[SCM] Samba Shared Repository - annotated tag samba-4.15.13 created

Jule Anger janger at samba.org
Thu Dec 15 16:30:49 UTC 2022


The annotated tag, samba-4.15.13 has been created
        at  98d538ce7afc999a8198f839cd4cda97acb5bde1 (tag)
   tagging  861b4f9fde0128609abcb4eafce6192fbf0a959a (commit)
  replaces  samba-4.15.12
 tagged by  Jule Anger
        on  Thu Dec 15 17:08:50 2022 +0100

- Log -----------------------------------------------------------------
samba: tag release samba-4.15.13

Andreas Schneider (3):
      CVE-2022-37966 s3:param: Fix old-style function definition
      CVE-2022-37966 s3:client: Fix old-style function definition
      CVE-2022-37966 s3:utils: Fix old-style function definition

Andrew Bartlett (6):
      selftest: make filter-subunit much more efficient for large knownfail lists
      CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
      CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
      CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
      CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
      CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added

Joseph Sutton (22):
      CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
      CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
      CVE-2022-37966 tests/krb5: Update supported enctype checking
      CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
      CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
      CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
      CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
      CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
      CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
      CVE-2022-37967 Add new PAC checksum
      CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
      CVE-2022-37966 third_party/heimdal: Fix error message typo
      CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
      CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
      CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
      CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
      CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
      CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
      CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
      CVE-2022-37966 kdc: Assume trust objects support AES by default
      tests/krb5: Add test requesting a service ticket expiring post-2038
      tests/krb5: Add test requesting a TGT expiring post-2038

Jule Anger (3):
      VERSION: Bump version up to Samba 4.15.13...
      WHATSNEW: Add release notes for Samba 4.15.13.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.

Luke Howard (1):
      kdc: avoid re-encoding KDC-REQ-BODY

Nicolas Williams (4):
      CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
      CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
      CVE-2022-45141 source4/heimdal: Fix check-des
      CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures

Ralph Boehme (2):
      CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
      CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"

Stefan Metzmacher (61):
      CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
      CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
      CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
      CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
      CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
      CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
      CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
      CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
      CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
      CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
      CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
      CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
      CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
      CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
      CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
      CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
      CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
      CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
      CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
      CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
      CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
      CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
      CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
      CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
      CVE-2022-38023 testparm: warn about server/client schannel != yes
      CVE-2022-38023 testparm: warn about unsecure schannel related options
      CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
      CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
      CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
      CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
      CVE-2022-37966 system_mitkrb5: require support for aes enctypes
      CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
      CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
      CVE-2022-37966 s3:libads: no longer reference des encryption types
      CVE-2022-37966 s3:libnet: no longer reference des encryption types
      CVE-2022-37966 s3:net_ads: no longer reference des encryption types
      CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
      CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
      CVE-2022-37966 s4:kdc: use the strongest possible keys
      CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
      CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
      CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
      CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
      CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
      CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
      CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
      CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
      CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
      CVE-2022-37966 python:tests/krb5: test much more etype combinations
      CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
      CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
      CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
      CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
      CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
      CVE-2022-37966 samba-tool: add 'domain trust modify' command
      CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports

-----------------------------------------------------------------------