[SCM] Samba Shared Repository - annotated tag samba-4.15.9 created
Jule Anger
janger at samba.org
Wed Jul 27 10:00:20 UTC 2022
The annotated tag, samba-4.15.9 has been created
at 942fa02ef7c41d80de299b0f035ca162467cf1c8 (tag)
tagging c8fc01ca36445e87c3e503026a446416d66cd1bf (commit)
replaces ldb-2.4.4
tagged by Jule Anger
on Wed Jul 27 09:25:35 2022 +0200
- Log -----------------------------------------------------------------
samba: tag release samba-4.15.9
Andreas Schneider (4):
      s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
      CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
      CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
      CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function

Isaac Boukris (1):
      s4:mit-kdb: Force canonicalization for looking up principals

Jeremy Allison (2):
      CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
      CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Joseph Sutton (78):
      CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
      CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
      CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
      CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
      selftest: Check received LDB error code when STRICT_CHECKING=0
      tests/krb5: Remove unused variable
      tests/krb5: Deduplicate AS-REQ tests
      tests/krb5: Run test_rpc against member server
      tests/krb5: Allow PasswordKey_create() to use s2kparams
      tests/krb5: Split out methods to create renewable or invalid tickets
      tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
      tests/krb5: Remove unnecessary expect_pac arguments
      tests/krb5: Add tests for invalid TGTs
      tests/krb5: Add tests for TGS requests with a non-TGT
      tests/krb5: Add TGS-REQ tests with FAST
      tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
      tests/krb5: Add tests for validation with requester SID PAC buffer
      tests/krb5: Add comments for tests that fail against Windows
      heimdal:kdc: Fix error message for user-to-user
      s4:torture: Fix typo
      heimdal:kdc: Adjust no-PAC error code to match Windows
      kdc: Adjust SID mismatch error code to match Windows
      tests/krb5: Add test for S4U2Self with wrong sname
      kdc: Match Windows error code for mismatching sname
      kdc: Always add the PAC if the header TGT is from an RODC
      tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
      Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
      kdc: Don't include extra PAC buffers in service tickets
      kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
      tests/krb5: Add a test for S4U2Self with no authorization data required
      heimdal:kdc: Always generate a PAC for S4U2Self
      selftest: Properly check extra PAC buffers with Heimdal
      heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
      kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
      kdc: Canonicalize realm for enterprise principals
      tests/krb5: Correctly determine whether tickets are service tickets
      tests/krb5: Add helper function to modify ticket flags
      selftest: Simplify krb5 test environments
      CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
      heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
      CVE-2022-2031 s4:kpasswd: Account for missing target principal
      CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
      CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
      CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
      CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
      CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
      CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
      CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
      CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
      tests/krb5: Fix enum typo
      tests/krb5: Add option for creating accounts with expired passwords
      CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
      CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
      CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
      CVE-2022-2031 tests/krb5: Add tests for kpasswd service
      CVE-2022-2031 s4:kpasswd: Correctly generate error strings
      CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
      CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
      CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
      CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
      CVE-2022-2031 s4:kpasswd: Require an initial ticket
      s4:kpasswd: Restructure code for clarity
      CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
      CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
      CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
      CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
      CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
      CVE-2022-2031 tests/krb5: Test truncated forms of server principals
      CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
      CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
      s4:kdc: Remove kadmin mode from HDB plugin
      CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
      CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
      CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
      CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
      CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
      CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
      CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust

Jule Anger (2):
      WHATSNEW: Add release notes for Samba 4.15.9.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release.
-----------------------------------------------------------------------
--
Samba Shared Repository