- Update to latest stable bugfix and security release (closes: 44965).
- Fixed a compilation error on Linux/aarch64 (GitHub#197).
- Fixed a potential crash introduced in the fix for (GitHub#134):
+ If a user's sudoers entry did not have any RunAs users set, running
"sudo -U otheruser -l" would dereference a NULL pointer.
- Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
I/O files when the "iolog_file" sudoers setting contains six or more Xs.
- Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
sudoedit) that could allow a malicious user with sudoedit privileges to edit
arbitrary files.
- Fix property tabs size policy to look prettier.
- Enable both user and machine attributes during GPO creation.
- Fix availability of the Ok button when:
+ a policy name is missing in the policy create dialog;
+ a group name is missing in the rename OU dialog;
+ a user name is missing in the rename user dialog.
- Add support for creating and deleting symlinks in the user home directory for
mapped network drives in the cifs applier.
- Fix file copy applier support for deleting files with substitution.
- Add user policies for drive maps symlinks in home directory.
- Add warning when disabling network manager.
- Fix correction of the option name for open LDAP TLS connections in Russian.
- Fix typo in cups.service.
- Update to maintenance release of Samba 4.16 with fixes for the Samba CVEs for
the Windows Kerberos Elevation of Privilege Vulnerability disclosed by
Microsoft on Nov 8, 2022 (CVE-2022-37967, CVE-2022-37966).
- Security fixes:
+ CVE-2022-37966: A Samba Active Directory DC will issue weak rc4-hmac session
keys for use between modern clients and servers despite all modern Kerberos
implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active
Directory DCs and members 'kerberos encryption types = legacy' would force
rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or
aes256-cts-hmac-sha1-96 (Samba#13135, Samba#15219, Samba#15237).
https://www.samba.org/samba/security/CVE-2022-37966.html
+ CVE-2022-37967: A service account with the special constrained delegation
permission could forge a more powerful ticket than the one it was presented
with (Samba#15231).
https://www.samba.org/samba/security/CVE-2022-37967.html
+ CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
same algorithms as rc4-hmac cryptography in Kerberos, and so must also be
assumed to be weak (Samba#15240).
https://www.samba.org/samba/security/CVE-2022-38023.html
- Action menu: Block inheritance feature is added to organizational
unit context menu. The limited group policy tab is also returned.
- Console: Bug with empty group policy object crashing is fixed.
- Console: Non-deletable group policy containers don't disappear
from the GUI after a deletion attempt now. A warning message pops up instead
of the error log dialog.
- Misc: "Order" column is added to policy organizational unit results.
Sorting is performed by this column by default.
- Console: Fix crash in policy tree after changing properties
for organizational units.
- Misc: Fix description bar squishing scope pane, when selected
item's name is too long and description bar needs to display it.
- Toolbar: Fix icons for "create" actions for organizational units,
users and groups in toolbar.
- Misc: Add trimming to full name autofill.
- Misc: Add trimming to attribute sAMAccountName edit in create
dialog for computers.
- Misc: Add "find gpo" action to policy tree. It implements group
policy object search functionality.
- Misc: Improve "Import Query" action so that it is possible to
import multiple queries at the same time.
- Fixed mapped drive maps for user and added support for machine:
+ Added label option support
+ Fixed drive letter collisions and assignment as in Windows
- Replaced cifs applier mountpoints with the gvfs directories shown:
+ /media/gpupdate/Drive - for system shares
+ /media/gpupdate/.Drive - for system hidden shares
+ /run/media/USERNAME/DriveUser - for user shares
+ /run/media/USERNAME/.DriveUser - for user hidden shares
- Added network shares support for user
- Fixed bug (closes: 44026) in chromium applier
- Added keylist handling when generating firefox settings (closes: 44209)
- Added a check of the need to scroll DC (scrolling DCs disabled by default!)
- Added the ability to generate rules for all polkit actions
- Added applier for Yandex.Browser
- Fix libnss-systemd postinstall scriptlet for compatibility with libnss-role
conflict in order of modules in group NSS database (closes: #44505).
- Fix postuninstall scriptlets for cleanup of systemd and mymachines NSS modules.
- Add role-usershares control to allow or disallow the use of samba usershares
by group users as a privilege.
- Add compatibility support for sambashare group as common privilege assigned
to usershares group (Closes: #44379).
- Update samba defaults from samba-4.16.6-alt1 release.
- Update restore script with default configuration files actually placed in
default directory as in the user's system.
- Don't treat a missing include file as an error in handle_include().
This behavior differs between the source3 and source4 parts of Samba.
So, it should be the same and just not an error (Closes #44214).
- Update to latest 2.8 major release.
- Important fixes:
+ A regression where running sss_cache when no SSSD domain is enabled would
produce a syslog critical message was fixed.
+ Several fixes in D-Bus infopipe functions:
ListByName(), Groups.ListByName() and Groups.ListByDomainAndName().
- Update to latest stable bugfix and security release (fixes: CVE-2022-43995).
- Major improvements from latest Sisyphus release:
+ For ptrace-based intercept mode, sudo will now attempt to verify that the
command path name, arguments and environment have not changed from the time
when they were authorized by the security policy. The new intercept_verify
sudoers setting can be used to control this behavior.
+ Sudo now supports passing the execve(2) system call the NULL pointer for the
argv and/or envp arguments when in intercept mode. Linux treats a NULL pointer
like an empty array.
+ Neovim has been added to the list of visudo editors that support passing the
line number on the command line.
+ Added a new -N (no-update) command line option to sudo which can be used to
prevent sudo from updating the user's cached credentials.
+ PAM approval modules are no longer invoked when running sub-commands in
intercept mode unless the intercept_authenticate option is set. There is a
substantial performance penalty for calling into PAM for each command run.
PAM approval modules are still called for the initial command.
+ Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
if available.
+ The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
This makes it possible for graphical applications to choose the correct theme
when run via sudo.
+ The cvtsudoers manual now documents the JSON and CSV output formats.
+ The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers
settings can be used to support more fine-grained I/O logging. The sudo
front-end no longer allocates a pseudo-terminal when running a command if the
I/O logging plugin requests logging of stdin, stdout, or stderr but not
terminal input/output.
+ Added the -I option to visudo which only edits the main sudoers file.
Include files are not edited unless a syntax error is found.
- Update to maintenance release of Samba 4.16 (Samba#15134)
- Security fixes:
+ CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
- Add samba-usershares package for support for non-root user shares.
- Default smb.conf simplified: homes, printers and print$ shares enabled by
default. The original large default example smb.conf is replaced with
smb.conf.example.
- Fix sudowheel control to be more flexible and to support the default 'ALL:ALL'
Runas_Spec with a group alias specified.
- Fix initialization error in post-scripts for sudoreplay and sudowheel controls
during first installation process (closes: 41907).
- Improve error handling.
- Rename source files from plugin to modules in common style.
- Add support for loading backend prototypes with interfaces from
alterator_manager_interface in modules.
- AD GPO: Fix support for processing referrals for hostname
- New features
+ Introduced the D-Bus function
org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit)
listing up to limit users matching the filter attr=value.
+ sssctl is now able to create, list and delete indexes on the local caches.
Indexes are useful for the new D-Bus ListByAttr() function.
+ sssctl is now able to read and set each component's debug level
independently.
- Important fixes
+ domains option in [sssd] section can now be completely omitted if domains
are enabled via domains/enabled option.
- New options:
+ core_dumpable, ldap_enumeration_refresh_offset,
subdomain_refresh_interval_offset, dyndns_refresh_interval_offset,
refresh_expired_interval_offset, ldap_purge_cache_offset.
- Configuration changes:
+ Option 'ad_machine_account_password_renewal_opts' now accepts an optional
third part as the maximum deviation in the provided period (first part) and
initial delay (second part). If the period and initial delay are provided
but not the offset, the offset is assumed to be 0. If no part is provided,
the default is 86400:750:300.
+ override_homedir now recognizes the %h template which is replaced by the
original home directory retrieved from the identity provider, but in lower
case.
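The ad_machine_account_password_renewal_opts parsing rule above (two parts give an offset of 0; no value gives 86400:750:300), as an added example that is not sssd's own code; the function name and the rejection of anything other than two or three numeric parts are assumptions made here.

```python
"""Parse the SSSD 'ad_machine_account_password_renewal_opts' value.

Format: "period:initial_delay[:offset]" (all in seconds).
  - period and initial_delay given, offset omitted -> offset is 0
  - option absent or empty                         -> 86400:750:300
Added example, not sssd's own code. Assumption: any other number of parts
is treated as a configuration error instead of being silently filled in.
"""

from typing import NamedTuple, Optional

DEFAULT_PERIOD = 86400
DEFAULT_INITIAL_DELAY = 750
DEFAULT_OFFSET = 300


class RenewalOpts(NamedTuple):
    period: int         # seconds between renewal checks
    initial_delay: int  # seconds before the first check
    offset: int         # maximum deviation applied to period and initial delay


def parse_renewal_opts(value: Optional[str]) -> RenewalOpts:
    # Absent or empty option: the documented default applies, offset included.
    if value is None or value.strip() == "":
        return RenewalOpts(DEFAULT_PERIOD, DEFAULT_INITIAL_DELAY, DEFAULT_OFFSET)

    parts = [p.strip() for p in value.split(":")]
    # Assumption: exactly two or three parts are accepted.
    if len(parts) not in (2, 3):
        raise ValueError(
            f"expected 'period:initial_delay[:offset]', got {value!r}")

    numbers = []
    for name, part in zip(("period", "initial_delay", "offset"), parts):
        if not part.isdigit():
            raise ValueError(f"{name} must be a non-negative integer, got {part!r}")
        numbers.append(int(part))

    # Period and initial delay present but no offset: offset is 0, not the
    # default 300, so an explicitly configured value never gains jitter.
    if len(numbers) == 2:
        numbers.append(0)

    return RenewalOpts(*numbers)
```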
- Add support for LDAP add/mod operation to set/change the password:
+ fix being unable to join Active Directory after KB5008380/CVE-2021-42287 with
option '--ldap-passwd';
+ https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
- Add support for falling back to LDAPS if the CLDAP ping was not successful
+ If the --use-ldaps option is used and there is no reply on the CLDAP 389/udp
port adcli will try to send the request to the LDAPS port 636/tcp.
- Fix writing the SID before the secret to Samba's db, as 'net changesecretpw' does
- Add passwd-user sub-command to (re)set a user password.
- Add dont-expire-password option for computer.
- Fixed possible crash in getaddrinfo()
- Fixed issues with processes closing all fds when forking
- Fixed issues with setgrent() and endpwent() nss module support
- Update Policy templates for Firefox 103 and Firefox ESR 102.1
- While these templates will work for Firefox ESR 91, they contain
new policies that are not in Firefox ESR 91:
+ ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
+ StartDownloadsInTempDirectory
+ UseSystemPrintDialog
- Update to latest 2.7 major release.
- Lock-free client support will be only built if libc provides
pthread_key_create() and pthread_once().
For glibc this means version 2.34+
- Add requirement of adcli to sssd-ad.
- Update to latest stable release of Samba 4.16
- Major fixes:
+ Possible use after free of connection_struct when iterating
smbd_server_connection->connections (Samba#15128).
+ Spotlight RPC service returns wrong response when Spotlight is
disabled on a share (Samba#15086).
+ acl_xattr VFS module may unintentionally use filesystem
permissions instead of ACL from xattr (Samba#15126).
+ Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
assert failed: !is_named_stream(smb_fname)") at
../../lib/util/fault.c:197 (Samba#15153).
+ Missing READ_LEASE break could cause data corruption (Samba#15148).
+ rpcclient can crash using setuserinfo(2) (Samba#15124).
+ Samba fails to build with glibc 2.36 caused by including
<sys/mount.h> in libreplace (Samba#15132).
+ SMB1 negotiation can fail to handle connection errors (Samba#15152).
+ samba-tool domain join segfault when joining a samba ad domain (Samba#15078).
- Add support (Heimdal only) of "ignore requester sid" global option for the
correct operation of trust relationships with older versions of MS AD without
KB5008380 Authentication updates (CVE-2021-42287).
- Update to latest stable release of Samba 4.16
- Major fixes:
+ New samba-dcerpcd binary to provide DCERPC in the member server setup.
+ Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support.
+ Certificate Auto Enrollment support with internal group policy mechanism.
+ Ability to add ports to dns forwarder addresses in internal DNS backend.
+ Older SMB1 protocol SMBCopy command removed.
+ SMB1 server-side wildcard expansion removed.
+ SMB1 protocol has been deprecated, particularly older dialects.
+ No longer using Linux mandatory locks for sharemodes.
- Add support of ALT releases in rpmdev-bumpspec
- Adapt the first spectemplates for ALT: dummy, lib and minimal
- Adapt rpmdev-newspec to support ALT-specific rpm
- Update to security release of Samba 4.15
- Security fixes:
+ CVE-2022-2031: Samba AD users can bypass certain restrictions associated
with changing passwords (Samba#15047).
+ CVE-2022-32744: Samba AD users can forge password change requests for any
user (Samba#15074).
+ CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
or modify request (Samba#15008).
+ CVE-2022-32746: Samba AD users can induce a use-after-free in the server
process with an LDAP add or modify request (Samba#15009).
+ CVE-2022-32742: Server memory information leak via SMB1 (Samba#15085).
- Update to maintenance release of Samba 4.15 with latest bugfixes:
+ Setting fruit:resource = stream in vfs_fruit causes a panic (Samba#15099).
+ Fix logging dsdb audit to specific files (Samba#15076).
+ Fix vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had
been deleted (Samba#15069).
+ Remove netgroups support (Samba#15087).
+ Fix smbclient commands del & deltree fail with
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS (Samba#15100).
+ Fix out-by-4 error in smbd read reply max_send clamp (Samba#14443).
+ s3:libads: Check if we have a valid sockaddr (Samba#15106).
+ smbd: Make non_widelink_open() robust for non-cwd dirfsp (Samba#15105).
- Update to latest 2.7 major release:
+ CLIENT: use thread local storage for socket to avoid the need for a lock.
+ SSS_CLIENT: got rid of code duplication.
+ SSS_CLIENT: mem-cache: fixed missing error code.
+ PAM P11: fixed minor mem-leak.