From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Subject: [Buildroot] [git commit branch/2022.02.x] package/samba4: security bump version to 4.15.11
Date: Tue, 8 Nov 2022 20:59:29 +0100
Message-ID: <20221108200212.46C3F8071F@busybox.osuosl.org>
commit: https://git.buildroot.net/buildroot/commit/?id=faddef26a9d12701e872d32b18263227f9246f0b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x

Added patch from Gentoo to fix uClibc build:
access.c:(.text+0x1e8): undefined reference to `innetgr'

Release notes:
https://www.samba.org/samba/history/samba-4.15.8.html

https://www.samba.org/samba/history/samba-4.15.9.html
o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
  changing passwords.
  https://www.samba.org/samba/security/CVE-2022-2031.html
o CVE-2022-32744: Samba AD users can forge password change requests for any user.
  https://www.samba.org/samba/security/CVE-2022-32744.html
o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
  or modify request.
  https://www.samba.org/samba/security/CVE-2022-32745.html
o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
  process with an LDAP add or modify request.
  https://www.samba.org/samba/security/CVE-2022-32746.html
o CVE-2022-32742: Server memory information leak via SMB1.
  https://www.samba.org/samba/security/CVE-2022-32742.html

https://www.samba.org/samba/history/samba-4.15.10.html

https://www.samba.org/samba/history/samba-4.15.11.html
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
  unwrap_des() and unwrap_des3() routines of Heimdal (included
  in Samba).
  https://www.samba.org/samba/security/CVE-2022-3437.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8941d02bf1da1574b8db65a104566a080e85308b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...05-samba-4.16.2-fix-build-without-innetgr.patch | 34 ++++++++++++++++++++++
package/samba4/samba4.hash | 4 +--
package/samba4/samba4.mk | 2 +-
3 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch b/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch
new file mode 100644
index 0000000000..b338596d7a
--- /dev/null
+++ b/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch
@@ -0,0 +1,34 @@
+# Gentoo bug 855047
+
+Fixes uClibc build when uClibc was build without netgroup support.
+Upstream enables netgroup support based on getdomainname() being
+present:
+https://github.com/samba-team/samba/commit/f179184a2be2ddd38f463fcc12252f8d24e529f8#diff-b8d1bc25b89846e70ecb61cb296a8f5c50c9a0a1b62e46790fae81aa9d5bfaaeR632
+
+Downloaded from
+https://gitweb.gentoo.org/repo/gentoo.git/tree/net-fs/samba/files/samba-4.16.2-fix-musl-without-innetgr.patch
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- a/lib/util/access.c
++++ b/lib/util/access.c
+@@ -115,7 +115,7 @@ static bool string_match(const char *tok,const char *s)
+ return true;
+ }
+ } else if (tok[0] == '@') { /* netgroup: look it up */
+-#ifdef HAVE_NETGROUP
++#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)
+ DATA_BLOB tmp;
+ char *mydomain = NULL;
+ char *hostname = NULL;
+--- a/source3/auth/user_util.c
++++ b/source3/auth/user_util.c
+@@ -135,7 +135,7 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
+
+ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
+ {
+-#ifdef HAVE_NETGROUP
++#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)
+ char nis_domain_buf[256];
+ const char *nis_domain = NULL;
+ char *lowercase_user = NULL;
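Review bot: The header of the added patch (the lines above `--- a/lib/util/access.c`) explains the link failure but not the runtime effect of the new guard. When `#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)` is false, the netgroup lookups in `string_match()` and `user_in_netgroup()` are compiled out, and the fallback branch is not visible in either embedded hunk's context, so a reader cannot tell how an `@netgroup` token is treated on a uClibc build without netgroup support. Both files sit on access-control paths (lib/util/access.c, source3/auth/user_util.c), so please state the resulting behaviour in the header. Separately, the file name and download URL carry 4.16.2 while this commit packages 4.15.11; a line confirming the patch applies unmodified to 4.15.x, plus the upstream status of the fix, would help whoever does the next bump.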
diff --git a/package/samba4/samba4.hash b/package/samba4/samba4.hash
index ac28c35614..f845a31290 100644
--- a/package/samba4/samba4.hash
+++ b/package/samba4/samba4.hash
@@ -1,4 +1,4 @@
# Locally calculated after checking pgp signature
-# https://download.samba.org/pub/samba/stable/samba-4.15.7.tar.asc
-sha256 76d0096c16ed0265b337d5731f3c0b32eed3adab6fa8b7585c055b287cd05d6b samba-4.15.7.tar.gz
+# https://download.samba.org/pub/samba/stable/samba-4.15.11.tar.asc
+sha256 2f305980d49c7723cbef281fff2b81a2eeafae51e58b5172bb43d9693ef8953b samba-4.15.11.tar.gz
sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
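Review bot: The comment on the first line says the hash was calculated after checking the PGP signature, but the signature URL names `samba-4.15.11.tar.asc` while the sha256 is for `samba-4.15.11.tar.gz`. The signature therefore covers the decompressed tarball, not the file that is downloaded and hashed here. Suggest extending the comment to say the .tar.gz was decompressed before verification, so the next version bump reproduces the same check. The unchanged COPYING hash is consistent with no licence text change between 4.15.7 and 4.15.11.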
diff --git a/package/samba4/samba4.mk b/package/samba4/samba4.mk
index c90fdd006c..814bf0bbaa 100644
--- a/package/samba4/samba4.mk
+++ b/package/samba4/samba4.mk
@@ -4,7 +4,7 @@
#
################################################################################
-SAMBA4_VERSION = 4.15.7
+SAMBA4_VERSION = 4.15.11
SAMBA4_SITE = https://download.samba.org/pub/samba/stable
SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz
SAMBA4_INSTALL_STAGING = YES