[SCM] Samba Shared Repository - annotated tag samba-4.16.4 created

Jule Anger janger at samba.org
Wed Jul 27 10:01:07 UTC 2022

The annotated tag, samba-4.16.4 has been created
        at  e0d6e97e1f3a26a0258f61b4074684b7ca9dc85d (tag)
   tagging  9618af1b66aa7503e02b25c9a0bb5b1f31baffbc (commit)
  replaces  ldb-2.5.2
 tagged by  Jule Anger
        on  Wed Jul 27 09:21:14 2022 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.16.4


Andreas Schneider (4):
      s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
      CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
      CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
      CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function

Jeremy Allison (2):
      CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
      CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Joseph Sutton (48):
      CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
      CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
      CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
      CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
      tests/krb5: Add helper function to modify ticket flags
      selftest: Simplify krb5 test environments
      CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
      CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
      CVE-2022-2031 s4:kpasswd: Account for missing target principal
      CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
      CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
      CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
      CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
      CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
      CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
      CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
      CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
      tests/krb5: Fix enum typo
      tests/krb5: Add option for creating accounts with expired passwords
      CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
      CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
      CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
      CVE-2022-2031 tests/krb5: Add tests for kpasswd service
      CVE-2022-2031 s4:kpasswd: Correctly generate error strings
      CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
      CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
      CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
      CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
      CVE-2022-2031 s4:kpasswd: Require an initial ticket
      s4:kpasswd: Restructure code for clarity
      CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
      CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
      CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
      CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
      CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
      CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
      CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
      CVE-2022-2031 tests/krb5: Test truncated forms of server principals
      CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
      CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
      s4:kdc: Remove kadmin mode from HDB plugin
      CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
      CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
      CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
      CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
      CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
      CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
      CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust

Jule Anger (2):
      WHATSNEW: Add release notes for Samba 4.16.4.
      VERSION: Disable GIT_SNAPSHOT for the 4.16.4 release.


Samba Shared Repository

More information about the samba-cvs mailing list