Diffstat (limited to 'jerry2/WHATSNEW.txt')
-rw-r--r-- | jerry2/WHATSNEW.txt | 1588 |
1 files changed, 1588 insertions, 0 deletions
diff --git a/jerry2/WHATSNEW.txt b/jerry2/WHATSNEW.txt new file mode 100644 index 00000000000..d076c510762 --- /dev/null +++ b/jerry2/WHATSNEW.txt 
@@ -0,0 +1,1588 @@ + ============================== + Release Notes for Samba 2.2.10 + July 22, 2004 + ============================== + + +######################## SECURITY RELEASE ######################## + +Summary: Potential Buffer Overrun in Samba 2.2.x +CVE ID: CAN-2004-0686 + (http://cve.mitre.org/) + +This is the latest stable release of the Samba 2.2 code base. +There are no further Samba 2.2.x releases planned at this time. + +------------- +CAN-2004-0686 +------------- + +Affected Versions: Samba 2.2.0 through 2.2.9 + +A buffer overrun has been located in the code used to support +the 'mangling method = hash' smb.conf option. Affected Samba +2.2 installations can avoid this possible security bug by using +the hash2 mangling method. Server installations requiring +the hash mangling method are encouraged to upgrade to Samba v2.2.10 +or v3.0.5. + + +Older releases notes for 2.2.x distributions follow + + ------------------------------------------------------ + + ============================= + Release Notes for Samba 2.2.9 + May 8, 2004 + ============================= + +This is the latest stable release of the Samba 2.2 code base. +This is a maintenance release of Samba 2.2.8a to address the +problem with user password changes after applying the Microsoft +hotfix described in KB282741 to Windows NT 4.0/200x/XP clients. +No other changes have been applied since Samba 2.2.8a. + +There are no further Samba 2.2.x releases planned at this time. + + + ------------------------------------------------------ + + =========================================== + What's new in Samba 2.2.8a - 7th April 2003 + =========================================== + + **************************************** + * IMPORTANT: Security bugfix for Samba * + **************************************** + +Summary +------- + +Digital Defense, Inc. has alerted the Samba Team to a serious +vulnerability in all stable versions of Samba currently shipping. 
+The Common Vulnerabilities and Exposures (CVE) project has assigned +the ID CAN-2003-0201 to this defect. + +This vulnerability, if exploited correctly, leads to an anonymous +user gaining root access on a Samba serving system. All versions +of Samba up to and including Samba 2.2.8 are vulnerable. An active +exploit of the bug has been reported in the wild. Alpha versions of +Samba 3.0 and above are *NOT* vulnerable. + + +Credit +------ + +The Samba Team would like to thank Erik Parker and the team at +Digital Defense, Inc. for their efforts spent in the responsible +and timely reporting of this bug. + + +Patch Availability +------------------ + +The Samba 2.2.8a release contains only updates to address this +security issue. A roll-up patch for release 2.2.7a and 2.0.10 +addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained +from http://www.samba.org/samba/ftp/patches/security/. + + + ======================================== + + +Older releases notes for 2.2.x distributions follow + +----------------------------------------------------------------- +The release notes for 2.2.8 follow: + + **************************************** + * IMPORTANT: Security bugfix for Samba * + **************************************** + +Summary +------- + +The SuSE security audit team, in particular Sebastian Krahmer +<krahmer@suse.de>, has found an flaw in the Samba main smbd code which +could allow an external attacker to remotely and anonymously gain +Super User (root) privileges on a server running a Samba server. + +This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a +inclusive. This is serious problem and all sites should either +upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 +and 445. Advice on how to protect an unpatched Samba server created by +Andrew Tridgell, the leader of the Samba Team, is given at the end of +this section. 
+ +The SMB/CIFS protocol implemented by Samba is vulnerable to many +attacks, even without specific security holes. The TCP ports 139 and +the new port 445 (used by Win2k and the Samba 3.0 alpha code in +particular) should never be exposed to untrusted networks. + +Description +----------- + +A buffer overrun condition exists in the SMB/CIFS packet fragment +re-assembly code in smbd which would allow an attacker to cause smbd +to overwrite arbitrary areas of memory in its own process address +space. This could allow a skilled attacker to inject binary specific +exploit code into smbd. + +This version of Samba adds explicit overrun and overflow checks on +fragment re-assembly of SMB/CIFS packets to ensure that only valid +re-assembly is performed by smbd. + +In addition, the same checks have been added to the re-assembly +functions in the client code, making it safe for use in other +services. + +Credit +------ + +This security flaw was discovered and reported to the Samba Team by +Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team. +The fix was prepared by Jeremy Allison and reviewed by engineers from +the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers +on the Linux Vendor security mailing list. + +The Samba Team would like to thank SuSE and Sebastian Krahmer for +their excellent auditing work and for drawing attention to this flaw. + +Patch Availability +----------------- + +As this is a security issue, patches for this flaw specific to earlier +versions of Samba will be and posted on the samba-technical@samba.org +mailing list as requested. + + +************************************ +Protecting an unpatched Samba server +************************************ + + Samba Team, March 2003 + + This is a note on how to provide your Samba server some + protection against the recently discovered remote security + hole if you are unable to upgrade to the fixed version + immediately. 
Even if you do upgrade you might like to think + about the suggestions in this note to provide you with + additional levels of protection. + + + Using host based protection + --------------------------- + + In many installations of Samba the greatest threat comes for + outside your immediate network. By default Samba will accept + connections from any host, which means that if you run an + insecure version of Samba on a host that is directly + connected to the Internet you can be especially vulnerable. + + One of the simplest fixes in this case is to use the 'hosts + allow' and 'hosts deny' options in the Samba smb.conf + configuration file to only allow access to your server from a + specific range of hosts. An example might be: + + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 + + The above will only allow SMB connections from 'localhost' + (your own computer) and from the two private networks + 192.168.2 and 192.168.3. All other connections will be + refused connections as soon as the client sends its first + packet. The refusal will be marked as a 'not listening on + called name' error. + + + Using interface protection + -------------------------- + + By default Samba will accept connections on any network + interface that it finds on your system. That means if you + have a ISDN line or a PPP connection to the Internet then + Samba will accept connections on those links. This may not be + what you want. + + You can change this behavior using options like the + following: + + interfaces = eth* lo + bind interfaces only = yes + + that tells Samba to only listen for connections on interfaces + with a name starting with 'eth' such as eth0, eth1, plus on + the loopback interface called 'lo'. The name you will need to + use depends on what OS you are using, in the above I used the + common name for ethernet adapters on Linux. 
+ + If you use the above and someone tries to make a SMB + connection to your host over a PPP interface called 'ppp0' + then they will get a TCP connection refused reply. In that + case no Samba code is run at all as the operating system has + been told not to pass connections from that interface to any + process. + + + Using a firewall + ---------------- + + Many people use a firewall to deny access to services that + they don't want exposed outside their network. This can be a + very good idea, although I would recommend using it in + conjunction with the above methods so that you are protected + even if your firewall is not active for some reason. + + If you are setting up a firewall then you need to know what + TCP and UDP ports to allow and block. Samba uses the + following: + + UDP/137 - used by nmbd + UDP/138 - used by nmbd + TCP/139 - used by smbd + TCP/445 - used by smbd + + The last one is important as many older firewall setups may + not be aware of it, given that this port was only added to + the protocol in recent years. + + + Using a IPC$ share deny + ----------------------- + + If the above methods are not suitable, then you could also + place a more specific deny on the IPC$ share that is used in + the recently discovered security hole. This allows you to + offer access to other shares while denying access to IPC$ + from potentially untrustworthy hosts. + + To do that you could use: + + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 + + this would tell Samba that IPC$ connections are not allowed + from anywhere but the two listed places (localhost and a + local subnet). Connections to other shares would still be + allowed. As the IPC$ share is the only share that is always + accessible anonymously this provides some level of protection + against attackers that do not know a username/password for + your host. 
+ + If you use this method then clients will be given a 'access + denied' reply when they try to access the IPC$ share. That + means that those clients will not be able to browse shares, + and may also be unable to access some other resources. + + I don't recommend this method unless you cannot use one of + the other methods listed above for some reason. + + + Upgrading Samba + --------------- + + Of course the best solution is to upgrade Samba to a version + where the bug has been fixed. If you wish to also use one of + the additional measures above then that would certainly be a + good idea. + + Please check regularly on http://www.samba.org/ for updates + and important announcements. + + + **************************************** + **************************************** + + +Changes since 2.2.7a +--------------------- + +New Parameters + + * acl compatibility + +Additional Changes: + See the cvs log for SAMBA_2_2 for more details + +1) smbumount lazy patch from Mandrake +2) Check for too many processes *before* the fork. +3) make sure we don't run over the end of 'name' in unix_convert() +4) set umask to 0 before creating socket directory. +5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right + thing in interactive mode when a log file dir is also specified. +6) Fix delete on close semantics to match W2K. +7) Correctly return access denied on share mode deny when we can't + open the file. +8) Always use safe_strcpy not pstrcpy for malloc()'d strings +9) Fixes for HP-UX only having limited POSIX lock range +10) Added uid/gid caching code. Reduces load on winbindd. +11) Removed extra copy of server name in the printername field (it was + mangling the the name to be \\server\\\server\printer +12) Fix dumb perror used without errno being set. +13) Do retries correctly if the connection to the DC has failed. +14) Correctly check for inet_addr fail. +15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined. 
+16) Fix for missing if (setting_acls) on default perms. +17) Fix to cache the sidtype +18) fix printer settings on Solaris (big-endian) print servers. + ASCII -> UNICODE conversion bug. +19) Small fix check correct error return. +20) Ensure space_avail is unsigned. +21) patch to check for a valid [f]chmod_acl function pointer + before calling it. Fixes seg fault in audit VFS module +22) When checking is_locked() new WRITE locks conflict with existing + READ locks even if the context is the same. +23) Merge off-by-one crash fixes from HEAD +24) Move off-by-one buggy malloc()/safe_strcpy() combination to + strdup() instead. +25) Merge from HEAD. Use pstrcpy not safe_strcpy. +26) Fix to allow blocking lock notification to be done rapidly (no wait + for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb + (does not interfere with existing locks). +27) Doxygen cleanups for code documentation +28) limit the unix domain sockets used by winbindd by adding a + "last_access" field to winbindd connections, and will close + the oldest idle connection once the number of open connections goes + over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 + currently) +29) Fix a couple of string handling errors in smbd/dir.c that would + cause smbd to crash +30) Fix seg fault in smbpasswd when specifying the new password + as a command line argument +31) Correct 64-but file sizes issues with smbtar and smbclient +32) Add batch mode option to pdbedit +33) Add protection in nmbd against malformed reply packets +34) Fix bug with sendfile profiling support in smbstatus output +35) Correct bug in "hide unreadable" smb.conf parameter that + resulted in incorrect directory listings +36) Fix bug in group enumeration in winbindd +37) Correct build issues with libsmbclient on Solaris +38) Fix memory leak and bad pointer dereference in password + changing code in smbd +39) Fix for changing attributes on a file truncate +40) Ensure smbd process count never gets to -1 if 
limiting number + of processes +41) Ensure we return disk full by default on short writes +42) Don't delete jobs submitted after the lpq time +43) Fix reference count bug where smbds would not terminate + with no open resources +44) Performance fix when using quota support on HP-UX +45) Fixes for --with-ldapsam + * Default to port 389 when "ldap ssl != on" + * add support for rebinding to the master directory server + for password changes when "ldap server" points to a read-only + slave +46) Add -W and -X command line flags to smbpasswd for extracting and + setting the machine/domain SID in secrets.tdb. See the + smbpasswd(8) man page for details. +47) Added (c) Luke Howard to winbind_nss_solaris.c for coded + obtained from PADL's nss_ldap library. +48) Fix bug in samr_dispinfo query in winbindd +49) Fix segfault in NTLMSSP password changing code for + guest connections +50) Correct pstring/fstring mismatches +51) Send level II oplock break requests synchronously to prevent + condition where one smbd would continually lock a share entry + in locking.tdb +52) Miscellaneous cleanups for tdb error conditions and appending + data in a record +53) Implement correct open file truncate semantics with DOS + attributes +54) Enforce wide links = no on files as well as directories +55) Include shared library checks for Stratus VOS +56) Include support for CUPS printer classes and logging the remote + client name +57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values + for %a +58) Increase the max PDU size to deal with some troublesome printer + drivers and Windows NT 4.0 clients +59) increment the process counter immediately after the fork + (not just when we receive the first smb packet) +60) Ensure rename sets errno correctly +61) Unify ACL code (back-port from 3.0) +62) Fix some further issues around off_t and large offsets + + +Changes since 2.2.7 +-------------------- + +See the cvs log for SAMBA_2_2 for more details + +1) Fix for smbclient reporting 
negative file sizes on dir command + and negative statistics being reported when using put or get + on large files. +2) Fix bug in determination of allocation size +3) Fix 64bit size problems which prevented copying of files larger + than 2 GBytes. +4) Fix for xcopy /s problem with old DOS clients not sending correct + attributes on subsequent SMBsearch calls. +5) Fix bug in call to standard_sub_advanced giving a 0 length. This + fixes the string overflow in string_sub errors. +6) Correctly handle querygroup rpcclient command +7) fix broken incremental tar in smbtar command + + +The release notes for 2.2.7 follow : + +IMPORTANT: Security bugfix for Samba +------------------------------------ + +Summary +------- + +A security hole has been discovered in versions 2.2.2 through 2.2.6 +of Samba that could potentially allow an attacker to gain root access +on the target machine. The word "potentially" is used because there +is no known exploit of this bug, and the Samba Team has not been able to +craft one ourselves. However, the seriousness of the problem warrants +this immediate 2.2.7 release. + +In addition to addressing this security issue, Samba 2.2.7 also includes +thirteen unrelated improvements. These improvements result from our +process of continuous quality assurance and code review, and are part of +the Samba team's commitment to excellence. + +Details +------- + +There was a bug in the length checking for encrypted password change +requests from clients. A client could potentially send an encrypted +password, which, when decrypted with the old hashed password could be +used as a buffer overrun attack on the stack of smbd. The attach would +have to be crafted such that converting a DOS codepage string to little +endian UCS2 unicode would translate into an executable block of code. + +All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable +to this problem. This version of Samba 2.2.7 contains a fix for this +problem. 
+ +Earlier versions of Samba are not vulnerable. + +There is no known exploit or exploit code for this vulnerability, +it was discovered by a code audit by Debian Samba maintainers. + +Credit +------ + +Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris +<peloy@debian.org> for bringing this vulnerability to our notice. + +Patch for Samba versions 2.2.2 to 2.2.6 +--------------------------------------- + +The following patch applies cleanly to the above Samba versions +and will fix the vulnerability for sites that do not wish to upgrade +to 2.2.7 at this time. + + +-------------------------------cut here--------------------------------- +--- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002 ++++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002 +@@ -63,7 +63,7 @@ + if(len > 128) + len = 128; + /* Password must be converted to NT unicode - null terminated. */ +- dos_struni2((char *)wpwd, (const char *)passwd, 256); ++ dos_struni2((char *)wpwd, (const char *)passwd, len); + /* Calculate length in bytes */ + len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16); +-------------------------------cut here--------------------------------- + + + +Changes since 2.2.6 +-------------------- + +See the cvs log for SAMBA_2_2 for more details + +1) ensure we send the notify message in the same way it is expected + to be received by srv_spoolss_receive_message(). +2) attribute matching on truncate only matters when opening truncate + with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open + with current NONE -> SYSTEM | HIDDEN. 
+3) Fix bug in rpcclient's deldriver command +4) Don't set global_machine_password_needs_changing if + lp_machine_password_timeout() is set to zero +5) don't parse the BUFFER5 if the buffer length is zero +6) fix core dump if pdbedit is run as non-root or smbpasswd file does + not exist +7) Ensure can_delete() returns correct error code +8) correctly return NT_STATUS_DELETE_PENDING from open code +9) fix bug that assumed dos_unistr2 length was in ucs2 units, not + bytes +10) check the long_archi name is not null when deleting a printer + driver. fixes core dump in smbd when using rpcclient's deldriver +11) fix fd leak with kernel change notify on Linux 2.4 kernels +12) must add one to the extra_data size to transfer the 0 string + terminator. This was causing "wbinfo --sequence" to access past + the end of malloced memory +13) fix for large systems allowing more than 65536 files open in + NTcreate&X +14) Fix bug in %U expansion + + + +---------------------------------------------------------------------- +The release notes for 2.2.6 follow : + +There have been several fixes and internal enhancements which include: + + * Fixes for MS-RPC printing issues affecting Windows 2000 clients + * New support for smb.conf generation in SWAT + * Inclusion of several performance enhancements (See --with-sendfile + & and the modified smb.conf(5) parameters in these Release Notes) + * Fixes for several file locking bugs and returned status codes + + +New Parameters +-------------- + +Refer to the smb.conf(5) man page for complete descriptions of new +parameters. 
+ + * profile acls (S) workaround for issue with WinXP SP1 + and roaming user profiles + +Removed Parameters +------------------ + + * max packet (G) + * packet size (G) + +Modified Parameters +------------------- + + * max xmit (G) new default value + * large readwrite (G) new default value + +New ./configure Options +----------------------- + + --with-sendfile Enable experimental sendfile support + --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality + for Windows 2000 native mode domains + + +Changes since 2.2.5 +-------------------- + +See the cvs log for SAMBA_2_2 for more details + +1) Fixed several compiler warnings caused by the use of const parameters +2) Fixed a hang in the main smbd process caused by an EINTR in the + wrong place +3) Fixed string substitutions to accept a length for sanity checks +4) Fixed 17-bit length field in nmb header +5) Removed non-portable inline declaration for functions +6) Performance fix for including files with an smb.conf variable in the + path name +7) Fix for parsing LPRng lpq output +8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing + printer properties to fail +9) Fix for printer change notification and Windows NT clients which caused + the client to go into an infinite loop of refreshing the local printers + folder +10) Allow trans2 and nttrans messages to be processed in oplock break state + which fixes a problem with oplock break requests and Win2k clients +11) Don't crash on setfileinfo on printer fsp +12) Memory fixes caught by Valgrind +13) Updates to stop spurious error message in tdb +14) Fix silly logic bug in 'make smbd processes' and 'status = no' check +15) Fix compilation of pam_smbpass and --with-ldap +16) Fix compilation of smbwrapper on Solaris hosts +17) fix logic error in a check for enabling the winbind_pam_auth_crap() code + & fix formatting typo in --with-winbind-auth-challenge +18) Correcting check for ldap_start_tls() +19) Fixed a problem with getgroups() where it 
could include our current + effective gid +20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc + to only attempt to delete the architecture specified by the client +21) Don't allow TEMP attribute on directory open +22) Restore VxFS quotas to the 2.2 branch +23) Added basic "Wizard" functionality to SWAT +24) Fix initial "allocation size" in NTcreate&X call +25) Fix for open fid, "nametoolong" +26) Exit server on receipt of a non-SMB packet. Ensure we have + at least smb_size bytes before processing a packet +27) Replace inet_aton with inet_addr() to correct compile problems on Solaris +28) Include the "account" objectclass when adding a new account to --with-ldapsam + in order to comply with the data model implemented by OpenLDAP 2.1.x +29) Various fixes for POSIX compliance +30) Correct alignment & offset bug in EnumPrinterDataEx() +31) Fix access checks when modifying forms using a print server handle + (not just a printer handle) +32) Account for case data_len == 0 in EnumPrinterDataEx() +33) Fix logic error in blocking lock code +34) Fixed various incorrect return codes to clients +35) Add RESOLVE_DFSPATH to mkdir operations +36) Fix longstanding bug in Win2k clients by clearing the shortname + buffer before returning ASCII short name +37) added -t option to smbpasswd for explicitly changing a trust + account password when operating in security = domain +38) installed -x option to testparm to eXclude printing all parameter + values that are at default settings. +39) Fix shares/printers view in SWAT so that only Basic options are exposed + upon initial entry. +40) Added 1125 & KOI8-U to codepage list in Makefile.in +41) Include separate configure checks for *openbsd* & *freebsd* when + determining flags used to compile shared libraries. 
+42) Merge in free list unlock on error fix +43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes + if we are mapping system or hidden +44) Fix bug with stat mode open being done on read-only open with truncate +45) Fix crash bug discovered where cli struct was being deallocated in a + called function +46) Ensure we open UNIX fifo's non-blocking +47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....) +48) only lowercase global_myname in the %L substitution, not the whole string +49) Merged Steve French's fix for OS/2 EA return error being removed +50) Patch from Steve French to fix difference in responses to smbclient + //server/share ls / on Samba and Windows 2000 +51) Print error and exit if smb.conf doesn't have security=domain and + encrypt passwords=yes when joining domain +52) Added final Steve French patch for "required" attributes with old dir + listings +53) Initialize user_rid value in WINBIND_USERINFO structure returned by + the rpc version of query_user() +54) Ensure we've failed a lock with a lock denied message before automatically + pushing it onto the blocking queue +55) Add experimental --with-sendfile code +56) alignment fix in printing code merged from HEAD +57) Merge fix for other sids in token from HEAD +58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD +59) fix smbclient / Win98 off by one bug +60) Never, *ever* hold a mutex lock in the message database where there may be + traversals being attempted +61) Add LDAP hack for retrieving the SAM sequence number when a member of a + Windows 2000 native mode domain +62) Fix race condition when changing a machine account password as we were + no longer locking the secrets entry +63) Allow '@' as a valid character in domain names +64) remove jobs from the spool directory when using cups +65) removed -lresolv for --enable-ldapsam +66) Memory leak fix and correct use of negative caching in winbindd +67) Updated spoolss parsing code 
with known good state of APPLIANCE_HEAD +68) Delete printer security check was reversed +69) Windows allows delete printer on a handle opened by an admin user, then + used on a pipe handle created by an anonymous user...We do to now... +70) Make explicit the difference between a tdb key with no data attached, and + a non existent entry +71) Ensure we register the 1c name on the unicast subnet. +72) Fix inheritance problem when recursively setting ACLs on directories +73) prevent ACL set on read-only share +74) Ensure we never have more than MAX_PRINT_JOBS in a queue +75) Added timeout to tdb_lock_bystring() +76) Ensure we set FIRST+LAST flags on a bind request +77) Add version strings to the usage message for smbcacls and smbpasswd +78) Fix bug in the write cache code +79) make the default printed values for boolean the same for all parameters +80) Default all LDAP connections to v3 with compiling with --with-ldapsam +81) Fix memory leak in smbspool +82) Fix bug in mangling code that resulted in Win9x clients not being + able to execute batch files in deep, non 8.3 directory paths +83) Fix infinite looping bug in winbindd_getgrent() +84) Fix crash bug on 64-bit systems (merge from HEAD) +85) Fix extended character bug when setting LanMan/NT password +86) Negotiate same SMB read size as a Windows 2000 file server + to fix performance bug with NT4 clients + + + +----------------------------------------------------------------------------- +The release notes for 2.2.5 follow : + +There have been several fixes and internal enhancements which include: + +* Several compile fixes for Solaris and HP-UX +* More printing fixes for Windows NT/2k/XP clients +* New options for the VFS recycle bin library +* New internal signal handling semantics relating to directory change + notification and oplocks + +New/Changed parameters in 2.2.5 +-------------------------------- + +For more information on these parameters, see the man pages for +smb.conf(5). 
+ +Added/changed parameters +------------------------ + +* block size = <INTEGER> +* force unknown acl user = <boolean> +* mangling method = [hash|hash2] + + +Deprecated Parameters +--------------------- + +The following parameters have been marked as deprecated and will be removed +in Samba 3.0 + +* strip dot +* status + + +Removed Parameters +------------------ + + none + + +Changes in 2.2.5 +---------------- + +See the cvs log for SAMBA_2_2 for more details + +1) Removal of several compiler warnings, incorrect Makefile dependencies, + and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20 + being the predominantly reported platforms +2) Fixed winbindd crash bug on the IBM s390 running Linux +3) Inclusion of enhanced Linux quota support +4) Correctly link against Sun LDAP libraries on Solaris 8 (even through + there is no apparent SSL support there) +5) POSIX conformance patches +6) Include new configure --enable-cups option (can also be disabled even + if CUPS libraries are installed on the system) +7) Set reasonable default for the "passwd program" parameter using an + autoconf test +8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code +9) fixed bug to prevent root account from being deleted by the + "delete user script" +10) Inclusion of autoconf script for building VFS modules +11) Add new run time options to the VFS recycle bin library (see + examples/VFS/recycle/README for details) +12) Include findsmb perl script as part of the "make install" process +13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1) + to fix a bug where printers appear at the workgroup level in the Windows + NT/2k APW browse list +14) Added support to nmblookup to return NMB flags (See nmblookup(8) for + details) +15) Fix length bug that caused password changes from Windows NT/2k clients to + occasionally fail +16) Correct false password expiration when using --with-ldapsam caused by + missing attributes in the directory +17) 
added -S option to smbpasswd for storing the SID of a domain controller + as the local machine SID in secrets.tdb. See the smbpasswd(8) man page + for details. +18) Various fixes for UNIX CIFS extensions commands +19) Fixed CIDR notation in "hosts allow/deny" +20) Change semantics of an idle connection to mean "no open files and no + open handles". We cannot idle a connection if there are open named + pipe handles. This fixes scalability problem on Samba print servers + and NT/2k clients introduced in 2.2.4 +21) Fix germam umlaut problem when returning ACL entries +22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug + of running the Microsoft Access executable (msaccess.exe) and database + files from a Samba share documented in the 2.2.4 release +23) Corrected signal handling relating to directory change notification and + kernel oplocks +24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight + Savings Time +25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP + clients not to be able to view printer properties from a Samba host +26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on + Windows 2k/XP clients to fail +27) Fixed incorrect error check in mod_share_entry() +28) Allow %S variable in MS-DFS root paths +29) Correct a bug regarding the use of 'wbinfo -A' +30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems +31) Store the key for a name-to-sid cache entry in upper case rather than + whatever case the request was made in. This gets rid of duplicate + cache entries. +32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id +33) Enhanced error reporting messages of wbinfo +34) Parameterize block size on disk size return +35) Added new parameter to allow incoming ACLs to have owner and group forced + to the currently logged in user. 
This fixes the XCOPY /O problem +36) Fixed bug in local_change_password() caused by reusing a struct + passwd* pointer +37) Change default value for "ldap port" to 389 if "ldap ssl = no" +38) Updated HOWTO's, manpages, and general documentation.... +39) Allow root as well as domain admins to open an LDAP connection +40) Fixed veto files bug with ".*" +41) Fixed uninitialized variable bug in smbpasswd that was causing a random + IP address to be used in the connection when joining a domain +42) Fix for joining a domain with a netbios name of 15 characters and + pre-creating the account on the DC +43) Added links to new documentation on SWAT welcome page + + + +----------------------------------------------------------------------------- +The release notes for 2.2.4 follow : + +There have been several fixes and internal enhancements which include: + + * More/better SPOOLSS printing functionality for Windows + NT/2k/XP clients. + * Several fixes relating to serving PC database files such + as (Access and FoxPro) from a Samba file share. + * Several improves in Samba's VFS layer which can be seen + in the inclusion of a "Recycle Bin" vfs module. See + examples/VFS/README for more details on this. + * Addition of a tool (tdbbackup) for backup/restore of Samba's + tdb's + * Continued improvements to winbind for greater scalability + and stability + * Several fixes related to Samba's MS-DFS support + * Rpcclient's various printer commands now work (again) + + +New/Changed parameters in 2.2.4 +-------------------------------- + +For more information on these parameters, see the man pages for +smb.conf(5). 
+ +Added/changed parameters +------------------------ + +* csc policy +* inherit acls +* nt status support +* lock spin count +* lock spin time +* pid directory +* winbind use default domain + + +Deprecated parameters +--------------------- + +The following parameters have been marked as deprecated +and will be removed in Samba 3.0 + +* postscript +* printer driver +* printer driver file +* printer driver location + + +Removed Parameters +------------------ + + none + + +Changes in 2.2.4 +---------------- + +See the cvs log for SAMBA_2_2 for more details + +1) added -c option to smbpasswd +2) reworked smbpasswd internal command line option parsing +3) small various bug fixes to experimental pdb_tdb.c +4) Enforce spoolss RPCs based on the access granted at PrinterOpen() +5) Added missing access checks to [add/delete/set]form +6) Compile fixes for pam_smbpass +7) fix smbd crash when netbios session request fails from + spoolss_connect_to_client(). +8) fixed logic bug that prevent SetPrinter() from storing devmode +9) Removed extra get_printer_snum() calls from set_printer_hnd_name() +10) fix joining domain on big endian machine when using -U to smbpasswd +11) allow command line arg to override smb.conf log level +12) continue to retry to register 1b name with wins server if there is an old IP there +13) fix smbclient print crash bug +14) 9x pnp fix when the config file and driver file are different +15) force testparm to print the correct value for log level +16) fix swat to show full log level info +17) fix server GetPrinterData() fields to be more sensible +18) fix logic error in SetPrinterDataEx() +19) Only set smb_read_error if not already set +20) Fix string returns that require unicode +21) Merge of printing performance fixes from appliance +22) lpq parsing fixes +23) Back port tridge's xcopy /o fix from HEAD +24) Fix the printer change notify code (unfinished) +25) Patch for Domain users not showing up +26) Fixed SetPrinterData(magic key) to support zero 
length DEVMODE +27) Ensure that all methods of looking up and connecting to DC's work + using identical logic. +28) Merge in the mutex code to stop multiple domain logon failure +29) Ignore 0/0 lock +30) Fix winbindd to respect command line debuglevel as nmbd/smbd +31) Update with tdbbackup from HEAD +32) Fix for typo on solaris nss +33) Merge in the locking changes from HEAD +34) Added POSIX ACL layer into the vfs +35) Fix the returning of domain enum +36) Fix the generation of the MACHINE.SID file into the secrets.tdb. +37) Enable test for -rdynamic when building binaries +38) Remove the "stat open" code - make it inline +39) Fix the mp3 rename bug +40) Fix for Explorer DFS problems on older Windows 9X machines +41) implement OpenPrinter() opnum == 0x01 +42) Matched W2K *insane* open semantics.... +43) small fix that will prevent the "failed to marshall + R_NET_SAMLOGON" message in the logs +42) don't do checking of local passdb in smbpasswd if using -r option +43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't + try to connect to a server named '*' +44) merge rpcclient code from HEAD +45) Ensure MACHINE.SID update done before child spawns +46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works +47) Removed --with-vfs - always built if available +48) Fixed psec for 2.2 +49) Fixed the handle leak in the connection management code +50) fix disable spoolss after the switch to nt status codes +51) Added Shirish's client side caching policy change +52) Honor the specversion when parsing the the DEVICEMODE +53) fix parsing bug when DEVICEMODE's private data does not end + on a 4 byte boundary +54) do not idle an smbd when there is an open pipe +55) when a new driver is added to a Samba server, cycle through + all printers and bump the change_id for each one bound to the driver +56) allow smbclient to work with a FIFO as well (needed for KDE + ioslave) +57) various updates to pdb_nisplus.c +58) many small documentation updates +59) removed many 
compiler warnings + + +----------------------------------------------------------------------------- +The release notes for 2.2.3a follow : + +This is a minor bugfix release for the 2.2.3 release. The 2.2.3 +release had a problem that was visible to Windows 2000 Explorer +users in that copying files into a share that already existed +failed with "Access Denied" rather than asking the user if an +overwrite was required. This was due to an incorrect error mapping +between the UNIX EXIST error code and the NT status error. + +As Windows Explorer is a highly visible end user application a quick +bugfix release was required, hence 2.2.3a. + +Compilation on HP-UX versions earlier than HP-UX 11 has also been +corrected. + +The cvs.log file is no longer included with this release, as it adds +13Mb to the size of the release, and is easily available on the Web. + +----------------------------------------------------------------------------- +The release notes for 2.2.3 follow : + +There are several important scaling bugs that have been fixed in this release +for large server systems so an upgrade is recommended. + +LDAP update +----------- + +Much work has been done on the LDAP backend code. The configure +option --with-ldapsam is now considered to be stable. The schema +used has changed, see the file examples/LDAP/samba.schema for the +new schema. + +New documentation explaining how to set up a Samba only PDC/BDC +setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO +in the documentation tree. + +winbindd daemon extended +------------------------ + +Samba 2.2.2 was the first release to include the winbind daemon. +This code allows UNIX systems that implement the name service +switch (nss) to be entered into a Windows NT/2000 domain and +use the Domain controller for all user and group enumeration. 
+ +Samba 2.2.3 fixes the known memory leaks in winbindd and has +been extended to work with SGI IRIX and HP-UX (11.x) in addition +to the earlier targets of Linux and Solaris. + +For more information on using winbind, see the man pages for +winbindd and wbinfo. + +Note that winbindd is not installed by default. + +New/Changed parameters in 2.2.3 +-------------------------------- + +For more information on these parameters, see the man pages for +smb.conf. + +Added/changed parameters. +------------------------- + +unix extensions + +Enables the experimental UNIX CIFS extensions in smbd. See the manpage +for more details. + +default devmode + +Some printer drivers will crash the Windows NT/2000 spooler service +if they are given a default devmode, some require it. This parameter +allows the administrator a choice of whether smbd returns such a +default devmode for a driver. + +share modes + +This parameter has been restored to allow people who wish smbd to ignore +client share modes. This is *very dangerous* and should not be set without +full knowledge of what this is designed for. + +Changes in 2.2.3 +----------------- + +1). Fixed shared library compile for Solaris with native compiler. +2). UNIX CIFS extensions code added (donated by HP). +3). Changed to using NT status codes on the wire if the client can support +this. +4). altname command to show 8.3 name added to smbclient. +5). const-safe endian macros now used. +6). client code now uses UNICODE on the wire. +7). Correctly return fault PDU's on bad handle. +8). Improved NT error code mapping table. +9). Many new point and print RPC calls added. +10). Win9x clients can now see full user list. +11). field added to identify simultaneous open files (no longer +use dev/inode/time as unique value). +12). HP-UX ACL code added (donated by HP). +13). vfs interfaces updated (again !). +14). MSDOS Code Page 866 -> 1251 mapping added. +15). winbindd now processes quit/hup signals correctly. +16). 
No tdb traversal done on startup/shutdown - ensures scalability. +17). Fix bug with paths for homes share. +18). Fixed copyfile for OS/2. +19). Fix group membership when groups are on more than one line. +20). Fixed core dumps in posix ACL mapping code. +21). Tidyup of UNICODE functions (put/get). +22). Move rpcclient to the new libsmb code. +23). Add missing Windows 2000 passthough trans2 calls. +24). Return check all tdb calls. +25). Make local name lookup work even if wins server is down. +26). pam session code added to winbind. +27). Added winbindd cache to all lookups. +28). Fix allocate bugs that caused file sizes to be incorrect. +29). Fixed write cache code - now safe to use. +30). Fixed winbindd memory leaks. +31). winbindd will now do name lookups (to allow non Open Source +systems to do the nsswitch WINS lookup). Fixed by SGI. +32). passdb memory leaks fixed. +33). LDAP code updates and now properly maintained. +34). Finally figured out how changeid is meant to work. +35). Downlevel printing now looks as NT does in print monitor window. +36). Many fixups in spoolss printing RPC parsing. +37). Speed up password enumeration as a PDC. +38). Fix printer changed notify messages (work from HP). +39). Fix modify timestamp on close code. +40). Fix long standing mangled names bug. +41). Fix delete on close semantics. +42). Stop opening all files with O_NONBLOCK ! +43). Use O_NOFOLLOW for systems that have it and don't want symlinks. +44). Ensure NT supplementary groups get added to user token. +45). Try and mitigate effects of DNS timeout (do less lookups). +46). Added current user connection context stack. +47). Fixes to utmp code. +48). smbw code tidyups. +49). Added tdb open log code. Several tdb fixes. + +----------------------------------------------------------------------------- +The release notes for 2.2.2 follow : + +New daemon included - winbindd +------------------------------ + +Samba 2.2.2 is the first release to include the winbind daemon. 
+This code allows UNIX systems that implement the name service +switch (nss) to be entered into a Windows NT/2000 domain and +use the Domain controller for all user and group enumeration. + +This allows a Samba server added to a Windows domain to serve +file and print services with *NO* local users needed in /etc/passwd +and /etc/group - all users and groups are read directly from the +Windows domain controller. In addition with pam_winbind which allows +a PAM enabled UNIX system to use a Windows domain for authentication +service this allows single sign on and account control across +UNIX and Windows systems. + +The current version of winbindd shipped in 2.2.2 does have some +memory leaks, which will be addressed for the next Samba release, +so it is advisable to monitor the winbind process. This code is +being used in production by several vendors, so the leaks are +manageable. In addition, this version of winbind does not work +correctly against a Samba PDC, due to some missing calls on the +PDC side. These problems are being addressed for the next Samba +release, but it was thought better to release the code now rather +than delay the main Samba code to match the winbind release schedule. + +For more information on using winbind, see the man pages for +winbindd and wbinfo. + +Note that winbindd is not installed by default. + +New/Changed parameters in 2.2.2 +------------------------------- + +For more information on these parameters, see the man pages for +smb.conf. + +Added/changed parameters. +------------------------- + +strict allocate + +Causes Samba not to create UNIX 'sparse' files, but to follow the +Windows behavior of always allocating on-disk space. + +use mmap + +Set to 'on' by default, only set to 'off' on HP-UX 11.x or below or other +UNIX systems that don't have coherent mmap/read-write internal caches. +You should not need to set this parameter. 
+ +nt acl support + +This parameter has been changed to a per-share option, and is very +useful in enabling Windows 2000 SP2 to load/save profiles from a +Samba share. + +New printing parameters. +------------------------ + +disable spoolss + +Setting this parameter causes Samba to go back to the old 2.0.x +LANMAN printing behavior, for people who wish to disable the +new SPOOLSS pipe. + +use client driver + +Causes Windows NT/2000 clients to need have a local printer driver +installed and to treat the printer as local. + +New LDAP parameters. +-------------------- + +Samba 2.2.2 contains new code to maintain a Samba SAM database +on a remote LDAP server. These parameters have been added as +part of this code. These parameters are only available when Samba +has been compiled with the --with-ldapsam option. + +ldap admin dn +ldap ssl + +New SSL parameters. +------------------- + +The SSL support in Samba has been fixed. These new parameters +are part of the changes added. These parameters are only available +when Samba has been compiled with the --with-ssl option. +Please see the smb.conf man page for details. + +ssl egd socket +ssl entropy file +ssl entropy bytes + +New winbindd parameters. +------------------------ + +These parameters are used by winbindd. See the man page for +winbindd for details. + +winbind separator +winbind uid +winbind gid +winbind cache time +winbind enum users +winbind enum groups +template homedir +template shell + +Removed parameters. +------------------- + +share modes +ldap root +ldap root passwd + +New Documentation. +------------------ + +Some new README's have been added in the docs/ directory. These cover +using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2), +and how to use Samba to help prevent Windows virus spread +(docs/README.Win32-Viruses). + +Quota problems on a Linux 2.4 kernel. 
+------------------------------------- + +Currently the quota interfaces have diverged between the Linus +2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants +are shipped with RedHat). Running quota-enabled Samba compiled on +an Alan Cox kernel works correctly on an Alan Cox kernel (the one +shipped by default with RedHat 7.x) but fails on a Linus kernel. + +This is a mess, and hopefully Alan and Linus will sort it out soon. +In the meantime we need to ship..... + +Changes in 2.2.2 +----------------- + +1). mmap tdb code disabled on HP-UX. This should prevent the reports of +tdb corruption on HUPX. +2). Large file support set to off in Solaris 5.5 and below. +3). Better CUPS detection. +4). New SAM (password database) backends - smbpasswd (traditional), +LDAP, NIS+ and Samba TDB. +5). Quota fixups on Linux. +6). libsmbclient stand-alone code added. Can be built as a shared library +under Linux. +7). Tru64 ACL support added. +8). winbindd option added. +9). Realloc fail tidyup fixes all over the code. +10). Large improvement in hash table code efficiency - would be found with +large stat caches. +11). Error code consistency improved (still needs more work). +12). Profile shared memory support added to nmbd. +13). New Windows 2000/NT passthrough info levels added. +14). readraw/writeraw code rewritten - many bugs fixed. +15). UNIX password sync (non pam) code fixed, use correct wildcard matcher. +16). Reverse DNS lookup avoided on socket open. +17). Bug preventing nmbd re-registering names on WINS server timeout fixed. +18). Zero length byte range lock code added. Much closer to Windows semantics. +19). Alignment fault fixes for Linux/Alpha. +20). Error checking on tdb returns vastly improved. +21). Handling of delete on close fixed. No longer possible to leave 'dead' +file entries. +22). Handling of oplock break failure cleanups improved. Should not be +able to leave 'dead' entries. +23). 
Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts. +24). Misc. MS-DFS code fixes. +25). Ignore logon packets if not a PDC (needed for PDC/BDC failover). +26). winbind pam module added. +27). Order N^^2 enumeration of printers problem fixed. +28). Password backend database code re-ordered to allow different password +backends (at compile time currently). +29). Improved print driver version detection for Windows 2000. +30). Driver DEVMODE initialization fixes. +31). Improved SYSV print parse code. +32). Fixed enumeration of large numbers of users/groups from Windows clients. +Code still too slow. +33). Fix for buggy NetApp RPC pipe clients. +34). Fix for NT sending multiple SetPrinterDataEx calls. +35). Fix for logic bug where smbd could delay oplock break request messages +from other smbd daemons whilst client kept us busy. +36). Fix deadlock problem with connections tdb on enumeration. +37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways. +38). Removed unused readbmpx/writebmpx code. +39). Attempt to fix Linux 2.4.x quota mess. +40). Improved ctemp code for Windows 2000 compatibility. +41). Finally understood difference between set EOF and set allocation requests. +Added strict allocate parameter to help. +42). Correctly return name types on name to SID lookups. +43). tdb spinlock code update. +44). Use pread/pwrite on systems that have it to fix race condition in tdb code. + +----------------------------------------------------------------------------- +The release notes for 2.2.1a follow : + +This is a minor bugfix release for 2.2.1, *NOT* security related. + +1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or +Windows2000 machine into a Samba hosted PDC would fail due to our +stricter user name checking. We were disallowing user names +containing '$', which is needed when using smbpasswd to add a +machine into a domain. 
Automatically adding machines (using the +native Windows tools) into a Samba domain worked correctly. + +2.2.1a fixes this single problem. + +----------------------------------------------------------------------------- +The release notes for 2.2.1 follow : + +New/Changed parameters in 2.2.1 +------------------------------- + +Added parameters. +----------------- + +obey pam restrictions + +When Samba is configured to use PAM, turns on or off Samba checking +the PAM account restrictions. Defaults to off. + +pam password change + +When Samba is configured to use PAM, turns on or off Samba passing +the password changes to PAM. Defaults to off. + +large readwrite + +New option to allow new Windows 2000 large file (64k) streaming +read/write options. Needs a 64 bit underlying operating system +(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance +by 10% with Windows 2000 clients. Defaults to off. Not as tested +as some other Samba code paths. + +hide unreadable + +Prevents clients from seeing the existence of files that cannot +be read. Off by default. + +enhanced browsing + +Turn on/off the enhanced Samba browsing functionality (*1B names). +Default is "on". Can prevent eternal machines in workgroups when +WINS servers are not synchronized. + +Removed parameters. +------------------- + +domain groups +domain admin users +domain guest users + +Changes in 2.2.1 +----------------- + +1). "find" command removed for smbclient. Internal code now used. +2). smbspool updates to retry connections from Michael Sweet. +3). Fix for mapping 8859-15 characters to UNICODE. +4). Changed "security=server" to try with invalid username to prevent + account lockouts. +5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC. +6). Support for Windows 9x Nexus tools to allow security changes from Win9x. +7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network + lock tester tool for distributed databases. +8). 
Preliminary support added for Windows 2000 large file read/write SMBs. +9). Changed random number generator in Samba to prevent guess attacks. +10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb. + smbd's clean the tdb files on startup and shutdown. +11). Fixes for default ACLs on Solaris. +12). Tidyup of password entry caching code. +13). Correct shutdowns added for send fails. Helps tdb cleanup code. +14). Prevent invalid '/' characters in workgroup names. +15). Removed more static arrays in SAMR code. +16). Client code is now UNICODE on the wire. +17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes. +18). All tdb opens now going through logging function. +19). Add pam password changing and pam restrictions code. +20). Printer driver management improvements (delete driver). +21). Fix difference between NULL security descriptors and empty + security descriptors. +22). Fix SID returns for server roles. +23). Allow Windows 2000 mmc to view and set Samba share security descriptors. +24). Allow smbcontrol to forcibly disconnect a share. +25). tdb fixes for HP-UX, OpenBSD and other OS's that don't have a coherent + mmap/file read/write cache. +26). Fix race condition in returning create disposition for file create/open. +27). Fix NT rewriting of security descriptors to their canonical form for + ACLs. +28). Fix for Samba running on top of Linux VFAT ftruncate bug. +29). Swat fixes for being run with xinetd that doesn't set the umask. +30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft + TCP stack early ack specification error. +31). Changed lock & persistent tdb directory to /var/cache/samba by default on + RedHat and Mandrake as they clear the /var/lock/samba directory on reboot. + +----------------------------------------------------------------------------- +The release notes for 2.2.0a follow : + +SECURITY FIX +============ + +This is a security bugfix release for Samba 2.2.0. 
This release provides the +following two changes *ONLY* from the 2.2.0 release. + +1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com) + and described in the security advisory below. +2). Fix for the hosts allow/hosts deny parameters not being honoured. + +No other changes are being made for this release to ensure a security fix only. +For new functionality (including these security fixes) download Samba 2.2.1 +when it is available. + +The security advisory follows : + + + IMPORTANT: Security bugfix for Samba + ------------------------------------ + +June 23rd 2001 + + +Summary +------- + +A serious security hole has been discovered in all versions of Samba +that allows an attacker to gain root access on the target machine for +certain types of common Samba configuration. + +The immediate fix is to edit your smb.conf configuration file and +remove all occurances of the macro "%m". Replacing occurances of %m +with %I is probably the best solution for most sites. + +Details +------- + +A remote attacker can use a netbios name containing unix path +characters which will then be substituted into the %m macro wherever +it occurs in smb.conf. This can be used to cause Samba to create a log +file on top of an important system file, which in turn can be used to +compromise security on the server. + +The most commonly used configuration option that can be vulnerable to +this attack is the "log file" option. The default value for this +option is VARDIR/log.smbd. If the default is used then Samba is not +vulnerable to this attack. + +The security hole occurs when a log file option like the following is +used: + + log file = /var/log/samba/%m.log + +In that case the attacker can use a locally created symbolic link to +overwrite any file on the system. This requires local access to the +server. 
+ +If your Samba configuration has something like the following: + + log file = /var/log/samba/%m + +Then the attacker could successfully compromise your server remotely +as no symbolic link is required. This type of configuration is very +rare. + +The most commonly used log file configuration containing %m is the +distributed in the sample configuration file that comes with Samba: + + log file = /var/log/samba/log.%m + +in that case your machine is not vulnerable to this attack unless you +happen to have a subdirectory in /var/log/samba/ which starts with the +prefix "log." + +Credit +------ + +Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this +vulnerability. + + +New Release +----------- + +While we recommend that vulnerable sites immediately change their +smb.conf configuration file to prevent the attack we will also be +making new releases of Samba within the next 24 hours to properly fix +the problem. Please see http://www.samba.org/ for the new releases. + +Please report any attacks to the appropriate authority. + + The Samba Team + security@samba.org + +--------------------------------------------------------------------------- + +The release notes for 2.2.0 follow : + +This is the official Samba 2.2.0 release. This version of Samba provides +the following new features and enhancements. + +Integration between Windows oplocks and NFS file opens (IRIX and Linux +2.4 kernel only). This gives complete data and locking integrity between +Windows and UNIX file access to the same data files. + +Ability to act as an authentication source for Windows 2000 clients as +well as for NT4.x clients. + +Integration with the winbind daemon that provides a single +sign on facility for UNIX servers in Windows 2000/NT4 networks +driven by a Windows 2000/NT4 PDC. winbind is not included in +this release, it currently must be obtained separately. We are +committed to including winbind in a future Samba 2.2.x release. 
+ +Support for native Windows 2000/NT4 printing RPCs. This includes +support for automatic printer driver download. + +Support for server supported Access Control Lists (ACLs). +This release contains support for the following filesystems: + + Solaris 2.6+ + SGI Irix + Linux Kernel with ACL patch from http://acl.bestbits.at + Linux Kernel with XFS ACL support. + Caldera/SCO UnixWare + IBM AIX + FreeBSD (with external patch) + +Other platforms will be supported as resources are +available to test and implement the necessary modules. If +you are interested in writing the support for a particular +ACL filesystem, please join the samba-technical mailing +list and coordinate your efforts. + +On PAM (Pluggable Authentication Module) based systems - better debugging +messages and encrypted password users now have access control verified via +PAM - Note: Authentication still uses the encrypted password database. + +Rewritten internal locking semantics for more robustness. +This release supports full 64 bit locking semantics on all +(even 32 bit) platforms. SMB locks are mapped onto POSIX +locks (32 bit or 64 bit) as the underlying system allows. + +Conversion of various internal flat data structures to use +database records for increased performance and +flexibility. + +Support for acting as a MS-DFS (Distributed File System) server. + +Support for manipulating Samba shares using Windows client tools +(server manager). Per share security can be set using these tools +and Samba will obey the access restrictions applied. + +Samba profiling support (see below). + +Compile time option for enabling a (Virtual file system) VFS layer +to allow non-disk resources to be exported as Windows filesystems +(such as databases etc.). + +The documentation in this release has been updated and converted +from Yodl to DocBook 4.1. There are many new parameters since 2.0.7 +and some defaults have changed. + +Profiling support. +------------------ +Support for collection of profile information. 
A shared +memory area has been created which contains counters for +the number of calls to and the amount of time spent in +various system calls, smb transactions and nmbd activity. See +the file profile.h for a complete listing of the information +collected. Sample code for a samba pmda (collection agent +for Performance Co-Pilot) has been included in the pcp +directory. + +To enable the profile data collection code in samba, you must +compile samba with profile data support (run configure with +the --with-profiling-data option). On startup, collection of +data is disabled. To begin collecting data use the smbcontrol +program to turn on profiling (see the smbcontrol man page). +Profile information collection can be enabled for nmbd, all smbd +processes or one or more selected processes. The profiling +data collected is the aggregate for all processes that have +profiling enabled. + +With samba compiled for profile data collection, you may see +a very slight degradation in performance even with profiling +collection turned off. On initial tests with NetBench on an +SGI Origin 200 server, this degradation was not measurable +with profile collection off compared to no profile collection +compiled into samba. + +With count profile collection enabled on all clients, the +degradation was less than 2%. With full profile collection +enabled on all clients, the degradation was about 8.5%. + +===================================================================== + +If you think you have found a bug please email a report to : + + samba@samba.org + +As always, all bugs are our responsibility. + +Regards, + + The Samba Team. |