Accepted samba 2:4.5.16+dfsg-1+deb9u3 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 Nov 2020 21:31:22 -0500
Source: samba
Binary: samba samba-libs samba-common samba-common-bin smbclient samba-testsuite registry-tools libparse-pidl-perl samba-dev python-samba samba-dsdb-modules samba-vfs-modules libsmbclient libsmbclient-dev winbind libpam-winbind libnss-winbind libwbclient0 libwbclient-dev ctdb
Architecture: source
Version: 2:4.5.16+dfsg-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
ctdb - clustered database to store temporary data
libnss-winbind - Samba nameservice integration plugins
libpam-winbind - Windows domain authentication integration plugin
libparse-pidl-perl - IDL compiler written in Perl
libsmbclient - shared library for communication with SMB/CIFS servers
libsmbclient-dev - development files for libsmbclient
libwbclient-dev - Samba winbind client library - development files
libwbclient0 - Samba winbind client library
python-samba - Python bindings for Samba
registry-tools - tools for viewing and manipulating the Windows registry
samba - SMB/CIFS file, print, and login server for Unix
samba-common - common files used by both the Samba server and client
samba-common-bin - Samba common files used by both the server and the client
samba-dev - tools for extending Samba
samba-dsdb-modules - Samba Directory Services Database
samba-libs - Samba core libraries
samba-testsuite - test suite from Samba
samba-vfs-modules - Samba Virtual FileSystem plugins
smbclient - command-line SMB/CIFS clients for Unix
winbind - service to resolve user and group information from Windows NT ser
Changes:
samba (2:4.5.16+dfsg-1+deb9u3) stretch-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* Fix CVE-2020-10704: An unauthorized user can trigger a denial of service
via a stack overflow in the AD DC LDAP server
* Fix CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba
AD DC LDAP Server with ASQ, VLV and paged_results
* Fix CVE-2020-10745: Denial of service resulting from abuse of compression
of replies to NetBIOS over TCP/IP name resolution and DNS packets causing
excessive CPU load on the Samba AD DC.
* Fix CVE-2020-10760: The use of the paged_results or VLV controls against
the Global Catalog LDAP server on the AD DC will cause a use-after-free.
* Fix CVE-2020-14303: Denial of service resulting from CPU spin and
inability to process further requests once the AD DC NBT server receives
an empty (zero-length) UDP packet to port 137.
* Fix CVE-2020-1472:
- Unauthenticated domain controller compromise by subverting Netlogon
cryptography.
+ switch "client schannel" default to "yes" instead of "auto".
+ switch "server schannel" default to "yes" instead of "auto".
- Unauthenticated domain controller compromise by subverting Netlogon
cryptography (ZeroLogon).
+ For compatibility reasons, allow specifying an insecure netlogon
configuration per machine. See the following link for examples:
https://www.samba.org/samba/security/CVE-2020-1472.html
+ Add additional server checks for the protocol attack in the
client-specified challenge to provide some protection when
'server schannel = no/auto' and avoid the false-positive results
when running the proof-of-concept exploit.
* Fix CVE-2020-14318: Missing handle permissions check in ChangeNotify
* Fix CVE-2020-14323: Unprivileged user can crash winbind via invalid
lookupsids DoS
* Fix CVE-2020-14383: DNS server crash via invalid records resulting from
uninitialized variables
Checksums-Sha1:
8e8da487e7f57f80e7cba00ac472f191ca0018e7 3978 samba_4.5.16+dfsg-1+deb9u3.dsc
107ceb75fc284388f5b21f9cfe5ca368c5e6f1c2 301140 samba_4.5.16+dfsg-1+deb9u3.debian.tar.xz
b21e8475ab47dbcd2801e9046e9b0479ad3fbccb 21142 samba_4.5.16+dfsg-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
a5ba6558a8486d3b9d1333c6ed841a0bd4d61f4aeb13bfd0f7e7450ad83a32d8 3978 samba_4.5.16+dfsg-1+deb9u3.dsc
cacedc32248e577a22d99d03a5cddcbd3da61754192adcfac22040ae4b8679df 301140 samba_4.5.16+dfsg-1+deb9u3.debian.tar.xz
dd47e9d748d4af77d7053eda5f425a52b344dc17937cb44b68069a18af4d4caa 21142 samba_4.5.16+dfsg-1+deb9u3_amd64.buildinfo
Files:
b0ac1cbc7b7ae28ac3b951273f28782e 3978 net optional samba_4.5.16+dfsg-1+deb9u3.dsc
4b1575a29dcfe22378aabbb3007cf77c 301140 net optional samba_4.5.16+dfsg-1+deb9u3.debian.tar.xz
403f5429fe17d39c488461f85a676d7a 21142 net optional samba_4.5.16+dfsg-1+deb9u3_amd64.buildinfo