From 7344b360c0bca5c567af18fcddbd8c9a60c084a0 Mon Sep 17 00:00:00 2001 From: taca Date: Sat, 19 Sep 2020 14:00:54 +0000 Subject: net/samba4: update to 4.12.7 Update samba4 package to 4.12.7. ============================== Release Notes for Samba 4.12.7 September 18, 2020 ============================== This is a security release in order to address the following defect: o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon"). The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC). Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below). The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable. However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'. Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf. Note each domain controller needs the correct settings in its smb.conf. Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file. The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix. Some domains employ third-party software that will not work with a 'server schannel = yes'. For these cases patches are available that allow specific machines to use insecure netlogon. For example, the following smb.conf: server schannel = yes server require schannel:triceratops$ = no server require schannel:greywacke$ = no will allow only "triceratops$" and "greywacke$" to avoid schannel. More details can be found here: https://www.samba.org/samba/security/CVE-2020-1472.html --- net/samba4/Makefile | 5 ++--- net/samba4/distinfo | 10 +++++----- 2 files changed, 7 insertions(+), 8 deletions(-) (limited to 'net/samba4') diff --git a/net/samba4/Makefile b/net/samba4/Makefile index 818d1babde7..69471b69a01 100644 --- a/net/samba4/Makefile +++ b/net/samba4/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.108 2020/09/11 17:18:09 jperkin Exp $ +# $NetBSD: Makefile,v 1.109 2020/09/19 14:00:54 taca Exp $ -DISTNAME= samba-4.12.6 -PKGREVISION= 2 +DISTNAME= samba-4.12.7 CATEGORIES= net MASTER_SITES= https://download.samba.org/pub/samba/stable/ diff --git a/net/samba4/distinfo b/net/samba4/distinfo index d40cd3d9ca6..d806f7c85d4 100644 --- a/net/samba4/distinfo +++ b/net/samba4/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.51 2020/08/18 07:39:31 adam Exp $ +$NetBSD: distinfo,v 1.52 2020/09/19 14:00:54 taca Exp $ -SHA1 (samba-4.12.6.tar.gz) = 52b3da01a95ec7c12a2bbe5de872ba299d62bb58 -RMD160 (samba-4.12.6.tar.gz) = 842bbb9000a7d46d551f7b6ce5b35f0087221916 -SHA512 (samba-4.12.6.tar.gz) = 16a4ced3942bc6d51e80db257e8caeaa426980f66caf2aaf2324f091ec5063bc6b9029d90ff2f321b68be4cede7555d1ebf142405105468bd581e7a7bf9f0be5 -Size (samba-4.12.6.tar.gz) = 18224870 bytes +SHA1 (samba-4.12.7.tar.gz) = b56b8390064572dd2024b23ca931fc82678ead2d +RMD160 (samba-4.12.7.tar.gz) = 6947298acc9871f6c3245b1966b18ad490625c3e +SHA512 (samba-4.12.7.tar.gz) = 5afb1f24b029e665bb4f6bd7b7cf915243476b09b304942b2105586fa99adc6a19b46b4753ca116e230e5bb7b82e011fbe296c62bc70a8a897e56aece55a7f0b +Size (samba-4.12.7.tar.gz) = 18230157 bytes SHA1 (patch-buildtools_wafsamba_samba__conftests.py) = d927db17124d2bb5b382885e70a41f84c3929926 SHA1 (patch-buildtools_wafsamba_samba__install.py) = d801340617da325e3bb70a90350e45cc8e383c2d SHA1 (patch-buildtools_wafsamba_samba__pidl.py) = e4c0ed3dacfcf5613a5b397b3c6cf88509497da7 -- cgit v1.2.3