A security release is tentatively planned for November 20th 2018
Created attachment 14580: combined patch for master
Created attachment 14581: combined patch for 4.9
Created attachment 14582: combined patch for 4.8
Created attachment 14583: combined patch for 4.7
The patches here are uploaded to facilitate an autobuild of all four trees of the combined branch. The authoritative patches are in the other bugs.
Created attachment 14585: combined patch for master (v2)
Created attachment 14586: combined patch for master (v3)
Created attachment 14587: combined patch for 4.9 (v3)
Created attachment 14588: combined patch for 4.8 (v3)
Created attachment 14589: combined patch for 4.7 (v3)
Created attachment 14592: combined patch for master (v4)
The 4.9 patches needed re-spinning
Created attachment 14593: combined patch for 4.9 (v4)
Created attachment 14601: combined patch for master (v5)
Created attachment 14602: combined patch for 4.9 (v5)
Created attachment 14608: combined patch for master (v6)
Created attachment 14609: combined patch for 4.9 (v6)
Created attachment 14610: combined patch for 4.8 (v6)
Created attachment 14611: combined patch for 4.7 (v6)
Created attachment 14612: combined patch for master (v7)
Created attachment 14618: combined patch for master (v8)
Created attachment 14619: combined patch for 4.9 (v8)
Created attachment 14620: combined patch for 4.8 (v8)
Created attachment 14621: combined patch for 4.7 (v8)
Created attachment 14622: script to produce patches
This script helps me produce all the right patches, given git branches
The patches for Samba 4.8 passed a private autobuild
The patches for Samba 4.9 passed a private autobuild
The v8 patches have now passed on 4.7, 4.8 and 4.9.
Created attachment 14637: combined patch for master (v9) excluding CVE-2018-16857
Created attachment 14638: combined patch for 4.9 (v9) excluding CVE-2018-16857
This security release is ready. All the component patches are signed off (this is just a summary set).
(In reply to Andrew Bartlett from comment #29) The 4.9 patch (v9) passed a full autobuild
Comment on attachment 14637: combined patch for master (v9) excluding CVE-2018-16857
I can confirm that the master patch amounts to the sum of the constituent bugs. I didn't have time to do the same for 4.9.
Waiting for "review +" flags here.
(In reply to Karolin Seeger from comment #33) These are 'just' the roll-up (but on the inverse, they are what I ran the autobuild on). The reviews are all set on the patches for the release versions on the bugs.
Comment on attachment 14621: combined patch for 4.7 (v8)
Summarising the backport patches:
* 4.7 and 4.8 are the same.
* 4.9 adds the CVE-2018-16852 DNS NULL pointer deref patch (and a trivial whitespace change)
* master adds the MIT krb5 warning and the self-referencing CNAME "comfort" patch.
Please note the combined patches (originally created to aid autobuild runs) do not include the patches for CVE-2018-16857. This is deliberate.
Opening bug report for vendors. Planned release date is Tuesday, November 27 2018.
Comment on attachment 14637: combined patch for master (v9) excluding CVE-2018-16857
This name change on the patch description just clarifies the earlier comment where it might be noticed by vendors in a rush. This last CVE was added after final testing of the main set was completed, and was tested independently.
(In reply to Andrew Bartlett from comment #38) Additionally, CVE-2018-16857 is a 4.9/master only issue.
Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address these defects.