An update to the latest release on the 4.5 branch. This should help
us handle future security issues in 6.2 and -current. Post-6.2 we
should ideally move to samba-4.7.x.

Build-tested only, now rebuilding consumers. I'd like to commit this
soonish; feedback welcome.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.238
diff -u -p -r1.238 Makefile
--- Makefile 13 Jul 2017 00:52:29 -0000 1.238
+++ Makefile 15 Sep 2017 17:03:49 -0000
@@ -1,6 +1,6 @@
# $OpenBSD: Makefile,v 1.238 2017/07/13 00:52:29 jca Exp $
-VERSION = 4.5.8
+VERSION = 4.5.13
DISTNAME = samba-${VERSION}
COMMENT-main = SMB and CIFS client and server for UNIX
@@ -15,8 +15,8 @@ PKGNAME-tevent = tevent-${TEVENT_V}
PKGNAME-util = samba-util-${VERSION}
PKGNAME-docs = samba-docs-${VERSION}
-REVISION-main = 1
-REVISION-tevent = 0
+REVISION-tevent = 1
+REVISION-ldb = 0
PKG_ARCH-docs = *
@@ -41,7 +41,7 @@ SHARED_LIBS = asn1-samba4 0.0 \
ndr 0.2 \
ndr-krb5pac 0.1 \
ndr-nbt 0.1 \
- ndr-standard 0.1 \
+ ndr-standard 1.0 \
netapi 2.0 \
pyldb-util 0.0 \
roken-samba4 0.0 \
@@ -59,8 +59,8 @@ SHARED_LIBS = asn1-samba4 0.0 \
tevent-util 0.1 \
wbclient 3.1 \
wind-samba4 0.0 \
- replace 0.0 \
- util-setid 0.0
+ replace 1.0 \
+ util-setid 1.0
CATEGORIES = net sysutils security
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
retrieving revision 1.59
diff -u -p -r1.59 distinfo
--- distinfo 1 Apr 2017 11:37:38 -0000 1.59
+++ distinfo 15 Sep 2017 17:03:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.5.8.tar.gz) = 9jtlbYgjooDFDJ29a2koFs16iK3+m0eZfOaX/XW/gfA=
-SIZE (samba-4.5.8.tar.gz) = 20979104
+SHA256 (samba-4.5.13.tar.gz) = X8R2LSJZRpv7AGfBD3c3jLcg8uva8vN7XKGRjb6E0E0=
+SIZE (samba-4.5.13.tar.gz) = 21013879
Index: patches/patch-lib_ldb_wscript
===================================================================
RCS file: /cvs/ports/net/samba/patches/patch-lib_ldb_wscript,v
retrieving revision 1.5
diff -u -p -r1.5 patch-lib_ldb_wscript
--- patches/patch-lib_ldb_wscript 22 Apr 2016 11:48:36 -0000 1.5
+++ patches/patch-lib_ldb_wscript 15 Sep 2017 17:03:49 -0000
@@ -4,8 +4,9 @@ $OpenBSD: patch-lib_ldb_wscript,v 1.5 20
2. Use -Wl,no-undefined as on other platforms.
---- lib/ldb/wscript.orig Wed Apr 13 17:18:37 2016
-+++ lib/ldb/wscript Wed Apr 13 17:18:37 2016
+Index: lib/ldb/wscript
+--- lib/ldb/wscript.orig
++++ lib/ldb/wscript
@@ -53,6 +53,7 @@ def configure(conf):
conf.CONFIG_PATH('LDB_MODULESDIR', conf.SUBST_ENV_VAR('MODULESDIR') +
'/ldb')
@@ -13,8 +14,8 @@ $OpenBSD: patch-lib_ldb_wscript,v 1.5 20
+ conf.env.standalone_ldb = True
if not conf.env.standalone_ldb:
- if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
-@@ -73,8 +74,7 @@ def configure(conf):
+ #
+@@ -88,8 +89,7 @@ def configure(conf):
# we don't want any libraries or modules to rely on runtime
# resolution of symbols
Index: patches/patch-source3_rpc_server_srv_pipe_c
===================================================================
RCS file: patches/patch-source3_rpc_server_srv_pipe_c
diff -N patches/patch-source3_rpc_server_srv_pipe_c
--- patches/patch-source3_rpc_server_srv_pipe_c 24 May 2017 11:58:29 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,29 +0,0 @@
-$OpenBSD: patch-source3_rpc_server_srv_pipe_c,v 1.1 2017/05/24 11:58:29 jca
Exp $
-
-From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <[email protected]>
-Date: Mon, 8 May 2017 21:40:40 +0200
-Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
- inside
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
-
-Signed-off-by: Volker Lendecke <[email protected]>
-Reviewed-by: Jeremy Allison <[email protected]>
-Reviewed-by: Stefan Metzmacher <[email protected]>
-
-Index: source3/rpc_server/srv_pipe.c
---- source3/rpc_server/srv_pipe.c.orig
-+++ source3/rpc_server/srv_pipe.c
-@@ -476,6 +476,11 @@ bool is_known_pipename(const char *pipename, struct nd
- {
- NTSTATUS status;
-
-+ if (strchr(pipename, '/')) {
-+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
-+ return false;
-+ }
-+
- if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
- DEBUG(10, ("refusing spoolss access\n"));
- return false;
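Review bot: The description does not explain why this CVE-2017-7494 patch is removed (nor patch-source4_heimdal_lib_krb5_ticket_c for CVE-2017-11103 in the next section), so a reader cannot tell from the diff that both fixes survive the update. Presumably 4.5.13 carries them upstream, but that is worth confirming in the extracted source. Check that is_known_pipename() in source3/rpc_server/srv_pipe.c still refuses pipe names containing '/', and that _krb5_extract_ticket() in source4/heimdal/lib/krb5/ticket.c passes `rep->enc_part.sname` and `rep->enc_part.srealm`. Once confirmed, I would add a line to the commit message such as `Drop the CVE-2017-7494 and CVE-2017-11103 patches, both included upstream.`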
Index: patches/patch-source4_heimdal_lib_krb5_ticket_c
===================================================================
RCS file: patches/patch-source4_heimdal_lib_krb5_ticket_c
diff -N patches/patch-source4_heimdal_lib_krb5_ticket_c
--- patches/patch-source4_heimdal_lib_krb5_ticket_c 13 Jul 2017 00:52:29
-0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@
-$OpenBSD: patch-source4_heimdal_lib_krb5_ticket_c,v 1.1 2017/07/13 00:52:29
jca Exp $
-
- CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
-
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
-
-Index: source4/heimdal/lib/krb5/ticket.c
---- source4/heimdal/lib/krb5/ticket.c.orig
-+++ source4/heimdal/lib/krb5/ticket.c
-@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context,
- /* check server referral and save principal */
- ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
-- rep->kdc_rep.ticket.sname,
-- rep->kdc_rep.ticket.realm);
-+ rep->enc_part.sname,
-+ rep->enc_part.srealm);
- if (ret)
- goto out;
- if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE