[SCM] Samba Shared Repository - annotated tag samba-4.15.2 created

Stefan Metzmacher metze at samba.org
Tue Nov 9 18:10:00 UTC 2021

The annotated tag, samba-4.15.2 has been created
        at  ac8c226ed9d8c067f6053c6f7f8f6457b86c2f52 (tag)
   tagging  7d0c030d4233974c4b9463dad44efdb05e6186f1 (commit)
  replaces  samba-4.15.1
 tagged by  Jule Anger
        on  Mon Nov 8 12:34:39 2021 +0100

- Log -----------------------------------------------------------------
samba: tag release samba-4.15.2


Alexander Bokovoy (1):
      CVE-2020-25717: Add FreeIPA domain controller role

Andreas Schneider (11):
      CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
      CVE-2020-25719 mit-samba: Add ks_free_principal()
      CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
      CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
      CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
      CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
      CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
      CVE-2020-25719 mit_samba: Create the talloc context earlier
      CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
      CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
      CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it

Andrew Bartlett (55):
      CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
      CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
      CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
      CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
      CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
      CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
      CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
      CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
      CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
      CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
      CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
      CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
      CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
      CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
      CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
      CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
      CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
      CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
      CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/dollar/UAC
      CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
      CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
      CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
      CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
      CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
      CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
      CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
      CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
      CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
      CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
      CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
      CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
      CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
      CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
      CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
      CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
      CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
      CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
      CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
      CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
      CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
      CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
      CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
      CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
      CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
      CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
      CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
      CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
      CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
      CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
      CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
      CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
      CVE-2020-25722 Ensure the structural objectclass cannot be changed
      CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
      Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
      CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal

Douglas Bagnall (35):
      CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
      CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
      CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
      CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
      CVE-2020-25722 samba-tool spn: accept -H for database url
      CVE-2020-25722 samba-tool spn add: remove --force option
      CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
      CVE-2020-25722 s4/provision: add host/ SPNs at the start
      CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
      CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
      CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
      CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
      CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
      CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
      CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
      CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
      CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
      CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
      CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
      CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
      CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
      CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
      CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
      CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()

Joseph Sutton (64):
      CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
      CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
      CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
      CVE-2020-25722 tests/krb5: Allow creating server accounts
      CVE-2020-25719 tests/krb5: Add is_tgt() helper method
      CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
      MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
      CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
      CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
      CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
      CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
      CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
      CVE-2020-25719 tests/krb5: Add principal aliasing test
      CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
      CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
      CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
      CVE-2020-25722 Add test for SPN deletion followed by addition
      CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
      CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
      CVE-2020-25718 tests/krb5: Fix indentation
      CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
      CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
      CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
      CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
      CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
      CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
      CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
      CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
      CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
      CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
      CVE-2020-25719 tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
      CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
      CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
      CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
      CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
      CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
      CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
      CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
      CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
      CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
      CVE-2020-25719 s4/torture: Expect additional PAC buffers
      CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 heimdal:kdc: Require authdata to be present
      CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
      CVE-2020-25719 heimdal:kdc: Check return code
      CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
      CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
      CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
      CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
      CVE-2020-25719 heimdal:kdc: Require PAC to be present
      CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
      CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
      CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
      CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
      CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation

Jule Anger (3):
      VERSION: Bump version up to Samba 4.15.2...
      WHATSNEW: Add release notes for Samba 4.15.2.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.

Nadezhda Ivanova (2):
      CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
      CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute

Ralph Boehme (1):
      CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

Samuel Cabrero (4):
      CVE-2020-25717: loadparm: Add new parameter "min domain uid"
      CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
      CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
      CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (47):
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
      CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
      CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
      CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
      CVE-2020-25717: s4:torture: start with authoritative = 1
      CVE-2020-25717: s4:smb_server: start with authoritative = 1
      CVE-2020-25717: s4:auth_simple: start with authoritative = 1
      CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
      CVE-2020-25717: s3:torture: start with authoritative = 1
      CVE-2020-25717: s3:rpcclient: start with authoritative = 1
      CVE-2020-25717: s3:auth: start with authoritative = 1
      CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
      CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
      CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
      CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
      CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
      CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
      CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
      CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
      CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
      CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
      CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
      CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
      CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
      CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
      CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
      CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
      CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
      CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
      CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
      CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
      CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
      CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
      CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
      CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
      CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
      CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
      CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
      CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
      CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
