summaryrefslogtreecommitdiffstats
path: root/jerry2/WHATSNEW.txt
diff options
context:
space:
mode:
Diffstat (limited to 'jerry2/WHATSNEW.txt')
-rw-r--r--jerry2/WHATSNEW.txt1588
1 files changed, 1588 insertions, 0 deletions
diff --git a/jerry2/WHATSNEW.txt b/jerry2/WHATSNEW.txt
new file mode 100644
index 00000000000..d076c510762
--- /dev/null
+++ b/jerry2/WHATSNEW.txt
@@ -0,0 +1,1588 @@
+ ==============================
+ Release Notes for Samba 2.2.10
+ July 22, 2004
+ ==============================
+
+
+######################## SECURITY RELEASE ########################
+
+Summary: Potential Buffer Overrun in Samba 2.2.x
+CVE ID: CAN-2004-0686
+ (http://cve.mitre.org/)
+
+This is the latest stable release of the Samba 2.2 code base.
+There are no further Samba 2.2.x releases planned at this time.
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 2.2.0 through 2.2.9
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Affected Samba
+2.2 installations can avoid this possible security bug by using
+the hash2 mangling method. Server installations requiring
+the hash mangling method are encouraged to upgrade to Samba v2.2.10
+or v3.0.5.
+
+
+Older releases notes for 2.2.x distributions follow
+
+ ------------------------------------------------------
+
+ =============================
+ Release Notes for Samba 2.2.9
+ May 8, 2004
+ =============================
+
+This is the latest stable release of the Samba 2.2 code base.
+This is a maintenance release of Samba 2.2.8a to address the
+problem with user password changes after applying the Microsoft
+hotfix described in KB282741 to Windows NT 4.0/200x/XP clients.
+No other changes have been applied since Samba 2.2.8a.
+
+There are no further Samba 2.2.x releases planned at this time.
+
+
+ ------------------------------------------------------
+
+ ===========================================
+ What's new in Samba 2.2.8a - 7th April 2003
+ ===========================================
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+Summary
+-------
+
+Digital Defense, Inc. has alerted the Samba Team to a serious
+vulnerability in all stable versions of Samba currently shipping.
+The Common Vulnerabilities and Exposures (CVE) project has assigned
+the ID CAN-2003-0201 to this defect.
+
+This vulnerability, if exploited correctly, leads to an anonymous
+user gaining root access on a Samba serving system. All versions
+of Samba up to and including Samba 2.2.8 are vulnerable. An active
+exploit of the bug has been reported in the wild. Alpha versions of
+Samba 3.0 and above are *NOT* vulnerable.
+
+
+Credit
+------
+
+The Samba Team would like to thank Erik Parker and the team at
+Digital Defense, Inc. for their efforts spent in the responsible
+and timely reporting of this bug.
+
+
+Patch Availability
+------------------
+
+The Samba 2.2.8a release contains only updates to address this
+security issue. A roll-up patch for release 2.2.7a and 2.0.10
+addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
+from http://www.samba.org/samba/ftp/patches/security/.
+
+
+ ========================================
+
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------
+The release notes for 2.2.8 follow:
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+Summary
+-------
+
+The SuSE security audit team, in particular Sebastian Krahmer
+<krahmer@suse.de>, has found an flaw in the Samba main smbd code which
+could allow an external attacker to remotely and anonymously gain
+Super User (root) privileges on a server running a Samba server.
+
+This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
+inclusive. This is serious problem and all sites should either
+upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
+and 445. Advice on how to protect an unpatched Samba server created by
+Andrew Tridgell, the leader of the Samba Team, is given at the end of
+this section.
+
+The SMB/CIFS protocol implemented by Samba is vulnerable to many
+attacks, even without specific security holes. The TCP ports 139 and
+the new port 445 (used by Win2k and the Samba 3.0 alpha code in
+particular) should never be exposed to untrusted networks.
+
+Description
+-----------
+
+A buffer overrun condition exists in the SMB/CIFS packet fragment
+re-assembly code in smbd which would allow an attacker to cause smbd
+to overwrite arbitrary areas of memory in its own process address
+space. This could allow a skilled attacker to inject binary specific
+exploit code into smbd.
+
+This version of Samba adds explicit overrun and overflow checks on
+fragment re-assembly of SMB/CIFS packets to ensure that only valid
+re-assembly is performed by smbd.
+
+In addition, the same checks have been added to the re-assembly
+functions in the client code, making it safe for use in other
+services.
+
+Credit
+------
+
+This security flaw was discovered and reported to the Samba Team by
+Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.
+The fix was prepared by Jeremy Allison and reviewed by engineers from
+the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
+on the Linux Vendor security mailing list.
+
+The Samba Team would like to thank SuSE and Sebastian Krahmer for
+their excellent auditing work and for drawing attention to this flaw.
+
+Patch Availability
+-----------------
+
+As this is a security issue, patches for this flaw specific to earlier
+versions of Samba will be and posted on the samba-technical@samba.org
+mailing list as requested.
+
+
+************************************
+Protecting an unpatched Samba server
+************************************
+
+ Samba Team, March 2003
+
+ This is a note on how to provide your Samba server some
+ protection against the recently discovered remote security
+ hole if you are unable to upgrade to the fixed version
+ immediately. Even if you do upgrade you might like to think
+ about the suggestions in this note to provide you with
+ additional levels of protection.
+
+
+ Using host based protection
+ ---------------------------
+
+ In many installations of Samba the greatest threat comes for
+ outside your immediate network. By default Samba will accept
+ connections from any host, which means that if you run an
+ insecure version of Samba on a host that is directly
+ connected to the Internet you can be especially vulnerable.
+
+ One of the simplest fixes in this case is to use the 'hosts
+ allow' and 'hosts deny' options in the Samba smb.conf
+ configuration file to only allow access to your server from a
+ specific range of hosts. An example might be:
+
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+
+ The above will only allow SMB connections from 'localhost'
+ (your own computer) and from the two private networks
+ 192.168.2 and 192.168.3. All other connections will be
+ refused connections as soon as the client sends its first
+ packet. The refusal will be marked as a 'not listening on
+ called name' error.
+
+
+ Using interface protection
+ --------------------------
+
+ By default Samba will accept connections on any network
+ interface that it finds on your system. That means if you
+ have a ISDN line or a PPP connection to the Internet then
+ Samba will accept connections on those links. This may not be
+ what you want.
+
+ You can change this behavior using options like the
+ following:
+
+ interfaces = eth* lo
+ bind interfaces only = yes
+
+ that tells Samba to only listen for connections on interfaces
+ with a name starting with 'eth' such as eth0, eth1, plus on
+ the loopback interface called 'lo'. The name you will need to
+ use depends on what OS you are using, in the above I used the
+ common name for ethernet adapters on Linux.
+
+ If you use the above and someone tries to make a SMB
+ connection to your host over a PPP interface called 'ppp0'
+ then they will get a TCP connection refused reply. In that
+ case no Samba code is run at all as the operating system has
+ been told not to pass connections from that interface to any
+ process.
+
+
+ Using a firewall
+ ----------------
+
+ Many people use a firewall to deny access to services that
+ they don't want exposed outside their network. This can be a
+ very good idea, although I would recommend using it in
+ conjunction with the above methods so that you are protected
+ even if your firewall is not active for some reason.
+
+ If you are setting up a firewall then you need to know what
+ TCP and UDP ports to allow and block. Samba uses the
+ following:
+
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+
+ The last one is important as many older firewall setups may
+ not be aware of it, given that this port was only added to
+ the protocol in recent years.
+
+
+ Using a IPC$ share deny
+ -----------------------
+
+ If the above methods are not suitable, then you could also
+ place a more specific deny on the IPC$ share that is used in
+ the recently discovered security hole. This allows you to
+ offer access to other shares while denying access to IPC$
+ from potentially untrustworthy hosts.
+
+ To do that you could use:
+
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+
+ this would tell Samba that IPC$ connections are not allowed
+ from anywhere but the two listed places (localhost and a
+ local subnet). Connections to other shares would still be
+ allowed. As the IPC$ share is the only share that is always
+ accessible anonymously this provides some level of protection
+ against attackers that do not know a username/password for
+ your host.
+
+ If you use this method then clients will be given a 'access
+ denied' reply when they try to access the IPC$ share. That
+ means that those clients will not be able to browse shares,
+ and may also be unable to access some other resources.
+
+ I don't recommend this method unless you cannot use one of
+ the other methods listed above for some reason.
+
+
+ Upgrading Samba
+ ---------------
+
+ Of course the best solution is to upgrade Samba to a version
+ where the bug has been fixed. If you wish to also use one of
+ the additional measures above then that would certainly be a
+ good idea.
+
+ Please check regularly on http://www.samba.org/ for updates
+ and important announcements.
+
+
+ ****************************************
+ ****************************************
+
+
+Changes since 2.2.7a
+---------------------
+
+New Parameters
+
+ * acl compatibility
+
+Additional Changes:
+ See the cvs log for SAMBA_2_2 for more details
+
+1) smbumount lazy patch from Mandrake
+2) Check for too many processes *before* the fork.
+3) make sure we don't run over the end of 'name' in unix_convert()
+4) set umask to 0 before creating socket directory.
+5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right
+ thing in interactive mode when a log file dir is also specified.
+6) Fix delete on close semantics to match W2K.
+7) Correctly return access denied on share mode deny when we can't
+ open the file.
+8) Always use safe_strcpy not pstrcpy for malloc()'d strings
+9) Fixes for HP-UX only having limited POSIX lock range
+10) Added uid/gid caching code. Reduces load on winbindd.
+11) Removed extra copy of server name in the printername field (it was
+ mangling the the name to be \\server\\\server\printer
+12) Fix dumb perror used without errno being set.
+13) Do retries correctly if the connection to the DC has failed.
+14) Correctly check for inet_addr fail.
+15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
+16) Fix for missing if (setting_acls) on default perms.
+17) Fix to cache the sidtype
+18) fix printer settings on Solaris (big-endian) print servers.
+ ASCII -> UNICODE conversion bug.
+19) Small fix check correct error return.
+20) Ensure space_avail is unsigned.
+21) patch to check for a valid [f]chmod_acl function pointer
+ before calling it. Fixes seg fault in audit VFS module
+22) When checking is_locked() new WRITE locks conflict with existing
+ READ locks even if the context is the same.
+23) Merge off-by-one crash fixes from HEAD
+24) Move off-by-one buggy malloc()/safe_strcpy() combination to
+ strdup() instead.
+25) Merge from HEAD. Use pstrcpy not safe_strcpy.
+26) Fix to allow blocking lock notification to be done rapidly (no wait
+ for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
+ (does not interfere with existing locks).
+27) Doxygen cleanups for code documentation
+28) limit the unix domain sockets used by winbindd by adding a
+ "last_access" field to winbindd connections, and will close
+ the oldest idle connection once the number of open connections goes
+ over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
+ currently)
+29) Fix a couple of string handling errors in smbd/dir.c that would
+ cause smbd to crash
+30) Fix seg fault in smbpasswd when specifying the new password
+ as a command line argument
+31) Correct 64-but file sizes issues with smbtar and smbclient
+32) Add batch mode option to pdbedit
+33) Add protection in nmbd against malformed reply packets
+34) Fix bug with sendfile profiling support in smbstatus output
+35) Correct bug in "hide unreadable" smb.conf parameter that
+ resulted in incorrect directory listings
+36) Fix bug in group enumeration in winbindd
+37) Correct build issues with libsmbclient on Solaris
+38) Fix memory leak and bad pointer dereference in password
+ changing code in smbd
+39) Fix for changing attributes on a file truncate
+40) Ensure smbd process count never gets to -1 if limiting number
+ of processes
+41) Ensure we return disk full by default on short writes
+42) Don't delete jobs submitted after the lpq time
+43) Fix reference count bug where smbds would not terminate
+ with no open resources
+44) Performance fix when using quota support on HP-UX
+45) Fixes for --with-ldapsam
+ * Default to port 389 when "ldap ssl != on"
+ * add support for rebinding to the master directory server
+ for password changes when "ldap server" points to a read-only
+ slave
+46) Add -W and -X command line flags to smbpasswd for extracting and
+ setting the machine/domain SID in secrets.tdb. See the
+ smbpasswd(8) man page for details.
+47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
+ obtained from PADL's nss_ldap library.
+48) Fix bug in samr_dispinfo query in winbindd
+49) Fix segfault in NTLMSSP password changing code for
+ guest connections
+50) Correct pstring/fstring mismatches
+51) Send level II oplock break requests synchronously to prevent
+ condition where one smbd would continually lock a share entry
+ in locking.tdb
+52) Miscellaneous cleanups for tdb error conditions and appending
+ data in a record
+53) Implement correct open file truncate semantics with DOS
+ attributes
+54) Enforce wide links = no on files as well as directories
+55) Include shared library checks for Stratus VOS
+56) Include support for CUPS printer classes and logging the remote
+ client name
+57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
+ for %a
+58) Increase the max PDU size to deal with some troublesome printer
+ drivers and Windows NT 4.0 clients
+59) increment the process counter immediately after the fork
+ (not just when we receive the first smb packet)
+60) Ensure rename sets errno correctly
+61) Unify ACL code (back-port from 3.0)
+62) Fix some further issues around off_t and large offsets
+
+
+Changes since 2.2.7
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fix for smbclient reporting negative file sizes on dir command
+ and negative statistics being reported when using put or get
+ on large files.
+2) Fix bug in determination of allocation size
+3) Fix 64bit size problems which prevented copying of files larger
+ than 2 GBytes.
+4) Fix for xcopy /s problem with old DOS clients not sending correct
+ attributes on subsequent SMBsearch calls.
+5) Fix bug in call to standard_sub_advanced giving a 0 length. This
+ fixes the string overflow in string_sub errors.
+6) Correctly handle querygroup rpcclient command
+7) fix broken incremental tar in smbtar command
+
+
+The release notes for 2.2.7 follow :
+
+IMPORTANT: Security bugfix for Samba
+------------------------------------
+
+Summary
+-------
+
+A security hole has been discovered in versions 2.2.2 through 2.2.6
+of Samba that could potentially allow an attacker to gain root access
+on the target machine. The word "potentially" is used because there
+is no known exploit of this bug, and the Samba Team has not been able to
+craft one ourselves. However, the seriousness of the problem warrants
+this immediate 2.2.7 release.
+
+In addition to addressing this security issue, Samba 2.2.7 also includes
+thirteen unrelated improvements. These improvements result from our
+process of continuous quality assurance and code review, and are part of
+the Samba team's commitment to excellence.
+
+Details
+-------
+
+There was a bug in the length checking for encrypted password change
+requests from clients. A client could potentially send an encrypted
+password, which, when decrypted with the old hashed password could be
+used as a buffer overrun attack on the stack of smbd. The attach would
+have to be crafted such that converting a DOS codepage string to little
+endian UCS2 unicode would translate into an executable block of code.
+
+All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable
+to this problem. This version of Samba 2.2.7 contains a fix for this
+problem.
+
+Earlier versions of Samba are not vulnerable.
+
+There is no known exploit or exploit code for this vulnerability,
+it was discovered by a code audit by Debian Samba maintainers.
+
+Credit
+------
+
+Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris
+<peloy@debian.org> for bringing this vulnerability to our notice.
+
+Patch for Samba versions 2.2.2 to 2.2.6
+---------------------------------------
+
+The following patch applies cleanly to the above Samba versions
+and will fix the vulnerability for sites that do not wish to upgrade
+to 2.2.7 at this time.
+
+
+-------------------------------cut here---------------------------------
+--- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002
++++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
+@@ -63,7 +63,7 @@
+ if(len > 128)
+ len = 128;
+ /* Password must be converted to NT unicode - null terminated. */
+- dos_struni2((char *)wpwd, (const char *)passwd, 256);
++ dos_struni2((char *)wpwd, (const char *)passwd, len);
+ /* Calculate length in bytes */
+ len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
+-------------------------------cut here---------------------------------
+
+
+
+Changes since 2.2.6
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) ensure we send the notify message in the same way it is expected
+ to be received by srv_spoolss_receive_message().
+2) attribute matching on truncate only matters when opening truncate
+ with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
+ with current NONE -> SYSTEM | HIDDEN.
+3) Fix bug in rpcclient's deldriver command
+4) Don't set global_machine_password_needs_changing if
+ lp_machine_password_timeout() is set to zero
+5) don't parse the BUFFER5 if the buffer length is zero
+6) fix core dump if pdbedit is run as non-root or smbpasswd file does
+ not exist
+7) Ensure can_delete() returns correct error code
+8) correctly return NT_STATUS_DELETE_PENDING from open code
+9) fix bug that assumed dos_unistr2 length was in ucs2 units, not
+ bytes
+10) check the long_archi name is not null when deleting a printer
+ driver. fixes core dump in smbd when using rpcclient's deldriver
+11) fix fd leak with kernel change notify on Linux 2.4 kernels
+12) must add one to the extra_data size to transfer the 0 string
+ terminator. This was causing "wbinfo --sequence" to access past
+ the end of malloced memory
+13) fix for large systems allowing more than 65536 files open in
+ NTcreate&X
+14) Fix bug in %U expansion
+
+
+
+----------------------------------------------------------------------
+The release notes for 2.2.6 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * Fixes for MS-RPC printing issues affecting Windows 2000 clients
+ * New support for smb.conf generation in SWAT
+ * Inclusion of several performance enhancements (See --with-sendfile
+ & and the modified smb.conf(5) parameters in these Release Notes)
+ * Fixes for several file locking bugs and returned status codes
+
+
+New Parameters
+--------------
+
+Refer to the smb.conf(5) man page for complete descriptions of new
+parameters.
+
+ * profile acls (S) workaround for issue with WinXP SP1
+ and roaming user profiles
+
+Removed Parameters
+------------------
+
+ * max packet (G)
+ * packet size (G)
+
+Modified Parameters
+-------------------
+
+ * max xmit (G) new default value
+ * large readwrite (G) new default value
+
+New ./configure Options
+-----------------------
+
+ --with-sendfile Enable experimental sendfile support
+ --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality
+ for Windows 2000 native mode domains
+
+
+Changes since 2.2.5
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fixed several compiler warnings caused by the use of const parameters
+2) Fixed a hang in the main smbd process caused by an EINTR in the
+ wrong place
+3) Fixed string substitutions to accept a length for sanity checks
+4) Fixed 17-bit length field in nmb header
+5) Removed non-portable inline declaration for functions
+6) Performance fix for including files with an smb.conf variable in the
+ path name
+7) Fix for parsing LPRng lpq output
+8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
+ printer properties to fail
+9) Fix for printer change notification and Windows NT clients which caused
+ the client to go into an infinite loop of refreshing the local printers
+ folder
+10) Allow trans2 and nttrans messages to be processed in oplock break state
+ which fixes a problem with oplock break requests and Win2k clients
+11) Don't crash on setfileinfo on printer fsp
+12) Memory fixes caught by Valgrind
+13) Updates to stop spurious error message in tdb
+14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
+15) Fix compilation of pam_smbpass and --with-ldap
+16) Fix compilation of smbwrapper on Solaris hosts
+17) fix logic error in a check for enabling the winbind_pam_auth_crap() code
+ & fix formatting typo in --with-winbind-auth-challenge
+18) Correcting check for ldap_start_tls()
+19) Fixed a problem with getgroups() where it could include our current
+ effective gid
+20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
+ to only attempt to delete the architecture specified by the client
+21) Don't allow TEMP attribute on directory open
+22) Restore VxFS quotas to the 2.2 branch
+23) Added basic "Wizard" functionality to SWAT
+24) Fix initial "allocation size" in NTcreate&X call
+25) Fix for open fid, "nametoolong"
+26) Exit server on receipt of a non-SMB packet. Ensure we have
+ at least smb_size bytes before processing a packet
+27) Replace inet_aton with inet_addr() to correct compile problems on Solaris
+28) Include the "account" objectclass when adding a new account to --with-ldapsam
+ in order to comply with the data model implemented by OpenLDAP 2.1.x
+29) Various fixes for POSIX compliance
+30) Correct alignment & offset bug in EnumPrinterDataEx()
+31) Fix access checks when modifying forms using a print server handle
+ (not just a printer handle)
+32) Account for case data_len == 0 in EnumPrinterDataEx()
+33) Fix logic error in blocking lock code
+34) Fixed various incorrect return codes to clients
+35) Add RESOLVE_DFSPATH to mkdir operations
+36) Fix longstanding bug in Win2k clients by clearing the shortname
+ buffer before returning ASCII short name
+37) added -t option to smbpasswd for explicitly changing a trust
+ account password when operating in security = domain
+38) installed -x option to testparm to eXclude printing all parameter
+ values that are at default settings.
+39) Fix shares/printers view in SWAT so that only Basic options are exposed
+ upon initial entry.
+40) Added 1125 & KOI8-U to codepage list in Makefile.in
+41) Include separate configure checks for *openbsd* & *freebsd* when
+ determining flags used to compile shared libraries.
+42) Merge in free list unlock on error fix
+43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
+ if we are mapping system or hidden
+44) Fix bug with stat mode open being done on read-only open with truncate
+45) Fix crash bug discovered where cli struct was being deallocated in a
+ called function
+46) Ensure we open UNIX fifo's non-blocking
+47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
+48) only lowercase global_myname in the %L substitution, not the whole string
+49) Merged Steve French's fix for OS/2 EA return error being removed
+50) Patch from Steve French to fix difference in responses to smbclient
+ //server/share ls / on Samba and Windows 2000
+51) Print error and exit if smb.conf doesn't have security=domain and
+ encrypt passwords=yes when joining domain
+52) Added final Steve French patch for "required" attributes with old dir
+ listings
+53) Initialize user_rid value in WINBIND_USERINFO structure returned by
+ the rpc version of query_user()
+54) Ensure we've failed a lock with a lock denied message before automatically
+ pushing it onto the blocking queue
+55) Add experimental --with-sendfile code
+56) alignment fix in printing code merged from HEAD
+57) Merge fix for other sids in token from HEAD
+58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
+59) fix smbclient / Win98 off by one bug
+60) Never, *ever* hold a mutex lock in the message database where there may be
+ traversals being attempted
+61) Add LDAP hack for retrieving the SAM sequence number when a member of a
+ Windows 2000 native mode domain
+62) Fix race condition when changing a machine account password as we were
+ no longer locking the secrets entry
+63) Allow '@' as a valid character in domain names
+64) remove jobs from the spool directory when using cups
+65) removed -lresolv for --enable-ldapsam
+66) Memory leak fix and correct use of negative caching in winbindd
+67) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
+68) Delete printer security check was reversed
+69) Windows allows delete printer on a handle opened by an admin user, then
+ used on a pipe handle created by an anonymous user...We do to now...
+70) Make explicit the difference between a tdb key with no data attached, and
+ a non existent entry
+71) Ensure we register the 1c name on the unicast subnet.
+72) Fix inheritance problem when recursively setting ACLs on directories
+73) prevent ACL set on read-only share
+74) Ensure we never have more than MAX_PRINT_JOBS in a queue
+75) Added timeout to tdb_lock_bystring()
+76) Ensure we set FIRST+LAST flags on a bind request
+77) Add version strings to the usage message for smbcacls and smbpasswd
+78) Fix bug in the write cache code
+79) make the default printed values for boolean the same for all parameters
+80) Default all LDAP connections to v3 with compiling with --with-ldapsam
+81) Fix memory leak in smbspool
+82) Fix bug in mangling code that resulted in Win9x clients not being
+ able to execute batch files in deep, non 8.3 directory paths
+83) Fix infinite looping bug in winbindd_getgrent()
+84) Fix crash bug on 64-bit systems (merge from HEAD)
+85) Fix extended character bug when setting LanMan/NT password
+86) Negotiate same SMB read size as a Windows 2000 file server
+ to fix performance bug with NT4 clients
+
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.5 follow :
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+New/Changed parameters in 2.2.5
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* block size = <INTEGER>
+* force unknown acl user = <boolean>
+* mangling method = [hash|hash2]
+
+
+Deprecated Parameters
+---------------------
+
+The following parameters have been marked as deprecated and will be removed
+in Samba 3.0
+
+* strip dot
+* status
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.5
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Removal of several compiler warnings, incorrect Makefile dependencies,
+ and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
+ being the predominantly reported platforms
+2) Fixed winbindd crash bug on the IBM s390 running Linux
+3) Inclusion of enhanced Linux quota support
+4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
+ there is no apparent SSL support there)
+5) POSIX conformance patches
+6) Include new configure --enable-cups option (can also be disabled even
+ if CUPS libraries are installed on the system)
+7) Set reasonable default for the "passwd program" parameter using an
+ autoconf test
+8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
+9) fixed bug to prevent root account from being deleted by the
+ "delete user script"
+10) Inclusion of autoconf script for building VFS modules
+11) Add new run time options to the VFS recycle bin library (see
+ examples/VFS/recycle/README for details)
+12) Include findsmb perl script as part of the "make install" process
+13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
+ to fix a bug where printers appear at the workgroup level in the Windows
+ NT/2k APW browse list
+14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
+ details)
+15) Fix length bug that caused password changes from Windows NT/2k clients to
+ occasionally fail
+16) Correct false password expiration when using --with-ldapsam caused by
+ missing attributes in the directory
+17) added -S option to smbpasswd for storing the SID of a domain controller
+ as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
+ for details.
+18) Various fixes for UNIX CIFS extensions commands
+19) Fixed CIDR notation in "hosts allow/deny"
+20) Change semantics of an idle connection to mean "no open files and no
+ open handles". We cannot idle a connection if there are open named
+ pipe handles. This fixes scalability problem on Samba print servers
+ and NT/2k clients introduced in 2.2.4
+21) Fix germam umlaut problem when returning ACL entries
+22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
+ of running the Microsoft Access executable (msaccess.exe) and database
+ files from a Samba share documented in the 2.2.4 release
+23) Corrected signal handling relating to directory change notification and
+ kernel oplocks
+24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
+ Savings Time
+25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
+ clients not to be able to view printer properties from a Samba host
+26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
+ Windows 2k/XP clients to fail
+27) Fixed incorrect error check in mod_share_entry()
+28) Allow %S variable in MS-DFS root paths
+29) Correct a bug regarding the use of 'wbinfo -A'
+30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
+31) Store the key for a name-to-sid cache entry in upper case rather than
+ whatever case the request was made in. This gets rid of duplicate
+ cache entries.
+32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
+33) Enhanced error reporting messages of wbinfo
+34) Parameterize block size on disk size return
+35) Added new parameter to allow incoming ACLs to have owner and group forced
+ to the currently logged in user. This fixes the XCOPY /O problem
+36) Fixed bug in local_change_password() caused by reusing a struct
+ passwd* pointer
+37) Change default value for "ldap port" to 389 if "ldap ssl = no"
+38) Updated HOWTO's, manpages, and general documentation....
+39) Allow root as well as domain admins to open an LDAP connection
+40) Fixed veto files bug with ".*"
+41) Fixed uninitialized variable bug in smbpasswd that was causing a random
+ IP address to be used in the connection when joining a domain
+42) Fix for joining a domain with a netbios name of 15 characters and
+ pre-creating the account on the DC
+43) Added links to new documentation on SWAT welcome page
+
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.4 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Deprecated parameters
+---------------------
+
+The following parameters have been marked as deprecated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HP-UX versions earlier than HP-UX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HP-UX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HP-UX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HP-UX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HP-UX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HP-UX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
generated by cgit (git 2.34.1) at 2024-05-18 15:38:01 +0000