Debian Patches

Status for samba/2:4.13.13+dfsg-1~deb11u5

Patch Description Author Forwarded Bugs Origin Last update
07_private_lib Always specify rpath for private libraries Jelmer Vernooij <jelmer@samba.org> no 2012-02-24
bug_221618_precise-64bit-prototype.patch 64 bit fix for libsmbclient Christian Perrier <bubulle@debian.org> yes debian
README_nosmbldap-tools.patch Mention smbldap-tools package in examples/LDAP/README Christian Perrier <bubulle@debian.org> not-needed debian
smbclient-pager.patch Use the pager alternative as pager if PAGER is undefined Steve Langasek <vorlon@debian.org> not-needed debian
usershare.patch Enable net usershares by default at build time
Enable net usershares by default at build time, with a limit of 100, and update
the corresponding documentation.
Mathias Gug <mathiaz@ubuntu.com>, Steve Langasek <vorlon@debian.org> not-needed debian
VERSION.patch Add "Debian" as vendor suffix Eloy A. Paris <peloy@debian.org> not-needed
add-so-version-to-private-libraries Add so version number to private libraries for dpkg-shlibdeps
We also want dpkg-shlibdeps to generate correct dependency information
for the private libraries in our binary packages, but dpkg-shlibdeps
only works when the library has a version number.
Jeroen Dekkers <jeroen@dekkers.ch> not-needed vendor
heimdal-rfc3454.txt Patch in symbol table from rfc3454, for Heimdal scripts Brian May <bam@debian.org> no
smbd.service-Run-update-apparmor-samba-profile-befor.patch [PATCH] smbd.service: Run update-apparmor-samba-profile before start Mathieu Parent <math.parent@gmail.com> no debian 2019-02-21
fix-nfs-service-name-to-nfs-kernel-server.patch fix nfs related service names
Upstream defines nfs related service names based on the Linux
distribution. This patch fixes the names for Debian and derivatives.
Rafael David Tinoco <rafaeldtinoco@gmail.com> no debian 2018-08-05
Rename-mdfind-to-mdsearch.patch [PATCH] Rename mdfind to mdsearch
GNUstep has an mdfind binary, and both should be co-installable.
Mathieu Parent <math.parent@gmail.com> yes upstream 2020-07-04
ctdb-config-enable-syslog-by-default.patch CTDB uses the /var/log/ctdb/ directory for the default log files. With
syslog disabled, the systemd journal is not able to correctly report
errors happening during service initialization.

Upstream community creates generic config files to be used by different
distributions, so this change makes no big difference to be accepted by
upstream.

With this patch the end user will be able to identify initialization
errors by executing:

systemctl status ctdb.service

or to follow ctdb logs by executing:

journalctl -f -u ctdb
Rafael David Tinoco <rafaeldtinoco@ubuntu.com> no debian 2018-06-27
0100-CVE-2020-25718-ldb-attrib_handler-casefold-simplify-.patch [PATCH 100/361] CVE-2020-25718 ldb/attrib_handler casefold: simplify space dropping

As seen in CVE-2021-20277, ldb_handler_fold() has been making mistakes
when collapsing spaces down to a single space.

This patch fixes the way it handles internal spaces (CVE-2021-20277
was about leading spaces), and involves a rewrite of the parsing loop.

The bug has a detailed description of the problem.



Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 7 03:16:39 UTC 2021 on sn-devel-184


(cherry picked from commit 24ddc1ca9cad95673bdd8023d99867707b37085f)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2020-12-08
0101-CVE-2020-25718-ldb_match-trailing-chunk-must-match-e.patch [PATCH 101/361] CVE-2020-25718 ldb_match: trailing chunk must match end of string

A wildcard search is divided into chunks by the asterisks. While most
chunks match the first suitable string, the last chunk matches the
last possible string (unless there is a trailing asterisk, in which
case this distinction is moot).

We always knew this in our hearts, but we tried to do it in a funny
complicated way that stepped through the string, comparing here and
there, leading to CVE-2019-3824 and missed matches (bug 14044).

With this patch, we just jump to the end of the string and compare it.
As well as being correct, this should also improve performance, as the
previous algorithm involved a quadratic loop of erroneous memmem()s.

See https://tools.ietf.org/html/rfc4517




(cherry picked from commit cc098f1cad04b2cfec4ddd6b2511cd5a600f31c6)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-03-03
0102-CVE-2020-25718-ldb-fix-ldb_comparison_fold-off-by-on.patch [PATCH 102/361] CVE-2020-25718 ldb: fix ldb_comparison_fold off-by-one overrun

We run one character over in comparing all the bytes in two ldb_vals.

In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.



(cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-03-06
0103-CVE-2020-25718-pyldb-catch-potential-overflow-error-.patch [PATCH 103/361] CVE-2020-25718 pyldb: catch potential overflow error in py_timestring




(cherry picked from commit 71e8b24b8a031de26b21539e36a60f459257d2fd)
Stefan Metzmacher <metze@samba.org> yes upstream 2021-01-19
0104-CVE-2020-25718-ldb_match-remove-redundant-check.patch [PATCH 104/361] CVE-2020-25718 ldb_match: remove redundant check
We already ensure the no-trailing-asterisk case ends at the end of the
string.




(cherry picked from commit fa93339978040eab52b2722c1716028b48d8d084)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-03-03
0105-CVE-2020-25718-pyldb-Fix-Message.items-for-a-message.patch [PATCH 105/361] CVE-2020-25718 pyldb: Fix Message.items() for a message containing elements

Previously, message elements were being freed before the call to
Py_BuildValue(), resulting in an exception being raised. Additionally,
only the first element of the returned list was ever assigned to.



(cherry picked from commit 3e4ec0a90a222c1cff4a91912afc703ca4cbbb0e)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-05-28
0106-CVE-2020-25718-lib-ldb-Add-missing-break-in-switch-s.patch [PATCH 106/361] CVE-2020-25718 lib:ldb: Add missing break in switch statement




(cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)
Andreas Schneider <asn@samba.org> yes upstream 2021-02-01
0107-CVE-2020-25718-ldb.h-remove-undefined-async_ctx-func.patch [PATCH 107/361] CVE-2020-25718 ldb.h: remove undefined async_ctx function signatures

These functions do not exist.



(cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2020-12-19
0108-CVE-2020-25718-ldb-correct-comments-in-attrib_hander.patch [PATCH 108/361] CVE-2020-25718 ldb: correct comments in attrib_handers val_to_int64

c.f. the identical static function in lib/ldb-samba/ldif_handlers.c



(cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-03-06
0109-CVE-2020-25718-ldb-improve-comments-for-ldb_module_c.patch [PATCH 109/361] CVE-2020-25718 ldb: improve comments for ldb_module_connect_backend()

There is no flags argument.
There are more URI forms.



(cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-01-29
0110-CVE-2020-25718-pyldb-fix-a-typo.patch [PATCH 110/361] CVE-2020-25718 pyldb: fix a typo


(cherry picked from commit 6fcde09f093db5d26c582a3c28531265f06b9fde)
Björn Baumbach <bb@sernet.de> yes upstream 2021-01-18
0111-CVE-2020-25718-lib-ldb-Use-C99-initializers-for-buil.patch [PATCH 111/361] CVE-2020-25718 lib:ldb: Use C99 initializers for builtin_popt_options[]



(cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)
Andreas Schneider <asn@samba.org> yes upstream 2020-12-17
0112-CVE-2020-25718-lib-ldb-samba-Improve-calculate_popt_.patch [PATCH 112/361] CVE-2020-25718 lib:ldb-samba: Improve calculate_popt_array_length()

Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset | size */ type = struct poptOption {
/* 0 | 8 */ const char *longName;
/* 8 | 1 */ char shortName;
/* XXX 3-byte hole */
/* 12 | 4 */ unsigned int argInfo;
/* 16 | 8 */ void *arg;
/* 24 | 4 */ int val;
/* XXX 4-byte hole */
/* 32 | 8 */ const char *descrip;
/* 40 | 8 */ const char *argDescrip;

/* total size (bytes): 48 */



(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)
Andreas Schneider <asn@samba.org> yes upstream 2020-12-17
0113-CVE-2020-25718-ldb_controls-control_to_string-avoids.patch [PATCH 113/361] CVE-2020-25718 ldb_controls: control_to_string avoids crash

Otherwise a malformed control with unexpected NULL data will segfault
ldb_control_to_string(), though this is not very likely to affect
anyone in practice as converting controls to strings is rarely
necessary. If it happens at all in Samba it is in Python code.

Found by Honggfuzz using fuzz_ldb_parse_control.


Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184


(cherry picked from commit 2aace18f170644da9c293342a6df5e5b2ae8da25)
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2020-07-24
0114-CVE-2020-25718-lib-Add-hex_byte-to-replace.h.patch [PATCH 114/361] CVE-2020-25718 lib: Add "hex_byte()" to replace.h
This is required in quite a few places, and replace.h has things like
ZERO_STRUCT already, so this is not completely out of place.



(cherry picked from commit c8d9ce3f7c8c486ab21e320a0adcb71311dcb453)
Volker Lendecke <vl@samba.org> yes upstream 2021-01-04
0115-CVE-2020-25718-ldb-Use-hex_byte-in-ldb_binary_decode.patch [PATCH 115/361] CVE-2020-25718 ldb: Use hex_byte() in ldb_binary_decode()



(cherry picked from commit b6a57c49c00a778f954aaf10db6ebe6dca8f5ae2)
Volker Lendecke <vl@samba.org> yes upstream 2021-01-04
0116-CVE-2020-25718-ldb_kv_index-fix-empty-initializer-co.patch [PATCH 116/361] CVE-2020-25718 ldb_kv_index: fix empty initializer compile warning



(cherry picked from commit c862ad64aea31d1d5ec66385bb50d9b97e609071)
Björn Jacke <bj@sernet.de> yes upstream 2020-10-19
0117-CVE-2020-25718-ldb-version-2.2.3.patch [PATCH 117/361] CVE-2020-25718 ldb: version 2.2.3
Backport all C code changes from ldb-2.4.1
to be available for Samba 4.13.x
Stefan Metzmacher <metze@samba.org> yes upstream 2021-11-02
0118-CVE-2020-25717-winbind.idl-rename-wbint_TransID.type.patch [PATCH 118/361] CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint

This makes it clear that it's a hint from the parent to the
child.




(cherry picked from commit 1576421dbdd2cfe9a47516224cb54bf15ba51132)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0119-CVE-2020-25717-s3-passdb-use-ID_TYPE_-instead-of-WBC.patch [PATCH 119/361] CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*

Currently these enums have the same values, but that will
change in future.




(cherry picked from commit 58e9b62222ad62c81cdf11d704859a227cb2902b)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0120-CVE-2020-25717-test_idmap_tdb_common-correctly-initi.patch [PATCH 120/361] CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function




(cherry picked from commit f5eec89011cf7b577375d83247524587f170b592)
Stefan Metzmacher <metze@samba.org> yes upstream 2019-03-21
0121-CVE-2020-25717-winbindd-idmap-apply-const-to-struct-.patch [PATCH 121/361] CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers




(cherry picked from commit 95b0dac0af5bc7ee85c6c8099dda135c36c9684b)
Stefan Metzmacher <metze@samba.org> yes upstream 2019-03-21
0122-CVE-2020-25717-winbindd-idmap-apply-const-to-struct-.patch [PATCH 122/361] CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers




(cherry picked from commit 7518a0ca32cade2b8b9eac0e2b5416ae685ffcff)
Stefan Metzmacher <metze@samba.org> yes upstream 2019-03-21
0123-CVE-2020-25717-wb_queryuser-avoid-idmap_child-and-us.patch [PATCH 123/361] CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead

This is the only aspect we need here.




(cherry picked from commit 7dbe5b4897448aa71b5a8a2175850b4010316b88)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0124-CVE-2020-25717-wb_xids2sids-avoid-idmap_child-and-us.patch [PATCH 124/361] CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead

This is the only aspect we need here.




(cherry picked from commit 5cc21a9d319e00397ad98900d81ffb9d1d70514f)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0125-CVE-2020-25717-wb_sids2xids-avoid-idmap_child-and-us.patch [PATCH 125/361] CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead

This is the only aspect we need here.




(cherry picked from commit 1694de1ae6ce63377d0afc47e84e55e4745905d7)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-10
0126-CVE-2020-25717-winbindd-add-and-use-idmap_child_pid.patch [PATCH 126/361] CVE-2020-25717 winbindd: add and use idmap_child_pid()

We should avoid calling idmap_child() as much as possible.




(cherry picked from commit 2103543629004a3a22e7bf60305bb15bf3b316be)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0127-CVE-2020-25717-winbindd-add-and-use-is_idmap_child.patch [PATCH 127/361] CVE-2020-25717 winbindd: add and use is_idmap_child()
We should avoid calling idmap_child() as much as possible.




(cherry picked from commit cd9a9702c1f97c47bd3447e2014eeff3e56268cf)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0128-CVE-2020-25717-winbindd-add-generic-wb_parent_idmap_.patch [PATCH 128/361] CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers

This is more or less a copy of wb_xids2sids_init_dom_maps_send/recv,
but it's more generic and doesn't imply global state.

It also closes an initialization race by using a tevent_queue to
serialize the calls.

In the next commits we'll replace wb_xids2sids_init_dom_maps_send/recv.

We'll also use the new function in the wb_sids2xids code.




(cherry picked from commit 209e81a2ea8c972ee57e2f0c9579da843c0e2ac7)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0129-CVE-2020-25717-wb_xids2sids-make-use-of-the-new-wb_p.patch [PATCH 129/361] CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers




(cherry picked from commit a8f57c94fc2294c309ecb18ea79d0acac86c495b)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0130-CVE-2020-25717-wb_sids2xids-call-wb_parent_idmap_set.patch [PATCH 130/361] CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step

This isn't really used yet, but it will in the next commits.

Also idmap_child_handle() will soon assert that
wb_parent_idmap_setup_send/recv() was called before it's used.




(cherry picked from commit d42aaeba6e0820acd17f204ff7ab6d1aede1b303)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0131-CVE-2020-25717-wb_queryuser-explain-why-wb_parent_id.patch [PATCH 131/361] CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed




(cherry picked from commit 82fd07793f065e150729848566e7c30f4f4d472e)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0132-CVE-2020-25717-winbindd-assert-wb_parent_idmap_setup.patch [PATCH 132/361] CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()




(cherry picked from commit b8c74b7b46d1c7f6b66e565ee08f8c88d6dc2cc4)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0133-CVE-2020-25717-winbindd-defer-the-setup_child-from-i.patch [PATCH 133/361] CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()

At startup we trigger a wb_parent_idmap_setup_send() and make
sure setup_child() is called just before wb_parent_idmap_setup_recv()
finished.

This makes sure our view of the idmap config in the parent matches
what we have in the child.




(cherry picked from commit 28e020c0a863411cfa95e3b1ed943d922b8635bd)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0134-CVE-2020-25717-wb_sids2xids-split-out-wb_sids2xids_n.patch [PATCH 134/361] CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()

Put the code that calls the per-domain idmap backend
in its own function.

This makes further reconstruction easier.





(cherry picked from commit 79c1d3aaf6d465a8edd1871edb85211f8715fea1)
Ralph Boehme <slow@samba.org> yes upstream 2020-07-03
0135-CVE-2020-25717-wb_sids2xids-maintain-struct-wbint_Tr.patch [PATCH 135/361] CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache

Entries with domain_index == UINT32_MAX are valid cache entries.

In the following commits we'll fill in missing entries step by step
until all entries are marked as filled.




(cherry picked from commit 04956350a5725325954b2caba662ecd6dace7829)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-10
0136-CVE-2020-25717-wb_sids2xids-rename-non_cached-to-loo.patch [PATCH 136/361] CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'

This array is used to pass to wb_lookupsids_send()
and that will be the only reason to have this in future.

For now it's used for all non cached sids, but that will
also change in the next commits.




(cherry picked from commit 797b11f198e819300007997ce536bc6d05f19843)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-10
0137-CVE-2020-25717-wb_sids2xids-move-more-checks-to-wb_s.patch [PATCH 137/361] CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()

For the first run this is a no-op, but it simplifies the caller.

We'll call wb_sids2xids_next_sids2unix() in a few more places in future
and it's easier to have this all within wb_sids2xids_next_sids2unix().




(cherry picked from commit 231c8d04b19a1c17937f988d142ca5c0f889d4e0)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0138-CVE-2020-25717-wb_sids2xids-inline-wb_sids2xids_extr.patch [PATCH 138/361] CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()

Instead of re-creating the dom_ids element,
we just use a pre-allocated map_ids_in array.

This is a bit tricky as we need to use map_ids_out as a copy of
map_ids_in, because the _ids argument of dcerpc_wbint_Sids2UnixIDs_send()
is [in,out], which means that _ids->ids is changed between
dcerpc_wbint_Sids2UnixIDs_send() and dcerpc_wbint_Sids2UnixIDs_recv()!

If the domain doesn't need any mappings, we'll move to the next domain
early; for now this can't happen but it will in future.




(cherry picked from commit f6bb0ed21f82f2cf1f238f9f00cd049ecf8673af)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0139-CVE-2020-25717-wb_sids2xids-refactor-wb_sids2xids_do.patch [PATCH 139/361] CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit

Here we don't change the logic.

It will make the following changes easier.




(cherry picked from commit cda61f592a0b33d36da8da9b6837312396cceec4)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0140-CVE-2020-25717-wb_sids2xids-change-i-to-li-in-wb_sid.patch [PATCH 140/361] CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()

With all the indexes we have into various arrays, this makes clear
'li' is the index into the state->lookup_sids array.

This makes the following changes easier to review.




(cherry picked from commit 19c8b6a8b188e45a6342a3d1308085800388a38e)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0141-CVE-2020-25717-wb_sids2xids-directly-use-state-all_i.patch [PATCH 141/361] CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results

In order to translate the indexes from state->lookup_sids[]
for wb_lookupsids_send/recv() and state->map_ids.ids[]
for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].

This simplifies wb_sids2xids_recv() a lot and makes further
restructuring much easier.




(cherry picked from commit 374acc2e5fcc3c4b40f41906d0349499e3304841)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0142-CVE-2020-25717-wb_sids2xids-fill-cache-as-soon-as-po.patch [PATCH 142/361] CVE-2020-25717 wb_sids2xids: fill cache as soon as possible

After adding entries to the cache we can mark them
as filled from the cache by setting its domain_index
to UINT32_MAX.

This will allow further changes to fill the results
into state->all_ids in steps.




(cherry picked from commit 3f4626ea6d235470195918b77af35ac2cfeb227c)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-10
0143-CVE-2020-25717-wb_sids2xids-build-state-idmap_doms-b.patch [PATCH 143/361] CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config

In future we'll try to avoid wb_lookupsids_send() and only call
it if needed.

The domain name passed should be only relevant to find the correct
idmap backend, and these should all be available in
wb_parent_idmap_config as it was created before the idmap child was forked.




(cherry picked from commit c55f4f37589130a0d8952489da175bbcf53f6748)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-10
0144-CVE-2020-25717-winbindd-allow-idmap-backends-to-mark.patch [PATCH 144/361] CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE

This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.




(cherry picked from commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-15
0145-CVE-2020-25717-wb_sids2xids-defer-skip-wb_lookupsids.patch [PATCH 145/361] CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE

We try to give a valid hint for predefined sids and
pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid.

In most cases the idmap child/backend does not require a type_hint
as mappings already exist.

This is a speed up as we no longer need to contact a domain controller.

It's also possible to accept kerberos authentication without reaching
out to a domain controller at all (if the idmap backend doesn't need a
hint).



Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184


(cherry picked from commit 54b4d2d3cb307019a260d15c6e6b4a3fb7fc337c)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-09-11
0146-CVE-2020-25717-s3-idmap_hash-reliable-return-ID_TYPE.patch [PATCH 146/361] CVE-2020-25717 s3:idmap_hash: reliably return ID_TYPE_BOTH

idmap_hash used to bounce back the requested type,
which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED
before, as the winbindd parent always used a lookupsids.
When the lookupsids failed because of an unknown domain,
the idmap child wasn't requested at all and the caller
sees ID_TYPE_NOT_SPECIFIED.

This module should have supported ID_TYPE_BOTH since
samba-4.1.0, similar to idmap_rid and idmap_autorid.

Now that the winbindd parent will pass ID_TYPE_BOTH in order to
indicate that the domain exists, it's better to always return
ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID
or ID_TYPE_BOTH. In order to request a type_hint it will return
ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that
the parent at least assures that the domain sid exists.
And the caller still gets ID_TYPE_NOT_SPECIFIED if the
domain doesn't exist.



Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184

(cherry picked from commit d8339056eef2845805f573bd8b0f3323370ecc8f)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 27 17:06:51 UTC 2021 on sn-devel-184


(cherry picked from commit 99673b77b069674a6145552eb870de8829dfa503)
Stefan Metzmacher <metze@samba.org> yes upstream 2020-10-23
0147-CVE-2020-25717-winbindd-call-wb_parent_idmap_setup_s.patch [PATCH 147/361] CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()


(cherry picked from commit 39c2ec72cb77945c3eb611fb1d7d7e9aad52bdfd)


(cherry picked from commit 7d1dd87a6538f8c7f1e4938b0ff52cbd231fff90)
Ralph Boehme <slow@samba.org> yes upstream 2021-08-31
0148-CVE-2020-25717-winbind-ensure-wb_parent_idmap_setup_.patch [PATCH 148/361] CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()



Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 2 15:20:06 UTC 2021 on sn-devel-184

(cherry picked from commit d0f6d54354b02f5591706814fbd1e4844788fdfa)


(cherry picked from commit 446f89510f2e55a551e2975a6cbf01c6a023ba0c)
Ralph Boehme <slow@samba.org> yes upstream 2021-08-20
0149-CVE-2020-25717-auth_sam-use-pdb_get_domain_info-to-l.patch [PATCH 149/361] CVE-2020-25717 auth_sam: use pdb_get_domain_info to look up DNS forest information

When Samba is used as a part of FreeIPA domain controller, Windows
clients for a trusted AD forest may try to authenticate (perform logon
operation) as a REALM\name user account.

Fix auth_sam plugins to accept DNS forest name if we are running on a DC
with PASSDB module providing domain information (e.g. pdb_get_domain_info()
returning non-NULL structure). Right now, only FreeIPA or Samba AD DC
PASSDB backends return this information but Samba AD DC configuration is
explicitly ignored by the two auth_sam (strict and netlogon3) modules.

Detailed logs below:

[2020/11/11 09:23:53.281296, 1, pid=42677, effective(65534, 65534), real(65534, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:482(ndr_print_function_debug)
netr_LogonSamLogonWithFlags: struct netr_LogonSamLogonWithFlags
in: struct netr_LogonSamLogonWithFlags
server_name : *
server_name : '\\master.ipa.test'
computer_name : *
computer_name : 'AD1'
credential : *
credential: struct netr_Authenticator
cred: struct netr_Credential
data : 529f4b087c5f6546
timestamp : Wed Nov 11 09:23:55 AM 2020 UTC
return_authenticator : *
return_authenticator: struct netr_Authenticator
cred: struct netr_Credential
data : 204f28f622010000
timestamp : Fri May 2 06:37:50 AM 1986 UTC
logon_level : NetlogonNetworkTransitiveInformation (6)
logon : *
logon : union netr_LogonLevel(case 6)
network : *
network: struct netr_NetworkInfo
identity_info: struct netr_IdentityInfo
domain_name: struct lsa_String
length : 0x0010 (16)
size : 0x01fe (510)
string : *
string : 'IPA.TEST'
parameter_control : 0x00002ae0 (10976)
0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
0: MSV1_0_UPDATE_LOGON_STATISTICS
0: MSV1_0_RETURN_USER_PARAMETERS
0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
1: MSV1_0_RETURN_PASSWORD_EXPIRY
1: MSV1_0_USE_CLIENT_CHALLENGE
0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
1: MSV1_0_RETURN_PROFILE_PATH
0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
0: MSV1_0_DISABLE_PERSONAL_FALLBACK
1: MSV1_0_ALLOW_FORCE_GUEST
0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
0: MSV1_0_ALLOW_MSVCHAPV2
0: MSV1_0_S4U2SELF
0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
0: MSV1_0_SUBAUTHENTICATION_DLL_EX
logon_id : 0x0000000000884ef2 (8933106)
account_name: struct lsa_String
length : 0x000e (14)
size : 0x000e (14)
string : *
string : 'idmuser'
workstation: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
challenge : 417207867bd33c74
nt: struct netr_ChallengeResponse
length : 0x00c0 (192)
size : 0x00c0 (192)
data : *
data: ARRAY(192)
[0000] A5 24 62 6E 31 DF 69 66 9E DC 54 D6 63 4C D6 2F .$bn1.if ..T.cL./
[0010] 01 01 00 00 00 00 00 00 50 37 D7 60 0C B8 D6 01 ........ P7.`....
[0020] 15 1B 38 4F 47 95 4D 62 00 00 00 00 02 00 0E 00 ..8OG.Mb ........
[0030] 57 00 49 00 4E 00 32 00 30 00 31 00 36 00 01 00 W.I.N.2. 0.1.6...
[0040] 06 00 41 00 44 00 31 00 04 00 18 00 77 00 69 00 ..A.D.1. ....w.i.
[0050] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
[0060] 73 00 74 00 03 00 20 00 61 00 64 00 31 00 2E 00 s.t... . a.d.1...
[0070] 77 00 69 00 6E 00 32 00 30 00 31 00 36 00 2E 00 w.i.n.2. 0.1.6...
[0080] 74 00 65 00 73 00 74 00 05 00 18 00 77 00 69 00 t.e.s.t. ....w.i.
[0090] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
[00A0] 73 00 74 00 07 00 08 00 50 37 D7 60 0C B8 D6 01 s.t..... P7.`....
[00B0] 06 00 04 00 02 00 00 00 00 00 00 00 00 00 00 00 ........ ........
lm: struct netr_ChallengeResponse
length : 0x0018 (24)
size : 0x0018 (24)
data : *
data : 000000000000000000000000000000000000000000000000
validation_level : 0x0006 (6)
flags : *
flags : 0x00000000 (0)
0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST

In such case checks for a workgroup name will not match the DNS forest
name used in the username specification:

[2020/11/11 09:23:53.283055, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [IPA.TEST]\[idmuser]@[] with the new password interface
[2020/11/11 09:23:53.283073, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [IPA.TEST]\[idmuser]@[]
[2020/11/11 09:23:53.283082, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:213(auth_check_ntlm_password)
check_ntlm_password: auth_context challenge created by fixed
[2020/11/11 09:23:53.283091, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:216(auth_check_ntlm_password)
challenge is:
[2020/11/11 09:23:53.283099, 5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../lib/util/util.c:678(dump_data)
[0000] 41 72 07 86 7B D3 3C 74 Ar..{.<t
[2020/11/11 09:23:53.283113, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:209(auth_sam_netlogon3_auth)
auth_sam_netlogon3_auth: Check auth for: [IPA.TEST]\[idmuser]
[2020/11/11 09:23:53.283123, 5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:234(auth_sam_netlogon3_auth)
auth_sam_netlogon3_auth: IPA.TEST is not our domain name (DC for IPA)
[2020/11/11 09:23:53.283131, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
auth_check_ntlm_password: sam_netlogon3 had nothing to say

and the overall authentication attempt will fail: auth_winbind will complain
that this domain is not a trusted one and refuse to operate on it:

[2020/11/11 09:23:53.283784, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:742(process_request_send)
process_request_send: process_request: Handling async request smbd(42677):PAM_AUTH_CRAP
[2020/11/11 09:23:53.283796, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:110(winbindd_pam_auth_crap_send)
[42677]: pam auth crap domain: [IPA.TEST] user: idmuser
[2020/11/11 09:23:53.283810, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:409(find_auth_domain)
Authentication for domain [IPA.TEST] refused as it is not a trusted domain
[2020/11/11 09:23:53.283825, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
process_request_done: [smbd(42677):PAM_AUTH_CRAP]: NT_STATUS_NO_SUCH_USER
[2020/11/11 09:23:53.283844, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:855(process_request_written)
process_request_written: [smbd(42677):PAM_AUTH_CRAP]: delivered response to client



(cherry picked from commit 2a8b672652dcbcf55ec59be537773d76f0f14d0a)
Alexander Bokovoy <ab@samba.org> yes upstream 2020-11-11
0150-CVE-2020-25717-lookup_name-allow-lookup-names-prefix.patch [PATCH 150/361] CVE-2020-25717 lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC

In a FreeIPA deployment with an active Global Catalog service, when a two-way
trust to an Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using the security tab in Windows
Explorer on the AD side, a lookup over a trusted forest might come as
realm\name instead of the NetBIOS domain name:
Alexander Bokovoy <ab@samba.org> no 2020-11-10
0151-CVE-2020-25717-auth_generic-fix-empty-initializer-co.patch [PATCH 151/361] CVE-2020-25717 auth_generic: fix empty initializer compile warning



(cherry picked from commit cce4e8012c5eafb6d98111b92923d748d72d077b)
Björn Jacke <bj@sernet.de> yes upstream 2020-10-18
0152-CVE-2020-25717-selftest-Pass-down-the-machine-accoun.patch [PATCH 152/361] CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member



(cherry picked from commit fbe68dcbb783409589cdefd8ee551c9971c51f08)

Needed as preparation for CVE-2020-25717
Andreas Schneider <asn@samba.org> yes upstream 2021-05-11
0153-CVE-2020-25717-selftest-Only-set-netbios-aliases-for.patch [PATCH 153/361] CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env

The provision_ad_member() function is reused by different
setup_ad_member*() functions. Each environment needs to have unique
netbios aliases as they are all in the same network.
The aliases should only be set for the 'ad_member' environment.


Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 11 01:26:36 UTC 2021 on sn-devel-184


(cherry picked from commit e165dcc770ec58c3749d653d6cb85f6ecf9479d6)
Andreas Schneider <asn@samba.org> yes upstream 2021-06-10
0154-CVE-2020-25717-auth3-Simplify-check_samba4_security.patch [PATCH 154/361] CVE-2020-25717 auth3: Simplify check_samba4_security()

First set up "server_info" in a local variable and once it's fully set
up, assign it to the out parameter "pserver_info".

Pointer dereferencing obfuscates the code for me.



(cherry picked from commit 062a0c14c6ee0b74e7619af73747df59c5e67672)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-14
0155-CVE-2020-25717-auth-Simplify-DEBUG-statements-in-mak.patch [PATCH 155/361] CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()



(cherry picked from commit 8536bf7fce41c43bbed25f7ed4ce5775a1b9c0d5)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-13
0156-CVE-2020-25717-auth4-Make-auth_anonymous-pseudo-asyn.patch [PATCH 156/361] CVE-2020-25717 auth4: Make auth_anonymous pseudo-async



(cherry picked from commit 759573136876ef2b1b1c7484f99570d7de957e0d)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-14
0157-CVE-2020-25717-auth4-Make-auth_developer-pseudo-asyn.patch [PATCH 157/361] CVE-2020-25717 auth4: Make auth_developer pseudo-async

This is a simpler approach to really just wrap the code.



(cherry picked from commit 43a1e42815718591faa8d526319b96d089a758fa)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-14
0158-CVE-2020-25717-auth4-Make-auth_unix-pseudo-async.patch [PATCH 158/361] CVE-2020-25717 auth4: Make auth_unix pseudo-async


(cherry picked from commit a6f42ab8a778b9863990da3112c2e868cd006303)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-14
0159-CVE-2020-25717-auth4-Make-auth_sam-pseudo-async.patch [PATCH 159/361] CVE-2020-25717 auth4: Make auth_sam pseudo-async


(cherry picked from commit f852fb4cd4e2bcd676a9ea104c5bf00979771eed)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-15
0160-CVE-2020-25717-auth4-Remove-sync-check_password-from.patch [PATCH 160/361] CVE-2020-25717 auth4: Remove sync check_password from auth_operations

Remove complexity in the data structures, and push the async-ness
one level down.



(cherry picked from commit 254af19ba89b4c42e5f45ec731e6577d2fcc6736)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-14
0161-CVE-2020-25719-selftest-knownfail_mit_kdc-Add-pointl.patch [PATCH 161/361] CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly Stefan Metzmacher <metze@samba.org> yes upstream 2021-11-02
0162-CVE-2020-25722-selftest-Move-self.assertRaisesLdbErr.patch [PATCH 162/361] CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase

This is easier to reason with regarding which cases should work
and which cases should fail, avoiding issues where more success
than expected would be OK because a self.fail() was missed in a


(cherry picked from commit 298515cac2f35082483c2b4e4b7dbfe4df1d2e0c)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-13
0163-CVE-2020-25722-selftest-Modernise-user_account_contr.patch [PATCH 163/361] CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU

We set and use a single self.OU to ensure consistency and
reduce string duplication.

(cherry picked from commit 8b078bbf8717b9407cdbc1588dd065164ab78e1b)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0164-CVE-2020-25722-selftest-Use-addCleanup-rather-than-t.patch [PATCH 164/361] CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py

self.addCleanup() is called regardless of the test failure or error status
and so is more reliable, particularly during development.

(cherry picked from commit 8c455268165f0bbfce17407df2c1746a0e03f828)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0165-CVE-2020-25722-pydsdb-Add-API-to-return-strings-of-k.patch [PATCH 165/361] CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags

(cherry picked from commit fb6c0b9e2a10c9559d3e056bb020bd2c990da998)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0177-CVE-2020-25722-selftest-allow-for-future-failures-in.patch [PATCH 177/361] CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind

This allows for any failures here to be handled via the knownfail system.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-20
0166-CVE-2020-25722-selftest-Use-DynamicTestCase-in-user_.patch [PATCH 166/361] CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()

This is a nice easy example of how the test generation
code works, and it combined nicely with the earlier
patch to return string names from the UF_ constants.

(cherry picked from commit 8701ce492fc3a209035b152961d8c17e801b082a)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0167-CVE-2020-25722-selftest-Replace-internal-loop-in-tes.patch [PATCH 167/361] CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass

This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.

(cherry picked from commit 60f1b6cf0ef0bf6736d8db9c53fa48fe9f3d8e75)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0168-CVE-2020-25722-selftest-Replace-internal-loop-in-tes.patch [PATCH 168/361] CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass

This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.

(cherry picked from commit 17ae0319db53a7b88e7fb44a9e2fd4bf1d1daa0e)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0169-CVE-2020-25722-selftest-Update-user_account_control-.patch [PATCH 169/361] CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019

This gets us closer to passing against Windows 2019, without
making major changes to what was tested. More tests are needed,
but it is important to get what was being tested tested again.

Account types (e.g. UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
are now required on all objects; they can't be omitted any more.

Also, for UF_NORMAL_ACCOUNT accounts without a password
set, |UF_PASSWD_NOTREQD must be included.


Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184

(cherry picked from commit d12cb47724c2e8d19a28286d4c3ef72271a002fd)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-30
0170-CVE-2020-25722-selftest-Use-self.assertRaisesLdbErro.patch [PATCH 170/361] CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test

This changes most of the simple pattern with self.samdb.modify()
to use the wrapper. Some other calls still need to be converted, while
the complex decision tree tests should remain as-is for now.



Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 4 21:55:43 UTC 2021 on sn-devel-184

(cherry picked from commit b45190bdac7bd9dcefd5ed88be4bd9a97a712664)
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-16
0184-CVE-2020-25722-selftest-priv_attrs-Mention-that-thes.patch [PATCH 184/361] CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now) Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-28
0171-CVE-2020-17049-tests-krb5-Check-account-name-and-SID.patch [PATCH 171/361] CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests



Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184

(cherry picked from commit c174e9ebe715aad6910d53c1f427a0512c09d651)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-21
0172-CVE-2020-25722-dsdb-Tests-for-our-known-set-of-privi.patch [PATCH 172/361] CVE-2020-25722 dsdb: Tests for our known set of privileged attributes

This, except for where we choose to disagree, does pass
against Windows 2019.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-10
0173-CVE-2020-25722-dsdb-Move-krbtgt-password-setup-after.patch [PATCH 173/361] CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed

This allows the add of an RODC, before setting the password, to avoid
this module, which helps isolate testing of security around the
msDS-SecondaryKrbTgtNumber attribute.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-12
0174-CVE-2020-25722-dsdb-Restrict-the-setting-of-privileg.patch [PATCH 174/361] CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify

The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.

A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCOUNT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-08-13
0175-CVE-2020-25722-selftest-Extend-priv_attrs-test-work-.patch [PATCH 175/361] CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-13
0176-CVE-2020-25722-selftest-Test-combinations-of-account.patch [PATCH 176/361] CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user

The idea here is to split out the restrictions seen on Windows 2019
at the schema level, as seen when acting as an administrator.

These pass against Windows 2019 except for the account type swapping
which is not wanted.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-13
0178-CVE-2020-25722-selftest-Catch-possible-errors-in-Pas.patch [PATCH 178/361] CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()

This allows future patches to restrict changing the account type
without triggering an error.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-20
0179-CVE-2020-25722-selftest-Catch-errors-from-samdb.modi.patch [PATCH 179/361] CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests

This will allow these to be listed in a knownfail shortly.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-17
0180-CVE-2020-25722-dsdb-objectclass-computer-becomes-UF_.patch [PATCH 180/361] CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default

There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.

This default applies even to users with administrator rights,
as changing the default based on permissions would break
too many assumptions.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-16
0181-CVE-2020-25722-dsdb-Improve-privileged-and-unprivile.patch [PATCH 181/361] CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/dollar/UAC

This helps ensure we cover off all the cases that matter
for objectclass/trailing-dollar/userAccountControl.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0182-CVE-2020-25722-dsdb-Add-tests-for-modifying-objectCl.patch [PATCH 182/361] CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0183-CVE-2020-25722-dsdb-Prohibit-mismatch-between-UF_-ac.patch [PATCH 183/361] CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.

There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.

The restriction is not applied to users with administrator rights,
as this breaks a lot of tests and provides no security benefit.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0185-CVE-2020-25722-selftest-Adapt-selftest-to-restrictio.patch [PATCH 185/361] CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types

This makes many of our tests pass again. We do not pass against Windows 2019 on all
as this does not have this restriction at this time.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0186-CVE-2020-25722-dsdb-samldb_objectclass_trigger-is-on.patch [PATCH 186/361] CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation

This makes the code less indented and simpler to understand.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-22
0187-CVE-2020-25722-dsdb-Add-restrictions-on-computer-acc.patch [PATCH 187/361] CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $ Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-22
0188-CVE-2020-25722-selftest-Adapt-sam.py-test_isCritical.patch [PATCH 188/361] CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default

Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
by default and so this test must adapt.

The changes to this test pass against Windows 2019 except for
the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0189-CVE-2020-25722-samdb-Fill-in-isCriticalSystemObject-.patch [PATCH 189/361] CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0190-CVE-2020-25722-selftest-Split-test_userAccountContro.patch [PATCH 190/361] CVE-2020-25722 selftest: Split test_userAccountControl into unit tests

The parts that create and delete a single object can be
safely split out into an individual test.

At this point the parts that fail against Windows 2019 are:

_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0198-CVE-2020-25721-krb5pac-Add-new-buffers-for-samAccoun.patch [PATCH 198/361] CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID

These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-27
0191-CVE-2020-25722-selftest-Adjust-sam.py-test_userAccou.patch [PATCH 191/361] CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality

We now enforce that a trust account must be a user.

These cannot be added over LDAP anyway, and our C
code in the RPC server gets this right in any case.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0192-CVE-2020-25722-selftest-New-objects-of-objectclass-c.patch [PATCH 192/361] CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0193-CVE-2020-25722-selftest-Adapt-sam.py-test-to-userAcc.patch [PATCH 193/361] CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0194-CVE-2020-25722-selftest-adapt-ldap.py-sam.py-test_al.patch [PATCH 194/361] CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour

Objects of objectclass computer are computers by default now, and this changes
the sAMAccountType and primaryGroupID as well as userAccountControl.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-21
0195-CVE-2020-25722-selftest-Allow-self.assertRaisesLdbEr.patch [PATCH 195/361] CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0196-CVE-2020-25722-selftest-user_account_control-Allow-a.patch [PATCH 196/361] CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors

This favors a test that confirms we got an error over getting exactly
the right error, at least for now.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0197-CVE-2020-25722-selftest-user_account_control-more-wo.patch [PATCH 197/361] CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock

This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-22
0199-CVE-2020-25718-tests-krb5-Allow-tests-accounts-to-re.patch [PATCH 199/361] CVE-2020-25718 tests/krb5: Allow test accounts to replicate to RODC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-20
0200-CVE-2020-25719-CVE-2020-25717-tests-krb5-Modify-get_.patch [PATCH 200/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange() Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-18
0201-CVE-2020-25719-CVE-2020-25717-tests-krb5-Add-pac_req.patch [PATCH 201/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket() Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-18
0202-CVE-2020-25722-tests-krb5-Allow-creating-server-acco.patch [PATCH 202/361] CVE-2020-25722 tests/krb5: Allow creating server accounts Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-08
0203-CVE-2020-25719-tests-krb5-Add-is_tgt-helper-method.patch [PATCH 203/361] CVE-2020-25719 tests/krb5: Add is_tgt() helper method Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-09-30
0204-CVE-2020-25719-tests-krb5-Add-method-to-get-unique-u.patch [PATCH 204/361] CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-19
0205-MS-CVE-2020-17049-tests-krb5-Allow-tests-to-pass-if-.patch [PATCH 205/361] MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-20
0206-CVE-2020-25721-tests-krb5-Check-PAC-buffer-types-whe.patch [PATCH 206/361] CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0 Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-21
0207-CVE-2020-25719-CVE-2020-25717-tests-krb5-Refactor-cr.patch [PATCH 207/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service

This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-22
0208-CVE-2020-25719-CVE-2020-25717-tests-krb5-Allow-creat.patch [PATCH 208/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-22
0209-CVE-2020-25722-tests-krb5-Add-KDC-tests-for-3-part-S.patch [PATCH 209/361] CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-21
0210-CVE-2020-25721-ndrdump-Add-tests-for-PAC-with-UPN_DN.patch [PATCH 210/361] CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-13
0211-CVE-2020-25719-tests-krb5-Add-tests-for-requiring-an.patch [PATCH 211/361] CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-18
0212-CVE-2020-25719-tests-krb5-Add-a-test-for-making-an-S.patch [PATCH 212/361] CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-19
0213-CVE-2020-25719-tests-krb5-Add-principal-aliasing-tes.patch [PATCH 213/361] CVE-2020-25719 tests/krb5: Add principal aliasing test Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-19
0214-CVE-2020-25718-tests-krb5-Add-tests-for-RODC-printed.patch [PATCH 214/361] CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-21
0215-CVE-2020-25719-tests-krb5-Add-tests-for-including-au.patch [PATCH 215/361] CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-28
0216-CVE-2020-25721-tests-krb5-Add-tests-for-extended-PAC.patch [PATCH 216/361] CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-21
0217-CVE-2020-25719-CVE-2020-25717-tests-krb5-Add-tests-f.patch [PATCH 217/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC

At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.

For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).

This will also help others doing backports that do not
take the full patch set.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-08-24
0218-CVE-2020-25719-CVE-2020-25717-selftest-remove-gensec.patch [PATCH 218/361] CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings


[jsutton@samba.org Added knownfail entries]
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-22
0219-CVE-2020-25719-CVE-2020-25717-tests-krb5-Adapt-tests.patch [PATCH 219/361] CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0220-CVE-2020-25717-s3-winbindd-make-sure-we-default-to-r.patch [PATCH 220/361] CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true

We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-04
0221-CVE-2020-25717-s4-auth-ntlm-make-sure-auth_check_pas.patch [PATCH 221/361] CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true

We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-04
0222-CVE-2020-25717-s4-torture-start-with-authoritative-1.patch [PATCH 222/361] CVE-2020-25717: s4:torture: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0223-CVE-2020-25717-s4-smb_server-start-with-authoritativ.patch [PATCH 223/361] CVE-2020-25717: s4:smb_server: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0224-CVE-2020-25717-s4-auth_simple-start-with-authoritati.patch [PATCH 224/361] CVE-2020-25717: s4:auth_simple: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0225-CVE-2020-25717-s3-ntlm_auth-start-with-authoritative.patch [PATCH 225/361] CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0226-CVE-2020-25717-s3-torture-start-with-authoritative-1.patch [PATCH 226/361] CVE-2020-25717: s3:torture: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0227-CVE-2020-25717-s3-rpcclient-start-with-authoritative.patch [PATCH 227/361] CVE-2020-25717: s3:rpcclient: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0228-CVE-2020-25717-s3-auth-start-with-authoritative-1.patch [PATCH 228/361] CVE-2020-25717: s3:auth: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0266-CVE-2020-25722-pytest-test-setting-servicePrincipalN.patch [PATCH 266/361] CVE-2020-25722 pytest: test setting servicePrincipalName over ldap Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-08-06
0229-CVE-2020-25717-auth-ntlmssp-start-with-authoritative.patch [PATCH 229/361] CVE-2020-25717: auth/ntlmssp: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-26
0230-CVE-2020-25717-loadparm-Add-new-parameter-min-domain.patch [PATCH 230/361] CVE-2020-25717: loadparm: Add new parameter "min domain uid"




[abartlet@samba.org Backported from master/4.15 due to
conflicts with other new parameters]
Samuel Cabrero <scabrero@samba.org> yes upstream 2021-09-28
0231-CVE-2020-25717-selftest-Add-ad_member_no_nss_wb-envi.patch [PATCH 231/361] CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment

This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.

For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.




[abartlet@samba.org backported to Samba 4.14 without offline
tests in Samba3.pm]
Samuel Cabrero <scabrero@samba.org> yes upstream 2021-10-05
0232-CVE-2020-25717-selftest-Add-a-test-for-the-new-min-d.patch [PATCH 232/361] CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter




[abartlet@samba.org Fixed knownfail per instruction from metze]
Samuel Cabrero <scabrero@samba.org> yes upstream 2021-10-05
0233-CVE-2020-25717-s3-auth-let-auth3_generate_session_in.patch [PATCH 233/361] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors

Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-08
0234-CVE-2020-25717-s3-auth-Check-minimum-domain-uid.patch [PATCH 234/361] CVE-2020-25717: s3:auth: Check minimum domain uid



[abartlet@samba.org Removed knownfail on advice from metze]
Samuel Cabrero <scabrero@samba.org> yes upstream 2021-09-28
0297-CVE-2020-25719-tests-krb5-Don-t-expect-a-kvno-for-us.patch [PATCH 297/361] CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0235-CVE-2020-25717-s3-auth-we-should-not-try-to-autocrea.patch [PATCH 235/361] CVE-2020-25717: s3:auth: we should not try to autocreate the guest account

We should avoid autocreation of users as much as possible.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-08
0236-CVE-2020-25717-s3-auth-no-longer-let-check_account-a.patch [PATCH 236/361] CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users

So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).

This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-08
0237-CVE-2020-25717-s3-auth-remove-fallbacks-in-smb_getpw.patch [PATCH 237/361] CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account"), completely
ignoring the domain part; this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

Users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Ralph Boehme <slow@samba.org> yes upstream 2021-10-08
0238-CVE-2020-25717-s3-lib-add-lp_allow_trusted_domains-l.patch [PATCH 238/361] CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()

is_allowed_domain() is a central place we already use to
trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
we can add additional logic there.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-09-21
0239-CVE-2020-25717-s3-auth-don-t-let-create_local_token-.patch [PATCH 239/361] CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()

We always require a running winbindd on a domain member, so
we should rather fail a request instead of silently altering
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-04
0240-CVE-2020-25717-Add-FreeIPA-domain-controller-role.patch [PATCH 240/361] CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.
Alexander Bokovoy <ab@samba.org> yes upstream 2020-11-11
0241-CVE-2020-25719-CVE-2020-25717-auth-gensec-always-req.patch [PATCH 241/361] CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!

We still try to support standalone servers in an MIT realm,
as legacy setup.

[jsutton@samba.org Removed knownfail entries]
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-05
0242-CVE-2020-25719-CVE-2020-25717-s4-auth-remove-unused-.patch [PATCH 242/361] CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()

We'll require a PAC at the main gensec layer already.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-11
0243-CVE-2020-25717-s3-ntlm_auth-fix-memory-leaks-in-ntlm.patch [PATCH 243/361] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() Stefan Metzmacher <metze@samba.org> yes upstream 2021-09-21
0244-CVE-2020-25717-s3-ntlm_auth-let-ntlm_auth_generate_s.patch [PATCH 244/361] CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
Stefan Metzmacher <metze@samba.org> yes upstream 2021-09-21
0245-CVE-2020-25717-s3-auth-let-auth3_generate_session_in.patch [PATCH 245/361] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()

This consolidates the code paths used for NTLMSSP and Kerberos!

I checked what we were already doing for NTLMSSP, which is this:

a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.

For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:

a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses the first part of the ticket's principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally it falls back to using the realm as netbios domain name.
With this information it builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true.
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()

I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:

a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()

As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-04
0246-CVE-2020-25717-selftest-configure-ktest-env-with-win.patch [PATCH 246/361] CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid

The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.

This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.

As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.

As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order to get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-05
0247-CVE-2020-25717-s3-auth-let-auth3_generate_session_in.patch [PATCH 247/361] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode

We should be strict in standalone mode, in that we only support MIT realms
without a PAC, in order to keep the code sane.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-05
0248-CVE-2020-25717-s3-auth-simplify-get_user_from_kerber.patch [PATCH 248/361] CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument

This code is only ever called in standalone mode in an MIT realm,
which means we never have a PAC and we also don't have winbindd around.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-08
0249-CVE-2020-25717-s3-auth-simplify-make_session_info_kr.patch [PATCH 249/361] CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments

This is only ever called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-10-08
0250-CVE-2020-25722-Add-test-for-SPN-deletion-followed-by.patch [PATCH 250/361] CVE-2020-25722 Add test for SPN deletion followed by addition

[abartlet@samba.org Removed transaction hooks, these do nothing over
remote LDAP]
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-18
0251-CVE-2020-25722-s4-dsdb-tests-Add-missing-self.fail-c.patch [PATCH 251/361] CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls

Without these calls the tests could pass if an expected error did not
occur.

[abartlet@samba.org Included in backport as changing ACLs while
ACL tests are not checking for unexpected success would be bad]
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-08
0252-CVE-2020-25722-s4-acl-test-Control-Access-Rights-hon.patch [PATCH 252/361] CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute

Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests to verify this behavior.
Nadezhda Ivanova <nivanova@symas.com> yes upstream 2021-10-25
0253-CVE-2020-25722-s4-acl-Make-sure-Control-Access-Right.patch [PATCH 253/361] CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute

Validate Writes and Control Access Rights only grant access if the
object is of the type listed in the Right's appliesTo attribute. For
example, even though a Validated-SPN access may be granted to a user
object in the SD, it should only pass if the object is of class
computer. This patch enforces the appliesTo attribute classes for
access checks from within the ldb stack.
Nadezhda Ivanova <nivanova@symas.com> yes upstream 2021-10-18
0254-CVE-2020-25722-Check-all-elements-in-acl_check_spn-n.patch [PATCH 254/361] CVE-2020-25722 Check all elements in acl_check_spn() not just the first one

Thankfully we are already in a loop over all the message elements in
acl_modify() so this is an easy and safe change to make.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-11-01
0255-CVE-2020-25722-Check-for-all-errors-from-acl_check_e.patch [PATCH 255/361] CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()

We should not fail open on error.
Andrew Bartlett <abartlet@samba.org> no upstream 2021-11-01
0256-CVE-2020-25722-pytests-add-reverse-lookup-dict-for-L.patch [PATCH 256/361] CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes

You can give ldb_err() a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:

ldb_err(68)      # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68]  # "LDB_ERR_ENTRY_ALREADY_EXISTS"

expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
            ldb.ERR_INVALID_CREDENTIALS)
try:
    foo()
except ldb.LdbError as e:
    self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-04
0257-CVE-2020-25722-pytest-assertRaisesLdbError-invents-a.patch [PATCH 257/361] CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy

This makes it easier to convert tests that don't have good messages.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-24
0258-CVE-2020-25722-s4-dsdb-cracknames-always-free-tmp_ct.patch [PATCH 258/361] CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-08-11
0259-CVE-2020-25722-s4-cracknames-lookup_spn_alias-doesn-.patch [PATCH 259/361] CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-08-10
0260-CVE-2020-25722-samba-tool-spn-accept-H-for-database-.patch [PATCH 260/361] CVE-2020-25722 samba-tool spn: accept -H for database url

Following the convention and making testing easier
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-07-28
0261-CVE-2020-25722-samba-tool-spn-add-remove-force-optio.patch [PATCH 261/361] CVE-2020-25722 samba-tool spn add: remove --force option

This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that test fails, so
will others that depend on the duplicate values. So we remove those tests.

It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-08-27
0262-CVE-2020-25722-tests-blackbox-samba-tool-spn-non-adm.patch [PATCH 262/361] CVE-2020-25722 tests: blackbox samba-tool spn non-admin test

It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-09-01
0263-CVE-2020-25722-s4-provision-add-host-SPNs-at-the-sta.patch [PATCH 263/361] CVE-2020-25722 s4/provision: add host/ SPNs at the start

There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-28
0264-CVE-2020-25722-blackbox-upgrades-tests-ignore-SPN-fo.patch [PATCH 264/361] CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp

We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-28
0265-CVE-2020-25722-pytest-test-sAMAccountName-userPrinci.patch [PATCH 265/361] CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap

Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-09-13
0267-CVE-2020-25722-s4-cracknames-add-comment-pointing-to.patch [PATCH 267/361] CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling

These need to stay a little bit in sync. The reverse comment is there.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-08-12
0268-CVE-2020-25722-s4-dsdb-samldb-add-samldb_get_single_.patch [PATCH 268/361] CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper

This takes a string of logic out of samldb_unique_attr_check() that we
are going to need in other places, and that would be very tedious to
repeat.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0269-CVE-2020-25722-s4-dsdb-samldb-unique_attr_check-uses.patch [PATCH 269/361] CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr() Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0270-CVE-2020-25722-s4-dsdb-samldb-check-for-clashes-in-U.patch [PATCH 270/361] CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames

We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
but we also have to check against the values these imply in each other.

For example, imagine users with SAM account names "Alice" and "Bob" in
the realm "example.com". If they do not have explicit UPNs, by the logic
of MS-ADTS 5.1.1.1.1 they use the implicit UPNs "alice@example.com" and
"bob@example.com", respectively. If Bob's UPN gets set to
"alice@example.com", it will clash with Alice's implicit one.

Therefore we refuse to allow a UPN that implies an existing SAM account
name and vice versa.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0271-CVE-2020-25722-s4-dsdb-samldb-check-sAMAccountName-f.patch [PATCH 271/361] CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters

This is only for the real account name, not the account name implicit in
a UPN. It doesn't matter if a UPN implies an illegal sAMAccountName,
since that is not going to conflict with a real one.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0272-CVE-2020-25722-s4-dsdb-samldb-check-for-SPN-uniquene.patch [PATCH 272/361] CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases

Not only should it not be possible to add a servicePrincipalName that
is already present in the domain, it should not be possible to add one
that is implied by an entry in sPNMappings, unless the user is adding
an alias to another SPN and has rights to alter that one.

For example, with the default sPNMappings, cifs/ is an alias pointing to
host/, meaning if there is no cifs/example.com SPN, the host/example.com
one will be used instead. A user can add the cifs/example.com SPN only
if they can also change the host/example.com one (because adding the
cifs/ effectively changes the host/). The reverse is refused in all cases,
unless they happen to be on the same object. That is, if there is a
cifs/example.com SPN, there is no way to add host/example.com elsewhere.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0273-CVE-2020-25722-s4-dsdb-samldb-reject-SPN-with-too-fe.patch [PATCH 273/361] CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0274-CVE-2020-25722-s4-dsdb-modules-add-dsdb_get_expected.patch [PATCH 274/361] CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()

This function collects a superset of all the new values for the specified
attribute that could result from an ldb add or modify message.

In most cases -- where there is a single add or modify -- the exact set
of added values is returned, and this is done reasonably efficiently
using the existing element. Where it gets complicated is when there are
multiple elements for the same attribute in a message. Anything added
before a replace or delete will be included in these results but may not
end up in the database if the message runs its course. Examples:

sequence             result
1. ADD               the element is returned (exact)
2. REPLACE           the element is returned (exact)
3. ADD, ADD          both elements are concatenated together (exact)
4. ADD, REPLACE      both elements are concatenated together (superset)
5. REPLACE, ADD      both elements are concatenated together (exact)
6. ADD, DEL, ADD     adds are concatenated together (superset)
7. REPLACE, REPLACE  both concatenated (superset)
8. DEL, ADD          last element is returned (exact)

Why this? In the past we have treated dsdb_get_single_valued_attr() as if
it returned the complete set of possible database changes, when in fact it
only returned the last non-delete. That is, it could have missed values
in examples 3-7 above.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0275-CVE-2020-25722-s4-dsdb-samldb-samldb_get_single_valu.patch [PATCH 275/361] CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values

Using dsdb_get_expected_new_values().
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0276-CVE-2020-25722-s4-dsdb-samldb-samldb_sam_accountname.patch [PATCH 276/361] CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values

Using dsdb_get_expected_new_values().
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-22
0277-CVE-2020-25722-s4-dsdb-samldb-samldb_schema_add_hand.patch [PATCH 277/361] CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0278-CVE-2020-25722-s4-dsdb-samldb-samldb_schema_add_hand.patch [PATCH 278/361] CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0279-CVE-2020-25722-s4-dsdb-samldb-samldb_prim_group_chan.patch [PATCH 279/361] CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0280-CVE-2020-25722-s4-dsdb-samldb-samldb_user_account_co.patch [PATCH 280/361] CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values

There is another call to dsdb_get_expected_new_values() in this function
that we change in the next commit.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0298-CVE-2020-25719-tests-krb5-Expect-renew-till-element-.patch [PATCH 298/361] CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0281-CVE-2020-25722-s4-dsdb-samldb-_user_account_control_.patch [PATCH 281/361] CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value

dsdb_get_single_valued_attr() was finding the last non-delete element for
userAccountControl and changing its value to the computed value.
Unfortunately, the last non-delete element might not be the last element,
and a subsequent delete might remove it.

Instead we just add a replace on the end.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0282-CVE-2020-25722-s4-dsdb-samldb-samldb_pwd_last_set_ch.patch [PATCH 282/361] CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0283-CVE-2020-25722-s4-dsdb-samldb-samldb_lockout_time-ch.patch [PATCH 283/361] CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0284-CVE-2020-25722-s4-dsdb-samldb-samldb_group_type_chan.patch [PATCH 284/361] CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0285-CVE-2020-25722-s4-dsdb-samldb-samldb_service_princip.patch [PATCH 285/361] CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0286-CVE-2020-25722-s4-dsdb-samldb-samldb_fsmo_role_owner.patch [PATCH 286/361] CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0287-CVE-2020-25722-s4-dsdb-samldb-samldb_fsmo_role_owner.patch [PATCH 287/361] CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-21
0288-CVE-2020-25722-s4-dsdb-pwd_hash-password_hash_bypass.patch [PATCH 288/361] CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0289-CVE-2020-25722-s4-dsdb-pwd_hash-rework-pwdLastSet-by.patch [PATCH 289/361] CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass

This tightens the logic a bit, in that a message with trailing DELETE
elements is no longer accepted when the bypass flag is set. In any case
this is an unlikely scenario as this is an internal flag set by a private
control in pdb_samba_dsdb_replace_by_sam().
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-20
0290-CVE-2020-25722-s4-dsdb-util-remove-unused-dsdb_get_s.patch [PATCH 290/361] CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()

Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> yes upstream 2021-10-21
0291-CVE-2020-25722-selftest-Adapt-ldap.py-tests-to-new-o.patch [PATCH 291/361] CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0292-CVE-2020-25718-tests-krb5-Fix-indentation.patch [PATCH 292/361] CVE-2020-25718 tests/krb5: Fix indentation Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0293-CVE-2020-25719-krb5pac.idl-Add-PAC_ATTRIBUTES_INFO-P.patch [PATCH 293/361] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0294-CVE-2020-25719-krb5pac.idl-Add-PAC_REQUESTER_SID-PAC.patch [PATCH 294/361] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0295-CVE-2020-25719-tests-krb5-Provide-expected-parameter.patch [PATCH 295/361] CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt() Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0296-CVE-2020-25719-tests-krb5-Allow-update_pac_checksums.patch [PATCH 296/361] CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0299-CVE-2020-25719-tests-krb5-Return-ticket-from-_tgs_re.patch [PATCH 299/361] CVE-2020-25719 tests/krb5: Return ticket from _tgs_req() Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0300-CVE-2020-25719-tests-krb5-Use-correct-credentials-fo.patch [PATCH 300/361] CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0301-CVE-2020-25719-tests-krb5-Adjust-PAC-tests-to-prepar.patch [PATCH 301/361] CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0302-CVE-2020-25719-tests-krb5-Adjust-expected-error-code.patch [PATCH 302/361] CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0303-CVE-2020-25719-tests-krb5-tests-krb5-Adjust-expected.patch [PATCH 303/361] CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0304-CVE-2020-25719-tests-krb5-Extend-_get_tgt-method-to-.patch [PATCH 304/361] CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0305-CVE-2020-25719-tests-krb5-Add-_modify_tgt-method-for.patch [PATCH 305/361] CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets

https://bugzilla.samba.org/show_bug.cgi?id=14561
Joseph Sutton <josephsutton@catalyst.net.nz> no 2021-10-27
0306-CVE-2020-25719-tests-krb5-Add-testing-for-PAC_TYPE_A.patch [PATCH 306/361] CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0315-CVE-2020-25719-s4-torture-Expect-additional-PAC-buff.patch [PATCH 315/361] CVE-2020-25719 s4/torture: Expect additional PAC buffers Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0307-CVE-2020-25719-tests-krb5-Add-testing-for-PAC_TYPE_R.patch [PATCH 307/361] CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0308-CVE-2020-25719-tests-krb5-Add-EXPECT_PAC-environment.patch [PATCH 308/361] CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0309-CVE-2020-25719-tests-krb5-Add-expected-parameters-to.patch [PATCH 309/361] CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets

If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0310-CVE-2020-25719-tests-krb5-Add-tests-for-PAC-attribut.patch [PATCH 310/361] CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0311-CVE-2020-25719-tests-krb5-Add-tests-for-PAC-REQUEST-.patch [PATCH 311/361] CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0312-CVE-2020-25719-tests-krb5-Add-tests-for-requester-SI.patch [PATCH 312/361] CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0313-CVE-2020-25719-tests-krb5-Add-test-for-user-to-user-.patch [PATCH 313/361] CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0314-CVE-2020-25719-tests-krb5-Add-tests-for-mismatched-n.patch [PATCH 314/361] CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0316-CVE-2020-25722-pytest-Raise-an-error-when-adding-a-d.patch [PATCH 316/361] CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0317-CVE-2020-25719-mit-samba-Make-ks_get_principal-inter.patch [PATCH 317/361] CVE-2020-25719 mit-samba: Make ks_get_principal() internally public Andreas Schneider <asn@samba.org> yes upstream 2021-07-12
0318-CVE-2020-25719-mit-samba-Add-ks_free_principal.patch [PATCH 318/361] CVE-2020-25719 mit-samba: Add ks_free_principal()

[abartlet@samba.org As submitted in patch to Samba bugzilla
to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]
Andreas Schneider <asn@samba.org> yes upstream 2021-07-14
0319-CVE-2020-25719-mit-samba-If-we-use-client_princ-alwa.patch [PATCH 319/361] CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry

[abartlet@samba.org backported due to support for MIT KDB < 10
in Samba 4.14]
Andreas Schneider <asn@samba.org> yes upstream 2021-07-12
0320-CVE-2020-25719-mit-samba-Add-mit_samba_princ_needs_p.patch [PATCH 320/361] CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac() Andreas Schneider <asn@samba.org> yes upstream 2021-07-12
0321-CVE-2020-25719-mit-samba-Handle-no-DB-entry-in-mit_s.patch [PATCH 321/361] CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac() Andreas Schneider <asn@samba.org> yes upstream 2021-07-12
0322-CVE-2020-25719-mit-samba-Rework-PAC-handling-in-kdb_.patch [PATCH 322/361] CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data() Andreas Schneider <asn@samba.org> yes upstream 2021-07-12
0323-CVE-2020-25719-mit_samba-The-samba_princ_needs_pac-c.patch [PATCH 323/361] CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry

This does the same check as the hdb plugin now. The client check is already
done earlier.
Andreas Schneider <asn@samba.org> yes upstream 2021-08-09
0324-CVE-2020-25719-mit_samba-Create-the-talloc-context-e.patch [PATCH 324/361] CVE-2020-25719 mit_samba: Create the talloc context earlier Andreas Schneider <asn@samba.org> yes upstream 2021-08-09
0325-CVE-2020-25719-s4-kdc-Remove-trailing-spaces-in-pac-.patch [PATCH 325/361] CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c Andreas Schneider <asn@samba.org> yes upstream 2021-08-06
0326-CVE-2020-25719-s4-kdc-Add-samba_kdc_validate_pac_blo.patch [PATCH 326/361] CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob() Andreas Schneider <asn@samba.org> yes upstream 2021-08-09
0327-CVE-2020-25719-s4-kdc-Check-if-the-pac-is-valid-befo.patch [PATCH 327/361] CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it Andreas Schneider <asn@samba.org> yes upstream 2021-08-09
0328-CVE-2020-25719-s4-kdc-Add-KDC-support-for-PAC_ATTRIB.patch [PATCH 328/361] CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0329-CVE-2020-25719-heimdal-kdc-Require-authdata-to-be-pr.patch [PATCH 329/361] CVE-2020-25719 heimdal:kdc: Require authdata to be present Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-18
0330-CVE-2020-25718-kdc-Remove-unused-samba_kdc_get_pac_b.patch [PATCH 330/361] CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob() Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-30
0331-CVE-2020-25718-s4-rpc_server-Change-sid-list-functio.patch [PATCH 331/361] CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid

This is instead of an array of struct dom_sid *.

The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that rather than
reconstruct it via tokenGroups.

This also avoids a lot of memory allocation.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0332-CVE-2020-25718-s4-rpc_server-Obtain-the-user-tokenGr.patch [PATCH 332/361] CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier

This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0333-CVE-2020-25718-s4-rpc_server-Put-RODC-reveal-never-r.patch [PATCH 333/361] CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0334-CVE-2020-25718-s4-rpc_server-Put-msDS-KrbTgtLinkBL-a.patch [PATCH 334/361] CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common

While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT or a RODC krbtgt account.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0335-CVE-2020-25718-s4-rpc_server-Confirm-that-the-RODC-h.patch [PATCH 335/361] CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0336-CVE-2020-25718-s4-rpc_server-Provide-wrapper-samdb_c.patch [PATCH 336/361] CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()

This shares the lookup of the tokenGroups attribute.

There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0337-CVE-2020-25718-s4-rpc_server-Remove-unused-attribute.patch [PATCH 337/361] CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check

In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0338-CVE-2020-25718-s4-rpc_server-Explain-why-we-use-DSDB.patch [PATCH 338/361] CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0339-CVE-2020-25718-s4-rpc_server-Add-in-debug-messages-i.patch [PATCH 339/361] CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing

These are added for the uncommon cases.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0340-CVE-2020-25718-dsdb-Bring-sid_helper.c-into-common-c.patch [PATCH 340/361] CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c

These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0341-CVE-2020-25718-kdc-Confirm-the-RODC-was-allowed-to-i.patch [PATCH 341/361] CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-01
0342-CVE-2020-25718-kdc-Return-ERR_POLICY-if-RODC-krbtgt-.patch [PATCH 342/361] CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-04
0343-CVE-2020-25719-kdc-Avoid-races-and-multiple-DB-looku.patch [PATCH 343/361] CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check

Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.

The client record has already been bound to the
original client by the SID check in the PAC.

Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-08
0344-CVE-2020-25721-auth-Fill-in-the-new-HAS_SAM_NAME_AND.patch [PATCH 344/361] CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values Andrew Bartlett <abartlet@samba.org> yes upstream 2021-09-27
0353-CVE-2020-25719-heimdal-kdc-Require-PAC-to-be-present.patch [PATCH 353/361] CVE-2020-25719 heimdal:kdc: Require PAC to be present Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0345-CVE-2020-25722-Ensure-the-structural-objectclass-can.patch [PATCH 345/361] CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforceable.

Likewise other LDAP inheritance rules, which allow only certain
child objects, can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-20
0346-CVE-2020-25719-s4-kdc-Add-KDC-support-for-PAC_REQUES.patch [PATCH 346/361] CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0347-CVE-2020-25719-heimdal-kdc-Check-return-code.patch [PATCH 347/361] CVE-2020-25719 heimdal:kdc: Check return code Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0348-CVE-2020-25719-heimdal-kdc-Move-fetching-krbtgt-entr.patch [PATCH 348/361] CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection

This allows us to use it when validating user-to-user.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-26
0349-CVE-2020-25719-heimdal-kdc-Use-sname-from-request-ra.patch [PATCH 349/361] CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0350-CVE-2020-25719-heimdal-kdc-Check-name-in-request-aga.patch [PATCH 350/361] CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0351-CVE-2020-25719-heimdal-kdc-Verify-PAC-in-TGT-provide.patch [PATCH 351/361] CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-27
0352-CVE-2020-25722-kdc-Do-not-honour-a-request-for-a-3-p.patch [PATCH 352/361] CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC Andrew Bartlett <abartlet@samba.org> yes upstream 2021-10-04
0354-CVE-2020-25718-tests-krb5-Only-fetch-RODC-account-cr.patch [PATCH 354/361] CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0355-CVE-2020-25719-tests-krb5-Add-tests-for-using-a-tick.patch [PATCH 355/361] CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0356-CVE-2020-25718-heimdal-kdc-Add-comment-about-tests-f.patch [PATCH 356/361] CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-10-29
0357-Revert-CVE-2020-25719-heimdal-kdc-Require-authdata-t.patch [PATCH 357/361] Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"

This reverts an earlier commit that was incorrect.

It is not Samba practice to include a revert, but at this point in
the patch preparation the ripple through the knownfail files is
more trouble than can be justified.

It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present".
Andrew Bartlett <abartlet@samba.org> no 2021-11-02
0358-CVE-2020-25719-selftest-Always-expect-a-PAC-in-TGS-r.patch [PATCH 358/361] CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal

This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-11-02
0359-CVE-2020-25722-pytests-Give-computer-accounts-unique.patch [PATCH 359/361] CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs Stefan Metzmacher <metze@samba.org> yes upstream 2021-11-02
0360-CVE-2020-25722-selftest-Add-test-for-duplicate-servi.patch [PATCH 360/361] CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-02
0361-CVE-2020-25722-selftest-Ensure-check-for-duplicate-s.patch [PATCH 361/361] CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-02
CVE-2021-23192-only-4.13-v2.patch [PATCH 1/9] CVE-2021-23192 rpc: Give dcerpc_util.c its own header
(cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c)
Volker Lendecke <vl@samba.org> yes upstream 2021-04-02
CVE-2021-3738-dsdb-crash-4.13-v03.patch [PATCH 01/11] CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()

This will make it easier to reuse.
Stefan Metzmacher <metze@samba.org> yes upstream 2021-08-05
CVE-2016-2124-v4-13-metze02.patches.txt [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
Stefan Metzmacher <metze@samba.org> yes upstream 2016-11-24
0001-CVE-2022-0336-pytest-Add-a-test-for-an-SPN-conflict-.patch [PATCH 1/2] CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN

This test currently fails, as re-adding an SPN means that later checks
do not run.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2022-01-18
0002-CVE-2022-0336-s4-dsdb-samldb-Don-t-return-early-when.patch [PATCH 2/2] CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object

If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2022-01-18
0001-CVE-2021-44142-libadouble-add-defines-for-icon-lengt.patch [PATCH 1/5] CVE-2021-44142: libadouble: add defines for icon lengths
From https://www.ietf.org/rfc/rfc1740.txt
Ralph Boehme <slow@samba.org> yes upstream 2022-01-13
0002-CVE-2021-44142-smbd-add-Netatalk-xattr-used-by-vfs_f.patch [PATCH 2/5] CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs

This is an internal xattr that should not be user visible.
[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
Ralph Boehme <slow@samba.org> yes upstream 2021-11-20
0003-CVE-2021-44142-libadouble-harden-ad_unpack_xattrs.patch [PATCH 3/5] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large, which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().
Ralph Boehme <slow@samba.org> yes upstream 2021-11-26
0004-CVE-2021-44142-libadouble-add-basic-cmocka-tests.patch [PATCH 4/5] CVE-2021-44142: libadouble: add basic cmocka tests

[slow@samba.org: conflict due to missing test in selftest/tests.py]
Ralph Boehme <slow@samba.org> yes upstream 2021-11-25
0005-CVE-2021-44142-libadouble-harden-parsing-code.patch [PATCH 5/5] CVE-2021-44142: libadouble: harden parsing code Ralph Boehme <slow@samba.org> yes upstream 2022-01-13
0001-CVE-2020-25727-idmap_nss-verify-that-the-name-of-the.patch [PATCH 1/6] CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain

We already check the sid belongs to the domain, but checking the name
too feels better and makes it easier to understand.

(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)
Stefan Metzmacher <metze@samba.org> yes upstream 2021-11-12
0002-CVE-2020-25717-tests-krb5-Add-method-to-automaticall.patch [PATCH 2/6] CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
(cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-12
0003-CVE-2020-25717-nsswitch-nsstest.c-Lower-non-existent.patch [PATCH 3/6] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-12
0004-CVE-2020-25717-selftest-turn-ad_member_no_nss_wb-int.patch [PATCH 4/6] CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss

In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
via idmap_nss.

[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]

(cherry picked from commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-12
0005-CVE-2020-25717-tests-krb5-Add-a-test-for-idmap_nss-m.patch [PATCH 5/6] CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
[metze@samba.org removed unused tests for a feature that
was removed before merging]

(cherry picked from commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7)
Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2021-11-12
0006-CVE-2020-25717-s3-auth-Fallback-to-a-SID-UID-based-m.patch [PATCH 6/6] CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes the 'username map [script]' based workaround advised
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)

Autobuild-User(v4-13-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-13-test): Wed Nov 17 15:50:53 UTC 2021 on sn-devel-184
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-11-12
s3-winbindd-fix-allow-trusted-domains-no-regression.patch [PATCH 289/314] s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184
Stefan Metzmacher <metze@samba.org> yes upstream 2021-11-09
bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch [PATCH 2/4] s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().

This first gets the clock_gettime_mono() value, converts to an NTTIME (as
this is what is stored in the dos attribute EA), then mixes in 8 bits of
randomness shifted up by 55 bits to cope with poor resolution clocks to
avoid duplicate inodes.

Using 8 bits of randomness on top of an NTTIME gives us around 114
years headroom. We can now guarantee returning an itime-based
fileid in a normal share (storing dos attributes in an EA).

Remove knownfail.d/fileid-unique
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 8 06:35:22 UTC 2022 on sn-devel-184

(cherry picked from commit 23fbf0bad0332a0ae0d4dc3c8f6df6e7ec46b88b)
Jeremy Allison <jra@samba.org> yes upstream 2022-01-05
IPA-DC-add-missing-checks.patch [PATCH 290/314] IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:

- schannel gensec module needs to be aware of IPA DC
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184

(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)

Autobuild-User(v4-13-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-13-test): Mon Nov 15 15:33:17 UTC 2021 on sn-devel-184
Alexander Bokovoy <ab@samba.org> yes upstream 2021-11-12
CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch [PATCH 297/314] CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
Ralph Boehme <slow@samba.org> yes upstream 2021-11-26
dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch [PATCH 298/314] dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.


(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Wed Dec 8 16:49:25 UTC 2021 on sn-devel-184
Andrew Bartlett <abartlet@samba.org> yes upstream 2021-11-12
s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch [PATCH 302/314] s3: smbd: Fix mkdir race condition allows share escape in Samba 4.13.X and below: CVE-2021-43566 Jeremy Allison <jra@samba.org> yes upstream 2021-09-21
bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch [PATCH 1/4] lib: util: Add a function nt_time_to_unix_timespec_raw().
Not yet used. Does no checks on the converted values.

A later cleanup will allow us to move nt_time_to_unix_timespec()
and nt_time_to_full_timespec() to use common code.


(cherry picked from commit 29d69c22a0d945193ce3dac27e1083dbc5c53f03)
Jeremy Allison <jra@samba.org> yes upstream 2022-01-06
bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch [PATCH 3/4] s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).

CLOCK_MONOTONIC (which we previously used) is reset
when the system is rebooted.

CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
changes (for Linux we should probably use CLOCK_TAI instead
but that is Linux-specific). For most systems CLOCK_REALTIME
will be good enough.


(cherry picked from commit 920611f0bc98229ac4a5ee127af7f99216075341)
Jeremy Allison <jra@samba.org> yes upstream 2022-01-10
bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch [PATCH 4/4] s3: includes: Make the comments describing itime consistent. Always use "invented" time.

It gets confusing if we call it "imaginary" or "instantiation"
in different places.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184

(cherry picked from commit 745af26a1a6531b2e906aa7c1c0355cbab658441)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 12 12:26:56 UTC 2022 on sn-devel-184
Jones Syue <jonessyue@qnap.com> yes upstream 2022-01-10
bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch [PATCH] s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
(cherry picked from commit b4d8c62c4e8191e05fd03dd096a0bc989e224ed3)
Jeremy Allison <jra@samba.org> yes upstream 2021-08-23
bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch [PATCH] s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.

Just return the status - if create_conn_struct_as_root() fails
the connection struct never gets returned.
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Aug 25 17:09:23 UTC 2021 on sn-devel-184

(cherry picked from commit 857045f3a236dea125200dd09279d677e513682b)
Jeremy Allison <jra@samba.org> yes upstream 2021-08-23
CVE-2022-32742-bug-15085-4.13.patch [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test.

Reproduces the test code in:


Add knownfail.
Jeremy Allison <jra@samba.org> yes upstream 2022-06-07
ldb-memory-bug-15096-4.13-v3.patch [PATCH 01/18] CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo Joseph Sutton <josephsutton@catalyst.net.nz> yes upstream 2022-06-14
kpasswd_bugs_v15_4-13.patch [PATCH 01/79] s4:mit-kdb: Force canonicalization for looking up principals

See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

(cherry picked from commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b)

[jsutton@samba.org Removed MIT knownfail changes]
Isaac Boukris <iboukris@gmail.com> no 2020-09-19