OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2016.08 2016-07-08T08:57:25+00:00 2016-07-08T08:57:25+00:00 Bernd Kuhls bernd.kuhls@t-online.de 2016-07-07T21:14:01+00:00 urn:sha1:c4872a4b6f999432a2aec162ec7274c5b068c64c Fixes CVE-2016-2119 https://www.samba.org/samba/security/CVE-2016-2119.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-07-02T16:50:36+00:00 Maxime Hadjinlian maxime.hadjinlian@gmail.com 2016-07-02T16:21:31+00:00 urn:sha1:3768a98f21d33d53f6358568388e6a3228bec291 Per the documentation: https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html The order of path by priorites is: /etc/tmpfiles.d/*.conf /run/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/*.conf For the user to be able to override our tmpfiles easily, it's better to place our files in /usr/lib/tmpfiles.d/ Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-06-08T05:55:19+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-06-07T23:48:44+00:00 urn:sha1:8d019a7450075539f1ea67dfbc7622ec055698f4 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-06-01T15:55:16+00:00 Peter Korsgaard peter@korsgaard.com 2016-06-01T15:55:16+00:00 urn:sha1:577021e81b0bf894d26d8127822410267b2bb411 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-05-26T20:08:36+00:00 Thomas Petazzoni thomas.petazzoni@free-electrons.com 2016-05-17T21:19:16+00:00 urn:sha1:cfa73104fa8cc12925b56a482e7bd4b200f6be9e Now that .py files are globally compiled into .pyc files, we can get rid of the samba4 specific logic doing this compilation. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-05-16T19:25:42+00:00 Yann E. MORIN yann.morin.1998@free.fr 2016-05-16T11:52:30+00:00 urn:sha1:c6b4a5fcc4a94d3182c11665ffa6e0531addf053 With systemd, samba4 will need some special temporary files to be created on each boot, as explained in: packaging/systemd/README Install the provided template file as configuration. However, this is not enough, as even the log directory is a tmpfs in the default Buildroot configuration, so we must also create the log directory on each boot. Hence we append this to the template installed above. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-05-02T15:19:19+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-05-02T12:21:08+00:00 urn:sha1:31acaf78c56d730620cc6982a78c84711d06aaf5 Fixes a few regressions from the previous security bump. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-04-12T21:12:42+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-04-12T20:34:50+00:00 urn:sha1:8e3268a0b93f0dabb16f79b0be6e1d4c98740cc1 Fixes: CVE-2016-2118 - A man in the middle can intercept any DCERPC traffic between a client and a server in order toimpersonate the client and get the same privileges as the authenticated user account. CVE-2016-2115 - The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn't enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible. CVE-2016-2114 - Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured. CVE-2016-2113 - Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://). CVE-2016-2112 - A man in the middle is able to downgrade LDAP connections to no integrity protection. It's possible to attack client and server with this. CVE-2016-2111 - When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic. CVE-2016-2110 - The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. CVE-2015-5370 - Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-25T21:38:41+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-25T15:51:33+00:00 urn:sha1:c5977118cdd07e12c099c9aa6623aaa4860cdd79 The --with-gettext=X configure option was silently dropped from the 4.4.0 release and it errors out since it's unknown. Fixes: http://autobuild.buildroot.net/results/3c0/3c0800fd6cc7a217a866cd9cf63d5f91dcbfd306/ Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-24T21:44:14+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-23T19:24:31+00:00 urn:sha1:a58a4ec0355ae53be4eb6b46534eb03d012a5f37 libaio support is now automatic so drop the enable/disable (it will fall back to pthread aio if libaio is not present). 0002-build-improve-stack-protector-check.patch is upstream so remove it. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>