Your message dated Tue, 05 Apr 2022 13:36:06 +0000
with message-id <e1nbjlq-000aw3...@fasolo.debian.org>
and subject line Bug#1004690: fixed in samba 2:4.16.0+dfsg-1
has caused the Debian Bug report #1004690,
regarding samba: CVE-2021-20316
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1004690: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004690
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: samba
Version: 2:4.13.14+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=14842
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2:4.13.13+dfsg-1~deb11u2
Control: found -1 2:4.9.5+dfsg-5+deb10u2
Hi,
The following vulnerability was published for samba.
CVE-2021-20316[0]:
| Symlink race error can allow metadata read and modify outside of the
| exported share.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-20316
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20316
[1] https://www.samba.org/samba/security/CVE-2021-20316.html
[2] https://bugzilla.samba.org/show_bug.cgi?id=14842
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: samba
Source-Version: 2:4.16.0+dfsg-1
Done: Michael Tokarev <m...@tls.msk.ru>
We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated samba package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 05 Apr 2022 16:01:25 +0300
Source: samba
Architecture: source
Version: 2:4.16.0+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-ma...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Closes: 862338 878612 953530 975882 988197 998423 1004690 1004691 1004692
1005642 1006875
Changes:
samba (2:4.16.0+dfsg-1) experimental; urgency=medium
.
* New upstream major release.
Closes: #1004690, CVE-2021-20316: Fileserver symlink metadata share escape
Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape
Closes: #1004692, CVE-2021-44141: UNIX extensions in SMB1 disclose whether
the outside target of a symlink exists
Closes: #1005642 (windows client data corruption due to cache poisoning)
Closes: #988197 (legacy printing support, 47d79d7e7e406f7dd2)
Closes: #998423 (coredump connecting from macos to shares with var substs)
* Notable changes in 4.16 series compared to 4.13:
- modular VFS (see The_New_VFS.txt)
- publishing printers in AD is more complete
- group policies for winbindd clients (like linux systems)
- certificate auto enrollment in AD group policy
- large list of improvements in samba-tool
- SMB1 protocol has been deprecated, some subcommands have been removed
- more consistent options/subcommands in samba commands
* d/rules: export PYTHONHASHSEED=1. This makes lots of sporadic build-time
debian-specific failures go away, by preserving order of waf hashes
* refresh patches, update build-depend versions (talloc, tdb, tevent)
* refresh lintian-overrides files, add many new overrides
* build-depend on python3-markdown
* build-depend on libjson-perl for new heimdal bits
* more consistent internal lib naming; refresh file lists everywhere
* samba: install new rpc_* services, install samba-dcerpc
* refresh symbols files
* build libldb from samba sources, not from separate source
(this moves ldb plugins from /usr/lib/$triple/ldb/plugin/ldb/ to
/usr/lib/$triple/samba/ldb/ - the same where dsdb modules are).
* optimizations for d/make_shlibs; also allow one to specify an explicit
version for some packages
* as per clarifications for waf --{bundled,builtin}-libraries, remove
now-wrong usage there. This also fixes build failures with current
samba sources
* d/rules: various optimizations to reduce startup costs by eliminating
unnecessary external command calls during d/rules read by make.
Including caching of LDB version information in d/ldb-version.mk file.
This does not affect the buildd processing much (and does not affect
runtime at all), but helps with build procedure debugging.
* d/rules: numerous small fixes, cleanups and other changes, including:
- clean up the install target
- remove some now-irrelevant parts
- fix no-glusterfs-build on non-linux
* change build procedure: instead of `waf build', run `waf install'.
`waf build' builds samba to be run from the build dir, and `waf install'
rebuilds/relinks everything again for production. Build the production
variant only, no build-dir one.
* samba-common-bin.postinst: explicitly mkdir /run/samba before invoking
samba binaries (Closes: #953530)
* in the salsa git repository of samba, stop keeping debian patches in
applied form, keep them in d/patches/ only as most other packages do.
* move single python (helper) module, libsamba-policy, together with
2 internal libraries used by it, from samba-libs package to python3-samba.
This makes samba-libs free from python-related files, and makes
python3-samba the only python-providing package.
Closes: #1006875, #878612, #862338
* also move dckeytab python module from samba to python3-samba
(actually stop moving it from python3-samba to samba to incorrectly
avoid a circular dependency). Also verify that python3-samba does
not depend on samba package.
* weak-crypto-allowed-clarify.diff: clarify "weak crypto is allowed"
testparm message (Closes: #975882)
* spelling.patch: fix many common spelling mistakes in the source
* ctdb: simplify/cleanup installation of READMEs/examples
* d/control: remove breaks/replaces/depends on ancient versions of some
packages (ancient dpkg version in Pre-Depends, ancient samba-libs)
* d/rules: rework wrong shlibdeps handling
* move helper programs from /usr/lib/$multiarch/ to /usr/libexec/
where they belong. This should not affect users.
* smbclient: re-do the fix for an old bug, #221618. The original "fix"
did not fix anything (it is already too late to #define _FILE_OFFSET_BITS
when all types have already been defined). From now on, raise an error
if off_t is less than 64 bits (it should be >=64 when #include'ing
<libsmbclient.h> with proper LFS defines). In theory this can break
some sources which either included libsmbclient.h without a reason or
which didn't use any of the functions which deal with off_t (smbc_lseek
etc), - which did not explicitly enable LFS on a 32bit system.
Please email us if you face such a situation.
* drop 07_private_lib patch: we do not need to force rpath for
private libraries into every samba binary, upstream build system
does a good job here.
--- End Message ---