This update for samba to version 4.10.17 fixes the following issues: - Fixed net command unable to negotiate SMB2; ; - Update to 4.10.17 - CVE-2020-10745: Invalid DNS or NBT queries containing dots use several seconds of CPU each; ; . - CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; ; . - CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; ; . - CVE-2020-14303: Fix endless loop from empty UDP packet sent to AD DC nbt_server; ; . - CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined, ldb: Bump version to 1.5.8; ; . - Update to 4.10.16 s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer from a getenv pointer. lib:util: Fix smbclient -l basename dir; . Malicous SMB1 server can crash libsmbclient; . s3:libads: Fix ads_get_upn; . docs-xml: Fix usernames in pam_winbind manpages; . Client tools are not able to read gencache anymore since 4.10; . - Update to 4.10.15 - CVE-2020-10700: Fix use-after-free in AD DC LDAP server when ASQ and paged_results combined; ; . - CVE-2020-10704: Fix LDAP Denial of Service in Samba AD DC; ; . - Update to 4.10.14 s3: lib: nmblib. Clean up and harden nmb packet processing; . s3: VFS: full_audit. Use system session_info if called from a temporary share definition; . nmblib: Avoid undefined behaviour in handle_name_ptrs; . dsdb: Correctly handle memory in objectclass_attrs; . auth: Fix CID 1458418 Null pointer dereferences , auth: Fix CID 1458420 Null pointer dereferences ; . winbind member fails local SAM auth with empty domain name; . winbindd: Handling missing idmap in getgrgid; . lib:util: Log mkdir error on correct debug levels; . wafsamba: Do not use "rU" as the "U" is deprecated in Python 3.9; . ctdb-tcp: Make error handling for outbound connection consistent; . Starting ctdb node that was powered off hard before results in recovery loop; . - Update to 4.10.13 s3: libsmb: Ensure SMB1 cli_qpathinfo2 doesn"t return an inode number; . s3: utils: smbtree. Ensure we don"t call cli_RNetShareEnum on an SMB1 connection; . s3: libsmb: Ensure return from net_share_enum_rpc sets cli-gt;raw_status on error; . s3: smbd: SMB2 - Ensure we use the correct session_id if encrypting an interim response; . s3: smbd: Only set xconn-gt;smb1.negprot.done = true after supported_protocols[protocol].proto_reply_fn succeeds; . pygpo: Use correct method flags; . s3: Remove now unneeded call to cmdline_messaging_context; . Incomplete conversion of former parametric options; . Fix sync dosmode fallback in async dosmode codepath; . vfs_fruit returns capped resource fork length; . s3:printing: Fix %J substition; . libnet_join: Add SPNs for additional-dns-hostnames entries; . Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; . docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; . ctdb-tcp: Close inflight connecting TCP sockets after fork; . s4:dirsync: Fix interaction of dirsync and extended_dn controls; . upgradedns: Ensure lmdb lock files linked; . s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; . wscript: Remove checks for shm_open and shmget; . libsmbclient: smbc_stat doesn"t return the correct st_mode and also the uid/gid is not filled ; . replace: Only link libnsl and libsocket if required; . librpc: Fix string length checking in ndr_pull_charset_to_null; . heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; . ctdb-tcp: Drop tracking of file descriptor for incoming connections; . ctdb-scripts: Strip square brackets when gathering connection info; . - Update to 4.10.12 - CVE-2019-14902: Replication of ACLs down subtree on AD Directory not automatic; ; ; - CVE-2019-14907: lib/util: Do not print the failed to convert string into the logs; ; . - CVE-2019-19344: kcc dns scavenging: Fix use after free in dns_tombstone_records_zone; ; . - Update to 4.10.11 - CVE-2019-14861: Fix DNSServer RPC server crash; ; . - CVE-2019-14870: DelegationNotAllowed not being enforced; ; . - Update to 4.10.10 - CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code from evil server returned names; ; . - CVE-2019-14833: Use utf8 characters in the unacceptable password; ; . - CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync; ; . - CVE-2019-14833 dsdb: Send full password to check password script; ; . - Update to 4.10.9 Different Device Id for GlusterFS FUSE mount is causing data loss in CTDB cluster; . winbind: Provide passwd struct for group sid with ID_TYPE_BOTH mapping ; . smbc_readdirplus is incompatible with smbc_telldir and smbc_lseekdir; . s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls; . s4/scripting: MORE py3 compatible print functions. ldb: Release ldb 1.5.6; . undoduididx: Add quot;or laterquot; to warning about using tools from Samba 4.8; . ldb_tdb fails to check error return when parsing pack formats; . ctdb: Fix compilation on systems with glibc robust mutexes; . GPO security filtering based on the groups in Kerberos PAC ; . Fix spnego fallback from kerberos to ntlmssp in smbd server; . s3-winbindd: fix forest trusts with additional trust attributes; . vfs_glusterfs: Use pthreadpool for scheduling aio operations; . ldb: baseinfo pack format check on init; . ldb: ldbdump key and pack format version comments; . Overlinking libreplace against librt and pthread against every binary or library causes issues; . ctdb-vacuum: Process all records not deleted on a remote node; . classicupgrade: Fix uncaught exception; . fault.c: Improve fault_report message text pointing to our wiki; . s3:client:Use DEVICE_URI, instead of argv[0],for Device URI; . We should send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID negotiation context; . "pam_winbind" with "krb5_auth" or "wbinfo -K" doesn"t work for users of trusted domains/forests principalsquot; logic; . vfs_glusterfs: Enable profiling for file system operations; . vfs_gpfs: Implement special case for denying owner access to ACL; . Joining Active Directory should not use SAMR to set the password; . s3:libsmb: Do not check the SPNEGO neg token for KRB5; . Overlinking libreplace against librt and pthread against every binary or library causes issues; . "kpasswd" fails when built with MIT Kerberos; . CTDB replies can be lost before nodes are bidirectionally connected; . quot;ctdb stopquot; command completes before databases are frozen; . ctdb-tools: Stop deleted nodes from influencing ctdb nodestatus exit code; . s3:ldap: Fix join with don"t exists machine account; . - Update to 4.10.8 - CVE-2019-10197: Permissions check deny can allow user to escape from the share; ; . - CVE-2019-10197: Permissions check deny can allow user to escape from the share; ; . - Update to 4.10.7 Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; . build: Allow build when "--disable-gnutls" is set; . samba-tool: Add "import samba.drs_utils" to fsmo.py; . Fix "Error 32 determining PSOs in system" message on old DB with FL upgrade; . s4/libnet: Fix joining a Windows pre-2008R2 DC; . join: Use a specific attribute order for the DsAddEntry nTDSDSA object; . vfs_catia: Pass stat info to synthetic_smb_fname; . lookup_name: Allow own domain lookup when flags == 0; . s4 librpc rpc pyrpc: Ensure tevent_context deleted last; . DEBUGC and DEBUGADDC doesn"t print into a class specific log file; . Request to keep deprecated option quot;server schannelquot;, VMWare Quickprep requires quot;autoquot;; . dbcheck: Fallback to the default tombstoneLifetime of 180 days; . dnsProperty fails to decode values from older Windows versions; . samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; . third_party: Update waf to version 2.0.17; . netcmd: Allow "drs replicate --local" to create partitions; . ctdb-config: Depend on /etc/ctdb/nodes file; . - Update to 4.10.6 s3: winbind: Fix crash when invoking winbind idmap scripts; . smbd does not correctly parse arguments passed to dfree and quota scripts; . samba-tool dns: use bytes for inet_ntop; . samba-tool domain provision: Fix --interactive module in python3; . ldb_kv: Skip @ records early in a search full scan; . docs: Improve documentation of quot;lanman authquot; and quot;ntlm authquot; connection; . python/ntacls: Use correct quot;state directoryquot; smb.conf option instead of quot;state dirquot;; . registry: Add a missing include; . Fix SMB guest authentication; . AppleDouble conversion breaks Resourceforks; . vfs_fruit makes direct use of syscalls like mmap and pread; . s3:mdssvc: Fix flex compilation error; . s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly:; . dsdb:samdb: schemainfo update with relax control; . s3:util: Move static file_pload function to lib/util; . smbd: Fix a panic; . ldap server: Generate correct referral schemes; . s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; . s4 dsdb: Fix use after free in samldb_rename_search_base_callback; . dsdb/repl: we need to replicate the whole schema before we can apply it; . ldb: Release ldb 1.5.5; . Schema replication fails if link crosses chunk boundary backwards; . "samba-tool domain schemaupgrade" uses relax control and skips the schemaInfo update provision; . dsdb_audit: avoid printing quot;... remote host [Unknown] SID [] ...quot;; . python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; . s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; . Using Kerberos credentials to print using spoolss doesn"t work; . wafsamba: Use native waf timer; . ctdb-scripts: Fix tcp_tw_recycle existence check; . This update for ldb to version 1.5.8 fixes the following issues: - Update to 1.5.8 - CVE-2020-10730: Fixed a null de-reference in AD DC LDAP server when ASQ and VLV combined . - Update to 1.5.7 - CVE-2020-10700: Fixed a use-after-free in AD DC LDAP server when ASQ and paged_results combined . - Update to 1.5.6 - Fix segfault parsing new pack formats or invalid packed data - Check for new pack formats during startup - Making ldbdump print out pack format info and keys so we have low level visibility for testing in python - Update to 1.5.5 LDAP_REFERRAL_SCHEME_OPAQUE was added Skip @ records early in a search full scan