OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2016.05 2016-05-16T19:25:42+00:00 2016-05-16T19:25:42+00:00 Yann E. MORIN yann.morin.1998@free.fr 2016-05-16T11:52:30+00:00 urn:sha1:c6b4a5fcc4a94d3182c11665ffa6e0531addf053 With systemd, samba4 will need some special temporary files to be created on each boot, as explained in: packaging/systemd/README Install the provided template file as configuration. However, this is not enough, as even the log directory is a tmpfs in the default Buildroot configuration, so we must also create the log directory on each boot. Hence we append this to the template installed above. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-05-02T15:19:19+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-05-02T12:21:08+00:00 urn:sha1:31acaf78c56d730620cc6982a78c84711d06aaf5 Fixes a few regressions from the previous security bump. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-04-12T21:12:42+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-04-12T20:34:50+00:00 urn:sha1:8e3268a0b93f0dabb16f79b0be6e1d4c98740cc1 Fixes: CVE-2016-2118 - A man in the middle can intercept any DCERPC traffic between a client and a server in order toimpersonate the client and get the same privileges as the authenticated user account. CVE-2016-2115 - The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn't enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible. CVE-2016-2114 - Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured. CVE-2016-2113 - Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://). CVE-2016-2112 - A man in the middle is able to downgrade LDAP connections to no integrity protection. It's possible to attack client and server with this. CVE-2016-2111 - When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic. CVE-2016-2110 - The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. CVE-2015-5370 - Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-25T21:38:41+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-25T15:51:33+00:00 urn:sha1:c5977118cdd07e12c099c9aa6623aaa4860cdd79 The --with-gettext=X configure option was silently dropped from the 4.4.0 release and it errors out since it's unknown. Fixes: http://autobuild.buildroot.net/results/3c0/3c0800fd6cc7a217a866cd9cf63d5f91dcbfd306/ Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-24T21:44:14+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-23T19:24:31+00:00 urn:sha1:a58a4ec0355ae53be4eb6b46534eb03d012a5f37 libaio support is now automatic so drop the enable/disable (it will fall back to pthread aio if libaio is not present). 0002-build-improve-stack-protector-check.patch is upstream so remove it. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-03-16T21:19:36+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-16T14:34:40+00:00 urn:sha1:74e0ba60f79e04d7147bd6d2a4a1797c605542ac Even though it's inherited by the python dependency it's more clear this way for graph-depends, since it's used by the waf buildsystem. And even though we have a hard dependency on python for the distro this python could ostensibly be 3.x which isn't compatible with the bundled waf series (1.5.x) in samba (as of current shipping version and upcoming 4.4.x series). Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-15T21:45:06+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-11T14:32:19+00:00 urn:sha1:7bd9dbc13af7e03747f52e9d1fd52fc863696bf6 It's been deprecated for a year now so remove it. [Peter: drop !samba dependency from samba4] Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-08T21:33:23+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-08T21:31:20+00:00 urn:sha1:52be26e90c08caf78617deb4f1af6746af0f5b95 Fixes: CVE-2015-7560 - Authenticated client could cause Samba to overwrite ACLs with incorrect owner/group. CVE-2016-0771 - Malicious request can cause the Samba internal DNS server to crash or unintentionally return uninitialized memory. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-02T20:25:00+00:00 Peter Korsgaard peter@korsgaard.com 2016-03-02T20:25:00+00:00 urn:sha1:28cd1ed30aa4959c744ee37a6070cf22a66fb31f Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-02-23T20:26:41+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-02-23T17:34:02+00:00 urn:sha1:0cf5ac0e76cc20aac6278e4031eeced236b8f0c4 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>