[SCM] Samba Shared Repository - annotated tag samba-4.14.14 created

Jule Anger janger at samba.org
Wed Jul 27 09:59:05 UTC 2022

The annotated tag, samba-4.14.14 has been created
        at  6f2f70448882602b6f8c6bc42e59d52cc39a0d14 (tag)
   tagging  ad06fd8294503b6a27729118dd8c80558d41924a (commit)
  replaces  ldb-2.3.4
 tagged by  Jule Anger
        on  Wed Jul 27 09:29:56 2022 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.14.14


Andreas Schneider (4):
      s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
      CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
      CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
      CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function

Isaac Boukris (1):
      s4:mit-kdb: Force canonicalization for looking up principals

Jeremy Allison (2):
      CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
      CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Joseph Sutton (78):
      CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
      CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
      CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
      CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
      selftest: Check received LDB error code when STRICT_CHECKING=0
      tests/krb5: Remove unused variable
      tests/krb5: Deduplicate AS-REQ tests
      tests/krb5: Run test_rpc against member server
      tests/krb5: Allow PasswordKey_create() to use s2kparams
      tests/krb5: Split out methods to create renewable or invalid tickets
      tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
      tests/krb5: Remove unnecessary expect_pac arguments
      tests/krb5: Add tests for invalid TGTs
      tests/krb5: Add tests for TGS requests with a non-TGT
      tests/krb5: Add TGS-REQ tests with FAST
      tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
      tests/krb5: Add tests for validation with requester SID PAC buffer
      tests/krb5: Add comments for tests that fail against Windows
      heimdal:kdc: Fix error message for user-to-user
      s4:torture: Fix typo
      heimdal:kdc: Adjust no-PAC error code to match Windows
      kdc: Adjust SID mismatch error code to match Windows
      tests/krb5: Add test for S4U2Self with wrong sname
      kdc: Match Windows error code for mismatching sname
      kdc: Always add the PAC if the header TGT is from an RODC
      tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
      Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
      kdc: Don't include extra PAC buffers in service tickets
      kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
      tests/krb5: Add a test for S4U2Self with no authorization data required
      heimdal:kdc: Always generate a PAC for S4U2Self
      selftest: Properly check extra PAC buffers with Heimdal
      heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
      kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
      kdc: Canonicalize realm for enterprise principals
      tests/krb5: Correctly determine whether tickets are service tickets
      tests/krb5: Add helper function to modify ticket flags
      selftest: Simplify krb5 test environments
      CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
      heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
      CVE-2022-2031 s4:kpasswd: Account for missing target principal
      CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
      CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
      CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
      CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
      CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
      CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
      CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
      CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
      tests/krb5: Fix enum typo
      tests/krb5: Add option for creating accounts with expired passwords
      CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
      CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
      CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
      CVE-2022-2031 tests/krb5: Add tests for kpasswd service
      CVE-2022-2031 s4:kpasswd: Correctly generate error strings
      CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
      CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
      CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
      CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
      CVE-2022-2031 s4:kpasswd: Require an initial ticket
      s4:kpasswd: Restructure code for clarity
      CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
      CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
      CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
      CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
      CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
      CVE-2022-2031 tests/krb5: Test truncated forms of server principals
      CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
      CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
      s4:kdc: Remove kadmin mode from HDB plugin
      CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
      CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
      CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
      CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
      CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
      CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
      CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust

Jule Anger (2):
      WHATSNEW: Add release notes for Samba 4.14.14.
      VERSION: Disable GIT_SNAPSHOT for the 4.14.14 release.


Samba Shared Repository

More information about the samba-cvs mailing list