Accepted samba 2:3.6.6-6+deb7u12 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 31 Mar 2017 17:58:52 -0400
Source: samba
Binary: samba samba-common-bin samba-common samba-tools smbclient swat samba-doc samba-doc-pdf libpam-smbpass libsmbclient libsmbclient-dev winbind libpam-winbind libnss-winbind samba-dbg libwbclient0 libwbclient-dev
Architecture: source amd64 all
Version: 2:3.6.6-6+deb7u12
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
libnss-winbind - Samba nameservice integration plugins
libpam-smbpass - pluggable authentication module for Samba
libpam-winbind - Windows domain authentication integration plugin
libsmbclient - shared library for communication with SMB/CIFS servers
libsmbclient-dev - development files for libsmbclient
libwbclient-dev - Samba winbind client library - development files
libwbclient0 - Samba winbind client library
samba - SMB/CIFS file, print, and login server for Unix
samba-common - common files used by both the Samba server and client
samba-common-bin - common files used by both the Samba server and client
samba-dbg - Samba debugging symbols
samba-doc - Samba documentation
samba-doc-pdf - Samba documentation in PDF format
samba-tools - Samba testing utilities
smbclient - command-line SMB/CIFS clients for Unix
swat - Samba Web Administration Tool
winbind - Samba nameservice integration server
Changes:
 samba (2:3.6.6-6+deb7u12) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
     - CVE-2017-2619: symlink race permits opening files outside share directory
   * Cherry-pick the following upstream changes required for CVE-2017-2619:
     - s3: smbd: Maintain a back-pointer to the fsp in struct smb_Dir.
     - s3: vfs: Change vfs_dirsort.c from MALLOC -> TALLOC.
     - s3: vfs: Protect against early error in SMB_VFS_NEXT_READDIR.
     - s3: vfs: Use an index i rather than re-using a state variable.
     - s3: vfs: Protect open_and_sort_dir() from the directory changing size.
     - s3: vfs: Clean error paths in opendir and fd_opendir.
     - s3: vfs: Check SMB_VFS_NEXT_OPENDIR return in dirsort_opendir().
     - s3: vfs: Convert mtime from a time_t to a struct timespec.
     - s3: vfs: Remove the use of dirfd inside the vfs_dirsort.c.
   * CVE-2017-2619 requires the following changes:
     - s3: smbd: re-open directory after dptr_CloseDir()
     - s3: vfs: dirsort doesn't handle opendir of "." correctly.
     - s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same
       path as streams_xattr_recheck().
     - vfs_streams_xattr: use fsp, not base_fsp
     - s3: smbd: Create wrapper function for OpenDir in preparation for making
       robust.
     - s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
     - s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
     - s3: smbd: OpenDir_fsp() use early returns.
     - s3: smbd: OpenDir_fsp() - Fix memory leak on error.
     - s3: smbd: Move the reference counting and destructor setup to just before
       returning success.
     - s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported
       on system.
     - s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
     - s3: smbd: Move special handling of symlink errno's into a utility
       function.
     - s3: smbd: Add the core functions to prevent symlink open races.
     - s3: smbd: Use the new non_widelink_open() function.
   * The initial CVE-2017-2619 fix caused a regression when the configuration
     option "follow symlink = no" was set, requiring these changes:
     - s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496
       (CVE-2017-2619).
     - s3: smbd: Fix "follow symlink = no" regression part 2.
     - s3: smbd: Fix "follow symlink = no" regression part 2.
   * The regression fix was accompanied by these unit test changes/updates:
     - s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
     - s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
     - s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2