Package: samba / 2:3.6.6-6+deb7u7

Metadata

Package Version Patches format
samba 2:3.6.6-6+deb7u7 3.0 (quilt)

Patch series

Patch File delta Description
documentation.patch | (download)

docs/manpages/lmhosts.5 | 6 2 + 4 - 0 !
docs/manpages/nmbd.8 | 18 5 + 13 - 0 !
docs/manpages/ntlm_auth.1 | 6 3 + 3 - 0 !
docs/manpages/smbd.8 | 7 2 + 5 - 0 !
docs/manpages/swat.8 | 87 2 + 85 - 0 !
docs/manpages/tdbbackup.8 | 6 3 + 3 - 0 !
docs/manpages/winbindd.8 | 17 7 + 10 - 0 !
7 files changed, 24 insertions(+), 123 deletions(-)

 remove documentation parts that do not apply to debian
documentation2.patch | (download)

docs-xml/manpages-3/nmbd.8.xml | 1 0 + 1 - 0 !
docs-xml/manpages-3/samba.7.xml | 13 2 + 11 - 0 !
docs-xml/manpages-3/smb.conf.5.xml | 1 0 + 1 - 0 !
docs-xml/manpages-3/smbd.8.xml | 1 0 + 1 - 0 !
docs-xml/using_samba/appd.xml | 20 1 + 19 - 0 !
docs-xml/using_samba/ch01.xml | 6 0 + 6 - 0 !
docs-xml/using_samba/ch07.xml | 2 1 + 1 - 0 !
docs/htmldocs/manpages/nmbd.8.html | 2 1 + 1 - 0 !
docs/htmldocs/manpages/samba.7.html | 8 3 + 5 - 0 !
docs/htmldocs/manpages/smb.conf.5.html | 2 1 + 1 - 0 !
docs/htmldocs/manpages/smbd.8.html | 2 1 + 1 - 0 !
docs/manpages/nmbd.8 | 3 1 + 2 - 0 !
docs/manpages/samba.7 | 11 1 + 10 - 0 !
docs/manpages/smb.conf.5 | 3 1 + 2 - 0 !
docs/manpages/smbd.8 | 3 1 + 2 - 0 !
examples/tridge/smb.conf | 8 0 + 8 - 0 !
swat/lang/tr/help/welcome.html | 3 1 + 2 - 0 !
17 files changed, 15 insertions(+), 74 deletions(-)

 remove documentation parts that do not apply to debian
fhs filespaths.patch | (download)

docs/manpages/smb.conf.5 | 6 2 + 4 - 0 !
libcli/auth/schannel_state_tdb.c | 2 1 + 1 - 0 !
source3/passdb/machine_sid.c | 2 1 + 1 - 0 !
source3/passdb/pdb_tdb.c | 2 1 + 1 - 0 !
source3/passdb/secrets.c | 2 1 + 1 - 0 !
source3/utils/net_idmap.c | 2 1 + 1 - 0 !
source3/winbindd/idmap_tdb2.c | 2 1 + 1 - 0 !
7 files changed, 8 insertions(+), 10 deletions(-)

 prepare the sources to better respect fhs
 This patch was historically very long but most parts have
 been integrated upstream.
 .
 The last remaining bit is the location of "private files"
 We historically have them in /var/lib/samba while upstream
 has them in /etc/samba
 .
 We need to provide a migration path and go back to the "normal"
 file layout
installswat.sh.patch | (download)

source3/script/installswat.sh | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 do not install the using samba book when installing swat
 Using Samba is packaged in samba-doc, however upstream also
 installs it in SWAT install dirs
pam examples.patch | (download)

source3/pam_smbpass/README | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix examples directory location in pam_smbpass readme
README_nosmbldap tools.patch | (download)

examples/LDAP/README | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 mention smbldap-tools package in examples/ldap/readme
smbclient pager.patch | (download)

source3/include/local.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use the pager alternative as pager if pager is undefined
undefined symbols.patch | (download)

source3/Makefile.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix missing symbols
 Fix missing symbols in libsmbclient (and libnss_wins), and add
 -Wl,-z,defs to the libsmbclient link options to prevent future
 instances of undefined symbols.
 .
 This should be forwarded upstream once there's a configure test
 for it.
VERSION.patch | (download)

source3/VERSION | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add "debian" as vendor suffix
usershare.patch | (download)

docs/manpages/net.8 | 4 2 + 2 - 0 !
source3/param/loadparm.c | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 enable net usershares by default at build time
 Enable net usershares by default at build time, with a limit of
 100, and update the corresponding documentation.
smbtar bashism.patch | (download)

source3/script/smbtar | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid using bashism in smbtar
autoconf.patch | (download)

source3/configure | 24 21 + 3 - 0 !
1 file changed, 21 insertions(+), 3 deletions(-)

---
dont build VFS examples.patch | (download)

source3/Makefile.in | 12 1 + 11 - 0 !
1 file changed, 1 insertion(+), 11 deletions(-)

 do not build vfs examples
bug_221618_precise 64bit prototype.patch | (download)

source3/include/libsmbclient.h | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 64 bit fix for libsmbclient
bug_598313_upstream_7499 nss_wins dont clobber daemons logs.patch | (download)

lib/util/debug.c | 14 8 + 6 - 0 !
nsswitch/wins.c | 2 1 + 1 - 0 !
2 files changed, 9 insertions(+), 7 deletions(-)

 nss_wins stop clobbering other daemon's log
bug_387266_upstream_4104_mention kerberos in smbspool manpage.patch | (download)

docs-xml/manpages-3/smbspool.8.xml | 4 3 + 1 - 0 !
docs/manpages/smbspool.8 | 2 1 + 1 - 0 !
2 files changed, 4 insertions(+), 2 deletions(-)

 add mention about some user for user information in smbspool manpage
bug_604768_upstream_7826_drop using samba link.patch | (download)

docs/htmldocs/index.html | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 drop using samba link in html documentation summary
bug_604768_upstream_7826_fix WHATSNEW link.patch | (download)

docs/htmldocs/index.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix whatsnew.txt link in html documentation summary to fit debian files organization
waf as source.patch | (download)

buildtools/README | 12 12 + 0 - 0 !
buildtools/bin/README | 16 0 + 16 - 0 !
buildtools/update-waf.sh | 13 13 + 0 - 0 !
buildtools/wafadmin/3rdparty/ParallelDebug.py | 299 299 + 0 - 0 !
buildtools/wafadmin/3rdparty/batched_cc.py | 183 183 + 0 - 0 !
buildtools/wafadmin/3rdparty/boost.py | 343 343 + 0 - 0 !
buildtools/wafadmin/3rdparty/fluid.py | 27 27 + 0 - 0 !
buildtools/wafadmin/3rdparty/gccdeps.py | 128 128 + 0 - 0 !
buildtools/wafadmin/3rdparty/go.py | 111 111 + 0 - 0 !
buildtools/wafadmin/3rdparty/lru_cache.py | 97 97 + 0 - 0 !
buildtools/wafadmin/3rdparty/paranoid.py | 35 35 + 0 - 0 !
buildtools/wafadmin/3rdparty/swig.py | 190 190 + 0 - 0 !
buildtools/wafadmin/3rdparty/valadoc.py | 113 113 + 0 - 0 !
buildtools/wafadmin/Build.py | 1033 1033 + 0 - 0 !
buildtools/wafadmin/Configure.py | 444 444 + 0 - 0 !
buildtools/wafadmin/Constants.py | 76 76 + 0 - 0 !
buildtools/wafadmin/Environment.py | 210 210 + 0 - 0 !
buildtools/wafadmin/Logs.py | 134 134 + 0 - 0 !
buildtools/wafadmin/Node.py | 695 695 + 0 - 0 !
buildtools/wafadmin/Options.py | 288 288 + 0 - 0 !
buildtools/wafadmin/Runner.py | 236 236 + 0 - 0 !
buildtools/wafadmin/Scripting.py | 586 586 + 0 - 0 !
buildtools/wafadmin/Task.py | 1200 1200 + 0 - 0 !
buildtools/wafadmin/TaskGen.py | 612 612 + 0 - 0 !
buildtools/wafadmin/Tools/__init__.py | 4 4 + 0 - 0 !
buildtools/wafadmin/Tools/ar.py | 36 36 + 0 - 0 !
buildtools/wafadmin/Tools/bison.py | 38 38 + 0 - 0 !
buildtools/wafadmin/Tools/cc.py | 100 100 + 0 - 0 !
buildtools/wafadmin/Tools/ccroot.py | 629 629 + 0 - 0 !
buildtools/wafadmin/Tools/compiler_cc.py | 67 67 + 0 - 0 !
buildtools/wafadmin/Tools/compiler_cxx.py | 62 62 + 0 - 0 !
buildtools/wafadmin/Tools/compiler_d.py | 33 33 + 0 - 0 !
buildtools/wafadmin/Tools/config_c.py | 736 736 + 0 - 0 !
buildtools/wafadmin/Tools/cs.py | 68 68 + 0 - 0 !
buildtools/wafadmin/Tools/cxx.py | 104 104 + 0 - 0 !
buildtools/wafadmin/Tools/d.py | 535 535 + 0 - 0 !
buildtools/wafadmin/Tools/dbus.py | 34 34 + 0 - 0 !
buildtools/wafadmin/Tools/dmd.py | 64 64 + 0 - 0 !
buildtools/wafadmin/Tools/flex.py | 25 25 + 0 - 0 !
buildtools/wafadmin/Tools/gas.py | 38 38 + 0 - 0 !
buildtools/wafadmin/Tools/gcc.py | 135 135 + 0 - 0 !
buildtools/wafadmin/Tools/gdc.py | 52 52 + 0 - 0 !
buildtools/wafadmin/Tools/glib2.py | 164 164 + 0 - 0 !
buildtools/wafadmin/Tools/gnome.py | 223 223 + 0 - 0 !
buildtools/wafadmin/Tools/gnu_dirs.py | 111 111 + 0 - 0 !
buildtools/wafadmin/Tools/gob2.py | 18 18 + 0 - 0 !
buildtools/wafadmin/Tools/gxx.py | 133 133 + 0 - 0 !
buildtools/wafadmin/Tools/icc.py | 37 37 + 0 - 0 !
buildtools/wafadmin/Tools/icpc.py | 35 35 + 0 - 0 !
buildtools/wafadmin/Tools/intltool.py | 139 139 + 0 - 0 !
buildtools/wafadmin/Tools/javaw.py | 255 255 + 0 - 0 !
buildtools/wafadmin/Tools/kde4.py | 74 74 + 0 - 0 !
buildtools/wafadmin/Tools/libtool.py | 330 330 + 0 - 0 !
buildtools/wafadmin/Tools/lua.py | 25 25 + 0 - 0 !
buildtools/wafadmin/Tools/misc.py | 430 430 + 0 - 0 !
buildtools/wafadmin/Tools/msvc.py | 797 797 + 0 - 0 !
buildtools/wafadmin/Tools/nasm.py | 49 49 + 0 - 0 !
buildtools/wafadmin/Tools/ocaml.py | 298 298 + 0 - 0 !
buildtools/wafadmin/Tools/osx.py | 188 188 + 0 - 0 !
buildtools/wafadmin/Tools/perl.py | 109 109 + 0 - 0 !
buildtools/wafadmin/Tools/preproc.py | 836 836 + 0 - 0 !
buildtools/wafadmin/Tools/python.py | 413 413 + 0 - 0 !
buildtools/wafadmin/Tools/qt4.py | 505 505 + 0 - 0 !
buildtools/wafadmin/Tools/ruby.py | 120 120 + 0 - 0 !
buildtools/wafadmin/Tools/suncc.py | 76 76 + 0 - 0 !
buildtools/wafadmin/Tools/suncxx.py | 75 75 + 0 - 0 !
buildtools/wafadmin/Tools/tex.py | 251 251 + 0 - 0 !
buildtools/wafadmin/Tools/unittestw.py | 310 310 + 0 - 0 !
buildtools/wafadmin/Tools/vala.py | 308 308 + 0 - 0 !
buildtools/wafadmin/Tools/winres.py | 45 45 + 0 - 0 !
buildtools/wafadmin/Tools/xlc.py | 78 78 + 0 - 0 !
buildtools/wafadmin/Tools/xlcxx.py | 78 78 + 0 - 0 !
buildtools/wafadmin/Utils.py | 726 726 + 0 - 0 !
buildtools/wafadmin/__init__.py | 3 3 + 0 - 0 !
buildtools/wafadmin/ansiterm.py | 236 236 + 0 - 0 !
buildtools/wafadmin/pproc.py | 620 620 + 0 - 0 !
buildtools/wafadmin/py3kfixes.py | 130 130 + 0 - 0 !
77 files changed, 18050 insertions(+), 16 deletions(-)

 include waf as an extracted source directory, rather than as a one-in-a-file script.
smbtorture manpage.patch | (download)

docs/manpages/smbtorture.1 | 83 83 + 0 - 0 !
1 file changed, 83 insertions(+)

 provide a manpage for smbtorture
libutil_drop_AI_ADDRCONFIG.patch | (download)

lib/util/util_net.c | 16 11 + 5 - 0 !
1 file changed, 11 insertions(+), 5 deletions(-)

 [patch] libutil: use ai_addrconfig only when ai_numeric is not defined

This flag prevents startup w/o ip addresses assigned to any interface.
If AI_NUMERIC is passed it should be safe to avoid it.

Signed-off-by: Andreas Schneider <asn@samba.org>

shadow_copy2_backport.patch | (download)

source3/modules/vfs_shadow_copy2.c | 1817 1212 + 605 - 0 !
1 file changed, 1212 insertions(+), 605 deletions(-)

 backport new shadow_copy2 implementation from master
 The shadow_copy2 vfs module in samba 3.6 doesn't work if wide links is
 disabled. This problem is fixed by a rewrite in the master branch.
 This patch is a backport of this new version to samba 3.6.
 It is based on these commits in the upstream samba git:
 dc461cade5becec21f8d1f2bb74fcf1a977a5ec2
 617b63658b02957422359a76fd8b8e4748d228ee
only_export_public_symbols.patch | (download)

source3/Makefile.in | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 only export public symbols
 Force usage of the symbols list when linking shared libraries. Otherwise,
 private symbols get exported in libsmbclient and libwbclient.
0001 ndr fix push pull DATA_BLOB with NDR_NOALIGN.patch | (download)

librpc/ndr/ndr_basic.c | 34 22 + 12 - 0 !
1 file changed, 22 insertions(+), 12 deletions(-)

 [patch] ndr: fix push/pull data_blob with ndr_noalign

This change addresses bug 9026.
There are 3 use cases for DATA_BLOB marshalling/unmarshalling:

1)
ndr_push_DATA_BLOB and ndr_pull_DATA_BLOB when called with
LIBNDR_FLAG_ALIGN* alignment flags set, are used to push/pull padding
bytes _only_. The length is determined by the alignment required and
the current ndr offset.
e.g. dcerpc.idl:
        typedef struct {
...
                [flag(NDR_ALIGN8)]    DATA_BLOB _pad;
        } dcerpc_request;

2)
When called with the LIBNDR_FLAG_REMAINING flag, all remaining bytes in
the ndr buffer are pushed/pulled.
e.g. dcerpc.idl:
        typedef struct {
...
                [flag(NDR_REMAINING)] DATA_BLOB stub_and_verifier;
        } dcerpc_request;

3)
When called without alignment flags, push/pull a uint32 length _and_ a
corresponding byte array to/from the ndr buffer.
e.g. drsblobs.idl
        typedef [public] struct {
...
                DATA_BLOB data;
        } DsCompressedChunk;

The fix for bug 8373 changed the definition of "alignment flags", such
that when called with LIBNDR_FLAG_NOALIGN ndr_push/pull_DATA_BLOB
behaves as (1: padding bytes) rather than (3: uint32 length + byte
array).

This breaks marshalling/unmarshalling for the following structures.
eventlog.idl:
        typedef [flag(NDR_NOALIGN|NDR_PAHEX),public] struct {
...
                DATA_BLOB sid;
...
        } eventlog_Record_tdb;

ntprinting.idl:
        typedef [flag(NDR_NOALIGN),public] struct {
...
                DATA_BLOB *nt_dev_private;
        } ntprinting_devicemode;

        typedef [flag(NDR_NOALIGN),public] struct {
...
                DATA_BLOB data;
        } ntprinting_printer_data;

security CVE 2013 0213.patch | (download)

source3/web/swat.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] swat: use x-frame-options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin <kai@samba.org>

security CVE 2013 0214.patch | (download)

source3/web/cgi.c | 40 26 + 14 - 0 !
source3/web/swat.c | 2 2 + 0 - 0 !
source3/web/swat_proto.h | 1 1 + 0 - 0 !
3 files changed, 29 insertions(+), 14 deletions(-)

 [patch] swat: use additional nonce on xsrf protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin <kai@samba.org>

security CVE 2013 4124.patch | (download)

source3/smbd/nttrans.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

---
security CVE 2013 4475.patch | (download)

source3/smbd/open.c | 61 61 + 0 - 0 !
1 file changed, 61 insertions(+)

 [patch] fix bug #10229 - no access check verification on stream
 files.

https://bugzilla.samba.org/show_bug.cgi?id=10229

We need to check if the requested access mask
could be used to open the underlying file (if
it existed), as we're passing in zero for the
access mask to the base filename.

Signed-off-by: Jeremy Allison <jra@samba.org>

security CVE 2013 4408.patch | (download)

lib/async_req/async_sock.c | 5 5 + 0 - 0 !
libcli/util/tstream.c | 5 5 + 0 - 0 !
librpc/idl/dcerpc.idl | 1 1 + 0 - 0 !
librpc/rpc/dcerpc_util.c | 23 23 + 0 - 0 !
librpc/rpc/rpc_common.h | 1 1 + 0 - 0 !
nsswitch/libwbclient/wbc_sid.c | 7 7 + 0 - 0 !
nsswitch/wbinfo.c | 23 20 + 3 - 0 !
source3/lib/netapi/group.c | 98 98 + 0 - 0 !
source3/lib/netapi/localgroup.c | 8 7 + 1 - 0 !
source3/lib/netapi/user.c | 72 72 + 0 - 0 !
source3/lib/util_tsock.c | 5 5 + 0 - 0 !
source3/libnet/libnet_join.c | 16 16 + 0 - 0 !
source3/librpc/rpc/dcerpc_helpers.c | 4 4 + 0 - 0 !
source3/rpc_client/cli_lsarpc.c | 35 34 + 1 - 0 !
source3/rpc_client/cli_pipe.c | 42 36 + 6 - 0 !
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 1 + 1 - 0 !
source3/rpcclient/cmd_lsarpc.c | 13 10 + 3 - 0 !
source3/rpcclient/cmd_samr.c | 66 65 + 1 - 0 !
source3/smbd/lanman.c | 8 8 + 0 - 0 !
source3/utils/net_rpc.c | 47 45 + 2 - 0 !
source3/utils/net_rpc_join.c | 9 9 + 0 - 0 !
source3/winbindd/wb_lookupsids.c | 3 3 + 0 - 0 !
source3/winbindd/winbindd_msrpc.c | 10 8 + 2 - 0 !
source3/winbindd/winbindd_rpc.c | 54 41 + 13 - 0 !
source4/libcli/util/clilsa.c | 22 20 + 2 - 0 !
source4/libnet/groupinfo.c | 10 7 + 3 - 0 !
source4/libnet/groupman.c | 10 5 + 5 - 0 !
source4/libnet/libnet_join.c | 12 10 + 2 - 0 !
source4/libnet/libnet_lookup.c | 5 5 + 0 - 0 !
source4/libnet/libnet_passwd.c | 10 9 + 1 - 0 !
source4/libnet/userinfo.c | 9 7 + 2 - 0 !
source4/libnet/userman.c | 24 10 + 14 - 0 !
source4/librpc/rpc/dcerpc.c | 4 4 + 0 - 0 !
source4/librpc/rpc/dcerpc_smb.c | 6 6 + 0 - 0 !
source4/librpc/rpc/dcerpc_smb2.c | 6 6 + 0 - 0 !
source4/librpc/rpc/dcerpc_sock.c | 6 6 + 0 - 0 !
source4/winbind/wb_async_helpers.c | 26 24 + 2 - 0 !
37 files changed, 643 insertions(+), 64 deletions(-)

     dce-rpc fragment length field is incorrectly checked.
==
== CVE ID#:     CVE-2013-4408
==
== Versions:    All versions of Samba later than 3.4.0
==
== Summary:     Incorrect length checks on DCE-RPC fragment lengths
==              cause Samba client utilities including winbindd to
==              be vulnerable to buffer overrun exploits.
==
===========================================================

===========
Description
===========

Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
vulnerable to buffer overrun exploits in the client processing of
DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
fragment length in the client code.

This is a critical vulnerability as the DCE-RPC client code is part of
the winbindd authentication and identity mapping daemon, which is
commonly configured as part of many server installations (when joined
to an Active Directory Domain). A malicious Active Directory Domain
Controller or man-in-the-middle attacker impersonating an Active
Directory Domain Controller could achieve root-level access by
compromising the winbindd process.

Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
also vulnerable to a denial of service attack (server crash) due to a
similar error in the server code of those versions.

Samba server versions 3.6.0 and above (including all 3.6.x versions,
all 4.0.x versions and 4.1.x) are not vulnerable to this problem.

In addition range checks were missing on arguments returned from calls
to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
and LookupRids (samr) which could also cause similar problems.

As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of December 9th 2013).


security CVE 2012 6150.patch | (download)

nsswitch/pam_winbind.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] fail authentication for single group name which cannot be
 converted to sid

furthermore if more than one name is supplied and no sid is converted
then also fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300

Signed-off-by: Noel Power <noel.power@suse.com>
security CVE 2013 4496.patch | (download)

source3/auth/check_samsec.c | 1 1 + 0 - 0 !
source3/rpc_server/samr/srv_samr_chgpasswd.c | 55 55 + 0 - 0 !
source3/rpc_server/samr/srv_samr_nt.c | 259 82 + 177 - 0 !
source3/smbd/lanman.c | 254 0 + 254 - 0 !
source4/rpc_server/samr/samr_password.c | 126 6 + 120 - 0 !
source4/torture/rpc/samr.c | 12 10 + 2 - 0 !
6 files changed, 154 insertions(+), 553 deletions(-)

 [patch 1/3] cve-2013-4496:s3-samr: block attempts to crack passwords
 via repeated password changes

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
security CVE 2014 0178.patch | (download)

source3/smbd/nttrans.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch 1/2] fsctl_get_shadow_copy_data: initialize output array to
 zero

Otherwise num_volumes and the end marker can return uninitialized data
to the client.

Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
security CVE 2014 0244.patch | (download)

source3/lib/system.c | 7 2 + 5 - 0 !
1 file changed, 2 insertions(+), 5 deletions(-)

 [patch] s3: nmbd: fix bug 10633 - nmbd denial of service

The Linux kernel has a bug in that it can give spurious
wakeups on a non-blocking UDP socket for a non-deliverable packet.

When nmbd was changed to use non-blocking sockets it
became vulnerable to a spurious wakeup from poll/epoll.

Fix sys_recvfile() to return on EWOULDBLOCK/EAGAIN.

CVE-2014-0244

Signed-off-by: Jeremy Allison <jra@samba.org>

security CVE 2014 3493.patch | (download)

source3/lib/charcnv.c | 16 10 + 6 - 0 !
source3/libsmb/clirap.c | 4 2 + 2 - 0 !
source3/smbd/lanman.c | 4 2 + 2 - 0 !
3 files changed, 14 insertions(+), 10 deletions(-)

 [patch] s3: smbd - fix processing of packets with invalid dos charset
 conversions.

Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler

https://bugzilla.samba.org/show_bug.cgi?id=10654

Signed-off-by: Jeremy Allison <jra@samba.org>

security CVE 2015 0240.patch | (download)

libcli/auth/schannel_state_tdb.c | 4 4 + 0 - 0 !
source3/rpc_server/netlogon/srv_netlog_nt.c | 13 11 + 2 - 0 !
2 files changed, 15 insertions(+), 2 deletions(-)

 [patch 1/3] cve-2015-0240: s3: netlogon: ensure we don't call
 talloc_free on an uninitialized pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
CVE 2015 5252 v3 6 bso11395.patch | (download)

source3/smbd/vfs.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch] cve-2015-5252: s3: smbd: fix symlink verification (file
 access outside the share).

Ensure matching component ends in '/' or '\0'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395

Signed-off-by: Jeremy Allison <jra@samba.org>
CVE 2015 5299 v3 6 bso11529.patch | (download)

source3/modules/vfs_shadow_copy2.c | 47 47 + 0 - 0 !
1 file changed, 47 insertions(+)

 [patch] cve-2015-5299: s3-shadow-copy2: fix missing access check on
 snapdir

Fix originally from <partha@exablox.com>

https://bugzilla.samba.org/show_bug.cgi?id=11529

Signed-off-by: Jeremy Allison <jra@samba.org>
CVE 2015 5296 v3 6 bso11536.patch | (download)

source3/libsmb/clidfs.c | 7 6 + 1 - 0 !
source3/libsmb/libsmb_server.c | 13 11 + 2 - 0 !
2 files changed, 17 insertions(+), 3 deletions(-)

 [patch 1/2] cve-2015-5296: s3:libsmb: force signing when requiring
 encryption in do_connect()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536

Signed-off-by: Stefan Metzmacher <metze@samba.org>
s3 smbd fix a corner case of the symlink verificatio.patch | (download)

source3/smbd/vfs.c | 39 27 + 12 - 0 !
1 file changed, 27 insertions(+), 12 deletions(-)

 [patch] s3:smbd: fix a corner case of the symlink verification

Commit 7606c0db257b3f9d84da5b2bf5fbb4034cc8d77d fixes the
path checks in check_reduced_name[_with_privilege]() to
prevent unintended access via wide links.

The fix fails to correctly treat a corner case where the share
path is "/". This case is important for some real world
scenarios, notably the use of the glusterfs VFS module:

For the share path "/", the newly introduced checks deny all
operations in the share.

This change fixes the checks for the corner case.
The point is that the assumptions on which the original
checks are based are not true for the rootdir "/" case.
This is the case where the rootdir starts _and ends_ with
a slash. Hence a subdirectory does not continue with a
slash after the rootdir, since the candidate path has
been normalized.

This fix just omits the string comparison and the
next character checks in the case of rootdir "/",
which is correct because we know that the candidate
path is normalized and hence starts with a '/'.

The patch is fairly minimal, but changes indentation,
hence best viewed with 'git show -w'.

A side effect is that the rootdir="/" case needs
one strncmp less.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11647

Pair-Programmed-With: Jose A. Rivera <jarrpa@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Jose A. Rivera <jarrpa@samba.org>
CVE 2015 7560 v3 6.patch | (download)

source3/smbd/nttrans.c | 12 12 + 0 - 0 !
source3/smbd/trans2.c | 70 62 + 8 - 0 !
2 files changed, 74 insertions(+), 8 deletions(-)

 [patch 1/8] cve-2015-7560: s3: smbd: add refuse_symlink() function
 that can be used to prevent operations on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>