Debian Patches
Status for samba/2:4.17.12+dfsg-0+deb12u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| fix-nfs-service-name-to-nfs-kernel-server.patch | fix nfs related service names Upstream defines nfs related service names based on the Linux distribution. This patch fixes the names for Debian and derivatives. Update by Andreas Hasenack <andreas@canonical.com> (LP: #1961840): Use nfsconf(8) if it's available, instead of parsing the old config files in /etc/default/nfs-* diff --git a/ctdb/config/events/legacy/06.nfs.script b/ctdb/config/events/legacy/06.nfs.script index b937d433254..943b5005bd9 100755 | Rafael David Tinoco <rafaeldtinoco@gmail.com> | no | debian | 2022-09-09 | |
| s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch | s3:winbindd: avoid using any netlogon call to get a dc name | Stefan Metzmacher <metze@samba.org> | not-needed | debian upstream | upstream, https://gitlab.com/samba-team/samba/-/commit/f86a4bf6848ade2db7229d182576db3320c3ece7 | 2025-05-09 |
| s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch | s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND We may get NT_STATUS_NOT_FOUND when the name can't be resolved and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4 addresses... | Stefan Metzmacher <metze@samba.org> | not-needed | upstream, https://gitlab.com/samba-team/samba/-/commit/e47ce1d10b13d8ef165c70984e6e490f4c2a64c2 | 2024-10-11 | |
| s3-winbindd-use-better-debug-messages-than-talloc_st.patch | s3:winbindd: use better debug messages than 'talloc_strdup failed' Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224 | Stefan Metzmacher <metze@samba.org> | not-needed | upstream, https://gitlab.com/samba-team/samba/-/commit/814ae222ca15ff7093a71639cdcc97b9937670ce | 2024-01-26 | |
| s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch | s3:libsmb: allow store_cldap_reply() to work with a ipv6 response Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 | Stefan Metzmacher <metze@samba.org> | not-needed | upstream | upstream, https://gitlab.com/samba-team/samba/-/commit/712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2 | 2024-05-07 |
| heimdal-to-support-KEYRING-ccache.patch | Configure builtin heimdal to support KEYRING ccache | Łukasz Stelmach <l.stelmach@samsung.com> | no | 2023-04-03 | ||
| CVE-2018-14628/06-python-descriptor-let-samba-tool-dbch.patch | CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers (cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2016-01-29 | |
| s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch | s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL In 2024 we always want an active directory response... | Stefan Metzmacher <metze@samba.org> | not-needed | upstream | upstream, https://gitlab.com/samba-team/samba/-/commit/2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42 | 2024-02-15 |
| libsmbclient-ensure-lfs-221618.patch | ensure libsmbclient.h is being used with LFS enabled We build samba with LFS (Large File Support) even on 32bits. This means some types like off_t are 64-bit wide, again, even on a 32bit host. libsmbclient.h uses off_t in function prototypes, and these prototypes must match those which were used at samba compile time - if some other source includes libsmbclient.h without LFS, it'll get wrong prototypes and the resulting binary will most likely crash when using libsmbclient functions. Detect and error-out this at compile time. We can not do anything with this in the public header since it is already too late to redefine things, since we can't guarantee we're the first header a program #includes, and at the time this libsmbclient.h is included, off_t can already be defined so our (re)define of _FILE_OFFSET_BITS does nothing already. Patching libsmbclient.h to use off64_t means client program should change their off_t to off64_t too when storing file offsets returning from libsmbclient, so this is not an option too. With this change, we will error out even if the user source does not use any off_t-related functions. Namely, it was ok to #include <libsmbclient.h> and use smbc_open/smbc_read/smbc_write/smbc_close without _F_O_B=64, - neither of these functions uses off_t. smbc_lseek and others don't work, but if a program does not use them anyway, whole thing will just work even without enabling LFS. Ideally we can probably check each individual function which is being affected, by replacing it with #error if sizeof(off_t) < 8. But this requires quite some hackery... diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h index 84c98089251..1a6ea599cfa 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | debian | 2022-04-02 | |
| hurd-compat.patch | hurd compatibility changes Hurd does not define PIPE_BUF, so lib/tevent/testsuite.c fails to compile (yes, this file is used as part of *samba* testsuite, not tevent testsuite). Define it to a safe minimal value like 512 bytes. Hurd does not provide SA_NOCLDWAIT define, so lib/util/tests/tfork.c does not compile. This is only needed during testing to omit zombie process generation, which has only cosmetic effect. Define it to be 0. Based on prior work and ideas by Samuel Thibault. diff --git a/lib/tevent/testsuite.c b/lib/tevent/testsuite.c index 8894e445203..27f873cd484 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-11-03 | ||
| README_nosmbldap-tools.patch | Mention smbldap-tools package in examples/LDAP/README | Christian Perrier <bubulle@debian.org> | not-needed | debian | ||
| smbclient-pager.patch | Use the pager alternative as pager if PAGER is undefined | Steve Langasek <vorlon@debian.org> | not-needed | debian | ||
| usershare.patch | Enable net usershares by default at build time Enable net usershares by default at build time, with a limit of 100, and update the corresponding documentation. | Mathias Gug <mathiaz@ubuntu.com>, Steve Langasek <vorlon@debian.org> | not-needed | debian | ||
| heimdal-rfc3454.txt | Patch in symbol table from rfc3454, for Heimdal scripts | Brian May <bam@debian.org> | not-needed | |||
| add-so-version-to-private-libraries | Add so version number to private libraries for dpkg-shlibdeps We also want dpkg-shlibdeps to generate correct dependency information for the private libraries in our binary packages, but dpkg-shlibdeps only works when the library has a version number. | Jeroen Dekkers <jeroen@dekkers.ch> | not-needed | vendor | ||
| smbd.service-Run-update-apparmor-samba-profile-befor.patch | [PATCH] smbd.service: Run update-apparmor-samba-profile before start | Mathieu Parent <math.parent@gmail.com> | no | debian | 2019-02-21 | |
| fruit-disable-useless-size_t-overflow-check.patch | [PATCH] fruit: disable useless size_t overflow check As has been said several times in https://bugzilla.samba.org/show_bug.cgi?id=13622 , the check 'bandsize > SIZE_MAX/nbands' is useless. But it is also wrong, in 2 ways: first, nbands might be 0 (when no bands have been allocated yet), and second, there's no point in comparing this with SIZE_MAX, since size_t on 32bit platforms is a 32bit integer, while bandsize is off_t which is 64bits (samba always enables LFS). This check causes the module to fail when bandsize*nbands exceeds 32bits, which has been reported for example at https://bugs.debian.org/974868 . Whole thing can't overflow because it is already guarded by time_machine_max_size. Or at the very least, by current disk sizes... :) | Michael Tokarev <mjt@tls.msk.ru> | no | debian | 2022-11-17 | |
| ctdb-config-enable-syslog-by-default.patch | CTDB uses /var/log/ctdb/ directory for the default log files. With syslog disabled, systemd journal is not able to correctly inform errors happening during service initialization. Upstream community creates generic config files to be used by different distributions, so this change makes no big difference to be accepted by upstream. With this patch the end user will be able to identify initialization errors by executing: systemctl status ctdb.service or to follow ctdb logs by executing: journalctl -f -u ctdb - | Rafael David Tinoco <rafaeldtinoco@ubuntu.com> | no | debian | 2022-03-24 | |
| Force-LDB-as-standalone.patch | [PATCH] Force LDB as standalone | Mathieu Parent <math.parent@gmail.com> | no | 2021-12-19 | ||
| use-bzero-instead-of-memset_s.diff | use bzero() instead of memset_s() lib/replace/replace.h header defines ZERO_STRUCT macro which uses memset_s() function (which is similar to memset() but can not be optimized out by the compiler). Glibc has bzero() with similar property, while memset_s() have is implemented in lib/replace/replace.c, - this way, some binaries needlessly link with libreplace-samba4 just to get rep_memset_s() symbol. By using bzero() instead, this endless linkage is eliminated, so we can package, for example, libldb (which uses ZERO_STRUCT) without it linking to libreplace-samba4. out by the compiler - this is the original goal of using memset_s(). diff --git a/lib/replace/replace.h b/lib/replace/replace.h index 8609d84322c..28db8d425a3 100644 | no | ||||
| ctdb_etcd_lock-path.patch | fix pathname for ctdb_etcd_lock Specify the actual installation path for this helper script. diff --git a/ctdb/doc/ctdb-etcd.7.xml b/ctdb/doc/ctdb-etcd.7.xml index f84989f854f..fcb3d0c3b5f 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-02 | ||
| ctdb-create-piddir.patch | create ctdb pid directory (which is /run/ctdb/). Create it in the systemd service file (using RuntimeDirectory directive) and in the sysv-init script. diff --git a/ctdb/config/ctdb.init b/ctdb/config/ctdb.init index 7fe8f0085ae..57fd0dda63d 100755 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-09-09 | ||
| silence-waf-uselib_local.diff | silence uselib_local warning produced by waf During config/build process in verbose mode, waf produces about 2k repetitions of this warning: compat: "uselib_local" is deprecated, replace by "use" which clutters the build log. Comment this warning out for now until it will be fixed properly. diff --git a/buildtools/wafsamba/samba_waf18.py b/buildtools/wafsamba/samba_waf18.py index e2a078bd3a0..dfd53a012d1 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-03 | ||
| meaningful-error-if-no-samba-ad-provision.patch | print meaningful error message if samba-ad-provision is not installed | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-12-02 | ||
| meaningful-error-if-no-python3-markdown.patch | print meaningful error message if python3-markdown is not installed | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-12-02 | ||
| disable-setuid-confchecks.patch | disable setuid configure checks For some strange reason, when running reprotest test on salsa-ci, which apparently is running as root, - on the *second* build only the configure fails (after successfully built package the first time). The configure test tries to change gid and verifies it actually changed (not that the syscall exists), - and that fails. Since it is extremely uncommon to configure the build process as root, salsa-ci test environment details are quite deep down the line, and we know the syscall actually works, just disable the probe, pretending we are not root. diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c index 30a29f535b1..451ad396965 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-08 | ||
| move-msg.sock-from-var-lib-samba-to-run-samba.patch | move msg.sock from /var/lib/samba to /run/samba This moves a socket directory from /var/lib/samba to /run/samba. https://lists.samba.org/archive/samba-technical/2022-April/137322.html diff --git a/source3/lib/messages.c b/source3/lib/messages.c index 8641a9dad56..bf866e65e44 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-26 | ||
| testparm-do-not-fail-if-pid-dir-does-not-exist.patch | testparm: do not fail if /run/samba does not exist testparm explicitly fails if $piddir or $lockdir does not exist. However, the daemons which actually use these directories, will create it on demand, there is no need to fail even simple testparm operations if the dirs are not there. This change lets to (pre)configure samba without bothering to pre-create the directories which are otherwise needed only to fulfil testparm criteria. | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-26 | ||
| add-missing-libs-deps.diff | add missing libs deps Lots of samba libraries have incomplete dependencies listed in wscript files. This usually is not a problem since the link line includes dependencies of their dependencies of their dependencies, and somewhere down that line all immediate dependencies which are missing are actually present. But sometimes this becomes a problem when a library does not declare direct dependency on at least one private library which it actually uses: in case no private library is listed as direct dependency, private library directory is not put into RUNPATH of the resulting binary, so the binary can not find its own dependencies. Fix a few such places, including one library which is a part of public abi (libsmbldap). diff --git a/lib/util/wscript_build b/lib/util/wscript_build index 2f31e8fa5b1..08a77b8940c 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | debian | 2022-05-19 | |
| spelling.patch | Various spelling fixes Various spelling fixes in the code which sneaks into binaries. diff --git a/bootstrap/config.py b/bootstrap/config.py index a00b253ae77..84330a2106a 100644 | Michael Tokarev <mjt@tls.msk.ru> | no | |||
| unwrap-getresgid-typo.patch | uwrap: Fix getresgid wrapping typo This was making e.g. p11-kit crash on getresgid() call. diff --git a/third_party/uid_wrapper/uid_wrapper.c b/third_party/uid_wrapper/uid_wrapper.c index f04642a..2e2c9e6 100644 | yes | upstream | |||
| ctdb-use-run-instead-of-var-run.patch | ctdb: use /run/ctdb instead of /var/run/ctdb Whole upstream path assignment needs a review. | Michael Tokarev <mjt@tls.msk.ru> | no | 2022-12-02 | ||
| s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch | s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name when winbind calls to dsgetdcname internally, make sure to prefer the DNS domain name if we have it. Makes DNS lookups much more likely to succeed. Guenther Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 | Günther Deschner <gd@samba.org> | not-needed | debian upstream | upstream, https://gitlab.com/samba-team/samba/-/commit/2560c9b3224816ffd371a62103f65b3aca301ad5 | 2025-07-02 |
| CVE-2018-14628/01-python-descriptor-add-get_deletedobjects_descriptor.patch | CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor() samba-tool drs clone-dc-database was quite useful to find the true value of nTSecurityDescriptor of the CN=Delete Objects containers. Only the auto inherited SACL is available via a ldap search. (cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2016-01-29 | |
| CVE-2018-14628/02-python-provision-make-DELETEDOBJECTS_DESCRIPTOR-availab.patch | CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files (cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2016-01-29 | |
| CVE-2018-14628/03-s4-setup-set-the-correct-nTSecurityDescriptor-on-the-CN.patch | CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container This revealed a bug in our dirsync code, so we mark test_search_with_dirsync_deleted_objects as knownfail. (cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2016-01-29 | |
| CVE-2018-14628/04-s4-dsdb-remove-unused-code-in-dirsync_filter_entry.patch | CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry() This makes the next change easier to understand. (cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2023-06-26 | |
| CVE-2018-14628/05-dbchecker-use-get_deletedobjects_descriptor-for-missing.patch | CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container (cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db) | Stefan Metzmacher <metze@samba.org> | yes | upstream | 2023-06-07 | |
| CVE-2025-10230/s4-tests-check-that-wins-hook-sanitizes-names.patch | CVE-2025-10230: s4/tests: check that wins hook sanitizes names An smb.conf can contain a 'wins hook' parameter, which names a script to run when a WINS name is changed. The man page says: "The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods." but it turns out the legality check is not performed if the WINS server in question is the source4 nbt one. It is not expected that people will run this server, but they can. This is bad because the name is passed unescaped into a shell command line, allowing command injection. For this test we don't care whether the WINS server is returning an error code, just whether it is running the wins hook. The tests show it often runs the hook it shouldn't, though some characters are incidentally blocked because the name has to fit in a DN before it gets to the hook, and DNs have a few syntactic restrictions (e.g., blocking '<', '>', and ';'). The source3 WINS server that is used by Samba when not run as a DC is not affected and not here tested. | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | yes | upstream | 2025-09-09 | |
| CVE-2025-10230/s4-wins-restrict-names-fed-to-shell.patch | CVE-2025-10230: s4:wins: restrict names fed to shell If the "wins hook" smb.conf parameter is set, the WINS server will attempt to execute that value in a shell command line when a client asks to modify a name. The WINS system is a trusting one, and clients can claim any NETBIOS name they wish. With the source3 nmbd WINS server (since the 1999 commit now called 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be run for names that contain shell metacharacters. This restriction has not been present on the source4 nbt WINS server, which is the WINS server that will be used in the event that an Active Directory Domain Controller is also running WINS. This allowed an unauthenticated client to execute arbitrary commands on the server. This commit brings the nmbd check into the nbt WINS server, so that the wins hook will only be run for names that contain only letters, digits, hyphens, underscores and periods. This matches the behaviour described in the smb.conf man page. The source3 nmbd WINS server has another layer of protection, in that it uses the smb_run() exec wrapper that tries to escape arguments. We don't do that here. | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | yes | upstream | 2025-09-03 | |
| CVE-2025-9640/Add-torture-test-for-inserting-hole-in-stream.patch | CVE-2025-9640: Add torture test for inserting hole in stream This commit adds an smb torture test for inserting a hole into an alternate data stream and then verifying that hole contains null bytes. | Andrew Walker <andrew.walker@truenas.com> | yes | upstream | 2025-08-28 | |
| CVE-2025-9640/s3-modules-vfs_streams_xattr-fix-unitialized-write.patch | CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write This commit fixes a situation in which vfs_streams_xattr could write uninitialized memory into alternate data streams if the user writes to an offset that is beyond the current end of file to insert a hole in it. | Andrew Walker <andrew.walker@truenas.com> | yes | upstream | 2025-08-28 |
All known versions for source package 'samba'
- 2:4.23.4+dfsg-1 (sid)
- 2:4.23.3+dfsg-1 (forky)
- 2:4.23.3+dfsg-1~bpo13+1 (trixie-backports)
- 2:4.22.6+dfsg-0+deb13u1 (trixie)
- 2:4.22.6+dfsg-0+deb13u1~bpo12+1 (bookworm-backports)
- 2:4.17.12+dfsg-0+deb12u3 (bookworm-proposed-updates)
- 2:4.17.12+dfsg-0+deb12u2 (bookworm, bookworm-updates)
- 2:4.17.12+dfsg-0+deb12u1 (bookworm-security)
