* [Buildroot] [git commit branch/2022.02.x] package/samba4: security bump version to 4.15.11
@ 2022-11-08 19:59 Peter Korsgaard
From: Peter Korsgaard @ 2022-11-08 19:59 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=faddef26a9d12701e872d32b18263227f9246f0b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x

Added patch from Gentoo to fix uClibc build:
access.c:(.text+0x1e8): undefined reference to `innetgr'

Release notes:
https://www.samba.org/samba/history/samba-4.15.8.html

https://www.samba.org/samba/history/samba-4.15.9.html
o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
                  changing passwords.
                  https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
                  https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                  or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                  process with an LDAP add or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
                  https://www.samba.org/samba/security/CVE-2022-32742.html

https://www.samba.org/samba/history/samba-4.15.10.html

https://www.samba.org/samba/history/samba-4.15.11.html
o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
                  unwrap_des() and unwrap_des3() routines of Heimdal (included
                  in Samba).
                  https://www.samba.org/samba/security/CVE-2022-3437.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8941d02bf1da1574b8db65a104566a080e85308b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...05-samba-4.16.2-fix-build-without-innetgr.patch | 34 ++++++++++++++++++++++
 package/samba4/samba4.hash                         |  4 +--
 package/samba4/samba4.mk                           |  2 +-
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch b/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch
new file mode 100644
index 0000000000..b338596d7a
--- /dev/null
+++ b/package/samba4/0005-samba-4.16.2-fix-build-without-innetgr.patch
@@ -0,0 +1,34 @@
+# Gentoo bug 855047
+
+Fixes uClibc build when uClibc was build without netgroup support.
+Upstream enables netgroup support based on getdomainname() being
+present:
+https://github.com/samba-team/samba/commit/f179184a2be2ddd38f463fcc12252f8d24e529f8#diff-b8d1bc25b89846e70ecb61cb296a8f5c50c9a0a1b62e46790fae81aa9d5bfaaeR632
+
+Downloaded from
+https://gitweb.gentoo.org/repo/gentoo.git/tree/net-fs/samba/files/samba-4.16.2-fix-musl-without-innetgr.patch
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- a/lib/util/access.c
++++ b/lib/util/access.c
+@@ -115,7 +115,7 @@ static bool string_match(const char *tok,const char *s)
+ 			return true;
+ 		}
+ 	} else if (tok[0] == '@') { /* netgroup: look it up */
+-#ifdef HAVE_NETGROUP
++#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)
+ 		DATA_BLOB tmp;
+ 		char *mydomain = NULL;
+ 		char *hostname = NULL;
+--- a/source3/auth/user_util.c
++++ b/source3/auth/user_util.c
+@@ -135,7 +135,7 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
+
+ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
+ {
+-#ifdef HAVE_NETGROUP
++#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)
+ 	char nis_domain_buf[256];
+ 	const char *nis_domain = NULL;
+ 	char *lowercase_user = NULL;
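Review bot: Both `#if defined(HAVE_NETGROUP) && defined(HAVE_INNETGR)` guards depend on `HAVE_INNETGR` being defined by the Samba configure step, and nothing in this patch adds or shows that check. The file name says the patch was written for samba-4.16.2 while it is applied here to 4.15.11, so please confirm that the 4.15.11 build system defines `HAVE_INNETGR` when innetgr() is available; if it never does, netgroup lookups are compiled out on every libc, not only on uClibc. It would also help to state in the patch header what happens to `@netgroup` tokens in string_match() and to user_in_netgroup() when the guard is false, since both functions feed access decisions and the fallback branch is not visible in these hunks.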
diff --git a/package/samba4/samba4.hash b/package/samba4/samba4.hash
index ac28c35614..f845a31290 100644
--- a/package/samba4/samba4.hash
+++ b/package/samba4/samba4.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking pgp signature
-# https://download.samba.org/pub/samba/stable/samba-4.15.7.tar.asc
-sha256  76d0096c16ed0265b337d5731f3c0b32eed3adab6fa8b7585c055b287cd05d6b  samba-4.15.7.tar.gz
+# https://download.samba.org/pub/samba/stable/samba-4.15.11.tar.asc
+sha256  2f305980d49c7723cbef281fff2b81a2eeafae51e58b5172bb43d9693ef8953b  samba-4.15.11.tar.gz
 sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
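Review bot: The comment on the first line says the hash was calculated after checking the PGP signature, but the referenced signature is `samba-4.15.11.tar.asc` while the pinned file is `samba-4.15.11.tar.gz`. Consider extending the comment to say the signature was verified against the decompressed tarball, so that the next person bumping the version repeats the same check rather than trying to verify the .tar.gz directly.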
diff --git a/package/samba4/samba4.mk b/package/samba4/samba4.mk
index c90fdd006c..814bf0bbaa 100644
--- a/package/samba4/samba4.mk
+++ b/package/samba4/samba4.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SAMBA4_VERSION = 4.15.7
+SAMBA4_VERSION = 4.15.11
 SAMBA4_SITE = https://download.samba.org/pub/samba/stable
 SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz
 SAMBA4_INSTALL_STAGING = YES
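Review bot: `SAMBA4_VERSION` moves from 4.15.7 to 4.15.11 in one step, and the diffstat touches only the new 0005 patch, the hash file and this line. The 0005 prefix implies earlier-numbered patches in package/samba4; please confirm they still apply to 4.15.11 without fuzz, or mention in the commit message that they were checked.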
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
