ with User2User does not work for normal accounts
- https://bugzilla.samba.org/show_bug.cgi?id=15499
Improve logging for failover scenarios
- https://bugzilla.samba.org/show_bug.cgi?id=15507
vfs_gpfs stat calls fail due to file system permissions
- https://bugzilla.samba.org/show_bug.cgi?id=15513
Samba doesn't build with Python 3.12
- https://bugzilla.samba.org/show_bug.cgi?id=15520
sid_strings test broken by unix epoch > 1700000000
- https://bugzilla.samba.org/show_bug.cgi?id=15521
smbd: fix close order of base_fsp and stream_fsp
in smb_fname_fsp_destructor()
* d/samba-common.maintscript: fix version number for dhcp hook removal
(Closes: #1053780)
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 27 Nov 2023 22:22:54 +0300
samba (2:4.19.2+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15423
Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE
- https://bugzilla.samba.org/show_bug.cgi?id=15426
clidfs.c do_connect() missing a "return" after a cli_shutdown() call
- https://bugzilla.samba.org/show_bug.cgi?id=15463
macOS mdfind returns only 50 results
- https://bugzilla.samba.org/show_bug.cgi?id=15481
GETREALFILENAME_CACHE can modify incoming new filename
with previous cache entry value
- https://bugzilla.samba.org/show_bug.cgi?id=15464
libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more
- https://bugzilla.samba.org/show_bug.cgi?id=15479
ctdbd: setproctitle not initialized messages flooding logs
- https://bugzilla.samba.org/show_bug.cgi?id=15491
CVE-2023-5568 Heap buffer overflow with freshness tokens
in the Heimdal KDC in Samba 4.19
- https://bugzilla.samba.org/show_bug.cgi?id=15477
The heimdal KDC doesn't detect s4u2self correctly when fast is in use
* d/samba-common.maintscript: remove obsolete conffile
/etc/dhcp/dhclient-enter-hooks.d/samba (Closes: #1053780)
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 16 Oct 2023 18:26:31 +0300
samba (2:4.19.1+dfsg-4) unstable; urgency=medium
* d/samba-common.postinst: restore installing of smb.conf using ucf
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 10 Oct 2023 22:33:32 +0300
samba (2:4.19.1+dfsg-3) unstable; urgency=medium
* d/ctdb.install: sync ceph arch list
* d/control: mention other places where ceph arch list is used
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 10 Oct 2023 20:12:20 +0300
samba (2:4.19.1+dfsg-2) unstable; urgency=medium
* d/rules: sync with-ceph arch list from d/control
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 10 Oct 2023 19:03:42 +0300
samba (2:4.19.1+dfsg-1) unstable; urgency=medium
* new stable security bugfix release:
o CVE-2023-3961: https://www.samba.org/samba/security/CVE-2023-3961.html
Unsanitized pipe names allow SMB clients to connect as root
to existing unix domain sockets on the file system.
o CVE-2023-4091: https://www.samba.org/samba/security/CVE-2023-4091.html
SMB client can truncate files to 0 bytes by opening files with OVERWRITE
disposition when using the acl_xattr Samba VFS module with the smb.conf
setting "acl_xattr:ignore system acls = yes"
o CVE-2023-4154: https://www.samba.org/samba/security/CVE-2023-4154.html
An RODC and a user with the GET_CHANGES right can view all attributes,
including secrets and passwords. Additionally, the access check fails
open on error conditions.
o CVE-2023-42669: https://www.samba.org/samba/security/CVE-2023-42669.html
Calls to the rpcecho server on the AD DC can request that the server
block for a user-defined amount of time, denying service.
o CVE-2023-42670: https://www.samba.org/samba/security/CVE-2023-42670.html
Samba can be made to start multiple incompatible RPC listeners,
disrupting service on the AD DC.
* remove debconf questions and wins dhcp hooks together with po files
(wins is not relevant today anymore)
* d/control: bump mit-krb5 build-dep (on mitkrb5 profile) to 1.20
* d/control: disable ceph (libcephfs-dev, librados-dev) on 32bit
architectures (Closes: #1053202)
* d/control: enable rados on riscv64 once it's available there
* d/control: samba-libs: depend on libldb of the same version since libldb
symbols might appear during previous stable series but they don't propagate
to next releases with previous minor version numbers. This is ABI breakage
but the symbols are mostly internal to samba itself
* debian/libldb2.symbols: update
* drop attempts to keep ldb ABI versioning
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 10 Oct 2023 18:02:05 +0300
samba (2:4.19.0+dfsg-1) unstable; urgency=medium
* new upstream release. Some highlights:
o changed command-line interface of smbget utility
o improved winbindd logging
o AD database prepared to FL 2016 standards for new domains
o initial, partial implementation of AD FL 2012, 2012R2 and 2016
o samba-tool support for silos, claims, sites and subnets
o updated Heimdal import
o other improvements and changes, see WHATSNEW.txt file for details.
* d/patches: remove patches applied upstream, refresh patches
* d/control: update talloc/tevent/tdb build-deps
* d/smbclient.install: remove smbgetrc.5
* d/patches: add ldb 2.7.1 & 2.7.2 ABI files
* d/libldb2.symbols: add new symbols (ldb_val_as_*) and new version (2.8.0)
* d/python3-ldb.symbols: remove unused versions, add new version
* d/control: fix description of samba-common-bin (samba-client)
* d/samba-common-bin.install: install samba-log-parser (for winbindd for now)
* d/samba-libs.install: 2 new libs
* d/samba-libs.install, d/samba-testsuite.install: move libshares-samba4.so.0
from samba-libs to samba-testsuite
* d/samba-libs.install, d/samba-vfs-modules.install: move
libdfs-server-ad-samba4.so.0 from samba-libs to samba-vfs-modules
* d/samba-libs.install, d/samba-common-bin.install: move
libnet-keytab-samba4.so.0 from samba-libs to samba-common-bin (used by net)
* d/samba-libs.install, d/samba-common-bin.install: move
libRPC-WORKER-samba4.so.0 from samba-libs to samba-common-bin
(used by usr/libexec/samba/rpcd_*)
* samba-libs: add libndr 3.0.1 symbols
* d/source/lintian-overrides: remove unused source-is-missing override
* d/samba-vfs-modules.lintian-overrides: remove unused
spelling-error-in-binary override
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 04 Sep 2023 22:57:48 +0300
samba (2:4.18.6+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=9959
Windows client join fails if a second container CN=System exists somewhere
- https://bugzilla.samba.org/show_bug.cgi?id=15289
post-exec password redaction for samba-tool is more reliable for
fully random passwords as it no longer uses regular expressions
containing the password value itself
- https://bugzilla.samba.org/show_bug.cgi?id=15342
Spotlight sometimes returns no results on latest macOS
- https://bugzilla.samba.org/show_bug.cgi?id=15346
2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2
- https://bugzilla.samba.org/show_bug.cgi?id=15390
Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation)
- https://bugzilla.samba.org/show_bug.cgi?id=15400
rpcserver no longer accepts double backslash in dfs pathname
- https://bugzilla.samba.org/show_bug.cgi?id=15414
"net offlinejoin provision" does not work as non-root user
- https://bugzilla.samba.org/show_bug.cgi?id=15417
Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted
to remove the destination
- https://bugzilla.samba.org/show_bug.cgi?id=15420
reply_sesssetup_and_X() can dereference uninitialized tmp pointer
- https://bugzilla.samba.org/show_bug.cgi?id=15427
Spotlight results return wrong date in result list
- https://bugzilla.samba.org/show_bug.cgi?id=15430
Missing return in reply_exit_done()
- https://bugzilla.samba.org/show_bug.cgi?id=15433
cm_prepare_connection() calls close(fd) for the second time
- https://bugzilla.samba.org/show_bug.cgi?id=15435
Regression DFS not working with widelinks = true
- https://bugzilla.samba.org/show_bug.cgi?id=15441
samba-tool ntacl get segfault if aio_pthread appended
- https://bugzilla.samba.org/show_bug.cgi?id=15446
DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed
- https://bugzilla.samba.org/show_bug.cgi?id=15449
mdssvc: Do an early talloc_free() in _mdssvc_open()
* d/control: python3-testtools is only needed for selftest,
remove from Build-Depends for now
* d/rules: export PYTHONDONTWRITEBYTECODE=1 to stop python from generating
.pyc caches (Closes: #1048754)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 16 Aug 2023 20:11:26 +0300
samba (2:4.18.5+dfsg-2) unstable; urgency=medium
* d/rules, d/control: only build glusterfs support on 64bits
(Closes: #1041996)
* d/rules: make ceph conditional similar to gluster
* d/rules: wrap _PYTHON_SYSCONFIGDATA_NAME setting to cross-compile case
On e.g. buster, _PYTHON_SYSCONFIGDATA_NAME is different, so this assignment
does not work right. In order for it to work on buster, add condition on
host vs build gnu type. This breaks compilation with foreign python binary.
* d/control: fix description of samba-common-bin (samba-client)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 04 Aug 2023 17:29:06 +0300
samba (2:4.18.5+dfsg-1) unstable; urgency=medium
* new upstream stable/security release 4.18.5, including:
o CVE-2022-2127: When winbind is used for NTLM authentication,
a maliciously crafted request can trigger an out-of-bounds read
in winbind and possibly crash it.
https://www.samba.org/samba/security/CVE-2022-2127.html
o CVE-2023-3347: SMB2 packet signing is not enforced if an admin
configured "server signing = required" or for SMB2 connections to
Domain Controllers where SMB2 packet signing is mandatory.
https://www.samba.org/samba/security/CVE-2023-3347.html
o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service
for Spotlight can be triggered by an unauthenticated attacker by
issuing a malformed RPC request.
https://www.samba.org/samba/security/CVE-2023-34966.html
o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service
for Spotlight can be used by an unauthenticated attacker to trigger
a process crash in a shared RPC mdssvc worker process.
https://www.samba.org/samba/security/CVE-2023-34967.html
o CVE-2023-34968: As part of the Spotlight protocol Samba discloses
the server-side absolute path of shares and files and directories
in search results.
https://www.samba.org/samba/security/CVE-2023-34968.html
o BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
https://bugzilla.samba.org/show_bug.cgi?id=15418
(this has been patched in the previous upload; Closes: #1041043)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Jul 2023 17:55:58 +0300
samba (2:4.18.4+dfsg-2) unstable; urgency=medium
* +fix-unsupported-netr_LogonGetCapabilities-l2.patch
Fix windows logon/trust issues with 2023-07 windows updates:
https://bugzilla.samba.org/show_bug.cgi?id=15418
* d/copyright: also remove ctdb/doc/*.?.html pre-generated manpages
from the upstream tarball (forgotten previously)
* d/rules: add comment about -latomic gcc issue and drop --as-needed
there since it is already in use
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 14 Jul 2023 12:30:31 +0300
samba (2:4.18.4+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release, including:
- https://bugzilla.samba.org/show_bug.cgi?id=2312
smbcacls and smbcquotas do not check // before the server
- https://bugzilla.samba.org/show_bug.cgi?id=14030
Named crashes on DLZ zone update (was in debian before)
- https://bugzilla.samba.org/show_bug.cgi?id=15355
NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
and causes test timeouts
- https://bugzilla.samba.org/show_bug.cgi?id=15381
Register Samba processes with GPFS
- https://bugzilla.samba.org/show_bug.cgi?id=15382
cli_list loops 100% CPU against pre-lanman2 servers
- https://bugzilla.samba.org/show_bug.cgi?id=15383
Remove comments about deprecated 'write cache size'
- https://bugzilla.samba.org/show_bug.cgi?id=15384
net ads lookup (with unspecified realm) fails
- https://bugzilla.samba.org/show_bug.cgi?id=15390
Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation)
- https://bugzilla.samba.org/show_bug.cgi?id=15391
smbclient leaks fds with showacls
- https://bugzilla.samba.org/show_bug.cgi?id=15398
The winbind child segfaults when listing users with
`winbind scan trusted domains = yes`
- https://bugzilla.samba.org/show_bug.cgi?id=15402
smbd returns NOT_FOUND when creating files on a r/o filesystem
- https://bugzilla.samba.org/show_bug.cgi?id=15403
smbget memory leak if failed to download files recursively
- https://bugzilla.samba.org/show_bug.cgi?id=15404
Backport --pidl-developer fixes
* remove dnsserver-rename-dns_name_equal.patch (applied upstream)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 05 Jul 2023 18:14:20 +0300
samba (2:4.18.3+dfsg-3) unstable; urgency=medium
* d/rules: query for DEB_HOST_ARCH, not DEB_HOST_ARCH_CPU,
for -latomic workaround
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 21 Jun 2023 23:11:59 +0300
samba (2:4.18.3+dfsg-2) unstable; urgency=medium
* d/rules: include -latomic gcc issue workaround for select arches
apparently due to a gcc issue, some architectures (armel, mipsel, ...)
fail to link samba due to not finidng __atomic_load_8 etc symbols
after using atomic_load etc from stdatomic.h (part of gcc).
Add -latomic explicitly to the list of libraries we link with.
* d/rules: add libwbclient0 to the list of krb5-versioned packages
(thanks to Andrew Kornilov)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 20 Jun 2023 11:35:13 +0300
samba (2:4.18.3+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15375
Symlinks to files can have random DOS mode information
in a directory listing
- https://bugzilla.samba.org/show_bug.cgi?id=15378
vfs_fruit might cause a failing open for delete
- https://bugzilla.samba.org/show_bug.cgi?id=15361
winbind recurses into itself via rpcd_lsad
- https://bugzilla.samba.org/show_bug.cgi?id=15366
wbinfo -u fails on ad dc with >1000 users
- https://bugzilla.samba.org/show_bug.cgi?id=15338
DS ACEs might be inherited to unrelated object classes
- https://bugzilla.samba.org/show_bug.cgi?id=15362
a lot of messages: get_static_share_mode_data:
get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND
- https://bugzilla.samba.org/show_bug.cgi?id=15374
aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse()
- https://bugzilla.samba.org/show_bug.cgi?id=15360
Setting veto files = /.*/ break listing directories
- https://bugzilla.samba.org/show_bug.cgi?id=15363
"samba-tool domain provision" does not run interactive mode
if no arguments are given
- https://bugzilla.samba.org/show_bug.cgi?id=15325
dsgetdcname: assumes local system uses IPv4
* dnsserver-rename-dns_name_equal.patch
(forgotten) patch from upstream targetting next stable
Fixes crashes of named with samba DLZ plugin due to
symbol name conflict (dns_name_equal() function).
There's no resulting code changes, just a symbol rename.
https://bugzilla.samba.org/show_bug.cgi?id=14030
Closes: #1036587, #927747
* remove generated manpage files upstream ships in
docs/manpages/ and ctdb/doc/
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 31 May 2023 20:09:05 +0300
samba (2:4.18.2+dfsg-1) experimental; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15302
Log flood: smbd_calculate_access_mask_fsp: Access denied:
message level should be lower.
- https://bugzilla.samba.org/show_bug.cgi?id=15306
Floating point exception (FPE) via cli_pull_send
at source3/libsmb/clireadwrite.c.
- https://bugzilla.samba.org/show_bug.cgi?id=15328
test_tstream_more_tcp_user_timeout_spin fails intermittently
on Rackspace GitLab runners.
- https://bugzilla.samba.org/show_bug.cgi?id=15329
Reduce flapping of ridalloc test.
- https://bugzilla.samba.org/show_bug.cgi?id=15351
large_ldap test is unreliable.
- https://bugzilla.samba.org/show_bug.cgi?id=15143
New filename parser doesn't check veto files smb.conf parameter.
- https://bugzilla.samba.org/show_bug.cgi?id=15354
mdssvc may crash when initializing.
- https://bugzilla.samba.org/show_bug.cgi?id=15313
large directory optimization broken for non-lcomp path elements.
- https://bugzilla.samba.org/show_bug.cgi?id=15357
streams_depot fails to create streams.
- https://bugzilla.samba.org/show_bug.cgi?id=15358
shadow_copy2 and streams_depot don't play well together.
- https://bugzilla.samba.org/show_bug.cgi?id=15316
Flapping tests in samba_tool_drs_show_repl.py.
- https://bugzilla.samba.org/show_bug.cgi?id=15317
winbindd idmap child contacts the domain controller without a need.
- https://bugzilla.samba.org/show_bug.cgi?id=15318
idmap_autorid may fail to map sids of trusted domains for the first time.
- https://bugzilla.samba.org/show_bug.cgi?id=15319
idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
- https://bugzilla.samba.org/show_bug.cgi?id=15323
net ads search -P doesn't work against servers in other domains.
- https://bugzilla.samba.org/show_bug.cgi?id=15353
Temporary smbXsrv_tcon_global.tdb can't be parsed.
- https://bugzilla.samba.org/show_bug.cgi?id=15316
Flapping tests in samba_tool_drs_show_repl.py.
- https://bugzilla.samba.org/show_bug.cgi?id=15343
Tests use depricated and removed methods like assertRegexpMatches.
* d/rules, d/libldb2.symbols; add ldb 2.6.2 version
* heimdal-to-support-KEYRING-ccache.patch: enable KEYRING in heimdal
(Closes: #1023609)
* d/control: build-depend on libkeyutils-dev
(it is pulled by some other dep, but better to be safe)
* -s3-smbd-open.c-smbd_calculate_access_mask_fsp-lower-.patch
(the change has been applied upstream)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Apr 2023 14:02:49 +0300
samba (2:4.18.1+dfsg-1~exp1) experimental; urgency=high
* upstream stable/security/bugfix release, fixing the following issues:
o CVE-2023-0225: An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to delete this
attribute from any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was insufficient and
an attacker may be able to obtain confidential BitLocker recovery keys
from a Samba AD DC. Installations with such secrets in their Samba AD
should assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
* update libldb symbols and versions
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 29 Mar 2023 17:59:17 +0300
samba (2:4.18.0+dfsg-1~exp1) experimental; urgency=medium
* new upstream release (4.18.0):
* SMB Server performance improvements
* More succinct samba-tool error messages
* Colour output with samba-tool --color
* New samba-tool dsacl subcommand for deleting ACES
* New wbinfo option --change-secret-at
* New option to change the NT ACL default location
* Azure Active Directory / Office365 synchronisation improvements
* new smb.conf parameters:
server addresses
acl_xattr:security_acl_name
* For more details, please refer to WHATSNEW.txt file.
* d/control: bump talloc/tdb/tevent build-deps
* patches:
- refresh: hurd-compat.patch
- refresh: spelling.patch, remove many, add 3 new changes
- new: heimdal-spelling.patch, spelling fixes for third_party/heimdal
- remove: unwrap-getresgid-typo.patch, not needed
* d/samba-libs.install: add new internal library libstable-sort-samba4.so.0
* d/libldb2.symbols, python3-ldb.symbols.in: add new versions (2.7.0, 2.7.1)
* d/libwbclient0.symbols: add new version and two new symbols:
wbcChangeTrustCredentialsAt wbcCtxChangeTrustCredentialsAt
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 14:47:05 +0300
samba (2:4.17.6+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release 4.17.6:
* https://bugzilla.samba.org/show_bug.cgi?id=15314
streams_xattr is creating unexpected locks on folders.
* https://bugzilla.samba.org/show_bug.cgi?id=10635
Use of the Azure AD Connect cloud sync tool is now supported for password
hash synchronisation, allowing Samba AD Domains to synchronise passwords
with this popular cloud environment.
* https://bugzilla.samba.org/show_bug.cgi?id=15299
Spotlight doesn't work with latest macOS Ventura.
* https://bugzilla.samba.org/show_bug.cgi?id=15310
New samba-dcerpc architecture does not scale gracefully.
* https://bugzilla.samba.org/show_bug.cgi?id=15307
vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd()
in close and fstat.
* https://bugzilla.samba.org/show_bug.cgi?id=15293
With clustering enabled samba-bgqd can core dump due to use after free.
* https://bugzilla.samba.org/show_bug.cgi?id=15311
fd_load() function implicitly closes the fd where it should not.
* debian/po/ro.po update from Remus-Gabriel Chelu
* s3-smbd-open.c-smbd_calculate_access_mask_fsp-lower-.patch
makes smbd a bit less spammy in logs
* d/control: clarify some package descriptions (Closes: #1031922)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 12:52:14 +0300
samba (2:4.17.5+dfsg-2) unstable; urgency=medium
* d/control: samba: depends on exact version of python3-samba
* d/control: fix typo
* more tweaks for foreign/cross build
* d/control: work around autodep8 #904999 again
* introduce upstream-like aliases for debian .service names,
add rationale
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 04 Feb 2023 17:15:40 +0300
samba (2:4.17.5+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release. From WHATSNEW.txt:
* BUG 14808: smbc_getxattr() return value is incorrect.
* BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX
are not handled correctly.
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
* BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs()
fails to find DC when there is only an AAAA record for the DC in DNS
(Closes: #1023606).
* BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
* BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
* BUG 15283: vfs_virusfilter segfault on access,
directory edgecase (accessing NULL value).
* BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
based SChannel on NETLOGON (additional changes).
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum) (the fix was in debian before).
* BUG 15266: Shares missing from netshareenum response in samba 4.17.4
(the fix was in debian before).
* BUG 15269: ctdb: use-after-free in run_proc.
* BUG 15280: irpc_destructor may crash during shutdown.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15268: smbclient segfaults with use after free on an optimized build
* BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
* BUG 15164: Leak in wbcCtxPingDc2.
* BUG 15265: Access based share enum does not work in Samba 4.16+.
* BUG 15267: Crash during share enumeration.
* BUG 15271: rep_listxattr on FreeBSD does not properly check
for reads off end of returned buffer.
* BUG 15281: Avoid relying on C89 features in a few places.
* remove patches applied upstream:
- reload-registry-shares-after-reloading-services.patch
- rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch
* d/control: Standards-Version: 4.6.2 (no changes)
* d/control: put all doc-generating build-deps into one line
* little prep for cross-compilation
- build-depend on python3:any and python3-dev:any
- build-depend on libpython3-dev for actual module building,
and use arch-specific python3-config from there
- set and export _PYTHON_SYSCONFIGDATA_NAME to get foreign-arch values
provided by libpython3-dev (also helps when python itself is foreign)
- depend on perl:any not just perl
- export CC/CPP/LD/PKGCONFIG for ./configure (buildtools.mk)
* d/gbp.conf: unignore branch
* d/control: samba, ctdb, winbind: do not depend on lsb-base
(the script is in sysvinit-utils now)
* d/control: drop unused build-dep on libncurses5-dev
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 27 Jan 2023 11:15:01 +0300
samba (2:4.17.4+dfsg-3) unstable; urgency=medium
* +rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch
https://bugzilla.samba.org/show_bug.cgi?id=15265
* +reload-registry-shares-after-reloading-services.patch
https://bugzilla.samba.org/show_bug.cgi?id=15266
* d/samba.postinst: fix /var/spool/samba => /var/tmp handling
(old spooldir can be referred to in other sections too)
* create common script "is-configured" to check if the service is configured
in smb.conf, and stop masking services in postinst
* rewrite SysV init scripts (simplify, make consistent, etc)
* d/winbind.postinst: create/change /var/lib/samba/winbindd_privileged
at install time only (it should be in /run/samba/ somewhere these days)
* d/control: change version of samba which samba-ad-provisioning
Breaks to where provisioning was split out
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 03 Jan 2023 10:45:36 +0300
samba (2:4.17.4+dfsg-2) unstable; urgency=medium
* d/control: samba-dc-provision Replaces+Breaks samba (< 4.17.4+dfsg-2).
Closes: #1026387
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 19 Dec 2022 16:36:00 +0300
samba (2:4.17.4+dfsg-1) unstable; urgency=medium
* new upstream stable/security release, with the following changes:
- CVE-2022-37966: Windows Kerberos RC4-HMAC Elevation of Privilege
Vulnerability disclosed by Microsoft on Nov 8 2022, see
https://www.samba.org/samba/security/CVE-2022-37966.html
- CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022. See
https://www.samba.org/samba/security/CVE-2022-37967.html
- CVE-2022-38023: Weak "RC4" (rc4-hmac) protection of the NetLogon Secure
channel uses, see https://www.samba.org/samba/security/CVE-2022-38023.html
There are several important behavior changes included in this release,
which may cause compatibility problems interacting with system still
expecting the former behavior. Please read the documents referenced above!
See also the WHATSNEW.txt document, as there are several new, changed
and deprecated smb.conf parameters.
* Other bugfixes in this release (from WHATSNEW.txt):
https://bugzilla.samba.org/show_bug.cgi?id=14929 CVE-2022-44640
Upstream Heimdal free of user-controlled pointer in FAST.
https://bugzilla.samba.org/show_bug.cgi?id=15219
Heimdal session key selection in AS-REQ examines wrong entry.
https://bugzilla.samba.org/show_bug.cgi?id=13135 The KDC logic around
msDs-supportedEncryptionTypes differs from Windows.
https://bugzilla.samba.org/show_bug.cgi?id=14611 CVE-2021-20251
Bad password count not incremented atomically.
https://bugzilla.samba.org/show_bug.cgi?id=15206 libnet: change_password()
doesn't work with dcerpc_samr_ChangePasswordUser4()
https://bugzilla.samba.org/show_bug.cgi?id=15230
Memory leak in snprintf replacement functions.
https://bugzilla.samba.org/show_bug.cgi?id=15253 RODC doesn't reset
badPwdCount reliable via an RWDC (CVE-2021-20251 regression).
https://bugzilla.samba.org/show_bug.cgi?id=15198
Prevent EBADF errors with vfs_glusterfs.
https://bugzilla.samba.org/show_bug.cgi?id=15243
%U for include directive doesn't work for share listing (netshareenum).
https://bugzilla.samba.org/show_bug.cgi?id=15257
Stack smashing in net offlinejoin requestodj.
* removed patches which are now included upstream:
- nsswitch-pam-data-time_t.patch
- CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 15 Dec 2022 21:54:31 +0300
samba (2:4.17.3+dfsg-4) unstable; urgency=medium
* create samba-ad-provision package with contents of /usr/share/samba/setup.
It is recommended by samba, so can be uninstalled if not needed.
* create samba-ad-dc package. It is an empty metapackage for now, but with
dependencies needed to run an Active Directory Domain Controller (AD-DC)
* samba-ad-provision.lintian-overrides: license files
* print meaningful error message if samba-ad-provision is not installed
(meaningful-error-if-no-samba-ad-provision.patch)
* print meaningful error message if python3-markdown is not installed
(meaningful-error-if-no-python3-markdown.patch)
* ctdb: move rundir from /var/run to /run
* fix typo in fruit patch
* a few more spelling fixes
* add #DEBHELPER# tokens to libnss-winbind.{postinst,postrm}
* remove mentions of /var/spool/samba from samba.lintian-overrides
(moved to /var/tmp)
* change embedded-library heimdal lintian override in a way to be understood
by both old and new lintian, so the package can be uploaded
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 05 Dec 2022 14:39:43 +0300
samba (2:4.17.3+dfsg-3) unstable; urgency=medium
* d/control: winbind should depend on the same binary:Version
of libwbclient, or else its components can't talk to the daemon.
Thank you Stefan Weichinger for the patience while finding this one!
* libnss-winbind: add postinst/postrm scripts to add/remove nsswitch.conf
entry for winbind (but not for wins)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 01 Dec 2022 22:38:07 +0300
samba (2:4.17.3+dfsg-2) unstable; urgency=medium
* fruit-disable-useless-size_t-overflow-check.patch (Closes: #974868)
* CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
Fix regression on 32bit systems:
https://bugzilla.samba.org/show_bug.cgi?id=15203
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 21 Nov 2022 20:41:46 +0300
samba (2:4.17.3+dfsg-1) unstable; urgency=medium
* new upstream security release 4.17.3, fixing the following issue:
CVE-2022-42898: Heimdal Kerberos libraries suffers from an integer
multiplication overflow vulnerability which affects 32bit platforms,
see https://www.samba.org/samba/security/CVE-2022-42898.html
This changes third_party/heimdal/, it does not affect mitkrb5 builds.
* d/rules: stop stripping +dfsg suffix from ldb version
* d/control: declare dependency on password (for groupadd in postinst)
for winbind and samba (Closes: #1023759)
* implement pkg.samba.mitkrb5 build profile to build with system mit-krb5
(with "mitkrb5" version suffix in some packages for now)
* d/control: mark libufing-dev build dep with <!pkg.samba.nouring>
(to simplify out-of-archive builds for older systems)
* d/rules: parametrise list of packages to omit (eg on ubuntu-i386)
with ${omit-pkgs}
* d/rules: use variables in a more consistent way, use single ${config-args}
* d/control: tdb-tools and lmdb-utils packages are also needed for tests
(everything is commented out for now anyway)
* d/rules: update knownfail tests
* d/rules: stop exporting buildflags, export compiler options when needed
* d/rules: always define rados:Depends & vfsmods:Depends substvars
* unwrap-getresgid-typo.patch - fix crash during p11-kit execution
(https://bugzilla.samba.org/show_bug.cgi?id=15227) (for the testsuite only)
* nsswitch-pam-data-time_t.patch - fix time_t not fit in a pointer (eg x32)
(https://bugzilla.samba.org/show_bug.cgi?id=15224)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 15 Nov 2022 19:26:10 +0300
samba (2:4.17.2+dfsg-9) unstable; urgency=medium
* hurd-compat.patch: some minor compatibility tweaks for hurd
* d/rules compat work:
- ceph is linux-only like glusterfs
- d/rules: add another conditional, with_snapper
- combine linux features into single block
* d/rules: support "terse" build option for non-verbose build
* d/rules: remove third_party/heimdal/lib/gssapi/gssapi.h before build
(Closes: #1013205). This fixes -I path order and <gssapi/gssapi.h>
include mess which caused samba to FTBFS on sparc64 for quite some time
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 06 Nov 2022 20:13:19 +0300
samba (2:4.17.2+dfsg-8) unstable; urgency=medium
* d/rules: do not explicitly enable quotas on non-linux:
enable everything interesting on linux explicitly and let ./configure
to figure it out in other systems. This should fix FTBFS problem on hurd.
* d/rules: do not disable systemd on non-linux, let ./configure figure it out
* d/winbind.postinst: switch addgroup => groupadd and eliminate getent.
winbind package never declared dependency on adduser but always used
addgroup command in its postinst script. Finally this broke piuparts.
Switch to groupadd which is even easier to use.
* d/samba.postinst: switch addgroup => groupadd and eliminate getent
* d/smb.conf: use useradd in example create user script too
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 03 Nov 2022 15:04:46 +0300
samba (2:4.17.2+dfsg-7) unstable; urgency=medium
* another way to work around #1013259: provide a compatibility symlink
libndr.so.2 pointing to libndr.so.3:
- libndr-debug-level-compat.diff, libndr-revert-so3.diff: remove
- d/samba-libs.symbols: adjust symbols/versions
- d/samba-libs.install: libndr.so.2 => libndr.so.3
- d/samba-libs.links: provide the compat libndr.so.2 symlink
* d/samba-libs.links: add comments describing libndr.so.N issue
* d/samba-libs.links: add libndr.so.1 compat symlink too (for bullseye sssd)
* d/control: unbreak bullseye/jammy sssd-ad-common, sssd-ad, sssd-ipa
by samba-libs once libndr.so.1 compat link is here
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 20:43:53 +0300
samba (2:4.17.2+dfsg-6) unstable; urgency=medium
* d/control: fix comment in previous upload
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 10:45:26 +0300
samba (2:4.17.2+dfsg-5) unstable; urgency=medium
* d/control: bump version of broken-by-samba-libs sssd
and add more affected sssd packages;
also reformat the comment there so dpkg-gencontrol does not complain
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 02 Nov 2022 09:34:10 +0300
samba (2:4.17.2+dfsg-4) unstable; urgency=medium
* d/control: stop suggesting old/orphaned/gone-upstream smbldap-tools
* libndr work (Closes: #1013259):
- d/control: samba-libs breaks bullseye sssd-ad due to libndr.so.1=>.2 bump
- d/samba-libs.install: be more explicit about sonames of public libs
to catch soname changes
- libndr-debug-level-compat.diff, libndr-revert-so3.diff: revert
libndr.so.2->3 soname bump by providing compat wrapper for new symbol
- d/samba-libs.symbols: provide symbols for libndr.so.2
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 01 Nov 2022 12:53:22 +0300
samba (2:4.17.2+dfsg-3) unstable; urgency=low
* rebase on top of debian 4.16.6+dfsg-6 release, include some
history of 4.17.* experimental releases in changelog
* d/samba-libs.lintian-overrides: update package-name-doesnt-match-sonames
to match all libs
* urgency is set to low to delay unstable->testing transition a bit
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 30 Oct 2022 16:23:51 +0300
samba (2:4.17.2+dfsg-2) experimental; urgency=medium
* d/rules: stop dh_installpam from installing samba.pam
to the samba package (Closes: #1022775, #1022776)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 20:13:53 +0300
samba (2:4.17.2+dfsg-1) experimental; urgency=medium
* upstream 4.17.2 security release:
CVE-2022-3592 A malicious client can use a symlink to escape the exported
directory. https://www.samba.org/samba/security/CVE-2022-3592.html
(Samba 4.17 only)
* Remove poptGetArg-misuse-fixes-1022826.diff (applied to 4.17.2)
* d/rules: no need to build compile_et,asn1_compile intermediate targets
anymore; also remove now-unused ${WAFv} macro
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 14:30:44 +0300
samba (2:4.17.1+dfsg-1) experimental; urgency=medium
* new upstream bugfix release containing a security fix:
* CVE-2021-20251 Bad password count not incremented atomically.
* Merge changes from 4.16.x (debian/master) branch.
* use-bzero-instead-of-memset_s.diff : use explicit_bzero() instead of
bzero() for the substitute of memset_s(). bzero() is wrong here because
it, just like memset, can be optimized out by the compiler.
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 19 Oct 2022 21:34:11 +0300
samba (2:4.17.0+dfsg-2) experimental; urgency=medium
* mention closing of CVE-2022-32743 by the 4.17.0 upload
* mention closing of CVE-2022-1615 by the 4.17.0 upload
* move libpac-samba4.so.0 from samba to samba-libs (Closes: #1021450)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 08 Oct 2022 23:00:05 +0300
samba (2:4.17.0+dfsg-1) experimental; urgency=medium
* new upstream release 4.17.0
Closes: CVE-2022-1615
Closes: #1021022, CVE-2022-32743
* removed: spelling.patch (partially applied upstream)
* removed: weak-crypto-allowed-clarify.diff (applied upstream)
* refresh: ctdb-create-piddir.patch
* refresh: fix-nfs-service-name-to-nfs-kernel-server.patch
* d/control: update minimum versions for talloc/tevent/tdb
* d/rules: do not install ctdb.service, it is installed by upstream now
* d/ctdb.install: do not install ctdb_wrapper (not used anymore)
* d/libldb2.symbols, d/d/python3-ldb.symbols.in: new versions: 2.6.0 2.6.1
per upstream, re-version symbols added in 2.5.2 as added in 2.6.1
(ldb users needs to be recompiled anyway after updating libldb)
* new: spelling.patch: a few more spelling fixes
* d/control: bump Standards-Version to 4.6.1 (no changes)
* Remove dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch
(included in 4.17.0 already)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 13 Sep 2022 20:47:05 +0300
samba (2:4.16.6+dfsg-6) unstable; urgency=medium
* d/rules: use the right dir for dh_shlibdeps -l (long-standing issue)
* rewrite shlibs/symbols-generating file d/genshlibs, make whole process
much more clean and strighforward, and 10x times faster too
* debian/libnss-winbind.triggers: activate ldconfig trigger
* add debian/samba-libs.symbols with libsmbldap library
* d/samba.examples: do not install smbadduser: csh considered harmful
* d/rules: remove long-unused commented-out override_dh_perl-arch
* d/samba.lintian-overrides: *docs-outside-share-doc usr/share/samba/setup/
* d/genshlibs: add the forgotten mkdir for d/$pkg/DEBIAN
* remove static/fixed branding d/patches/VERSION.patch
* d/rules: implement dynamic branding of VERSION file based on dpkg-vendor
* d/rules: simplify package interdependency checking rules
* d/rules: add a lot more interpackage dependency checks
* d/NEWS: merge it into d/samba.NEWS (removes several lintian warnings)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 29 Oct 2022 08:28:53 +0300
samba (2:4.16.6+dfsg-5) unstable; urgency=medium
* move samba:idmap_script.8.gz and samba-libs:idmap_rfc2307.8.gz manpages to
winbind package where they belong and where actual idmap modules lives.
(install all idmap_*.8 manpages to winbind package)
* d/rules: install pam.d/samba with mode 0644, not 0755
* many lintian-override updates:
- source: ctdb/doc/*.html actually has sources
- source: +very-long-line-length-in-source-file * (for generated files)
- source: +debian-control-has-unusual-field-spacing Breaks
- winbind: +spare-manual-page for module manpages
- *: update some overrides for new lintian
- libpam-winbind: +spare-manual-page pam_winbind.8
- libldb2: +package-contains-empty-directory .../ldb/modules/ldb/
- *: +hardening-no-fortify-functions for some simple shared libs
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 26 Oct 2022 22:27:00 +0300
samba (2:4.16.6+dfsg-4) unstable; urgency=medium
* poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse
for popt-1.9 (Closes: #1022826)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 26 Oct 2022 19:45:38 +0300
samba (2:4.16.6+dfsg-3) unstable; urgency=medium
* d/rules: stop dh_installpam from installing samba.pam
to the samba package (Closes: #1022775, #1022776)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 20:13:53 +0300
samba (2:4.16.6+dfsg-2) unstable; urgency=medium
* d/rules: pam.d/samba should go to /etc, not /
* d/README.source.md: it is README.source.md not README.source
* d/control: bump Standards-Version to 4.6.1 (no changes)
* d/rules: verify that samba-libs does not depend on samba
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 13:55:33 +0300
samba (2:4.16.6+dfsg-1) unstable; urgency=medium
* new upstream security release 4.16.6, fixing:
CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
* use explicit_bzero() instead of bzero() for the substitute of memset_s()
* d/rules: make it a bit more consistent with other samba packages
* d/rules: stop exporting ${PYTHON}
* a bunch of ubuntu-related changes:
- d/rules: omit glusterfs on ubuntu-i386
- apply Ubuntu changes to smb.conf at install time (d/smb.conf.ubuntu.diff)
- d/tests/: ensure io_uring module is built before testing it
- d/rules: inline parallel check from dpkg/buildopts.mk
(buildopts.mk does not exist on ubuntu 20.04 focal)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 25 Oct 2022 12:48:20 +0300
samba (2:4.16.5+dfsg-2) unstable; urgency=medium
[ Michael Tokarev ]
* d/tests/util: use printf for formatting password for smbpasswd,
not non-standard echo \n (mr !60)
* introduce LDB_2.4.4 version symbol (Closes: #1021371)
Create an empty ABI file just to make the scripts run during the build
stage to introduce LDB_2.4.4 version symbol into libldb.so, and remove
this empty file in the clean target. It is a bit hackish but works fine.
This is only needed to upgrade from bullseye to bookworm, from
4.13.13+dfsg-1~deb11u5+ to the next release, 4.16+.
Remove this for bookworm+.
* dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch:
GnuTLS gnutls_rnd() can fail and give predictable random values.
Closes: #1021024, CVE-2022-1615
[ John Paul Adrian Glaubitz ]
* disable ceph support on ppc64 and x32 (Closes: #1020781, #1012165)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 08 Oct 2022 15:11:15 +0300
samba (2:4.16.5+dfsg-1) unstable; urgency=medium
* new (minor) upstream release 4.16.5
* removed fix-samba-tool-domain-join-segfault.patch (included upstream)
* d/gbp.conf: no need to filter orig.tar: uscan already does that
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 08 Sep 2022 12:44:38 +0300
samba (2:4.16.4+dfsg-2) unstable; urgency=medium
* d/libldb2.symbols: include newly added symbols
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 01 Aug 2022 15:43:11 +0300
samba (2:4.16.4+dfsg-1) unstable; urgency=high
* new upstream security release fixing:
o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
with changing passwords.
https://www.samba.org/samba/security/CVE-2022-2031.html
o CVE-2022-32742: Server memory information leak via SMB1.
https://www.samba.org/samba/security/CVE-2022-32742.html
o CVE-2022-32744: Samba AD users can forge password change requests
for any user.
https://www.samba.org/samba/security/CVE-2022-32744.html
o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
add or modify request.
https://www.samba.org/samba/security/CVE-2022-32745.html
o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
process with an LDAP add or modify request.
https://www.samba.org/samba/security/CVE-2022-32746.html
* Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744,
CVE-2022-32745, CVE-2022-32746
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 27 Jul 2022 18:35:53 +0300
samba (2:4.16.3+dfsg-1) unstable; urgency=medium
[ Michael Tokarev ]
* new upstream minor/bugfix releae. See WHATSNEW.txt for details.
* d/watch: add the forgotten repacksuffix=+dfsg
[ Andreas Hasenack ]
* update nfs configuration examples for ctdb
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Jul 2022 17:15:07 +0300
samba (2:4.16.2+dfsg-1) unstable; urgency=medium
* new upstream minor/bugfix release.
* removed waf-add-support-for-GNU-kFreeBSD.patch (applied upstream)
* new minor version of libldb
(no code changes, just the build system update to support python 3.11)
* move samba-dcerpcd from samba package to samba-common-bin due to winbind
New in 4.16 samba-dcerpcd binary is used by smbd and winbind, so putting
it to samba package makes winbind unable to run it without samba.
For now, in order to fix this issue, move this binary from samba to
samba-common-bin package. It might be worth creating its own package
for this binary (or maybe some more binaries), once it is clear where
upstream is going to. Making this binary a part of samba-common-bin
adds some more files to smbclient-only setup.
(Closes: #1012240)
* remove mksmbpasswd script and manpage: we have smbpasswd whcih can add
entries to smbpasswd file if needed, and can handle other passwod storage
formats too
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 13 Jun 2022 19:08:44 +0300
samba (2:4.16.1+dfsg-8) unstable; urgency=medium
* fix the Breaks/Replaces versions in the previous upload for moving
libsamba-utils.so, and use the same Breaks/Replaces for the -dev
packages too
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 07 Jun 2022 14:11:09 +0300
samba (2:4.16.1+dfsg-7) unstable; urgency=medium
* drop libunwind-dev build dependency again: it turned out the
internal stack unwind is better anyway
* move libsamba-utils.so and its dependencies from libwbclient0
into samba-libs. In the past, libwbclient were built using this
library, but it does not depend on libsamba-utils anymore
* d/control: libnss-winbind and libpam-winbind does not depend
on samba-common. None of the files in samba-common are used by
nss and pam modules; winbind does use them but not the modules.
* d/rules: add --with-sockets-dir=/run/samba (or else it was
/var/run/samba)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 07 Jun 2022 12:09:50 +0300
samba (2:4.16.1+dfsg-6) unstable; urgency=medium
* d/control: specify arch list for libunwind-dev build-dep to be the same
as for libunwind itself (it is not built on all architectures)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 29 May 2022 12:09:22 +0300
samba (2:4.16.1+dfsg-5) unstable; urgency=medium
* add-missing-libs-deps.diff: add missing dependencies for a few samba
libraries. Closes: #1010922
* point [printers] to /var/tmp/, stop shipping /var/spool/samba/.
For a long time, we shipped an alternative /var/tmp/ directory with mode
01777 (so that anyone can use it to store files) but without the same setup
as for regular /var/tmp/ (in particular, without removing old files and
since it is not a usual place to store temp files, no one actually looked
at it the same way someone would take care of /var/tmp/. Change smb.conf
to use /var/tmp/ instead of /var/spool/samba/. In the postinst script,
remove /var/spool/samba/, check if it is still used in smb.conf,
and create a compatibility symlink pointing to tmp/, suggesting changing
smb.conf. And remove this compat symlink in postrm.
This probably can be accomplished by a debconf question, but the
thing is complicated by the fact that smb.conf might be upgrading
too at the same time.
* debian/patches/weak-crypto-allowed-clarify.diff: update
* testparm-do-not-fail-if-pid-dir-does-not-exist.patch: also cover samba-tool
testparm too, not only regular stand-alone testparm.
* fix-samba-tool-domain-join-segfault.patch: fix segfault when joining an
AD-DC domain using samba-tool join.
* d/rules: enable --with-profilig-data to build samba with profiling
collection (if set in smb.conf)
* d/control: add libunwind-dev to build-deps, to compile in stack backtrace
logging in case of crash
* d/control: stop build-conflicting with now-unused libtracker-miner-2.0-dev
* d/control: stop build-conflicting with libtracker-sparql-2.0-dev: there's
no point in explicitly disabling libtracker-sparql support (bullseye-only
for now anyway)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 28 May 2022 22:50:43 +0300
samba (2:4.16.1+dfsg-4) unstable; urgency=medium
[ Michael Tokarev ]
* fix spelling in disable-setuid-confchecks.patch
* d/NEWS: split it into different $package.NEWS files
* d/upstream/metadata: add Bug-Database
* d/samba.postinst: create sambashare group and usershare directory
on new install only
* libldb2: provide compat symlinks for bullseye ldb modules dir
* d/rules: provide Build-Depends-Package: for python3-ldb
* samba-vfs-modules.lintian-overrides: add spare-manual-page vfs_*.8 override
* winbind.lintian-overrides: add spare-manual-page idmap_*.8 override
[ Arnaud Rebillout ]
* Fix patch testparm-do-not-fail-if-pid-dir-does-not-exist (Closes: #1010835)
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 11 May 2022 09:50:03 +0300
samba (2:4.16.1+dfsg-3) unstable; urgency=medium
* fix ldb package version generation in d/make_shlibs
which was wrong in 2 previous uploads.
Will I *ever* make it actually work someday?
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 18:32:24 +0300
samba (2:4.16.1+dfsg-2) unstable; urgency=medium
* rethink ldb version *again*, to be 2.5.0+smb4.16.1-2
or else 2.5.0+smb-1 from samba-4.16.1-2 sorts before
2.5.0+smb-7 from samba-4.16.0-7.
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 17:02:16 +0300
samba (2:4.16.1+dfsg-1) unstable; urgency=medium
* new upstream minor release 4.16.1
* move-msg.sock-from-var-lib-samba-to-run-samba.patch:
move /var/lib/samba/private/msg.sock/ to /run/samba/msg.sock/.
This is a (private) socket directory for IPC, it should not be in /var.
* Remove /var/lib/samba/private/msg.sock/ in postinst
* testparm-do-not-fail-if-pid-dir-does-not-exist.patch:
testparm deliberately fails if /run/samba does not exist,
while testparam itself does not use it and daemons will
create it on demand. Just make it a warning instead of a
fatal error, and we'll not need to pre-create this dir
in a random place using hackish ways
* ctdb-create-piddir.patch: create /run/ctdb/ in ctdb.service
and ctdb.init before invoking ctdbd (as the latter does not
create its pid directory on demand).
* stop (ab)using tmpfiles.d to pre-create /run/samba/ and /run/ctdb/
and stop creating /run/samba/ in samba-common-bin.postinst just to
make testparam happy.
* d/rules: minor tweaks
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 02 May 2022 13:16:12 +0300
samba (2:4.16.0+dfsg-7) unstable; urgency=medium
* another bunch of small tweaks to d/rules:
- set SHELL to /bin/sh -e
- rework the clean target
- provide fast replacement of architecture.mk
- better expression for DEB_REVISION
- rearrange configure options
* do not disable glusterfs on ubuntu-i386 (glusterfs is now in main)
* mention closing of #1001053 by the 4.16 upload
* change the ldb version string again, removing te "+samba*" suffix
to allow bin-NMUs +b1 (Closes: #1010100)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 24 Apr 2022 16:56:34 +0300
samba (2:4.16.0+dfsg-6) unstable; urgency=medium
* another attempt to fix/work around #221618. Re-enable
libsmbclient-ensure-lfs-221618.patch and change it to just define
an extra type array int[sizeof(off_t)-7]. If off_t is small it will
become a compile error. It is an ugly way to do it, but it should
actually work, unlike various static_assert/_Static_assert which are
language (C/C++) and standard-dependent. Closes: #221618.
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 17:27:09 +0300
samba (2:4.16.0+dfsg-5) unstable; urgency=medium
* disable libsmbclient-ensure-lfs-221618.patch for now.
It throws errors in one or another configuration no matter what.
Repoens: #221618
* d/salsa-ci.yml: re-allow blhc salsa-ci test to fail again
due to different bug in blhc
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 16:33:57 +0300
samba (2:4.16.0+dfsg-4) unstable; urgency=medium
* libsmbclient-ensure-lfs-221618.patch: replace _Static_assert with
static_assert (and include <assert.h> to make C++ happy too
(Closes: #1009211)
* disable-setuid-confchecks.patch: when running configure tests,
samba tries to verify setuid/setgid etc calls are actually
*working*, not just exists. This is only possible when the
configure is running as root. But it turns out in some salsa-ci
configuration (namely in the reprotest), the second build is
actually running as root, and in that environment, actual
setegid call is failing somehow. Just disable the config-time
check for correctly working setgid and assume it "just works"
if present, exactly like non-root build will do.
* d/salsa-ci.yml: do not expect failure in blhc test (the original
prob has been fixed long ago), and stop requiring experimental
* mention closing of #999876 by 4.16
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 09 Apr 2022 00:42:38 +0300
samba (2:4.16.0+dfsg-3) unstable; urgency=medium
* d/control: comment out the selftest-mode build deps for now
* d/control: forgotten python3-samba:Replaces against samba package too,
not just samba-libs, when moving dckeytab python lib (Closes: #1009175)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 08 Apr 2022 10:18:23 +0300
samba (2:4.16.0+dfsg-2) unstable; urgency=medium
* use strict versioned dependency between samba-dsdb-modules and libldb2,
since they're tied to each other and are now built from the same source
* fix forgotten shlib symbols generation for python3-ldb
* change libldb versioning scheme
from ldb_2:2.5.0+samba4.16.0-1
to ldb_2:2.5.0-1+samba4.16.0
so that symbols versioning works correctly. Unfortunately the previous
upload to experimental used the first form which is greather than the
correct one, so temporarily (just for this 2.5.0 version of ldb) use
this: ldb_2:2.5.0+smb-1+samba4.16.0
(with "+smb" suffix to be removed for 2.5.1+)
* exclude samba-vfs-modules for i386 ubuntu build since this package
is useless without samba itself (which is not built on this environment)
* create selftest rules and add !nocheck build-dependencies
(but do not enable selftests for now as they're failing)
* split build system into -arch and -indep parts. We build only one arch-all
package (samba-common) which contains only static files from debian/,
there's no need to build whole samba to build this package.
Move almost all Build-Depends to Build-Depends-Arch (and reindent them).
* various updates to d/rules
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 07 Apr 2022 09:56:56 +0300
samba (2:4.16.0+dfsg-1) experimental; urgency=medium
* New upstream major release.
Closes: #1004690, CVE-2021-20316: Fileserver symlink metadata share escape
Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape
Closes: #1004692, CVE-2021-44141: UNIX extensions in SMB1 disclose whether
the outside target of a symlink exists
Closes: #1005642 (windows client data corruption due to cache poisoning)
Closes: #1001053 (MIT-kerberos config broken after fix for CVE-2020-25717)
Closes: #988197 (legacy printing support, 47d79d7e7e406f7dd2)
Closes: #998423 (coredump connecting from macos to shares with var substs)
Closes: #999876 (winbind allow trusted domains = no regression)
* Notable changes in 4.16 series compared to 4.13:
- modular VFS (see The_New_VFS.txt)
- publishing printers in AD is more complete
- group policies for winbindd cilents (like linux systems)
- certificate auto enrollement in AD group policy
- large list of improvements in samba-tool
- SMB1 protocol has been deprecated, some subcommands has been removed
- more consistend options/subcommands in samba commands
* d/rules: export PYTHONHASHSEED=1. This makes lots of sporadic build-time
debian-specific failures to go away, by preserving order of waf hashes
* refresh patches, update build-depend versions (talloc, tdb, tevent)
* refresh lintian-overrides files, add many new overrides
* build-depend on python3-markdown
* build-depend on libjson-perl for new heimdal bits
* more consistent internal lib naming; refresh file lists everywhere
* samba: install new rpc_* services, install samba-dcerpc
* refresh symbols files
* build libldb from samba sources, not from separate source
(this moves ldb plugins from /usr/lib/$triple/ldb/plugin/ldb/ to
/usr/lib/$triple/samba/ldb/ - the same where dsdb modules are).
* optimizations for d/make_shlibs; also allow one to specify explicit
version for some packages
* as per clarifications for waf --{bundled,builtin}-libraries, remove
now-wrong usage there. This also fixes build failures with current
samba sources
* d/rules: various optimizations to reduce startup costs by eliminating
unnecessary external command calls during d/rules read by make.
Including caching of LDB version information in d/ldb-version.mk file.
This does not affect the buildd processing much (and does not affect
runtime at all), but helps with build procedure debugging.
* d/rules: numerous small fixes, cleanups and other changes, including:
- clean up the install target
- remove some now-irrelevant parts
- fix no-glusterfs-build on non-linux
* change build procedure: instead of `waf build', run `waf install'.
`waf build' builds samba to be run from the build dir, and `waf install'
rebuilds/relinks everything again for production. Build the production
variant only, no build-dir one.
* samba-common-bin.postinst: explicitly mkdir /run/samba before invoking
samba binaries (Closes: #953530)
* in the salsa git repository of samba, stop keeping debian patches in
applied form, keep them in d/patches/ only as most other packages do.
* move single python (helper) module, libsamba-policy, together with
2 internal libraries used by it, from samba-libs package to python3-samba.
This makes samba-libs to be free from python-related files, and makes
python3-samba to be the only python-providing package.
Closes: #1006875, #878612, #862338
* also move dckeytab python module from samba to python3-samba
(actually stop moving it from python3-samba to samba to incorrectly
avoid a circular dependency). Also verify that python3-samba does
not depend on samba package.
* weak-crypto-allowed-clarify.diff: clarify "weak crypto is allowed"
testparm message (Closes: #975882)
* spelling.patch: fix many common spelling mistakes in the source
* ctdb: simplify/cleanup instllation of READMEs/examples
* d/control: remove breaks/replaces/depends on ancient versions of some
packages (ancient dpkg version in Pre-Depends, ancient samba-libs)
* d/rules: rework wrong shlibdeps handling
* move helper programs from /usr/lib/$multiarch/ to /usr/libexec/
where they belongs. This should not affect users.
* smbclient: re-do the fix for an old bug, #221618. The original "fix"
did not fix anything (it is too late already to #define _FILE_OFFSET_BITS
when all types has already been defined). From now on, raise an error
if off_t is less than 64bits (it should >=64 when #include'ing
<libsmbclient.h> with proper LFS defines). In theory this can break
some sources which either included libsmbclient.h without a reason or
which didn't use any of the functions which deals with off_t (smbc_lseek
etc), - which did not explicitly enable LFS on a 32bit system.
Please email us if you faced such situation.
* drop 07_private_lib patch: we do not need to force rpath for
private libraries into every samba binary, upstream build system
does a good job here.
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 05 Apr 2022 16:01:25 +0300
samba (2:4.13.14+dfsg-1) unstable; urgency=high
* New upstream security release in order to address the following defects:
- CVE-2016-2124: don't fallback to non spnego authentication if we require
kerberos
- MS CVE-2020-17049 in Samba: 'Bronze bit' S4U2Proxy Constrained Delegation
bypass
- CVE-2020-25717: A user on the domain can become root on domain members
- CVE-2020-25718: An RODC can issue (forge) administrator tickets to other
servers
+ Bump build-depends ldb >= 2.2.3
- CVE-2020-25719: AD DC Username based races when no PAC is given
- CVE-2020-25721: Kerberos acceptors need easy access to stable AD
identifiers (eg objectSid)
- CVE-2020-25722: AD DC UPN vs samAccountName not checked (top-level bug
for AD DC validation issues)
- CVE-2021-3738: crash in dsdb stack
- CVE-2021-23192: dcerpc requests don't check all fragments against the
first auth_state
+ Update d/samba-libs.install for libdcerpc-pkt-auth.so.0
* Add patch to fix "allow trusted domains"
* Bump ldb build-depends to 2.2.3
* Update d/samba-libs.install
-- Mathieu Parent <sathieu@debian.org> Tue, 09 Nov 2021 20:53:03 +0100
samba (2:4.13.13+dfsg-1) unstable; urgency=high
[ Athos Ribeiro ]
* Add autopkgtest to verify tmpfiles setup (LP: #1905387)
- d/t/reinstall-samba-common-bin: make sure /run/samba is created
by the samba-common-bin installation process (postinst script)
- d/t/control: run new reinstall-samba-common-bin test case
[ Paride Legovini ]
* samba.postinst: do not populate sambashare from the Ubuntu admin group
(LP: #1942195)
[ Mathieu Parent ]
* New upstream version
- Remove CVE-2021-20254.patch
- Bump build-depends ldb >= 2.2.0
* libwbclient0: Add Breaks+Replaces: libsamba-util0 (<< 2:4.0.0)
(Closes: #988170)
-- Mathieu Parent <sathieu@debian.org> Mon, 01 Nov 2021 08:59:20 +0100
samba (2:4.13.5+dfsg-2) unstable; urgency=high
* CVE-2021-20254: Negative idmap cache entries can cause incorrect group
entries in the Samba file server process token (Closes: #987811)
* Add Breaks+Replaces: samba-dev (<< 2:4.11) (Closes: #987209)
-- Mathieu Parent <sathieu@debian.org> Thu, 06 May 2021 21:09:29 +0200
samba (2:4.13.5+dfsg-1) unstable; urgency=medium
* New upstream version (Closes: #984863)
-- Mathieu Parent <sathieu@debian.org> Sat, 13 Mar 2021 08:31:27 +0100
samba (2:4.13.4+dfsg-1) unstable; urgency=medium
* New upstream version
- GPG signature has changed
- Update samba-libs.install
- Update symbols
* Never use priority high when asking for DHCP integration (Closes: #981554)
* Sync CTDB patches with Ubuntu:
- Add "ctdb-config: enable syslog by default"
- Update "fix nfs related service names"
* d/rules: Ubuntu specifics
- No Ceph on i386
- Disable some i386 packages
- No GlusterFS
-- Mathieu Parent <sathieu@debian.org> Tue, 09 Feb 2021 22:26:43 +0100
samba (2:4.13.3+dfsg-1) unstable; urgency=medium
[ Andreas Hasenack ]
* d/control: enable the liburing vfs module (Closes: #976854)
* Add new DEP8 tests for the uring vfs module
* Factor out common DEP8 test code into d/t/util and change the tests to
source from it
* Add set -x and set -e to DEP8 tests
[ Mathieu Parent ]
* liburing-dev is linux-any
* New upstream version
-- Mathieu Parent <sathieu@debian.org> Wed, 16 Dec 2020 18:23:09 +0100
samba (2:4.13.2+dfsg-3) unstable; urgency=medium
* Ensure systemd-tmpfiles is called before testparm (Closes: #975422)
* Only check configuration on configure step
-- Mathieu Parent <sathieu@debian.org> Sun, 22 Nov 2020 10:44:51 +0100
samba (2:4.13.2+dfsg-2) unstable; urgency=medium
* Upload to unstable
-- Mathieu Parent <sathieu@debian.org> Wed, 18 Nov 2020 20:34:51 +0100
samba (2:4.13.2+dfsg-1) experimental; urgency=medium
* New upstream major version
- Update d/gbp.conf, d/watch and d/README.source for 4.13
- Update patches
- Bump build-depends ldb >= 2.2.0
- Install new files
- Update symbols
* Includes the following security fixes:
- CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
(Closes: #973400)
- CVE-2020-14323: Unprivileged user can crash winbind (Closes: #973399)
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
easily crafted records (Closes: #973398)
- CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon")
(Closes: #971048)
* Includes the following fixes:
- Fixes "samba_dnsupdate gives depreacation warnings" (Closes: #973957)
- s3: libsmbclient.h: add missing time.h include (Closes: #946840)
* Remove unused python3-crypto dependency (Closes: #971292)
* Enable Spotlight with ES backend (Closes: #956096, #956482)
* Standards-Version: 4.5.0
* Add missing Build-Depends-Package in libsmbclient.symbols and
libwbclient0.symbols
* d/copyright: Fix duplicate-globbing-patterns
* Remove outdated/malformed lintian overrides
* d/winbind.logrotate: Only reload winbindd when running (Closes: #946821)
* Bump to debhelper compat 13
* Add another library-not-linked-against-libc override
-- Mathieu Parent <sathieu@debian.org> Thu, 12 Nov 2020 11:23:01 +0100
samba (2:4.12.5+dfsg-3) unstable; urgency=high
* Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump
(Closes: #963971)
* Add patch traffic_packets: fix SyntaxWarning: "is" with a literal
(Closes: #964165)
* Add patch Rename mdfind to mdsearch (Closes: #963985)
-- Mathieu Parent <sathieu@debian.org> Sat, 04 Jul 2020 23:57:59 +0200
samba (2:4.12.5+dfsg-2) unstable; urgency=high
* Add missing symbol (path_expand_tilde)
-- Mathieu Parent <sathieu@debian.org> Thu, 02 Jul 2020 15:27:25 +0200
samba (2:4.12.5+dfsg-1) unstable; urgency=high
* New upstream security release:
- CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD
DC LDAP Server with ASQ, VLV and paged_results
- CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU
- CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
paged_results and VLV.
- CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
- Bump build-depends ldb >= 2.1.4
-- Mathieu Parent <sathieu@debian.org> Thu, 02 Jul 2020 14:03:36 +0200
samba (2:4.12.3+dfsg-2) unstable; urgency=medium
* Upload to unstable
-- Mathieu Parent <sathieu@debian.org> Sun, 28 Jun 2020 11:45:14 +0200
samba (2:4.12.3+dfsg-1) experimental; urgency=medium
* New upstream major version (Closes: #963106)
- Update d/gbp.conf, d/watch and d/README.source for 4.12
- Drop merged patches
- Bump build-depends talloc >= 2.3.1, tdb >= 1.4.3, tevent >= 0.10.2 and
ldb >= 2.1.3
- Upstream fixes:
+ pygpo: use correct method flags
(Closes: #963242, #961585, #960171, #956428)
+ CVE-2020-10700: A use-after-free flaw was found in the way samba AD DC
LDAP servers, handled 'Paged Results' control is combined with the 'ASQ'
control. A malicious user in a samba AD could use this flaw to cause
denial of service (Closes: #960189)
+ CVE-2020-10704: A flaw was found when using samba as an Active Directory
Domain Controller. Due to the way samba handles certain requests as an
Active Directory Domain Controller LDAP server, an unauthorized user can
cause a stack overflow leading to a denial of service. The highest
threat from this vulnerability is to system availability
(Closes: #960188)
- intel aes-ni no more needed as GnuTLS is used
- Install new files
- Update symbols
- Update samba-libs.lintian-overrides
* d/control: Remove unused libattr1-dev Build-Depends (Closes: #953915)
-- Mathieu Parent <sathieu@debian.org> Wed, 24 Jun 2020 23:12:11 +0200
samba (2:4.11.5+dfsg-1) unstable; urgency=medium
* New upstream security release
- CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
Directory not automatic.
- CVE-2019-14907: Crash after failed character conversion at log level 3 or
above.
- CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
- Bump build-depends ldb >= 2.0.8
-- Mathieu Parent <sathieu@debian.org> Tue, 28 Jan 2020 07:19:46 +0100
samba (2:4.11.3+dfsg-1) unstable; urgency=high
* New upstream security release
- Drop merged patches for previous security fixes
- CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management
server by creating records with matching the zone name.
- CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was
not being applied when processing protocol transition requests (S4U2Self),
in the AD DC KDC.
* d/control: drop python3-matplotlib
* d/control: Fix stronger-dependency-implies-weaker
(samba depends -> recommends python3-dnspython)
-- Mathieu Parent <sathieu@debian.org> Mon, 16 Dec 2019 09:47:45 +0100
samba (2:4.11.1+dfsg-3) unstable; urgency=medium
* Add some python dependencies:
- python3-matplotlib : samba-tool visualize
- python3-markdown : samba-tool domain schemaupgrade
- python3-dnspython : samba-tool dns
* Only build with default python3 (Closes: #943635)
-- Mathieu Parent <sathieu@debian.org> Sun, 17 Nov 2019 14:48:02 +0100
samba (2:4.11.1+dfsg-2) unstable; urgency=high
* New upstream security release
- CVE-2019-10218: Malicious servers can cause Samba client code to return
filenames containing path separators to calling code.
- CVE-2019-14833: When the password contains multi-byte (non-ASCII)
characters, the check password script does not receive the full password
string.
-- Mathieu Parent <sathieu@debian.org> Fri, 18 Oct 2019 20:26:45 +0200
samba (2:4.11.1+dfsg-1) unstable; urgency=medium
* New upstream release
-- Mathieu Parent <sathieu@debian.org> Fri, 18 Oct 2019 19:00:46 +0200
samba (2:4.11.0+dfsg-11) unstable; urgency=medium
* Stop building with spotlight support which pulls glib (Closes: #941654)
* Force quota support (Closes: #941899)
* Standards-Version: 4.4.1, no change
-- Mathieu Parent <sathieu@debian.org> Mon, 14 Oct 2019 12:16:04 +0200
samba (2:4.11.0+dfsg-10) unstable; urgency=medium
* Add libwbclient-dev to samba-dev depends as samba-util was moved there
(Closes: #941750)
-- Mathieu Parent <sathieu@debian.org> Sat, 05 Oct 2019 15:57:07 +0200
samba (2:4.11.0+dfsg-9) unstable; urgency=medium
* Remove versioned depends on libtdb-dev (>= 2) and add libldb-dev (>= 2:2)
-- Mathieu Parent <sathieu@debian.org> Thu, 03 Oct 2019 19:08:17 +0200
samba (2:4.11.0+dfsg-8) unstable; urgency=medium
* d/gbp.conf: sign-tags = True
* Do not check smb.conf with testparm when server role=active directory domain
controller (Closes: #931734)
* Force one job during configure step with -j 1 (Closes: #941467).
Not setting -j leads to default which is number of cpus
-- Mathieu Parent <sathieu@debian.org> Thu, 03 Oct 2019 07:52:39 +0200
samba (2:4.11.0+dfsg-7) unstable; urgency=medium
* Always evaluate WAF_NO_PARALLEL to ensure correct value (Closes: #941467)
* This version is built with talloc from sid (Closes: #940963)
-- Mathieu Parent <sathieu@debian.org> Wed, 02 Oct 2019 20:45:24 +0200
samba (2:4.11.0+dfsg-6) unstable; urgency=medium
* Do not run waf configure in parallel. Fix FTBFS on arm (Closes: #941467)
-- Mathieu Parent <sathieu@debian.org> Tue, 01 Oct 2019 22:35:36 +0200
samba (2:4.11.0+dfsg-5) experimental; urgency=medium
* d/gitlabracadabra.yml: only_allow_merge_if_pipeline_succeeds: false
* Remove patches:
- "build: Remove tests for _readdir() and __readdir()"
- "build: Remove tests for rdchk()"
- "build: Remove tests for _pwrite() and __pwrite()"
* Add patches by Ralph Boehme:
- "wscript: remove all checks for _FUNC and __FUNC"
- "wscript: split function check to one per line and sort alphabetically"
-- Mathieu Parent <sathieu@debian.org> Mon, 30 Sep 2019 13:37:50 +0200
samba (2:4.11.0+dfsg-4) experimental; urgency=medium
* Use the same arches for librados-dev than libcephfs-dev (Fix missing
build-depends on alpha and sh4)
* Split vfsmods:Recommends substvar into
{vfsceph,vfsglusterfs,vfssnapper}:Recommends to make the code more readable
and fix FTBFS on linux platforms without ceph (hppa and sparc64, and also
alpha and sh4)
* Add patch for "build: Remove tests for _readdir() and _readdir()", to
hopefully fix FTBFS on armel
-- Mathieu Parent <sathieu@debian.org> Sun, 29 Sep 2019 09:29:03 +0200
samba (2:4.11.0+dfsg-3) experimental; urgency=medium
* Try to fix FTBFS on armel (armhf is fixed):
- Add patch for build: Remove tests for rdchk()
-- Mathieu Parent <sathieu@debian.org> Sat, 28 Sep 2019 22:17:04 +0200
samba (2:4.11.0+dfsg-2) experimental; urgency=medium
* d/gitlabracadabra.yml: Add samba-team/libsmb2
* Try to fix FTBFS on armel and armhf:
- Add patch for build: Remove tests for _pwrite() and __pwrite()
-- Mathieu Parent <sathieu@debian.org> Sat, 28 Sep 2019 11:47:56 +0200
samba (2:4.11.0+dfsg-1) experimental; urgency=medium
[ Mathieu Parent ]
* Upload to experimental
* New upstream major release
- Update d/gbp.conf, d/watch and d/README.source for 4.11
- Import upstream release
- Update fix-nfs-service-name-to-nfs-kernel-server.patch
- Bump build-depends talloc >= 2.2.0, tdb >= 1.4.2, tevent >= 0.10.0 and
ldb >= 2:2.0.7
- libsamba-passdb.so bumped to 0.28.0
- libnon-posix-acls is now a subsystem
- Drop libparse-pidl-perl package (Closes: #939419)
- Add new files to d/*.install
- Move libsamba-util.so.* to libwbclient0, to avoid circular dependencies
- Move libsamba-util deps to libwbclient0
* Add build-Remove-tests-for-getdents-and-getdirentries.patch, to fix FTBFS on
armel and armhf
* salsa-ci: Build on experimental
[ John Paul Adrian Glaubitz ]
* Disable cephfs support on architectures where it's not stable
(Closes: #940697)
[ Louis van Belle ]
* d/control, d/samba.install: added libtasn1-bin, libtasn1-6-dev to build
dumpmscat
* d/control, d/rules: Enable spotlight (TimeMachine)
* d/control: Bump libtdb-dev (>= 2) in samba-dev deps
* Update libwbclient0.symbols
* d/rules: adjust LDB_DEPENDS
-- Mathieu Parent <sathieu@debian.org> Thu, 26 Sep 2019 09:37:51 +0200
samba (2:4.10.8+dfsg-1) unstable; urgency=medium
* Upload to unstable
* New upstream release:
- CVE-2019-10197: Combination of parameters and permissions can allow user
to escape from the share path definition
-- Mathieu Parent <sathieu@debian.org> Tue, 10 Sep 2019 18:46:54 +0200
samba (2:4.10.7+dfsg-1) experimental; urgency=medium
[ Mathieu Parent ]
* New upstream release
- Update patches
- Drop nsswitch-Add-try_authtok-option-to-pam_winbind.patch, merged
- libsamba-passdb.so bumped to 0.27.2
- Update symbols
- Update installed files
* samba-libs: Fix Breaks+Replaces: libndr-standard0 (<< 2:4.0.9)
(Closes: #910242)
* Add missing Breaks+Replace found by piuparts (Closes: #929217)
* Enable vfs_nfs4acl_xattr (Closes: #930540)
* ctdb:
- enable ceph and etcd recovery lock
- Downgrade ctdb_mutex_ceph_rados_helper shlibdeps to recommends
* Add gitlabracadabra.yml
* Update salsa-ci.yml
[ Rafael David Tinoco ]
* debian/rules: Make DEB_HOST_ARCH_CPU initialized through dpkg-architecture
(Closes: #931138)
* CTDB NFS fixes from Ubuntu (Closes: #929931, LP: #722201):
- d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: change nfs service
name from nfs to nfs-kernel-server
- ctdb-config: depend on /etc/ctdb/nodes file
- d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d to
allow pid file to exist
- added /var/lib/ctdb/* directories
- d/ctdb.postrm: remove leftovers from /var/lib/ctdb/*
- Add examples of NFS HA CTDB config files + helper script
[ Mathieu Parent ]
* Update d/gbp.conf, d/watch and d/README.source for 4.10
* Drop ctdb-config-depend-on-etc-default-nodes-file.patch, merged upstream
* Bump build-depends talloc >= 2.1.16, tdb >= 1.3.18, tevent >= 0.9.39 and
ldb >= 2:1.5.5
* Bump libcmocka-dev builddep to 1.1.3
* d/rules: Remove 1.5.1+really prefix from LDB_DEPENDS
* d/copyright:
- s/GPL-3+/GPL-3.0+/ and s/LGPL-3+/LGPL-3.0+/
- Move License details to end of file
- Add waf licences
- Add lib/replace licences
- Update lib/{ldb,talloc,tdb} licences
* Move to Python3 (from Ubuntu)
* Bump debhelper from old 11 to 12.
* Standards-Version: 4.4.0
* Replace all reference of /var/run to /run (Closes: #934540)
* Replace python shbang by python3 in d/*.py
-- Mathieu Parent <sathieu@debian.org> Thu, 29 Aug 2019 14:32:52 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libtevent0t64`.
Generated by dwww version 1.16 on Tue Dec 16 11:18:08 CET 2025.