Difference between revisions of "Samba Features added/changed (by release)"

(added security fixes 3.0.25)
(3.0.25)
Line 313: Line 313:
 
===3.0.25===
 
===3.0.25===
  
* CVE-2007-2444
+
* CVE-2007-2444 Versions: Samba 3.0.23d - 3.0.25pre2 Local SID/Name translation bug can result in user privilege elevation
Versions: Samba 3.0.23d - 3.0.25pre2
 
Local SID/Name translation bug can result in
 
user privilege elevation
 
  
* CVE-2007-2446
+
* CVE-2007-2446 Versions: Samba 3.0.0 - 3.0.24 Multiple heap overflows allow remote code execution
Versions: Samba 3.0.0 - 3.0.24
+
* CVE-2007-2447 Versions: Samba 3.0.0 - 3.0.24 Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution
Multiple heap overflows allow remote code execution
 
 
 
* CVE-2007-2447
 
Versions: Samba 3.0.0 - 3.0.24
 
Unescaped user input parameters are passed as
 
arguments to /bin/sh allowing for remote command
 
execution
 
  
 
===3.0.23{c}===
 
===3.0.23{c}===

Revision as of 14:49, 16 May 2007

New features by version

3.0.25

  • Significant improvements in the winbind off-line logon support.
  • Support for secure DDNS updates as part of the 'net ads join' process.
  • Rewritten IdMap interface which allows for TTL based caching and per domain backends.
  • New plug-in interface for the "winbind nss info" parameter.
  • New file change notify subsystem which is able to make use of inotify on Linux.
  • Support for passing Windows security descriptors to a VFS plug-in allowing for multiple Unix ACL implements to running side by side on the Same server.
  • Improved compatibility with Windows Vista clients including improved read performance with Linux servers.
  • Man pages for IdMap and VFS plug-ins.

3.0.23{a,b,c,d}

  • Stability fixes for winbindd
  • Portability fixes on FreeBSD and Solaris operating systems.
  • New "createupn" option to "net ads join"
  • Rewritten Kerberos keytab generation when 'use kerberos keytab = yes'
  • Improved 'make test'
  • New offline mode in winbindd
  • New Kerberos support for pam_winbind.so
  • New handling of unmapped users and groups
  • New non-root share management tools
  • Improved support for local and BUILTIN groups
  • Winbind IDMAP integration with RFC2307 schema objects supported by Windows 2003 R2
  • Rewritten 'net ads join' to mimic Windows XP without requiring administrative rights to join a domain

3.0.21{a,b,c}

  • Complete NTLMv2 support by consolidating authentication mechanism used at the CIFS and RPC layers.
  • The capability to manage Unix services using the Win32 Service Control API.
  • The capability to view external Unix log files via the Microsoft Event Viewer.
  • New libmsrpc share library for application developers.
  • Rewrite of CIFS oplock implementation.
  • Performance Counter external daemon.
  • Winbindd auto-detection query methods when communicating with a domain controller.
  • The ability to enumerate long share names in libsmbclient applications.

3.0.20{a,b}

  • Support for several new Win32 rpc pipes.
  • Improved support for OS/2 clients.
  • New 'net rpc service' tool for managing Win32 services.
  • Capability to set the owner on new files and directory based on the parent's ownership.
  • Experimental, asynchronous IO file serving support.
  • Completed Support for Microsoft Print Migrator.
  • New Winbind IDmap plugin (ad) for retrieving uid and gid from AD servers which maintain the SFU user and group attributes.
  • Rewritten support for POSIX pathnames when utilizing the Linux CIFS fs client.
  • New asynchronous winbindd.
  • Support for Microsoft Print Migrator.
  • New Windows NT registry file I/O library.
  • New user right (SeTakeOwnershipPrivilege) added.
  • New "net share migrate" options.

3.0.14a

Release 3.0.14a is a pure bugfix release which fixed a "show stopper".

Please note, the release policy has changed at this point.

3.0.14

3.0.13

3.0.12

  • Performance enhancements when serving directories containing large number of files.
  • MS-DFS support added to smbclient.
  • More performance improvements when using Samba/OpenLDAP based DC's via the 'ldapsam:trusted=yes' option.
  • Support for the Novell NDS universal password when using the ldapsam passdb backend.
  • New 'net rpc trustdom {add,del}' functionality to eventually replace 'smbpasswd {-a,-x} -i'.
  • New libsmbclient functionality.

3.0.11

  • Winbindd performance improvements.
  • More 'net rpc vampire' functionality.
  • Support for the Windows privilege model to assign rights to specific SIDs.
  • New administrative options to the 'net rpc' command.

3.0.10

Release 3.0.10 is a fix for security issues described in CAN-2004-1154.

3.0.9

Release 3.0.9 is a pure bigfix release which fixes printing problems from Windows 9x, roaming profile updates and unknown symbols for kde



Changes in smb.conf

3.0.025

Parameter Name Description Default
change notify timeout Removed n/a
change notify New Yes
debug prefix timestamp New No
fam change notify Removed n/a
idmap domains New ""
idmap alloc backend New ""
New 900
New 120
kernel change notify Per share Yes
lock spin count Removed n/a
max stat cache size Modified 1024KB
printjob username New %U
winbind normalize names New no

3.0.23{a,b}

Parameter Name Description Default
acl group control Deprecated No
add port command New ""
change notify timeout Changed Scope ""
dmapi support New No
dos filemode Modified No
enable asu support Changed default No
enable core files New Yes
enable privileges Changed default Yes
enable rid algorithm Removed ""
fam change notify New Yes
hosts equiv Removed ""
host msdfs Changed default Yes
msdfs root Changed default Yes
open files database hash size New 10007
passdb expand explicit Changed default No
strict locking Changed default auto
usershare allow guests New No
usershare max shares New 0
usershare owner only New Yes
usershare path New ${lockdir}
usershare prefix allow list New ""
usershare prefix deny list New ""
usershare template share New ""
winbind enum users Changed default No
winbind enum groups Changed default No
winbind nested groups Changed default Yes
winbind offline logon New No
winbind refresh tickets New No
winbind max idle children Removed ""
wins partners Removed ""

3.0.21{a,b,c}

  • dfree cache time (New)
  • dfree command (Per share)
  • eventlog list (New)
  • iprint server (New)
  • map read only (New)
  • passdb expand explicit (New)
  • rename user script (New)
  • reset on zero vc (New)
  • svcctl list (Renamed from 'enable svcctl')

3.0.20{a,b}

  • acl check permissions (New)
  • acl group control (New)
  • acl map full control (New)
  • aio read size (New)
  • aio write size (New)
  • enable asu support (New)
  • inherit owner (New)
  • ldap filter (Removed)
  • map to guest (Modified (new value added))
  • max stat cache size (New)
  • min password length (Removed)
  • printer admin (Deprecated)
  • username map script (New)
  • winbind enable local accounts (Removed)
  • winbindd nss info (New)

3.0.14

  • dos filetimes (Enabled by default)

3.0.13

3.0.12

  • allocation roundup size (New)
  • log nt token command (New)
  • write cache (Deprecated)

3.0.11

  • afs token lifetime (New)
  • enable privileges (New)
  • ldap password sync (Alias)
  • min password length (Deprecated)
  • winbind enable local accounts (Deprecated)

3.0.10

3.0.9

Securty- and bugfixes by version

3.0.25

  • CVE-2007-2444 Versions: Samba 3.0.23d - 3.0.25pre2 Local SID/Name translation bug can result in user privilege elevation
  • CVE-2007-2446 Versions: Samba 3.0.0 - 3.0.24 Multiple heap overflows allow remote code execution
  • CVE-2007-2447 Versions: Samba 3.0.0 - 3.0.24 Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution

3.0.23{c}

  • Authentication failures in pam_winbind when the AD domain policy is set to not expire passwords.
  • Authorization failures when using smb.conf options such as "valid users" with the smb

3.0.23{b}

  • Ambiguity with unqualified names in smb.conf parameters such as "force user" and "valid users".
  • Errors in 'net ads join' caused by bad IP address in the list of domain controllers.
  • SMB signing errors in the client and server code.
  • Domain join failures when using smbpasswd on a Samba PDC.

3.0.23{a}

  • Failure to strip the domain name from groups when 'winbind use default domain = yes'
  • Failure in pam_winbind to correctly parse arguments.
  • Bad token creation of local users on member servers not running winbindd.
  • Failure to add users or groups to ACLs using the Windows object picker.
  • Failure in file serving code when 'kernel oplocks = yes'.

Upgrade issues by version