[SCM] Samba Shared Repository - annotated tag samba-4.14.14 created
Jule Anger
janger at samba.org
Wed Jul 27 09:59:05 UTC 2022
The annotated tag, samba-4.14.14 has been created
at 6f2f70448882602b6f8c6bc42e59d52cc39a0d14 (tag)
tagging ad06fd8294503b6a27729118dd8c80558d41924a (commit)
replaces ldb-2.3.4
tagged by Jule Anger
on Wed Jul 27 09:29:56 2022 +0200
- Log -----------------------------------------------------------------
samba: tag release samba-4.14.14
Andreas Schneider (4):
s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
Isaac Boukris (1):
s4:mit-kdb: Force canonicalization for looking up principals
Jeremy Allison (2):
CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Joseph Sutton (78):
CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
selftest: Check received LDB error code when STRICT_CHECKING=0
tests/krb5: Remove unused variable
tests/krb5: Deduplicate AS-REQ tests
tests/krb5: Run test_rpc against member server
tests/krb5: Allow PasswordKey_create() to use s2kparams
tests/krb5: Split out methods to create renewable or invalid tickets
tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
tests/krb5: Remove unnecessary expect_pac arguments
tests/krb5: Add tests for invalid TGTs
tests/krb5: Add tests for TGS requests with a non-TGT
tests/krb5: Add TGS-REQ tests with FAST
tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
tests/krb5: Add tests for validation with requester SID PAC buffer
tests/krb5: Add comments for tests that fail against Windows
heimdal:kdc: Fix error message for user-to-user
s4:torture: Fix typo
heimdal:kdc: Adjust no-PAC error code to match Windows
kdc: Adjust SID mismatch error code to match Windows
tests/krb5: Add test for S4U2Self with wrong sname
kdc: Match Windows error code for mismatching sname
kdc: Always add the PAC if the header TGT is from an RODC
tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
kdc: Don't include extra PAC buffers in service tickets
kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
tests/krb5: Add a test for S4U2Self with no authorization data required
heimdal:kdc: Always generate a PAC for S4U2Self
selftest: Properly check extra PAC buffers with Heimdal
heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
kdc: Canonicalize realm for enterprise principals
tests/krb5: Correctly determine whether tickets are service tickets
tests/krb5: Add helper function to modify ticket flags
selftest: Simplify krb5 test environments
CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
CVE-2022-2031 s4:kpasswd: Account for missing target principal
CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
tests/krb5: Fix enum typo
tests/krb5: Add option for creating accounts with expired passwords
CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
CVE-2022-2031 tests/krb5: Add tests for kpasswd service
CVE-2022-2031 s4:kpasswd: Correctly generate error strings
CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
CVE-2022-2031 s4:kpasswd: Require an initial ticket
s4:kpasswd: Restructure code for clarity
CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
s4:kdc: Remove kadmin mode from HDB plugin
CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
Jule Anger (2):
WHATSNEW: Add release notes for Samba 4.14.14.
VERSION: Disable GIT_SNAPSHOT for the 4.14.14 release.
-----------------------------------------------------------------------
--
Samba Shared Repository