[SCM] Samba Shared Repository - annotated tag samba-4.2.10 created

Stefan Metzmacher metze at samba.org
Tue Apr 12 19:15:05 UTC 2016

The annotated tag, samba-4.2.10 has been created
        at  8be3f396dadd6ba540006c0ce7e785d714e1992e (tag)
   tagging  343f384dd39bf05867461fde4c79167604d99f98 (commit)
  replaces  samba-4.2.9
 tagged by  Karolin Seeger
        on  Wed Mar 30 12:47:19 2016 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.2.10
Version: GnuPG v1


Andreas Schneider (4):
      s4-gensec: Check if we have delegated credentials.
      torture: Fix the usage of the MEMORY credential cache.
      torture: Correctly invalidate the memory ccache.
      torture: Free the temporary memory context

Andrew Bartlett (4):
      libsmb: Print the principal name that we failed to kinit for.
      docs: Explain that winbindd enforces smb signing by default.
      lib/tls: Add new 'tls priority' option
      lib/tls: Change default supported TLS versions.

Björn Jacke (1):
      tls: increase Diffie-Hellman group size to 2048 bits

Christian Ambach (1):
      s4:torture/ntlmssp fix a compiler warning

Günther Deschner (15):
      gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
      lib/util: globally include herrors in error.h
      ntlmssp: add some missing defines from MS-NLMP to our IDL.
      ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
      ntlmssp: properly document version defines in IDL (from MS-NLMP).
      ntlmssp: when pulling messages it is important to clear memory first.
      s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
      s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
      s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
      s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
      s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
      auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
      s4-smb_server: check for return code of cli_credentials_set_machine_account().
      s3-auth: check for return code of cli_credentials_set_machine_account().
      CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

Jelmer Vernooij (15):
      Reduce number of places where sys.path is (possibly) updated for external module paths.
      Avoid importing TestCase and TestSkipped from testtools.
      Rename TestSkipped to Skiptest, consistent with Python 2.7.
      selftest/tests/*.py: remove use of testtools.
      Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
      Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
      Add replacement addCleanup.
      Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
      Provide TestCase.assertIsInstance for python < 2.7.
      Use samba TestCase so we get all compatibility functions on Python < 2.7.
      Run cleanup after tearDown, for consistency with Python >= 2.7.
      Handle skips when running on python2.6.
      Implement assertIsNone for Python < 2.7.
      Implement TestCase.assertIn for older versions of Python.
      Implement TestCase.assertIsNotNone for python < 2.7.

Jeremy Allison (2):
      s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
      CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec

Kamen Mazdrashki (3):
      s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
      s4-tests: Print out what the error is in delete_force()
      s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment

Ralph Boehme (13):
      CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
      CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
      CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
      CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
      CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
      CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"

Richard Sharpe (5):
      Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
      Convert all uint32/16/8 to _t in source3/libsmb.
      Convert all uses of uint32/16/8 to _t in source3/rpc_server.
      Convert all uses of uint32/16/8 to _t in source3/rpc_client.
      Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.

Stefan Metzmacher (356):
      VERSION: Bump version up to 4.2.10...
      s4:auth/gensec_gssapi: remove compiler warnings
      s4:lib/tls: add tls_cert_generate() prototype to tls.h
      s4:lib/tls: remove allow_warnings=True
      auth/kerberos: avoid compiler warnings
      auth/kerberos: remove allow_warnings=True
      s4:auth/gensec_gssapi: remove allow_warnings=True
      s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
      auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
      s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
      s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
      s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
      s4:lib/tls: fix tstream_tls_connect_send() define
      s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
      s4:libcli/ldap: conversion to tstream
      s4:auth/gensec: remove unused and untested cyrus_sasl module
      s4:auth/gensec: remove unused include of lib/socket/socket.h
      s4:auth/gensec: remove unused gensec_socket_init()
      auth/gensec: remove unused gensec_[un]wrap_packets() hooks
      s3:ntlm_auth: don't start gensec backend twice
      auth/credentials: anonymous should not try to use kerberos
      midltests: add valid/midltests_DRS_EXTENSIONS.*
      librpc/rpc: add faultcode to nt_status mappings
      librpc/rpc: add dcerpc_fault_from_nt_status()
      librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
      s4:pyrpc: add base.bind_time_features_syntax(features)
      lib/util: fix output format in dump_data*()
      librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
      python/samba/tests: don't lower case path names in connect_samdb()
      python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
      python/samba/tests: move hexdump() from DNSTest to TestCase
      python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
      s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
      libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
      s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
      python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
      s4:pyrpc: remove pointless alter_context() method
      dcerpc.idl: fix calculatin of uint16 secondary_address_size;
      heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
      heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
      heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
      heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
      heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
      heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
      auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
      s4:selftest: run rpc.netlogon.admin against also ad_dc
      s4:rpc_server: pass the remote address to gensec_set_remote_address()
      s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
      s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
      lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
      lib/util_net: add support for .ipv6-literal.net
      s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
      s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
      epmapper.idl: make epm_twr_t available in python bindings
      dcerpc.idl: make WERROR RPC faults available in ndr_print output
      librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
      s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
      s3:libads: remove unused ads_connect_gc()
      wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
      s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
      s3:librpc/gse: fix debug message in gse_init_client()
      s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
      s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
      s3:librpc/gse: don't log gss_acquire_creds failed at level 0
      s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
      s4:pygensec: make sig_size() and sign/check_packet() available
      auth/gensec: keep a pointer to a possible child/sub gensec_security context
      auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
      auth/gensec: make gensec_security_by_name() public
      s3:auth_generic: add auth_generic_client_start_by_name()
      s3:auth_generic: add auth_generic_client_start_by_sasl()
      auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
      auth/ntlmssp: add gensec_ntlmssp_server_domain()
      s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
      s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
      s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
      selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
      s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
      winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
      s3:auth_generic: make use of the top level NTLMSSP client code
      s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
      auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
      auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
      auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
      s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
      winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
      s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
      auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
      auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
      auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
      auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
      auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
      auth/ntlmssp: add ntlmssp_version_blob()
      auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
      auth/ntlmssp: use ntlmssp_version_blob() in the server
      security.idl: add LSAP_TOKEN_INFO_INTEGRITY
      ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
      ntlmssp.idl: make AV_PAIR_LIST public
      librpc/ndr: add ndr_ntlmssp_find_av() helper function
      auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
      auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
      s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
      s4:libcli/ldap: fix retry authentication after a bad password
      s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
      s4:selftest: simplify the loops over samba4.ldb.ldap
      s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: add missing TALLOC_FREE(frame) in error path
      s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
      s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
      s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
      s3:libads: keep service and hostname separately in ads_service_principal
      s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
      s3:libsmb: make use gensec based SPNEGO/NTLMSSP
      s3:libsmb: unused ntlmssp.c
      s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
      s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
      s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
      s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
      s3:libsmb: remove unused cli_session_setup_kerberos*() functions
      s3:libsmb: remove unused functions in clispnego.c
      s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
      s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
      s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
      s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
      s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
      s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
      s4:rpc_server: dcesrv_generic_session_key should only work on local transports
      selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
      selftest: add some helper scripts to mange a CA
      selftest: add config and script to create a samba.example.com CA
      selftest: add CA-samba.example.com (non-binary) files
      selftest: mark commands in manage-CA-samba.example.com.sh as DONE
      selftest: add Samba::prepare_keyblobs() helper function
      selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
      selftest: set tls crlfile if it exist
      selftest: setup information of new samba.example.com CA in the client environment
      s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
      s3:test_rpcclient_samlogon.sh: test samlogon with schannel
      s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
      s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
      s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
      s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
      s4:torture/rpc/schannel: don't use validation level 6 without privacy
      auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
      auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
      s4:rpc_server: require access to the machine account credentials
      s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
      s3:rpc_server/samr: correctly handle session_extract_session_key() failures
      s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
      CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
      CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
      CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
      CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
      CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
      CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
      CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
      CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
      CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
      CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
      CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
      CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
      CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
      CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
      CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
      CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
      CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
      CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
      CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
      CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
      CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
      CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
      CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
      CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
      CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
      CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
      CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
      CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
      CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
      CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
      CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
      CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
      CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
      CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
      CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
      CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
      CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
      CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
      CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
      CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
      CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
      CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
      CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
      CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
      CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
      CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
      CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
      CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
      CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
      CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
      CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
      CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
      CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
      CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
      CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
      CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
      CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
      CVE-2016-2113: selftest: use "tls verify peer = no_check"
      CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
      CVE-2016-2114: s4:smb2_server: fix session setup with required signing
      CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
      CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
      CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
      CVE-2016-2115: docs-xml: add "client ipc signing" option
      CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
      CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
      CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
      CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
      CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
      CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
      CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
      CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
      CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
      CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
      CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
      CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
      CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
      CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
      CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
      CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
      CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
      CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
      CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
      CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
      CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
      CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
      CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
      CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
      CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
      CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
      CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
      CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
      CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
      CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
      CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
      CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
      CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
      CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
      CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
      CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
      CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
      CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
      CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
      CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
      CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
      CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
      CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
      CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
      CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
      CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
      CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
      CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
      CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
      CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
      CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
      CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
      CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
      CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
      CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
      CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
      CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
      CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
      CVE-2015-5370: s4:rpc_server: check frag_length for requests
      CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
      CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
      CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
      CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
      CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
      CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
      CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
      CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
      CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
      CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
      CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
      CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
      CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
      CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
      CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
      CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
      CVE-2015-5370: s3:rpc_server: verify presentation context arrays
      CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
      CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
      CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
      CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
      CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
      CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
      CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
      CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
      CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
      CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
      CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
      CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
      CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
      CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
      CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
      CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
      CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
      CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
      CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
      CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
      WHATSNEW: Add release notes for Samba 4.2.10.
      VERSION: Disable git snapshots for the 4.2.10 release.

Volker Lendecke (23):
      rpc_server: Fix CID 1035534 Uninitialized scalar variable
      rpc_server: Fix CID 1035535 Uninitialized scalar variable
      asn1: Remove an unused asn1 function
      asn1: Make asn1_peek_full_tag return 0/errno
      asn1: Add overflow check to asn1_write
      asn1: Add some early returns
      asn1: Make "struct nesting" private
      asn1: Add asn1_has_error()
      lib: Use asn1_has_error()
      asn1: Add asn1_set_error()
      lib: Use asn1_set_error()
      asn1: Add asn1_extract_blob()
      lib: Use asn1_extract_blob()
      asn1: Add asn1_has_nesting
      lib: Use asn1_has_nesting
      asn1: Add asn1_current_ofs()
      lib: Use asn1_current_ofs()
      libcli: Remove a reference to asn1->ofs
      asn1: Remove a reference to asn1_data internals
      asn1: Make 'struct asn1_data' private
      spnego: Correctly check asn1_tag_remaining retval
      libsmb: Fix CID 1356312 Explicit null dereferenced
      libads: Fix CID 1356316 Uninitialized pointer read


Samba Shared Repository

More information about the samba-cvs mailing list