Bug 13600 (CVE-2018-14629) - [SECURITY] CVE-2018-14629 CNAME loops in Samba AD DC DNS server
Summary: [SECURITY] CVE-2018-14629 CNAME loops in Samba AD DC DNS server
Status: RESOLVED FIXED
Alias: CVE-2018-14629
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.8.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 13663
  Show dependency treegraph
 
Reported: 2018-09-03 03:17 UTC by Aaron Haslett (dead mail address)
Modified: 2022-02-01 02:54 UTC (History)
10 users (show)

See Also:


Attachments
CVE for cname loop bug (1.18 KB, text/plain)
2018-09-03 05:23 UTC, Aaron Haslett (dead mail address)
no flags Details
Work in progress patch. (6.80 KB, patch)
2018-10-24 01:05 UTC, Aaron Haslett (dead mail address)
no flags Details
patch for 4.7 with CVE (2.83 KB, patch)
2018-11-06 01:22 UTC, Andrew Bartlett
dbagnall: review+
Details
patch for master with CVE (7.15 KB, patch)
2018-11-06 01:23 UTC, Andrew Bartlett
no flags Details
patch for 4.8 with CVE (2.83 KB, patch)
2018-11-06 01:24 UTC, Andrew Bartlett
dbagnall: review+
Details
patch for 4.9 with CVE (2.78 KB, patch)
2018-11-06 01:24 UTC, Andrew Bartlett
dbagnall: review+
Details
updated advisory with release versions (1.58 KB, text/plain)
2018-11-06 03:41 UTC, Andrew Bartlett
no flags Details
revised patch for master using size_t (4.16 KB, patch)
2018-11-07 22:48 UTC, Douglas Bagnall
no flags Details
revised patch for master using size_t (7.13 KB, patch)
2018-11-07 23:07 UTC, Douglas Bagnall
abartlet: review+
Details
patch for 4.7 with CVE (v2) (3.55 KB, patch)
2018-11-08 01:12 UTC, Andrew Bartlett
abartlet: review? (garming)
dbagnall: review+
asn: review+
Details
patch for master with CVE (v2) (9.01 KB, patch)
2018-11-08 01:59 UTC, Andrew Bartlett
dbagnall: review+
dbagnall: review+
asn: review+
Details
patch for master (v3 asn01) (10.68 KB, patch)
2018-11-13 08:12 UTC, Andreas Schneider
no flags Details
patch for 4.9 with CVE (v2) (3.50 KB, patch)
2018-11-19 20:35 UTC, Andrew Bartlett
garming: review+
Details
patch for 4.8 with CVE (v2) (3.55 KB, patch)
2018-11-19 20:37 UTC, Andrew Bartlett
garming: review+
Details
possible patch for 4.5 (13.84 KB, patch)
2018-11-21 04:57 UTC, Andrew Bartlett
no flags Details
Tested patch for 4.5 (6.83 KB, patch)
2018-11-23 01:42 UTC, Andrew Bartlett
abartlet: review+
Details
Possible regression fix for master (1.59 KB, patch)
2018-11-28 14:32 UTC, Stefan Metzmacher
slow: review+
Details
Possible regression fix for v4-9-test (1.59 KB, patch)
2018-11-28 14:33 UTC, Stefan Metzmacher
slow: review+
Details
Possible regression fix for v4-8-test (1.59 KB, patch)
2018-11-28 14:34 UTC, Stefan Metzmacher
slow: review+
Details
Possible regression fix for v4-7-test (1.59 KB, patch)
2018-11-28 14:34 UTC, Stefan Metzmacher
slow: review+
Details
WIP patch counting CNAMEs not answers (7.22 KB, patch)
2018-11-29 05:31 UTC, Douglas Bagnall
no flags Details
Possible regression fix for master (v2) (4.77 KB, patch)
2018-11-29 07:00 UTC, Stefan Metzmacher
dbagnall: review+
Details
tests exposing regression (3.74 KB, patch)
2018-11-30 05:55 UTC, Aaron Haslett (dead mail address)
no flags Details
tests exposing regression v2 (4.74 KB, patch)
2018-12-03 03:24 UTC, Aaron Haslett (dead mail address)
no flags Details
tests exposing regression v3 (6.31 KB, patch)
2018-12-03 04:21 UTC, Aaron Haslett (dead mail address)
dbagnall: review+
metze: review+
Details
combined fix, regression fix and test patch for 4.5 (17.62 KB, patch)
2018-12-05 04:12 UTC, Andrew Bartlett
no flags Details
combined fix, regression fix and test patch for 4.9 (12.67 KB, patch)
2018-12-06 01:04 UTC, Andrew Bartlett
abartlet: review? (garming)
metze: review+
Details
combined fix, regression fix and test patch for 4.7 (12.62 KB, patch)
2018-12-06 01:13 UTC, Andrew Bartlett
abartlet: review? (garming)
metze: review+
Details
combined fix, regression fix and test patch for 4.8 (12.62 KB, patch)
2018-12-07 08:32 UTC, Andrew Bartlett
metze: review+
Details
advisory text (v03) (1.55 KB, text/plain)
2022-02-01 00:13 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron Haslett (dead mail address) 2018-09-03 03:17:35 UTC
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

Samba allows any user with write permissions on a zone to create a CNAME loop by, for example, adding a CNAME record with name "www" and data "www.zone.com" where "zone.com" is the name of the zone.  It's not possible to create a CNAME record as a low level user with samba-tool but it is possible using the ldbadd tool, so this bug is security level 6.5.

Steps (replace "domain.com" with your root domain):
1. samba-tool user create fred -UAdministrator
2. samba-tool dns add localhost domain.com www CNAME www.domain.com -UAdministrator
3. ldbsearch -H ldap://localhost -UAdministrator --cross-ncs '(&(name=www)(objectClass=dnsNode))' > dump.ldif
4. Open dump.ldif and delete non-ldif related lines and the GUID line.
5. ldbadd -H ldap://localhost dump.ldif -Ufred
6. host www.domain.com

DNS will crash, as a result of a loop-causing record that was last added by an unprivileged user.

To fix, query procedures need to be modified to include maximum query depth mechanisms (believed to be 20 on windows).  Relevant query procedures are in:
1. DNS RPC server (EnumRecords and EnumRecords2)
2. Internal DNS server
3. dlz_bind9 plugin code
4. Common dynamic DNS server code

Testing must also be conducted on a bind9 setup.
Comment 1 Aaron Haslett (dead mail address) 2018-09-03 05:23:43 UTC
Created attachment 14460 [details]
CVE for cname loop bug
Comment 2 Aaron Haslett (dead mail address) 2018-09-04 22:22:16 UTC
Created attachment 14476 [details]
CVE for cname loop bug
Comment 3 Aaron Haslett (dead mail address) 2018-09-05 01:20:40 UTC
Created attachment 14478 [details]
Completed CVE for cname loop bug
Comment 4 Aaron Haslett (dead mail address) 2018-10-24 01:05:29 UTC
Created attachment 14537 [details]
Work in progress patch.

Work in progress patch.
Comment 5 Andrew Bartlett 2018-11-06 01:22:36 UTC
Created attachment 14572 [details]
patch for 4.7 with CVE
Comment 6 Andrew Bartlett 2018-11-06 01:23:35 UTC
Created attachment 14573 [details]
patch for master with CVE
Comment 7 Andrew Bartlett 2018-11-06 01:24:06 UTC
Created attachment 14574 [details]
patch for 4.8 with CVE
Comment 8 Andrew Bartlett 2018-11-06 01:24:52 UTC
Created attachment 14575 [details]
patch for 4.9 with CVE
Comment 9 Andrew Bartlett 2018-11-06 03:41:34 UTC
Created attachment 14594 [details]
updated advisory with release versions
Comment 10 Andrew Bartlett 2018-11-06 17:53:12 UTC
Sadly the patches don't currently pass their own tests.

Further investigation needed:

[3(104)/18 at 1m27s, 1 errors] samba.tests.dns(vampire_dc:local)
Won't reply to replies.
dns_process returned WERR_INVALID_PARAMETER
UNEXPECTED(failure): samba.tests.dns.__main__.TestComplexQueries.test_cname_loop(vampire_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/data/samba/SECURITY/samba-security-wip/python/samba/tests/dns.py", line 853, in test_cname_loop
    self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
  File "/data/samba/SECURITY/samba-security-wip/python/samba/tests/dns.py", line 700, in make_dns_update
    self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
  File "/data/samba/SECURITY/samba-security-wip/bin/python/samba/tests/dns_base.py", line 73, in assert_dns_rcode_equals
    (self.errstr(rcode), self.errstr(p_errcode)))
AssertionError: Expected RCODE OK, got REFUSED
dsdb_match_for_dns_to_tombstone_time: unauthorised access
envlog: SAMBA LOG of: LOCALVAMPIREDC pid 16022
Won't reply to replies.
dns_process returned WERR_INVALID_PARAMETER
dsdb_match_for_dns_to_tombstone_time: unauthorised access

command: python /data/samba/SECURITY/samba-security-wip/python/samba/tests/dns.py $SERVER $SERVER_IP --machine-pass -U"$USERNAME%$PASSWORD" --workgroup=$DOMAIN $LOADLIST  2>&1  | python /data/samba/SECURITY/samba-security-wip/selftest/filter-subunit --fail-on-empty --prefix="samba.tests.dns." --suffix="(vampire_dc:local)"
expanded command: python /data/samba/SECURITY/samba-security-wip/python/samba/tests/dns.py localvampiredc 127.0.0.22 --machine-pass -U"Administrator%locDCpass1" --workgroup=SAMBADOMAIN $LOADLIST  2>&1  | python /data/samba/SECURITY/samba-security-wip/selftest/filter-subunit --fail-on-empty --prefix="samba.tests.dns." --suffix="(vampire_dc:local)"
ERROR: Testsuite[samba.tests.dns(vampire_dc:local)]
REASON: Exit code was 1
Comment 11 Douglas Bagnall 2018-11-07 22:48:17 UTC
Created attachment 14631 [details]
revised patch for master using size_t

strlen and strncmp deal with size_t rather than int. It probably makes no difference here but we might as well get it right.
Comment 12 Douglas Bagnall 2018-11-07 22:52:28 UTC
(In reply to Douglas Bagnall from comment #11)

The 4.[789] patches are not affected as they don't have this bit.
Comment 13 Douglas Bagnall 2018-11-07 23:07:15 UTC
Created attachment 14632 [details]
revised patch for master using size_t

The patch I meant to attach, using size_t instead of int, because that is what the functions use.
Comment 14 Douglas Bagnall 2018-11-08 01:10:28 UTC
Created attachment 14634 [details]
updated advisory with minor grammatical and formatting changes.
Comment 15 Andrew Bartlett 2018-11-08 01:12:07 UTC
Created attachment 14635 [details]
patch for 4.7 with CVE (v2)
Comment 16 Andrew Bartlett 2018-11-08 01:59:30 UTC
Created attachment 14636 [details]
patch for master with CVE (v2)
Comment 17 Karolin Seeger 2018-11-12 08:13:55 UTC
I need a second "review +" here, please.
Comment 18 Andreas Schneider 2018-11-12 08:37:09 UTC
Why is the patch with cname_self_reference() not in the backport?
Comment 19 Andrew Bartlett 2018-11-12 17:17:45 UTC
(In reply to Andreas Schneider from comment #18)
The DCE/RPC dnsserver set-time protections are a user-visible tool change that do not provide protection (due to direct LDAP access being available), but instead just make things nicer to the administrator.

Windows does not have these protections, and even if it did it just checks for a trivial loop back to itself, not a more complex loop.

Therefore this additional comfort feature is just introduced in the next major release.
Comment 20 Andrew Bartlett 2018-11-12 17:18:42 UTC
(In reply to Karolin Seeger from comment #17)
Just on the master patch, or am I confused about the rules here?
Comment 21 Karolin Seeger 2018-11-13 07:44:52 UTC
(In reply to Andrew Bartlett from comment #20)
No, for each release series, please.
The patches might be different...
It also happened before that a patch for master applied cleanly on the release branches and was wrong there.
Comment 22 Andrew Bartlett 2018-11-13 08:08:26 UTC
(In reply to Karolin Seeger from comment #21)
I'm still confused.  Douglas added the additional review today.

What more do you need?

The patches for 4.7, 4.8 and 4.9 are identical (I compared the patch files before setting that title).
Comment 23 Andreas Schneider 2018-11-13 08:12:18 UTC
Created attachment 14649 [details]
patch for master (v3 asn01)

For master the additional patch has long lines and doesn't use helper variables. See the attached patch.
Comment 24 Karolin Seeger 2018-11-13 08:16:50 UTC
(In reply to Andrew Bartlett from comment #22)
Nothing more now, thanks. :-)
Just wanted to state that 2 "review +" from team members are needed for each patch. We can discuss that, if you like.
Comment 25 Andrew Bartlett 2018-11-13 08:20:49 UTC
(In reply to Andreas Schneider from comment #23)

To do that you will need to do all the required re-testing of your modified patch, and re-spin or obsolete the series patch on the master bug.

Sadly I'm right out of time to spend on this.  

Given the nature of the change, can I suggest this be done as an additional patch in master once this is out of embargo?

If you are still keen to do this under the embargo, I can however get you access to the private gitlab server when I'm in the office tomorrow. 

Sorry,

Andrew Bartlett
Comment 26 Andrew Bartlett 2018-11-13 08:21:27 UTC
(In reply to Karolin Seeger from comment #24)
Uploader and reviewer is the rule, right?
Comment 27 Karolin Seeger 2018-11-13 08:27:03 UTC
(In reply to Andrew Bartlett from comment #26)
Works for me, but I prefer the explicit "review +".
Comment 28 Douglas Bagnall 2018-11-13 20:41:23 UTC
Comment on attachment 14649 [details]
patch for master (v3 asn01)

Andreas, I think you meant to squash this one:

From: Andreas Schneider <asn@samba.org>
Date: Tue, 13 Nov 2018 09:01:16 +0100
Subject: [PATCH 2/3] SQ

The changes there do improve the coding style, but I certainly understand Andrew's desire to avoid another cascade of pre-security testing, and also think this would work as a post-release patch.

Aaron: note Andreas' changes.
Comment 29 Douglas Bagnall 2018-11-13 20:44:46 UTC
(In reply to Douglas Bagnall from comment #28)

> this would work as a post-release patch.

Of course this is true of the whole extra master patch.
Comment 30 Karolin Seeger 2018-11-16 10:33:51 UTC
Opening bug report for vendors.
Planned release date is Tuesday, November 27 2018.
Comment 31 Mathieu Parent 2018-11-19 12:06:23 UTC
Patch doesn't apply cleanly on v4-9 (in python/samba/tests/dns.py). Easy to fix, but strange. On which baseline did you test?
Comment 32 Andrew Bartlett 2018-11-19 17:57:07 UTC
(In reply to Mathieu Parent from comment #31)
Testing was against the v4-9-test branch.
Comment 33 Andrew Bartlett 2018-11-19 20:35:54 UTC
Created attachment 14667 [details]
patch for 4.9 with CVE (v2)
Comment 34 Andrew Bartlett 2018-11-19 20:37:10 UTC
Created attachment 14668 [details]
patch for 4.8 with CVE (v2)
Comment 35 Andrew Bartlett 2018-11-19 20:39:41 UTC
Comment on attachment 14635 [details]
patch for 4.7 with CVE (v2)

I've split out the patches to be distinct for 4.7, 4.8 and 4.9. 

These are the patches that were tested, I was not correct when I said that 4.9 was identical to the the 4.8 / 4.7 patches. 

Sorry,

Andrew Bartlett
Comment 36 Andrew Bartlett 2018-11-21 04:57:13 UTC
Created attachment 14670 [details]
possible patch for 4.5

This is a backport to 4.5.  It is unclear to me why the tevent changes are needed, but they seem to be required.   This applies and works on samba 4.5.0rc1 but not v4-5-test currently (or the tests flap, which is just as likely).
Comment 37 Andrew Bartlett 2018-11-21 19:09:08 UTC
(In reply to Andrew Bartlett from comment #36)
I'm taking a break from this for a day to try and attack it again with a clear head tomorrow.

Things to check:
 - Confirm the stability or otherwise of the tests (make test TESTS=samba.tests.dns) without any changes
 - Confirm the stability or otherwise of the tests (make test TESTS=samba.tests.dns) with just the tevent changes
 - Confirm the behaviour with only the new test (no tevent changes, no fix)
 - Confirm the behaviour with only the fix
 - Confirm the behaviour with only the fix and new test
 - Confirm the behaviour with the fix, new test and tevent changes

The existing CNAME tests (regarding CNAME lookups for forwarded names) are where the failures are being seen, not the test for the actual fix.
Comment 38 Mathieu Parent 2018-11-22 05:32:24 UTC
(In reply to Andrew Bartlett from comment #37)
Thanks for this backport.

However, it seems that the [PATCH 4/4] header is missing, and it tries to patch selftest/knownfail.d/dns which doesn't exists.
Comment 39 Andrew Bartlett 2018-11-22 06:10:34 UTC
(In reply to Mathieu Parent from comment #38)
Yeah, very much a WIP.  I was bisecting back from where it fully passed to samba-4.5.0rc1.

Because we introduced the knownfail.d concept during development of Samba 4.6 so some had that file and some did not (so I patched selftest/knownfail instead). 

Hopefully I get to a more acceptable situation tomorrow.
Comment 40 Andrew Bartlett 2018-11-23 01:42:28 UTC
Created attachment 14685 [details]
Tested patch for 4.5

This should be the correct patch for Samba 4.5, currently undergoing a full autobuild.

The confusion with the 4.5 backport came from:
 - changes in the API used by the test
 - flappy tests during 4.5 for other, unrelated CNAME behaviour
Comment 41 Douglas Bagnall 2018-11-23 02:37:39 UTC
Comment on attachment 14685 [details]
Tested patch for 4.5

The fix is exactly the same, and I trust the tests.

This bit will have no effect:

>--- /dev/null
>+++ b/selftest/knownfail.d/dns
>@@ -0,0 +1,5 @@
>+#
>+# rodc and vampire_dc require signed dns updates, so the test setup
>+# fails, but the test does run on fl2003dc
>+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
>+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
Comment 42 Andrew Bartlett 2018-11-23 06:38:09 UTC
Comment on attachment 14685 [details]
Tested patch for 4.5

The patch passed a full autobuild on the Catalyst Cloud
Comment 43 Karolin Seeger 2018-11-27 09:34:28 UTC
Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address these defects.
Comment 44 Karolin Seeger 2018-11-27 09:36:55 UTC
Pushed to autobuild-master.
Comment 45 Stefan Metzmacher 2018-11-28 14:09:13 UTC
The patches introduce a regression, when there're more than 20 records on
a non CNAME record.

This happens in domains with more than 20 DCs.
Comment 46 Stefan Metzmacher 2018-11-28 14:32:46 UTC
Created attachment 14691 [details]
Possible regression fix for master
Comment 47 Stefan Metzmacher 2018-11-28 14:33:30 UTC
Created attachment 14692 [details]
Possible regression fix for v4-9-test
Comment 48 Stefan Metzmacher 2018-11-28 14:34:19 UTC
Created attachment 14693 [details]
Possible regression fix for v4-8-test
Comment 49 Stefan Metzmacher 2018-11-28 14:34:56 UTC
Created attachment 14694 [details]
Possible regression fix for v4-7-test
Comment 50 Andrew Bartlett 2018-11-28 17:08:05 UTC
(In reply to Stefan Metzmacher from comment #46)
Thanks for that.

However we are going to need a test to make sure we don't stumble on it again.

Drat.

I'll see if someone on my team can look into that this afternoon.
Comment 51 Andrew Bartlett 2018-11-28 23:07:10 UTC
(In reply to Andrew Bartlett from comment #50)
Test cases needed:

 - 21 A records
 - 21 AAAA records
 - CNAME to name with 21 A records
 - 21 SRV records
 - SRV record to name with 21 A records 
 - SRV record to CNAME loop
Comment 52 Douglas Bagnall 2018-11-29 05:31:22 UTC
Created attachment 14696 [details]
WIP patch counting CNAMEs not answers

We are working on tests.

Through not reading the bug properly I created another fix, which I don't prefer over metze's "possible regression fix" if metze's one works.
Comment 53 Stefan Metzmacher 2018-11-29 06:29:54 UTC
Comment on attachment 14696 [details]
WIP patch counting CNAMEs not answers

I like the idea and also thought about that, but I needed a quick solution
in order to fix customer problems.

Please use size_t instead of 'uint'
and don't pass *cname_count to add_response_rr(), we can increment
it in the caller.

Should we rename cname_count to cname_depth?
And we always need to pass down the value and not a pointer.
Maybe we don't even need to store it on state.
Comment 54 Stefan Metzmacher 2018-11-29 07:00:36 UTC
Created attachment 14697 [details]
Possible regression fix for master (v2)
Comment 55 Karolin Seeger 2018-11-29 07:50:10 UTC
(In reply to Karolin Seeger from comment #44)
Pushed initial fix to master (not the regression fix).
Comment 56 Douglas Bagnall 2018-11-29 21:34:26 UTC
Comment on attachment 14697 [details]
Possible regression fix for master (v2)

That is much simpler and better.
Comment 57 Douglas Bagnall 2018-11-29 21:35:43 UTC
(In reply to Douglas Bagnall from comment #56)

Though it will need this:

-	if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
-		tevent_req_done(req);
-		return tevent_req_post(req, ev);
-	}
Comment 58 Aaron Haslett (dead mail address) 2018-11-30 05:55:55 UTC
Created attachment 14704 [details]
tests exposing regression

Thanks for all the work guys, sorry for my newbie mistake.  Here's 4 out of 6 of the tests described by Andrew above.  The tests fail on the original patch, pass with Stefan's quick fix, and also pass with the more thorough patch (attachment 14697 [details]).

The last two suggested SRV tests don't help because it turns out in samba we don't do server-side following of SRV records even if the target is something in our database.  I will figure out whether this is intended behaviour on Monday.  Either way, not relevant to this discussion.

Thanks again.
Comment 59 Stefan Metzmacher 2018-11-30 09:07:46 UTC
(In reply to Douglas Bagnall from comment #57)

> Though it will need this:
>
> -	if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
> -		tevent_req_done(req);
> -		return tevent_req_post(req, ev);
> -	}

I don't understand that.

We don't need to move that, because we only increment cname_depth below
and for the non CNAME cname_depth will always be 0.
Comment 60 Douglas Bagnall 2018-12-01 07:12:41 UTC
(In reply to Stefan Metzmacher from comment #59)

I don't understand it either now.

Clearly it was too early in the morning.
Comment 61 Aaron Haslett (dead mail address) 2018-12-03 03:24:37 UTC
Created attachment 14711 [details]
tests exposing regression v2

Here's a new test patch version with a new test to make sure queries with qtype=ANY don't break any assumptions.  As it turns out, ANY queries don't follow CNAME records.
Comment 62 Aaron Haslett (dead mail address) 2018-12-03 04:21:46 UTC
Created attachment 14712 [details]
tests exposing regression v3

Adding knownfails for test environments that don't allow unsigned DNS updates.
Comment 63 Douglas Bagnall 2018-12-03 04:57:39 UTC
Comment on attachment 14712 [details]
tests exposing regression v3

The tests look correct and work as expected.

Both of metze's patches pass; master fails.
Comment 64 Stefan Metzmacher 2018-12-03 08:18:52 UTC
Comment on attachment 14712 [details]
tests exposing regression v3

Douglas can you push my 2nd version and these tests to master, so that we
can backport them from there?

Thanks!
metze
Comment 65 Andrew Bartlett 2018-12-05 04:12:19 UTC
Created attachment 14717 [details]
combined fix, regression fix and test patch for 4.5
Comment 66 Andrew Bartlett 2018-12-05 04:12:47 UTC
Comment on attachment 14717 [details]
combined fix, regression fix and test patch for 4.5

This passed a full autobuild on the Catalyst Cloud
Comment 67 Andrew Bartlett 2018-12-05 04:29:44 UTC
Regression fix and test patches for 4.7, 4.8 and 4.9 are under test here:

https://gitlab.com/samba-team/samba/merge_requests/134
https://gitlab.com/samba-team/samba/merge_requests/135
https://gitlab.com/samba-team/samba/merge_requests/136

Feel free to upload and approve those once the CI passes.
Comment 68 Andrew Bartlett 2018-12-06 01:04:35 UTC
Created attachment 14719 [details]
combined fix, regression fix and test patch for 4.9
Comment 69 Andrew Bartlett 2018-12-06 01:13:30 UTC
Created attachment 14720 [details]
combined fix, regression fix and test patch for 4.7

This starts at 3/4 because it was tested on top of attachment 14683 [details] of bug 13689 (needed for testing).
Comment 70 Andrew Bartlett 2018-12-06 01:21:27 UTC
(In reply to Andrew Bartlett from comment #67)
4.7 and 4.9 passed, 4.8 flapped and is being re-tested.
Comment 71 Andrew Bartlett 2018-12-07 08:32:07 UTC
Created attachment 14724 [details]
combined fix, regression fix and test patch for 4.8

Note, at the end of my work week I've been unable to get this patch to pass the full pipeline on GitLab CI due to unrelated flapping tests.

https://gitlab.com/samba-team/devel/samba/pipelines/38990590

Rather than persist at this, please push via a normal autobuild on sn-devel.
Comment 72 Karolin Seeger 2018-12-07 10:39:49 UTC
(In reply to Andrew Bartlett from comment #71)
Thanks, Andrew!
Pushed to v4-{9,8,7}-autobuild.
Comment 73 Karolin Seeger 2018-12-11 09:52:04 UTC
Pushed to all branches.
Closing out bug report.

Thanks!
Comment 74 Andrew Bartlett 2022-02-01 00:13:03 UTC
Created attachment 17140 [details]
advisory text (v03)
Comment 76 Andrew Bartlett 2022-02-01 02:54:07 UTC
Removing samba-vendor CC.  Please subscribe individually if you wish to follow this old and not terribly exciting security bug.

I do apologise for the noise.