Bug#919712: stretch-pu: package samba/2:4.5.16+dfsg-1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Hello stable release team,
I want to upload a new version of samba on top of current stretch-security
(2:4.5.12+dfsg-2+deb9u4). The changelog is:
samba (2:4.5.16+dfsg-1) UNRELEASED; urgency=medium
* New upstream release (latest 4.5.x)
- Drop merged patches
* Fix CVE-2018-14629 regression when there're more than 20 records on a non
CNAME record.
* Fix rmdir on non-empty samba directory (Closes: #915248)
* Ignore nmbd start errors when there is no non-loopback interface
(Closes: #893762)
* Ignore nmbd start errors when there is no local IPv4 non-loopback interface
(Closes: #859526)
* s3:ntlm_auth: fix memory leak in manage_gensec_request() (Closes: #919611)
-- Mathieu Parent <sathieu@debian.org> Fri, 18 Jan 2019 07:35:15 +0100
The upstream changes are summarized in:
https://www.samba.org/samba/history/samba-4.5.13.html
The complete diff is too big, but can be obtained from the git repo:
git diff 9014cb5484b9fe550ce6547e05135626fbd5d179..faa8dd2a11501e75fee2aeeae4e943b0b17aa38c
See the attached diff of the debian directory.
I will 'dch --release' before upload. Is the version numbering correct? Should I
use stretch or stretch-security as dist?
Regards
Mathieu Parent
diff --git a/debian/changelog b/debian/changelog
index bbd5b90d9a3..a2f86eff095 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+samba (2:4.5.16+dfsg-1) UNRELEASED; urgency=medium
+
+ * New upstream release (latest 4.5.x)
+ - Drop merged patches
+ * Fix CVE-2018-14629 regression when there're more than 20 records on a non
+ CNAME record.
+ * Fix rmdir on non-empty samba directory (Closes: #915248)
+ * Ignore nmbd start errors when there is no non-loopback interface
+ (Closes: #893762)
+ * Ignore nmbd start errors when there is no local IPv4 non-loopback interface
+ (Closes: #859526)
+ * s3:ntlm_auth: fix memory leak in manage_gensec_request() (Closes: #919611)
+
+ -- Mathieu Parent <sathieu@debian.org> Fri, 18 Jan 2019 07:35:15 +0100
+
samba (2:4.5.12+dfsg-2+deb9u4) stretch-security; urgency=high
* New upstream security release
diff --git a/debian/patches/CVE-2018-14629-v4-5.patch b/debian/patches/CVE-2018-14629-v4-5.patch
index 5b1c52b30cc..79d8cf76666 100644
--- a/debian/patches/CVE-2018-14629-v4-5.patch
+++ b/debian/patches/CVE-2018-14629-v4-5.patch
@@ -191,3 +191,284 @@ index bef21f6bdaf..51a86198b54 100644
--
2.11.0
+From 6c73a2b3d77115d69f99baa2452d6539c697fc3b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 28 Nov 2018 15:21:56 +0100
+Subject: [PATCH 1/2] CVE-2018-14629 dns: fix CNAME loop prevention using
+ counter regression
+
+The loop prevention should only be done for CNAME records!
+
+Otherwise we truncate the answer records for A, AAAA or
+SRV queries, which is a bad idea if you have more than 20 DCs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dns_server/dns_query.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
+index 0c26f9f8fb5..19c4dc32faa 100644
+--- a/source4/dns_server/dns_query.c
++++ b/source4/dns_server/dns_query.c
+@@ -439,7 +439,8 @@ static struct tevent_req *handle_authoritative_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct dns_server *dns, const char *forwarder,
+ struct dns_name_question *question,
+- struct dns_res_rec **answers, struct dns_res_rec **nsrecs);
++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++ size_t cname_depth);
+ static WERROR handle_authoritative_recv(struct tevent_req *req);
+
+ struct handle_dnsrpcrec_state {
+@@ -455,7 +456,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ struct dns_server *dns, const char *forwarder,
+ const struct dns_name_question *question,
+ struct dnsp_DnssrvRpcRecord *rec,
+- struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++ size_t cname_depth)
+ {
+ struct tevent_req *req, *subreq;
+ struct handle_dnsrpcrec_state *state;
+@@ -471,7 +473,7 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ state->answers = answers;
+ state->nsrecs = nsrecs;
+
+- if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++ if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+@@ -516,7 +518,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ if (dns_authoritative_for_zone(dns, new_q->name)) {
+ subreq = handle_authoritative_send(
+ state, ev, dns, forwarder, new_q,
+- state->answers, state->nsrecs);
++ state->answers, state->nsrecs,
++ cname_depth + 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+@@ -600,6 +603,8 @@ struct handle_authoritative_state {
+
+ struct dns_res_rec **answers;
+ struct dns_res_rec **nsrecs;
++
++ size_t cname_depth;
+ };
+
+ static void handle_authoritative_done(struct tevent_req *subreq);
+@@ -608,7 +613,8 @@ static struct tevent_req *handle_authoritative_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct dns_server *dns, const char *forwarder,
+ struct dns_name_question *question,
+- struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++ size_t cname_depth)
+ {
+ struct tevent_req *req, *subreq;
+ struct handle_authoritative_state *state;
+@@ -626,6 +632,7 @@ static struct tevent_req *handle_authoritative_send(
+ state->forwarder = forwarder;
+ state->answers = answers;
+ state->nsrecs = nsrecs;
++ state->cname_depth = cname_depth;
+
+ werr = dns_name2dn(dns, state, question->name, &dn);
+ if (tevent_req_werror(req, werr)) {
+@@ -647,7 +654,8 @@ static struct tevent_req *handle_authoritative_send(
+ subreq = handle_dnsrpcrec_send(
+ state, state->ev, state->dns, state->forwarder,
+ state->question, &state->recs[state->recs_done],
+- state->answers, state->nsrecs);
++ state->answers, state->nsrecs,
++ state->cname_depth);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+@@ -679,7 +687,8 @@ static void handle_authoritative_done(struct tevent_req *subreq)
+ subreq = handle_dnsrpcrec_send(
+ state, state->ev, state->dns, state->forwarder,
+ state->question, &state->recs[state->recs_done],
+- state->answers, state->nsrecs);
++ state->answers, state->nsrecs,
++ state->cname_depth);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+@@ -1010,7 +1019,8 @@ struct tevent_req *dns_server_process_query_send(
+
+ subreq = handle_authoritative_send(
+ state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]),
+- &in->questions[0], &state->answers, &state->nsrecs);
++ &in->questions[0], &state->answers, &state->nsrecs,
++ 0); /* cname_depth */
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+@@ -1112,7 +1122,8 @@ static void dns_server_process_query_got_auth(struct tevent_req *subreq)
+ subreq = handle_authoritative_send(state, state->ev, state->dns,
+ state->forwarders->forwarder,
+ state->question, &state->answers,
+- &state->nsrecs);
++ &state->nsrecs,
++ 0); /* cname_depth */
+
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+--
+2.19.2
+
+
+From 77fac10d0171b731bce38e5596928b6d618ed4d8 Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Date: Fri, 30 Nov 2018 18:37:27 +1300
+Subject: [PATCH 2/2] CVE-2018-14629: Tests to expose regression from dns cname
+ loop fix
+
+These tests expose the regression described by Stefan Metzmacher in
+discussion on the bugzilla paged linked below.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+---
+ python/samba/tests/dns.py | 97 +++++++++++++++++++++++++++++++++++++++
+ selftest/knownfail.d/dns | 14 +++++-
+ 2 files changed, 109 insertions(+), 2 deletions(-)
+
+diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
+index 102269c7156..65e4a3b0b3f 100644
+--- a/python/samba/tests/dns.py
++++ b/python/samba/tests/dns.py
+@@ -918,6 +918,103 @@ class TestComplexQueries(DNSTest):
+ max_recursion_depth = 20
+ self.assertEquals(len(response.answers), max_recursion_depth)
+
++ # Make sure cname limit doesn't count other records. This is a generic
++ # test called in tests below
++ def max_rec_test(self, rtype, rec_gen):
++ name = "limittestrec{0}.{1}".format(rtype, self.get_dns_domain())
++ limit = 20
++ num_recs_to_enter = limit + 5
++
++ for i in range(1, num_recs_to_enter+1):
++ ip = rec_gen(i)
++ self.make_dns_update(name, ip, rtype)
++
++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++ questions = []
++
++ q = self.make_name_question(name,
++ rtype,
++ dns.DNS_QCLASS_IN)
++ questions.append(q)
++ self.finish_name_packet(p, questions)
++
++ response = self.dns_transaction_udp(p, host=self.server_ip)
++
++ self.assertEqual(len(response.answers), num_recs_to_enter)
++
++ def test_record_limit_A(self):
++ def ip4_gen(i):
++ return "127.0.0." + str(i)
++ self.max_rec_test(rtype=dns.DNS_QTYPE_A, rec_gen=ip4_gen)
++
++ def test_record_limit_AAAA(self):
++ def ip6_gen(i):
++ return "AAAA:0:0:0:0:0:0:" + str(i)
++ self.max_rec_test(rtype=dns.DNS_QTYPE_AAAA, rec_gen=ip6_gen)
++
++ def test_record_limit_SRV(self):
++ def srv_gen(i):
++ rec = dns.srv_record()
++ rec.priority = 1
++ rec.weight = 1
++ rec.port = 92
++ rec.target = "srvtestrec" + str(i)
++ return rec
++ self.max_rec_test(rtype=dns.DNS_QTYPE_SRV, rec_gen=srv_gen)
++
++ # Same as test_record_limit_A but with a preceding CNAME follow
++ def test_cname_limit(self):
++ cname1 = "cnamelimittestrec." + self.get_dns_domain()
++ cname2 = "cnamelimittestrec2." + self.get_dns_domain()
++ cname3 = "cnamelimittestrec3." + self.get_dns_domain()
++ ip_prefix = '127.0.0.'
++ limit = 20
++ num_recs_to_enter = limit + 5
++
++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++ num_arecs_to_enter = num_recs_to_enter - 2
++ for i in range(1, num_arecs_to_enter+1):
++ ip = ip_prefix + str(i)
++ self.make_dns_update(cname3, ip, dns.DNS_QTYPE_A)
++
++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++ questions = []
++
++ q = self.make_name_question(cname1,
++ dns.DNS_QTYPE_A,
++ dns.DNS_QCLASS_IN)
++ questions.append(q)
++ self.finish_name_packet(p, questions)
++
++ response = self.dns_transaction_udp(p, host=self.server_ip)
++
++ self.assertEqual(len(response.answers), num_recs_to_enter)
++
++ # ANY query on cname record shouldn't follow the link
++ def test_cname_any_query(self):
++ cname1 = "cnameanytestrec." + self.get_dns_domain()
++ cname2 = "cnameanytestrec2." + self.get_dns_domain()
++ cname3 = "cnameanytestrec3." + self.get_dns_domain()
++
++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++
++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++ questions = []
++
++ q = self.make_name_question(cname1,
++ dns.DNS_QTYPE_ALL,
++ dns.DNS_QCLASS_IN)
++ questions.append(q)
++ self.finish_name_packet(p, questions)
++
++ response = self.dns_transaction_udp(p, host=self.server_ip)
++
++ self.assertEqual(len(response.answers), 1)
++ self.assertEqual(response.answers[0].name, cname1)
++ self.assertEqual(response.answers[0].rdata, cname2)
++
+
+ class TestInvalidQueries(DNSTest):
+
+diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
+index 916afc1af85..a9b16eaac2a 100644
+--- a/selftest/knownfail.d/dns
++++ b/selftest/knownfail.d/dns
+@@ -1,5 +1,15 @@
+ #
+-# rodc and vampire_dc require signed dns updates, so the test setup
+-# fails, but the test does run on fl2003dc
++# rodc and vampire_dc require signed dns updates, so these tests' setups
++# fail, but they pass on fl2003dc
+ ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+ ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)
+--
+2.19.2
+
diff --git a/debian/patches/fix-rmdir.patch b/debian/patches/fix-rmdir.patch
new file mode 100644
index 00000000000..1db437695de
--- /dev/null
+++ b/debian/patches/fix-rmdir.patch
@@ -0,0 +1,47 @@
+From: Anoop C S <anoopcs@redhat.com>
+Date: Thu, 9 Aug 2018 12:28:41 +0530
+Subject: s3/libsmb: Explicitly set delete_on_close token for rmdir
+
+The current implementation of `rmdir` hopes to get the directory deleted
+on closing last open handle when FILE_DELETE_ON_CLOSE is set on it. But
+for non-empty directories Windows doesn't error out during an open call.
+Following that we internally refuse to set initial delete_on_close while
+opening a non-empty directory. This prevents us from trying to delete
+the directory when last open handle is closed.
+
+Instead of relying on FILE_DELETE_ON_CLOSE during an open we explicitly
+set delete_on_close token on directory handle once it is available. This
+ensures that NT_STATUS_DIRECTORY_NOT_EMPTY is returned for `rmdir` on
+non-empty directories while closing open directory handle.
+
+Applied-Upstream: https://github.com/samba-team/samba/commit/6b68e3eca631c04d6d57c489daf60f64732fc86d
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13204
+Bug-Debian: https://bugs.debian.org/915248
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1795772
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 237e6bb2b..d4ff8bd28 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -682,13 +682,20 @@ NTSTATUS cli_smb2_rmdir(struct cli_state *cli, const char *dname)
+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access */
+ FILE_OPEN, /* create_disposition */
+- FILE_DIRECTORY_FILE|FILE_DELETE_ON_CLOSE, /* create_options */
++ FILE_DIRECTORY_FILE, /* create_options */
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
++
++ status = cli_smb2_delete_on_close(cli, fnum, true);
++ if (!NT_STATUS_IS_OK(status)) {
++ cli_smb2_close_fnum(cli, fnum);
++ return status;
++ }
++
+ return cli_smb2_close_fnum(cli, fnum);
+ }
+
diff --git a/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch b/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
new file mode 100644
index 00000000000..f5aa194d7c5
--- /dev/null
+++ b/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
@@ -0,0 +1,96 @@
+From 1606ab1baf02c8d3797fdc6f347af2c8552996a0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 4 Apr 2017 11:52:56 +0200
+Subject: [PATCH] s3:ntlm_auth: fix memory leak in manage_gensec_request()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e999b798c6484de3cddad988406f97fc4cc7af79)
+
+Bug-Debian: https://bugs.debian.org/919611
+---
+ source3/utils/ntlm_auth.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 84269a139a3..d35e8f050b6 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1290,6 +1290,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+
+ TALLOC_CTX *mem_ctx;
+
++ mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
++
+ if (*private1) {
+ state = (struct gensec_ntlm_state *)*private1;
+ } else {
+@@ -1307,6 +1309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ if (strlen(buf) < 2) {
+ DEBUG(1, ("query [%s] invalid", buf));
+ x_fprintf(x_stdout, "BH Query invalid\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+
+@@ -1316,9 +1319,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ talloc_free(want_feature_list);
+ want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
+ x_fprintf(x_stdout, "OK\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+- in = base64_decode_data_blob(buf + 3);
++ in = base64_decode_data_blob_talloc(mem_ctx, buf + 3);
+ } else {
+ in = data_blob(NULL, 0);
+ }
+@@ -1331,7 +1335,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ } else if ( (strncmp(buf, "OK", 2) == 0)) {
+ /* Just return BH, like ntlm_auth from Samba 3 does. */
+ x_fprintf(x_stdout, "BH Command expected\n");
+- data_blob_free(&in);
++ talloc_free(mem_ctx);
+ return;
+ } else if ( (strncmp(buf, "TT ", 3) != 0) &&
+ (strncmp(buf, "KK ", 3) != 0) &&
+@@ -1343,12 +1347,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ (strncmp(buf, "GF", 2) != 0)) {
+ DEBUG(1, ("SPNEGO request [%s] invalid prefix\n", buf));
+ x_fprintf(x_stdout, "BH SPNEGO request invalid prefix\n");
+- data_blob_free(&in);
++ talloc_free(mem_ctx);
+ return;
+ }
+
+- mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
+-
+ /* setup gensec */
+ if (!(state->gensec_state)) {
+ switch (stdio_helper_mode) {
+@@ -1478,7 +1480,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ state->set_password,
+ CRED_SPECIFIED);
+ x_fprintf(x_stdout, "OK\n");
+- data_blob_free(&in);
+ talloc_free(mem_ctx);
+ return;
+ }
+@@ -1510,10 +1511,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ neg_flags = gensec_ntlmssp_neg_flags(state->gensec_state);
+ if (neg_flags == 0) {
+ x_fprintf(x_stdout, "BH\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+
+ x_fprintf(x_stdout, "GF 0x%08x\n", neg_flags);
++ talloc_free(mem_ctx);
+ return;
+ }
+
+--
+2.19.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d83fa0494bb..acf3faae401 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,15 +16,10 @@ Add-documentation-to-systemd-Unit-files.patch
fix_kill_path_in_units.patch
nmbd-requires-a-working-network.patch
provision-Update-root-DNS-servers-list.patch
-CVE-2017-12150-v4-5.patches.metze02.txt
-CVE-2017-12151-v4-5.patches.metze02.txt
-CVE-2017-12163-all-metze01.patch.txt
-s3-smbd-Chain-code-can-return-uninitialized-memory-w.patch
-s3-smbd-Fix-SMB1-use-after-free-crash-bug.-CVE-2017-.patch
-CVE-2018-1050-11343-4.5.patch
-CVE-2018-1057-v4-5.metze01.patches.txt
CVE-2018-10919.patch
CVE-2018-10858-4.6.patch
CVE-2018-14629-v4-5.patch
CVE-2018-16841-master.patch
CVE-2018-16851-master.patch
+fix-rmdir.patch
+s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
diff --git a/debian/rules b/debian/rules
index 61271460f1b..fb4ad066066 100755
--- a/debian/rules
+++ b/debian/rules
@@ -209,7 +209,7 @@ override_dh_installchangelogs:
override_dh_installinit:
ifneq (,$(filter samba, $(shell dh_listpackages)))
dh_installinit -psamba --name smbd
- dh_installinit -psamba --name nmbd
+ dh_installinit -psamba --name nmbd --error-handler nmbd_error_handler
dh_installinit -psamba --name samba-ad-dc
dh_installinit -psamba --noscripts
dh_installinit -psamba --no-start --name reload-smbd
diff --git a/debian/samba.postinst b/debian/samba.postinst
index 787d8029986..e798f4fe19e 100644
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
@@ -6,6 +6,23 @@
set -e
+nmbd_error_handler() {
+ if [ -d /sys/class/net/lo ] && ls /sys/class/net | grep -qv ^lo$; then
+ # https://bugs.debian.org/893762
+ echo 'WARNING: nmbd failed to start as there is no non-loopback interfaces available.'
+ echo 'Either add an interface or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
+ return 0
+ elif command -v ip > /dev/null && ip a show | grep '^[[:space:]]*inet ' | grep -vq ' lo$'; then
+ # https://bugs.debian.org/859526
+ echo 'WARNING: nmbd failed to start as there is no local IPv4 non-loopback interfaces available.'
+ echo 'Either add an IPv4 address or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
+ return 0
+ else
+ echo 'ERROR: nmbd failed to start.'
+ return 1 # caught by set -e
+ fi
+}
+
# We generate several files during the postinst, and we don't want
# them to be readable only by root.
umask 022
Reply to: