This repository has been archived by the owner on Dec 14, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
samba36: Apply numerous security patches backported to 3.6 by Openwrt
These fixes address the following CVEs: CVE-2015-5252 CVE-2015-5370 CVE-2015-5296 CVE-2015-5299 CVE-2015-7560 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118
Showing 156 changed files with 5,127 additions and 1,968 deletions.
22 changes: 22 additions & 0 deletions
release/src/router/samba36/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<samba:parameter name="allow dcerpc auth level connect" | ||
context="G" | ||
type="boolean" | ||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | ||
<description> | ||
<para>This option controls whether DCERPC services are allowed to | ||
be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, | ||
but no per message integrity nor privacy protection.</para> | ||
|
||
<para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc, | ||
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para> | ||
|
||
<para>This option yields precedence to the implentation specific restrictions. | ||
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. | ||
While others like samr and lsarpc have a hardcoded default of <constant>no</constant>. | ||
</para> | ||
</description> | ||
|
||
<value type="default">no</value> | ||
<value type="example">yes</value> | ||
|
||
</samba:parameter> |
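Review bot: The third <para> does not say how the global setting interacts with the hardcoded per-interface defaults. It states that the option "yields precedence" to implementation-specific restrictions and that samr and lsarpc have a hardcoded default of no, but a reader cannot tell whether 'allow dcerpc auth level connect = yes' changes those interfaces or whether the 'allow dcerpc auth level connect:interface' form is needed for them. Please spell that out, and since the documented example value is yes while the default is no, repeat next to the example that yes permits connections with no per-message integrity or privacy protection. Also in that paragraph, "implentation" should be "implementation", and "While others like samr and lsarpc have ..." is a sentence fragment that reads better joined to the previous sentence.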
23 changes: 23 additions & 0 deletions
release/src/router/samba36/docs-xml/smbdotconf/security/clientipcsigning.xml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
<samba:parameter name="client ipc signing" | ||
context="G" | ||
type="enum" | ||
enumlist="enum_smb_signing_vals" | ||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | ||
<description> | ||
<para>This controls whether the client is allowed or required to use SMB signing for IPC$ | ||
connections as DCERPC transport inside of winbind. Possible values | ||
are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> | ||
and <emphasis>disabled</emphasis>. | ||
</para> | ||
|
||
<para>When set to auto, SMB signing is offered, but not enforced and if set | ||
to disabled, SMB signing is not offered either.</para> | ||
|
||
<para>Connections from winbindd to Active Directory Domain Controllers | ||
always enforce signing.</para> | ||
</description> | ||
|
||
<related>client signing</related> | ||
|
||
<value type="default">mandatory</value> | ||
</samba:parameter> |
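Review bot: The first <para> lists auto, mandatory and disabled as possible values, but the second <para> explains only auto and disabled; mandatory, which is the default, is never described. Add a sentence saying what mandatory does when the server does not sign. The last <para> should also say whether "always enforce signing" for winbindd connections to Active Directory Domain Controllers holds even when this option is set to disabled, since as written the two statements appear to conflict.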
19 changes: 19 additions & 0 deletions
release/src/router/samba36/docs-xml/smbdotconf/security/rawntlmv2auth.xml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
<samba:parameter name="raw NTLMv2 auth" | ||
context="G" | ||
type="boolean" | ||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | ||
<description> | ||
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> | ||
<manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without | ||
extended security (without SPNEGO) to use NTLMv2 authentication.</para> | ||
|
||
<para>If this option, <command moreinfo="none">lanman auth</command> | ||
and <command moreinfo="none">ntlm auth</command> are all disabled, | ||
then only clients with SPNEGO support will be permitted. | ||
That means NTLMv2 is only supported within NTLMSSP.</para> | ||
</description> | ||
|
||
<related>lanman auth</related> | ||
<related>ntlm auth</related> | ||
<value type="default">no</value> | ||
</samba:parameter> |
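Review bot: The second <para> documents only the case where this option, lanman auth and ntlm auth are all disabled. With the default of no for raw NTLMv2 auth, it should also state what happens to an SMB1 client without extended security when lanman auth or ntlm auth is still enabled, because that is the configuration most existing installations will be in. Minor: lanman auth and ntlm auth are marked up as <command moreinfo="none"> here although they are smb.conf parameters listed under <related>, and the blank line that the other new parameter files put before <value type="default"> is missing.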
15 changes: 15 additions & 0 deletions
release/src/router/samba36/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<samba:parameter name="winbind sealed pipes" | ||
context="G" | ||
type="boolean" | ||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | ||
<description> | ||
<para>This option controls whether any requests from winbindd to domain controllers | ||
pipe will be sealed. Disabling sealing can be useful for debugging | ||
purposes.</para> | ||
|
||
<para>The behavior can be controlled per netbios domain | ||
by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para> | ||
</description> | ||
|
||
<value type="default">yes</value> | ||
</samba:parameter> |
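Review bot: The first sentence of the description is hard to parse ("any requests from winbindd to domain controllers pipe will be sealed"); something like "whether requests from winbindd to domain controllers over pipes are sealed" would read correctly. Since the text mentions disabling sealing as useful for debugging and offers a per-domain 'winbind sealed pipes:NETBIOSDOMAIN = no' override, it should also state what protection is lost when the option is no, so the setting is not left in place after debugging.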
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
/* | ||
Unix SMB/CIFS implementation. | ||
simple bitmap functions | ||
Copyright (C) Andrew Tridgell 1992-1998 | ||
This program is free software; you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation; either version 3 of the License, or | ||
(at your option) any later version. | ||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU General Public License for more details. | ||
You should have received a copy of the GNU General Public License | ||
along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
|
||
/* The following definitions come from lib/bitmap.c */ | ||
|
||
struct bitmap { | ||
uint32_t *b; | ||
unsigned int n; | ||
}; | ||
|
||
struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n); | ||
int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src); | ||
bool bitmap_set(struct bitmap *bm, unsigned i); | ||
bool bitmap_clear(struct bitmap *bm, unsigned i); | ||
bool bitmap_query(struct bitmap *bm, unsigned i); | ||
int bitmap_find(struct bitmap *bm, unsigned ofs); |
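Review bot: bitmap_talloc() takes the size as int n while struct bitmap stores unsigned int n and bitmap_set(), bitmap_clear() and bitmap_query() index with unsigned i, so a negative n would convert to a very large count if it were stored unchecked; make the parameter unsigned or document that negative values are rejected. bitmap_find() likewise takes unsigned ofs but returns int, so its "not found" return value should be commented. The visible header also has no include guard and uses uint32_t, bool and TALLOC_CTX without including anything that defines them, and bitmap_query() could take a const struct bitmap * since it only reads.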