From edb15ffef29fbb69a4d1dfc862fe8d6a3a027347 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 May 2012 14:40:48 +1000 Subject: prepare WHATSNEW for alpha20 and mark as release --- WHATSNEW.txt | 78 ++++++++++++++++++++++++++++-------------------------------- 1 file changed, 36 insertions(+), 42 deletions(-) (limited to 'WHATSNEW.txt') diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d58ad09b5b..8798a875cc 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,4 @@ -What's new in Samba 4 alpha19 +What's new in Samba 4 alpha20 ============================= Samba 4.0 will be the next version of the Samba suite and incorporates @@ -7,10 +7,26 @@ stable 3.x series. The primary additional features over Samba 3.6 are support for the Active Directory logon protocols used by Windows 2000 and above. +SECURITY RELEASE +================ + +This is a security release in order to address CVE-2012-2111 +(Incorrect permission checks when granting/removing privileges can +compromise file server security). + +o CVE-2012-2111: + Samba 3.4.x to 3.6.4 are affected by a + vulnerability that allows arbitrary users + to modify privileges on a file server. + +This is in regards to the smbd file server, which is shipped in Samba +4.0 alpha. The AD DC is not directly impacted, as the LSA +implementation differs. + WARNINGS ======== -Samba4 alpha19 is not a final Samba release, however we are now making +Samba4 alpha20 is not a final Samba release, however we are now making good progress towards a Samba 4.0 release, of which this is a preview. Be aware the this release contains both the technology of Samba 3.6 (that you can reasonably expect to upgrade existing Samba 3.x releases 
@@ -55,58 +71,42 @@ programs to interface to Samba's internals, and many tools and internal workings of the DC code is now implemented in python. -CHANGES SINCE alpha18 +CHANGES SINCE alpha19 ===================== -For a list of changes since alpha 18, please see the git log. +For a list of changes since alpha 19, please see the git log. $ git clone git://git.samba.org/samba.git $ cd samba.git -$ git log samba-4.0.0alpha18..samba-4.0.0alpha19 +$ git log samba-4.0.0alpha19..samba-4.0.0alpha20 Some major user-visible changes include: -CVE-2012-1182: - Samba 3.0.x to 3.6.3 are affected by a - vulnerability that allows remote code - execution as the "root" user. - -Portability to MacOS X. By using the CC_MD5*() routines we no longer -segfault on MacOS X. - -The source4/librpc layer has been reworked to be much more robust to -connection failures. +Improvements to the 'samba-tool domain samba3upgrade' and +samba_upgradedns tools -security=share in smbd has now been removed. +Stability improvements in the Samba4 winbind implementation (that +used in the AD DC mode). -A segfault in vfs_aio_fork for the smbd file server has been fixed +The BIND 9 DLZ plugin is now compatible with both BIND 9.8, and BIND 9.9. -ldbadd and ldbmodify now handle each ldif file in a single -transaction, when modifying a local ldb. +dbcheck and runtime protection for the fSMORoleOwner attribute. This +allows us to recover from a situation where the fSMORoleOwner is +deleted. -Further improvements to the dlz_bind9 and internal DNS servers. +Support for storing the posixAccount and other auxiliary objectClass +values (the values are not used by Samba as an AD DC at this stage, +but may be used by clients). Some major but less visible changes include: -Initial support for s3fs, using the smbd file server in the AD Domain -controller has been added (but not yet finished, so not exposed) - -Samba now only uses the _FILE_OFFSET_BITS=64 API for accessing large -files, not the _LARGEFILE64_SOURCE API. 
- -All Samba daemons now monitor stdin when launched in the foreground, -and shutdown when stdin is closed. We also ensure that all child -processes are clened up by a similar mechanism. This ensures that -stray processes do not hang around, particularly in make test. - -Further preparation work for moving to TDB2, a new version of Samba's core TDB -database. - -Early implementation work on the SMB 2.2 protocol client and server as +Continued early implementation work on the SMB 2.2 protocol client and server as the team improves and develops support these new protocols. -The last of the old-style krb5 ticket handling has been removed. +Initial work to build Samba using MIT kerberos in the top level waf +build system. This is not complete at this time, but good progress is +being made. KNOWN ISSUES @@ -116,12 +116,6 @@ KNOWN ISSUES from a recent release. No important database format changes have been made since alpha16. -- The BIND 9 DLZ plugin is compatible only with BIND 9.8, not BIND 9.9. - -- Systems with tdb or ldb installed as a system library may have - difficulty building this release of Samba4. The --disable-tdb2 - configure switch may be of assistance. - - Installation on systems without a system iconv (and developer headers at compile time) is known to cause errors when dealing with non-ASCII characters. -- cgit
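Review bot: In the @@ -7,10 +7,26 @@ hunk, the new SECURITY RELEASE section gives an affected range only for the 3.x series ("Samba 3.4.x to 3.6.4") and then says the smbd file server "is shipped in Samba 4.0 alpha", without naming which alpha releases carry the flaw or stating that alpha20 contains the fix. Readers of this file run the 4.0 alphas, so name the affected alpha releases and say explicitly that alpha20 fixes CVE-2012-2111. "Not directly impacted" for the AD DC is also open-ended: either say what indirect exposure is meant or drop "directly". While this paragraph is being touched, the trailing context line "Be aware the this release" has a stray "the".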
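Review bot: In the @@ -55,58 +71,42 @@ hunk, the "Some major user-visible changes include:" list loses its CVE entry without gaining the new one. The removed alpha19 text listed CVE-2012-1182 there, but the alpha20 list does not mention CVE-2012-2111, which now appears only in the SECURITY RELEASE section at the top of the file. Someone who jumps straight to "CHANGES SINCE alpha19" will not see that this release carries a security fix, so add a one-line CVE-2012-2111 entry or a pointer to that section. Two wording points in the same hunk: "develops support these new protocols" is missing "for", and "(that used in the AD DC mode)" would read better as "(the one used in AD DC mode)".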
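Review bot: In the @@ -116,12 +116,6 @@ hunk, two KNOWN ISSUES entries are dropped but only one has a matching entry in the change list. The BIND 9.9 removal is backed by the added line "The BIND 9 DLZ plugin is now compatible with both BIND 9.8, and BIND 9.9.", while nothing in the alpha20 changes says the build difficulty with a system tdb or ldb (and the --disable-tdb2 workaround) has been resolved. Either add a changes entry describing that fix or keep the known issue.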