Bug 15270 (CVE-2023-0614) - CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can be discovered
Summary: CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can...
Status: RESOLVED FIXED
Alias: CVE-2023-0614
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Blocks: 15337
 
Reported: 2022-12-27 07:52 UTC by Douglas Bagnall
Modified: 2023-07-28 12:17 UTC



Attachments
Advisory v1 without release versions (3.27 KB, text/plain)
2023-02-19 21:22 UTC, Andrew Bartlett
no flags Details
Updated v2 advisory (4.31 KB, text/plain)
2023-02-22 23:42 UTC, Andrew Bartlett
jsutton: review+
Details
Advisory v3 (4.80 KB, text/plain)
2023-02-23 00:45 UTC, Andrew Bartlett
no flags Details
Advisory v4 (4.80 KB, text/plain)
2023-02-23 00:48 UTC, Andrew Bartlett
jsutton: review+
Details
Advisory v5 (5.68 KB, text/plain)
2023-02-23 02:22 UTC, Andrew Bartlett
no flags Details
Advisory v6 (6.85 KB, text/plain)
2023-02-23 03:14 UTC, Andrew Bartlett
jsutton: review+
Details
Advisory v7 (7.47 KB, text/plain)
2023-02-24 00:00 UTC, Andrew Bartlett
jsutton: review+
Details
Proposed patch for master v1 (266.30 KB, patch)
2023-02-27 03:55 UTC, Jo Sutton
jsutton: ci-passed+
Details
Patch for master (v2) (300.87 KB, patch)
2023-03-03 05:23 UTC, Andrew Bartlett
abartlet: ci-passed+
Details
Patch v2 backported to Samba 4.18. Includes only the fully required commits. (262.63 KB, patch)
2023-03-06 04:30 UTC, Andrew Bartlett
no flags Details
Patch v2 backported to Samba 4.17. Includes only the fully required commits. (264.70 KB, patch)
2023-03-06 04:33 UTC, Andrew Bartlett
no flags Details
Patch v2 backported to Samba 4.16. Includes only the fully required commits. (265.06 KB, patch)
2023-03-06 04:34 UTC, Andrew Bartlett
no flags Details
Patch for master v3 (302.88 KB, patch)
2023-03-10 02:55 UTC, Andrew Bartlett
abartlet: ci-passed+
Details
Patch v3 backported to Samba 4.18. Includes only the fully required commits. (264.34 KB, patch)
2023-03-10 03:48 UTC, Andrew Bartlett
abartlet: ci-passed+
Details
Patch for master v6 (268.36 KB, patch)
2023-03-13 20:16 UTC, Andrew Bartlett
no flags Details
Patch v6 backported to Samba 4.18. Includes only the fully required commits. (264.40 KB, patch)
2023-03-13 20:17 UTC, Andrew Bartlett
no flags Details
Patch v6 backported to Samba 4.17. Includes only the fully required commits. (266.47 KB, patch)
2023-03-13 20:22 UTC, Andrew Bartlett
no flags Details
Patch v6 backported to Samba 4.16. Includes only the fully required commits. (268.36 KB, patch)
2023-03-13 20:23 UTC, Andrew Bartlett
no flags Details
Advisory v8 (7.93 KB, text/plain)
2023-03-13 21:01 UTC, Andrew Bartlett
jsutton: review+
Details
Patch for master v7 (295.54 KB, patch)
2023-03-15 02:15 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch v7 backported to Samba 4.18. Includes only the fully required commits. (274.73 KB, patch)
2023-03-15 02:20 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch v7 backported to Samba 4.17. Includes only the fully required commits. (276.80 KB, patch)
2023-03-15 02:41 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch v7 backported to Samba 4.16. Includes only the fully required commits. (277.15 KB, patch)
2023-03-15 02:42 UTC, Andrew Bartlett
abartlet: ci-passed+
Details
Patch v7 backported to Samba 4.16 as v7.1. Includes only the fully required commits. (277.16 KB, patch)
2023-03-15 21:04 UTC, Jo Sutton
jsutton: review+
abartlet: review+
jsutton: ci-passed+
Details
Script to detect confidential attrs in use (2.11 KB, text/x-python)
2023-03-24 00:15 UTC, Rob van der Linde
no flags Details

Description Douglas Bagnall 2022-12-27 07:52:13 UTC
A security researcher writes:

Subject: Various LDAP attributes (such as BitLocker recovery keys) need to be marked as secret but aren’t

According to https://attachments.samba.org/attachment.cgi?id=14400,
Samba does not protect against timing attacks on non-secret attributes.
Unfortunately, some attributes need such protection.

In particular, msFVE-RecoveryPassword is sufficient to decrypt a
BitLocker-encrypted drive, and so certainly qualifies as “of such
a sensitivity such that a timing attack would be worthwhile”.
I believe the information in msFVE-KeyPackage is not actually
necessary, as the UI only prompts for the recovery password if
I understand correctly.  Even if it could not, msFVE-KeyPackage
is vulnerable to the same attack as msFVE-RecoveryPassword.
Similarly, msTPM-OwnerInformation includes the TPM owner password,
and msPKI-DPAPIMasterKeys includes the DPAPI master keys.  On its own,
msPKI-DPAPIMasterKeys presumably allows decrypting DPAPI-protected
data, and when combined with other confidential attributes, it
provides access to all credentials stored by Credential Roaming,
such as certificate secret keys.

In fact, the only confidential attribute that does not need to be
protected against timing attacks appears to be msPKI-RoamingTimestamp.
I recommend treating all confidential attributes as secret, if they
are not so treated already.
Comment 1 Douglas Bagnall 2022-12-27 08:20:27 UTC
https://bugzilla.samba.org/show_bug.cgi?id=CVE-2018-10919 is the original bug.
Comment 2 Demi Marie Obenour 2022-12-28 16:39:16 UTC
Is Microsoft AD also impacted?  This seems like a specification-level flaw, but Microsoft might have already mitigated it in their LDAP server.
Comment 3 Jo Sutton 2023-01-17 00:18:28 UTC
The problem is that we check for SEARCH_FLAG_CONFIDENTIAL (in check_search_ops_access()) only *after* the filter expression has been evaluated. That means it might be possible to infer whether an expression such as "(msFVE-RecoveryPassword=a*)" matched the filter by conjoining to it an expensive expression, which, due to short-circuiting &, would only be evaluated if the first expression matched. I haven't come up with a practical attack, though, nor tested whether Windows is vulnerable.
Comment 4 Douglas Bagnall 2023-02-01 20:49:44 UTC
Demi, I wrote 

> A security researcher writes:

in case you did not want to be acknowledged. If that is the case, let me know, and I will hide this part of the conversation.

Otherwise, let us know of any affiliations you want mentioned.
Comment 5 Demi Marie Obenour 2023-02-01 21:57:39 UTC
I work for Invisible Things Lab.
Comment 6 Demi Marie Obenour 2023-02-01 21:58:23 UTC
Also I noticed that secret attributes are still encrypted during LDAP filter processing.  Could confidential attributes be treated the same way?
Comment 7 Jo Sutton 2023-02-01 22:59:49 UTC
Confidential attributes must be handled differently from secret attributes, because whether they are visible on an object or not depends on the rights the user has to that object. They need to be checked per-object, not per-search like secret attributes are, and I have a fix that aims to do this.
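
The ordering issue from comment 3 and the per-object check from comment 7, as a toy model added here (not Samba code and not part of the original thread). It counts evaluated filter leaves to show that checking access after matching makes the work depend on the hidden value, while checking per object before matching does not. The entry, DN, attribute value, ACL table and all function names are constructed, and treating unreadable attributes as absent is this example's modelling assumption.

```python
"""Toy model of LDAP filter evaluation order. Added example, not Samba code."""

# Filters are nested tuples: ("and", f1, f2, ...), ("eq", attr, value),
# ("prefix", attr, value). Entries are dicts: "dn" -> str, attr -> list of str.

RECOVERY_DN = "CN=recovery1,CN=PC1,DC=example,DC=com"  # constructed
ENTRIES = [{
    "dn": RECOVERY_DN,
    "objectClass": ["msFVE-RecoveryInformation"],
    "msFVE-RecoveryPassword": ["123456-000000"],  # constructed, not a real key
}]

# Constructed per-object ACL: attributes the caller may NOT read on each DN.
DENIED = {RECOVERY_DN: {"msFVE-RecoveryPassword"}}


def readable(entry, attr, denied):
    """True if the caller may read attr on this particular object."""
    return attr not in denied.get(entry["dn"], set())


def match(entry, flt, stats):
    """Evaluate flt against entry; '&' short-circuits on the first false leaf."""
    op = flt[0]
    if op == "and":
        return all(match(entry, sub, stats) for sub in flt[1:])
    stats["leaf_evals"] += 1
    _, attr, value = flt
    values = entry.get(attr, [])
    if op == "eq":
        return value in values
    if op == "prefix":
        return any(v.startswith(value) for v in values)
    raise ValueError(f"unsupported filter op: {op}")


def filter_attrs(flt):
    """Collect every attribute name referenced by the filter."""
    if flt[0] == "and":
        return set().union(*(filter_attrs(sub) for sub in flt[1:]))
    return {flt[1]}


def search_check_after(entries, flt, denied):
    """Ordering described in comment 3: match first, access check afterwards."""
    stats = {"leaf_evals": 0}
    hits = [e["dn"] for e in entries
            if match(e, flt, stats)
            and all(readable(e, a, denied) for a in filter_attrs(flt))]
    return hits, stats["leaf_evals"]


def search_redact_first(entries, flt, denied):
    """Per-object ordering: unreadable attributes are hidden before matching."""
    stats = {"leaf_evals": 0}
    hits = []
    for e in entries:
        visible = {a: v for a, v in e.items()
                   if a == "dn" or readable(e, a, denied)}
        if match(visible, flt, stats):
            hits.append(e["dn"])
    return hits, stats["leaf_evals"]


def sample_filter(prefix):
    """(&(msFVE-RecoveryPassword=<prefix>*)(objectClass=msFVE-RecoveryInformation))"""
    return ("and",
            ("prefix", "msFVE-RecoveryPassword", prefix),
            ("eq", "objectClass", "msFVE-RecoveryInformation"))


if __name__ == "__main__":
    for name, fn in (("check after match", search_check_after),
                     ("redact before match", search_redact_first)):
        for prefix in ("1", "9"):
            hits, work = fn(ENTRIES, sample_filter(prefix), DENIED)
            print(f"{name:20} prefix={prefix!r} hits={hits} leaf_evals={work}")
```

Both orderings return no entries to the unprivileged caller; only the first does a different amount of work depending on whether the prefix is right. A caller with read access (an empty denied table) still gets the entry back from the per-object version.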
Comment 8 Demi Marie Obenour 2023-02-01 23:27:39 UTC
(In reply to Joseph Sutton from comment #7)
I still think it is better to not decrypt confidential attributes unless actually needed by a given LDAP query.  I also question if searches on the contents (as opposed to existence) of e.g. msFVE-RecoveryPassword make any sense.
Comment 9 Jo Sutton 2023-02-01 23:36:35 UTC
What do you mean by "decrypt" in this case? Confidential attributes are stored in plaintext in the database, as is any normal attribute.

I agree that searching on the contents of msFVE-RecoveryPassword might not make much sense, but Windows supports it (assuming you have the rights to view the attribute) and we try to match whatever Windows does. We also don't know the semantics of all confidential attributes (or user-added ones), and there could be confidential attributes for which a search of the contents makes sense.
Comment 10 Andrew Bartlett 2023-02-19 20:57:33 UTC
 CVSS v3.1 Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)
Comment 11 Andrew Bartlett 2023-02-19 21:22:50 UTC
Created attachment 17760 [details]
Advisory v1 without release versions
Comment 12 Demi Marie Obenour 2023-02-19 23:38:07 UTC
(In reply to Joseph Sutton from comment #9)
Fair point — consider the case where government ID number is used as an attribute.
Comment 13 Jo Sutton 2023-02-22 01:25:53 UTC
Comment on attachment 17760 [details]
Advisory v1 without release versions

Perhaps these phrases could be made clearer:
"after the object match" -> "only after matching objects against the filter"
"preventing disclosure" -> "preventing unauthorized disclosure"
"timing other" -> "other timing"

We might leave out mention of substring/prefix matches (the attack is not limited to substring matches, although they certainly make it easier).

We might also want to mention that full confidentiality cannot be expected for indexed attributes.
Comment 14 Demi Marie Obenour 2023-02-22 15:53:54 UTC
(In reply to Joseph Sutton from comment #13)
What are indexed attributes?  If confidentiality of msFVE-RecoveryPassword, msFVE-KeyPackage, msTPM-OwnerInformation, or msPKI-DPAPIMasterKeys cannot be expected, that is a serious problem and needs to be fixed.  It would be better to *not* index confidential attributes (and require a table scan or similar if they do get queried, which is unlikely) than to leak their contents.
Comment 15 Jo Sutton 2023-02-22 21:16:38 UTC
(In reply to Demi Marie Obenour from comment #14)
None of the AD confidential attributes are indexed by default. You can verify this with a search like the following, which finds all schema attributes that are confidential and indexed:

bin/ldbsearch -U$USERNAME%$PASSWORD -H ldap://$SERVER -b CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))'
# returned 0 records
# 0 entries
# 0 referrals

The concern therefore only applies to attributes added by users themselves. If we were to address this, we would do so by ignoring SEARCH_FLAG_ATTINDEX if SEARCH_FLAG_CONFIDENTIAL was also set (which we may as well do, I suppose).
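
The same check run offline over saved ldbsearch output, as an added example (not code from the thread or from Samba): it applies the bit-AND matching rule with mask 129 to each schema record's searchFlags and models the handling floated above of ignoring the index bit when the confidential bit is set. The sample records and the attribute names exampleGovId, exampleBadge and exampleNote are constructed; the two flag values are the bits that make up the 129 used in the search.

```python
"""Find schema attributes that are both confidential and indexed.

Added example. SAMPLE_LDIF and its attribute names are constructed.
"""

SEARCH_FLAG_ATTINDEX = 0x01      # attribute is indexed
SEARCH_FLAG_CONFIDENTIAL = 0x80  # attribute is confidential

# Constructed ldbsearch-style output; record 1 has a folded (continued) DN.
SAMPLE_LDIF = """\
# record 1
dn: CN=example-Gov-Id,CN=Schema,CN=Configuration,DC=addom,DC=samba,
 DC=example,DC=com
lDAPDisplayName: exampleGovId
searchFlags: 129

# record 2
dn: CN=example-Badge,CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
lDAPDisplayName: exampleBadge
searchFlags: 1

# record 3
dn: CN=example-Note,CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
lDAPDisplayName: exampleNote
searchFlags: 128

# returned 3 records
"""


def parse_records(text):
    """Parse 'attr: value' records separated by blank lines.

    Handles '#' comment lines and LDIF line folding (continuation lines start
    with a single space). Base64 ('attr:: ...') values are not decoded.
    """
    records, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        records.append(current)
    return records


def bit_and_match(value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true if every bit of mask is set."""
    return (value & mask) == mask


def confidential_and_indexed(text):
    """Return lDAPDisplayName of each attribute with both bits set (mask 129)."""
    mask = SEARCH_FLAG_CONFIDENTIAL | SEARCH_FLAG_ATTINDEX
    hits = []
    for rec in parse_records(text):
        flags = int(rec.get("searchFlags", ["0"])[0])
        if bit_and_match(flags, mask):
            hits.append(rec["lDAPDisplayName"][0])
    return hits


def effective_search_flags(flags):
    """Model of the proposed handling: drop the index bit on confidential attrs."""
    if flags & SEARCH_FLAG_CONFIDENTIAL:
        return flags & ~SEARCH_FLAG_ATTINDEX
    return flags


if __name__ == "__main__":
    for name in confidential_and_indexed(SAMPLE_LDIF):
        print(f"confidential and indexed: {name}")
```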
Comment 16 Andrew Bartlett 2023-02-22 23:42:48 UTC
Created attachment 17767 [details]
Updated v2 advisory
Comment 17 Jo Sutton 2023-02-23 00:19:22 UTC
Comment on attachment 17767 [details]
Updated v2 advisory

Looks good, apart from a stray parenthesis in "redaction of the LDAP filter (query" and a stray comma in "read access controlled, information".
Comment 18 Andrew Bartlett 2023-02-23 00:45:34 UTC
Created attachment 17768 [details]
Advisory v3
Comment 19 Andrew Bartlett 2023-02-23 00:48:41 UTC
Created attachment 17769 [details]
Advisory v4
Comment 20 Demi Marie Obenour 2023-02-23 01:02:51 UTC
(In reply to Andrew Bartlett from comment #16)

> However this approach allows a timing attack using LDAP filters against
> confidential or otherwise access controlled attributes, with this
> approach disclosing an access controlled value in seconds.

What about this?

> However, this approach allows using LDAP filters to perform a timing
> attack against confidential or otherwise access controlled attributes.
> Any authenticated user can obtain any access controlled or confidential
> attribute value in seconds.
> 
> Examples of confidential data stored in Active Directory include BitLocker
> recovery keys, TPM owner passwords, and certificate secret keys stored
> with Credential Roaming.

Something like this might also be a useful addition:

> The attack can be run in parallel to
> disclose multiple confidential attributes (on the same object or on
> different objects) concurrently.

A concrete amount of time would be nice, but also likely to vary greatly
depending on the environment.

Given that updating Samba will (obviously) not restore the confidentiality
of already-leaked data, what about adding a recommendation such as the
following?

> In addition to updating Samba, it is strongly recommended that steps be
> taken to ensure that data that may have been leaked from confidential
> or otherwise access-controlled attributes is no longer useful.  Such
> steps may include, but are not limited to, re-encrypting BitLocker
> encrypted drives, changing TPM passwords, and revoking and re-issuing
> certificates that are stored by Credential Roaming (with new secret keys).

Is it possible to determine if the attack has been exploited by log
analysis?
Comment 21 Andrew Bartlett 2023-02-23 02:22:32 UTC
Created attachment 17770 [details]
Advisory v5
Comment 22 Andrew Bartlett 2023-02-23 03:14:48 UTC
Created attachment 17771 [details]
Advisory v6

Demi,

Thanks so much for your continuing feedback on the advisory and this issue.  We have substantially reworked the advisory in this update.
Comment 23 Demi Marie Obenour 2023-02-23 23:08:03 UTC
(In reply to Andrew Bartlett from comment #22)

> Thanks so much for your continuing feedback on the advisory and this issue.
You’re welcome!

> We have substantially reworked the advisory in this update.
Would it be possible to mention the speed of the attack?  Timing attacks are easy to dismiss as theoretical even when they are not.  Explicitly stating that an attribute can be recovered in seconds would make the severity of the attack clear.

Also a couple of typos:

- “be taken, including ensure” → “be taken to ensure”
- “except the highly” → “except at the highly”

“but not the contents” might be clearer as “but not to obtain the contents”.

Finally, is it possible that Group Managed Service Account secrets could have been replicated in from a Windows domain controller?
Comment 24 Andrew Bartlett 2023-02-23 23:40:45 UTC
(In reply to Demi Marie Obenour from comment #23)
Thanks for the further feedback.  I'll fix the typo/grammatical issues.

I agree about the timing attack thing, and you will actually notice that we removed all mention of this being a timing attack, as you rightly point out that these are sometimes dismissed as hard.

The new text tries to avoid that drop by simply mentioning that they can be recovered.  I also don't want to be more specific at this point.
Comment 25 Andrew Bartlett 2023-02-24 00:00:29 UTC
Created attachment 17773 [details]
Advisory v7
Comment 26 Jo Sutton 2023-02-27 03:55:16 UTC
Created attachment 17778 [details]
Proposed patch for master v1

This patch disables the LDAP timeout test, which would now complete too quickly to trigger a timeout.
Comment 27 Andrew Bartlett 2023-02-27 05:52:59 UTC
(In reply to Joseph Sutton from comment #26)
Thanks so much for this work Joseph and for all the effort and collaboration to substantially rework the patch.

Between us we were able to reduce the performance cost to at most 20% while addressing this issue, with some tests actually coming out faster.  

We have a further proposal that actually results in a net gain on the indexed search tests, but this alters the information stored in the DB and would not be appropriate for the security release. 

I'll work tomorrow to replace the timeout test in large_ldap.py using a different approach to overload the server - this patch series actually improves the handling there so much that the query is no longer slow!

Other than the need to deal with the timeout test, I'm very happy with the changes, and have looked over them carefully a number of times now, with a particular eye not just for correctness, but also that others should be able to follow the changes.

Joseph, I thank you in particular for your patience today as we did that work.

Andrew Bartlett
Comment 28 Andrew Bartlett 2023-03-03 05:23:58 UTC
Created attachment 17789 [details]
Patch for master (v2)

This patch for master addresses some other disclosure issues around MATCH_IN_CHAIN and reinstates the timeout test.
Comment 29 Demi Marie Obenour 2023-03-05 22:53:00 UTC
(In reply to Andrew Bartlett from comment #27)
I was not expecting the patch series to be so large, but if a naive implementation would have a nasty performance hit (and it seems that it would) then it makes sense.  I can’t say I understand all of the changes, but the test improvements are very much consistent with the high quality I have come to expect from Samba.

I also agree that leaking isDeleted and isRecycled is unlikely to lead to attacks in practice.
Comment 30 Andrew Bartlett 2023-03-06 04:30:21 UTC
Created attachment 17791 [details]
Patch v2 backported to Samba 4.18.  Includes only the fully required commits.
Comment 31 Andrew Bartlett 2023-03-06 04:33:49 UTC
Created attachment 17792 [details]
Patch v2 backported to Samba 4.17.  Includes only the fully required commits.
Comment 32 Andrew Bartlett 2023-03-06 04:34:33 UTC
Created attachment 17793 [details]
Patch v2 backported to Samba 4.16.  Includes only the fully required commits.
Comment 33 Andrew Bartlett 2023-03-10 02:55:17 UTC
Created attachment 17799 [details]
Patch for master v3

Updated patch for master corrects authorship and adds the reviewed-by markers required for the gitlab MR process once this is public.
Comment 34 Andrew Bartlett 2023-03-10 03:48:42 UTC
Created attachment 17800 [details]
Patch v3 backported to Samba 4.18. Includes only the fully required commits.

The test basis for the CI was 4.18.0rc4
Comment 35 Andrew Bartlett 2023-03-10 04:10:14 UTC
I'll sort out a v4 of these patches with both Review markers and correct authorship, which was somehow disturbed during development, on Monday.
Comment 36 Andrew Bartlett 2023-03-13 20:16:22 UTC
Created attachment 17804 [details]
Patch for master v6
Comment 37 Andrew Bartlett 2023-03-13 20:17:26 UTC
Created attachment 17805 [details]
Patch v6 backported to Samba 4.18. Includes only the fully required commits.
Comment 38 Andrew Bartlett 2023-03-13 20:22:26 UTC
Created attachment 17806 [details]
Patch v6 backported to Samba 4.17. Includes only the fully required commits.
Comment 39 Andrew Bartlett 2023-03-13 20:23:18 UTC
Created attachment 17807 [details]
Patch v6 backported to Samba 4.16. Includes only the fully required commits.
Comment 40 Andrew Bartlett 2023-03-13 21:01:21 UTC
Created attachment 17808 [details]
Advisory v8

The advisory is updated to mention the performance cost.
Comment 41 Demi Marie Obenour 2023-03-14 19:33:11 UTC
Should the summary mention something like this?

> The fix in 4.6.16, 4.7.9, 4.8.4, and 4.9.7 for
> CVE-2018-10919 (Confidential attribute disclosure via
> LDAP filters) was insufficient.  An attacker may be
> able to obtain confidential information, including
> (but not limited to) BitLocker recovery keys, from a
> Samba AD DC.
Comment 42 Andrew Bartlett 2023-03-14 19:36:58 UTC
(In reply to Demi Marie Obenour from comment #41)
Thanks for your continuing feedback.

I looked over the likely cases, in particular for the way Samba is actually used, and I think BitLocker recovery keys are the main risk.  The rest is covered pretty well in the rest of the advisory.

This bug will also be made public after the new Samba version is released.
Comment 43 Andrew Bartlett 2023-03-15 02:15:38 UTC
Created attachment 17819 [details]
Patch for master v7
Comment 44 Andrew Bartlett 2023-03-15 02:20:42 UTC
Created attachment 17820 [details]
Patch v7 backported to Samba 4.18. Includes only the fully required commits.
Comment 45 Andrew Bartlett 2023-03-15 02:41:05 UTC
Created attachment 17821 [details]
Patch v7 backported to Samba 4.17. Includes only the fully required commits.
Comment 46 Andrew Bartlett 2023-03-15 02:42:51 UTC
Created attachment 17822 [details]
Patch v7 backported to Samba 4.16. Includes only the fully required commits.
Comment 47 Jo Sutton 2023-03-15 21:04:44 UTC
Created attachment 17834 [details]
Patch v7 backported to Samba 4.16 as v7.1. Includes only the fully required commits.
Comment 48 Andrew Bartlett 2023-03-16 00:23:31 UTC
Assigning to Jule for next security release.
Comment 49 Andrew Bartlett 2023-03-19 22:44:23 UTC
We will make a Samba security release for this issue on Wednesday 29 March
Comment 50 Rob van der Linde 2023-03-24 00:15:24 UTC
Created attachment 17845 [details]
Script to detect confidential attrs in use
Comment 51 Jule Anger 2023-03-29 14:22:32 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 52 Samba QA Contact 2023-03-29 14:27:35 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.10):

Comment 53 Samba QA Contact 2023-03-29 14:29:50 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.7):

Comment 54 Samba QA Contact 2023-03-29 14:31:03 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.1):

Comment 55 Samba QA Contact 2023-03-29 14:34:25 UTC
This bug was referenced in samba v4-16-test:

Comment 56 Samba QA Contact 2023-03-29 14:36:27 UTC
This bug was referenced in samba v4-17-test:

Comment 57 Samba QA Contact 2023-03-29 14:40:11 UTC
This bug was referenced in samba v4-18-test:

Comment 58 Samba QA Contact 2023-04-05 03:09:30 UTC
This bug was referenced in samba master:

Comment 59 Samba QA Contact 2023-07-28 11:50:05 UTC
This bug was referenced in samba master:

94f11c3c21bc3b8a34d376ab99becd2c6260af62
Comment 60 Samba QA Contact 2023-07-28 12:14:01 UTC
This bug was referenced in samba v4-19-test:

94f11c3c21bc3b8a34d376ab99becd2c6260af62
Comment 61 Samba QA Contact 2023-07-28 12:17:22 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):

94f11c3c21bc3b8a34d376ab99becd2c6260af62