+ =============================
+ Release Notes for Samba 4.0.4
+ March 19, 2013
+ =============================
+
+
+This is a security release in order to address CVE-2013-1863
+(World-writeable files may be created in additional shares on a
+Samba 4.0 AD DC).
+
+o CVE-2013-1863:
+ Administrators of the Samba 4.0 Active Directory Domain
+ Controller might unexpectedly find files created world-writeable
+ if additional CIFS file shares are created on the AD DC.
+ Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
+ defect.
+
+
+Changes since 4.0.3:
+--------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
+ Release Notes for Samba 4.0.3
+ February 05, 2013
+ =============================
+
+
+This is is the latest stable release of Samba 4.0.
+
+Major enhancements in Samba 4.0.3 include:
+
+o check_password_quality: Handle non-ASCII characters properly (bug #9105).
+o Fix ACL problem with delegation of privileges and deletion of accounts
+ over LDAP interface (bug #8909).
+o Fix 'smbd' panic triggered by unlink after open (bug #9571).
+o smbd: Fix memleak in the async echo handler (bug #9549).
+
+Known issues:
+-------------
+
+o For more details concerning the ACL problem with delegation of privileges
+ and deletion of accounts over LDAP interface (bugs #8909 and #9267)
+ regarding upgrades from older 4.0.x versions, please see
+
+ http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Upgrading
+
+ which will be filled with details once we have worked out an upgrade
+ strategy.
+
+Changes since 4.0.2:
+--------------------
+
+o Michael Adam <obnox@samba.org>
+ * BUG 9568: Document the command line options in dbwrap_tool(1).
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 9196: defer_open is triggered multiple times on the same request.
+ * BUG 9518: conn->share_access appears not be be reset between users.
+ * BUG 9550: sigprocmask does not work on FreeBSD to stop further signals in
+ a signal handler.
+ * BUG 9572: Fix file corruption during SMB1 read by Mac OSX 10.8.2 clients.
+ * BUG 9586: smbd[29175]: disk_free: sys_popen() failed" message logged in
+ /var/log/message many times.
+ * BUG 9587: Archive flag is always set on directories.
+ * BUG 9588: ACLs are not inherited to directories for DFS shares.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 8909: Fix ACL problem with delegation of privileges and deletion of
+ accounts over LDAP interface.
+ * BUG 9461: FSMO seize of naming role fails: NT_STATUS_IO_TIMEOUT.
+ * BUG 9564: Fix compilation of Solaris ACL module.
+ * BUG 9581: gensec: Allow login without a PAC by default.
+ * BUG 9596: Linked attribute handling should be by GUID.
+ * BUG 9598: Use pid,task_id as cluster_id in process_single just like
+ process_prefork.
+ * BUG 9609: ldb: Ensure to decrement the transaction_active whenever we
+ delete a transaction.
+ * BUG 9609: Add 'ldbdump' tool.
+ * BUG 9609: ldb: Remove no-longer-existing ltdb_unpack_data_free from
+ ldb_tdb.h.
+ * BUG 9609: ldb: Change ltdb_unpack_data to take an ldb_context.
+ * BUG 9610: dsdb: Make secrets_tdb_sync cope with -H secrets.ldb.
+
+
+o Björn Baumbach <bb@sernet.de>
+ * BUG 9512: wafsamba: Use additional xml catalog file.
+ * BUG 9517: samba_dnsupdate: Set KRB5_CONFIG for nsupdate command.
+ * BUG 9552: smb.conf(5): Update list of available protocols.
+ * BUG 9568: Add dbwrap_tool.1 manual page.
+ * BUG 9569: ntlm_auth(1): Fix format and make examples visible.
+
+
+o Ira Cooper <ira@samba.org>
+ * BUG 9575: Duplicate flags defined in the winbindd protocol.
+
+
+o Günther Deschner <gd@samba.org>
+ * BUG 9474: Downgrade v4 printer driver requests to v3.
+ * BUG 9595: s3-winbind: Fix the build of idmap_ldap.
+
+
+o David Disseldorp <ddiss@samba.org>
+ * BUG 9378: Add extra attributes for AD printer publishing.
+
+
+o Stephen Gallagher <sgallagh@redhat.com>
+ * BUG 9609: ldb: Move doxygen comments for ldb_connect to the right place.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 9541: Make use of posix_openpt.
+ * BUG 9544: Fix build of vfs_commit and plug in async pwrite support.
+ * BUG 9546: Fix aio_suspend detection on FreeBSD.
+ * BUG 9548: Correctly detect O_DIRECT.
+ * BUG 9549: smbd: Fix memleak in the async echo handler.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 8909: Fix ACL problem with delegation of privileges and deletion of
+ accounts over LDAP interface.
+ * BUG 9105: check_password_quality: Handle non-ASCII characters properly.
+ * BUG 9481: samba_upgradeprovision: fix the nTSecurityDescriptor on more
+ containers.
+ * BUG 9499: s3:smb2_negprot: set the 'remote_proto' value.
+ * BUG 9508: s4:drsuapi: Make sure we report the meta data from the cycle
+ start.
+ * BUG 9540: terminate the irpc_servers_byname() result with
+ server_id_set_disconnected().
+ * BUG 9598: Fix timeouts of some IRPC calls.
+ * BUG 9609: Fix a warning by converting from TDB_DATA to struct ldb_val.
+
+
+o Matthieu Patou <mat@matws.net>
+ * BUG 8909: Add documentation.
+ * BUG 9565: Adding additional Samba 4.0 DC to W2k8 srv AD domain (in win200
+ functional level) produces dbcheck errors.
+
+
+o Arvid Requate <requate@univention.de>
+ * BUG 9555: s4-resolve: Fix parsing of IPv6/AAAA in dns_lookup.
+
+
+o Rusty Russell <rusty@rustcorp.com.au>
+ * BUG 9609: tdb: Add '-e' option to tdbdump (and document it).
+ * BUG 9609: tdb: 'tdbdump' should log errors, and fail in that case.
+ * BUG 9609: tdb: Add tdb_rescue() to allow an emergency best-effort dump.
+
+
+o Samba-JP oota <ribbon@samba.gr.jp>
+ * BUG 9528: Remove superfluous bracket in samba.8.xml.
+ * BUG 9530: Fix typo in vfs_tsmsm.8.xml.
+
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 9574: Fix a possible null pointer dereference in spoolss.
+
+
+o Karolin Seeger <kseeger@samba.org>
+ * BUG 9591: Correct meta data in ldb manpages.
+
+
+o Pavel Shilovsky <piastry@etersoft.ru>
+ * BUG 9571: Fix 'smbd' panic triggered by unlink after open.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * BUG 9609: ldb: Fix callers for ldb_pack_data() and ldb_unpack_data().
+ * BUG 9609: ldb: move ldb_pack.c into common.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * BUG 9503: waf assumes that pythonX.Y-config is a Python script.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ =============================
+ Release Notes for Samba 4.0.2
+ January 30, 2013
+ =============================
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o CVE-2013-0213:
+ All current released versions of Samba are vulnerable to clickjacking in the
+ Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
+ a malicious web page via a frame or iframe and then overlaid by other content,
+ an attacker could trick an administrator to potentially change Samba settings.
+
+ In order to be vulnerable, SWAT must have been installed and enabled
+ either as a standalone server launched from inetd or xinetd, or as a
+ CGI plugin to Apache. If SWAT has not been installed or enabled (which
+ is the default install state for Samba) this advisory can be ignored.
+
+o CVE-2013-0214:
+ All current released versions of Samba are vulnerable to a cross-site
+ request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+ user's password and then tricking a user who is authenticated with SWAT into
+ clicking a manipulated URL on a different web page, it is possible to manipulate
+ SWAT.
+
+ In order to be vulnerable, the attacker needs to know the victim's password.
+ Additionally SWAT must have been installed and enabled either as a standalone
+ server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
+ not been installed or enabled (which is the default install state for Samba)
+ this advisory can be ignored.
+
+
+Changes since 4.0.1:
+====================
+
+o Kai Blin <kai@samba.org>
+ * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+ * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ =============================
+ Release Notes for Samba 4.0.1
+ January 15, 2013
+ =============================
+
+
+This is a security release in order to address CVE-2013-0172.
+
+o CVE-2013-0172:
+ Samba 4.0.0 as an AD DC may provide authenticated users with write access
+ to LDAP directory objects.
+
+ In AD, Access Control Entries can be assigned based on the objectClass
+ of the object. If a user or a group the user is a member of has any
+ access based on the objectClass, then that user has write access to that
+ object.
+
+ Additionally, if a user has write access to any attribute on the object,
+ they may have access to write to all attributes.
+
+ An important mitigation is that anonymous access is totally disabled by
+ default. The second important mitigation is that normal users are
+ typically only given the problematic per-objectClass right via the
+ "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+ does not make "authenticated users" part of this group.
+
+Changes since 4.0.0:
+====================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Bug 9554 - CVE-2013-0172 - Samba 4.0 as an AD DC may provide authenticated
+ users with write access to LDAP directory objects.
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
=============================
Release Notes for Samba 4.0.0
December 11, 2012
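Review bot: The "Reporting bugs" footers added for 4.0.4 and 4.0.3 tell users to file reports "under the Samba 3.6 product", while the 4.0.2 and 4.0.1 footers in this same hunk say "Samba 4.0 product"; the two newer footers should name 4.0 as well. Those two footers also pair a long top rule of '#' with a shorter bottom rule, unlike the 4.0.2 and 4.0.1 footers where both rules match. Text fixes in the 4.0.3 block: "This is is the latest stable release", "appears not be be reset" (BUG 9518), the unmatched closing quote in the BUG 9586 entry, and "win200 functional level" in BUG 9565, which looks truncated. For CVE-2013-1863, the 4.0.4 entry says only that the forced 'create mask' of 0777 is removed. That affects newly created files, so a sentence asking administrators to review permissions on files already created in additional shares while running 4.0.0rc6 through 4.0.3 would make the entry actionable.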
the infamous Kerberos PAC, and include it with the Kerberos tickets we
issue.
+When running an AD DC, you only need to run 'samba' (not smbd/nmbd/winbindd),
+as the required services are co-coordinated by this master binary.
+The tool to administer the Active Directory services is called 'samba-tool'.
+
+A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
+
+ http://wiki.samba.org/index.php/Samba4/HOWTO
+
File Services
=============
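Review bot: "co-coordinated" in the relocated sentence ("as the required services are co-coordinated by this master binary") should be "coordinated"; since the sentence is being moved here anyway, this is the place to fix it. The HOWTO link added with it points at Samba4/HOWTO, while the 4.0.3 notes added by this patch point at Samba_AD_DC_HOWTO#Upgrading; please confirm both wiki page names are current so the release notes do not send readers to two different HOWTOs.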
the longer term.
For pure file server work, the binaries users would expect from that
-series (smbd, nmbd, winbindd, smbpasswd) continue to be available. When
-running an AD DC, you only need to run 'samba' (not smbd/nmbd/winbindd),
-as the required services are co-coordinated by this master binary.
+series (smbd, nmbd, winbindd, smbpasswd) continue to be available.
DNS
it (for details, please refer to bug #8850).
-Running Samba 4.0 as an AD DC
-=============================
-
-A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
-
- http://wiki.samba.org/index.php/Samba4/HOWTO
-
-
Upgrading
=========
as the internal dns server (SAMBA_INTERNAL) is the default now.
+Supported features
+==================
+
+A whitepaper of currently (un-)supported features is available on the wiki:
+
+ https://wiki.samba.org/index.php/Samba_4.0_Whitepaper
+
+
######################################################################
Changes
#######
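Review bot: The whitepaper link added here uses https://wiki.samba.org/, while the other wiki links this patch adds (the Samba4/HOWTO link and the Samba_AD_DC_HOWTO#Upgrading link) use http://wiki.samba.org/; pick one scheme for all of them, preferably https. "(un-)supported features" would also read more plainly as "supported and unsupported features".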
======================
o Michael Adam <obnox@samba.org>
+ * BUG 9414: Honor password complexity settings.
* BUG 9456: developer-build: Fix panic when acl_xattr fails with access
denied.
* BUG 9457: Fix "map username script" with "security=ads" and Winbind.
o Stefan Metzmacher <metze@samba.org>
+ * BUG 9414: Honor password complexity settings.
* BUG 9470: Fix MMC crashes.
* BUG 9481: Fix ACL on "cn=partitions,cn=configuration".