Samba was updated to the 4.2.x codestream, bringing some new features and security fixes (bsc#973832, FATE#320709).
These security issues were fixed:
- CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862).
- CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031).
- CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032).
- CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033).
- CVE-2016-2113: TLS certificate validation were missing (bsc#973034).
- CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036).
- CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965).
Also the following fixes were done:
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).
- Align fsrvp feature sources with upstream version.
- Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel; (bsc#973832).
- s3:utils/smbget: Fix recursive download; (bso#6482).
- s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
- docs: Add example for domain logins to smbspool man page; (bso#11643).
- s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
- loadparm: Fix memory leak issue; (bso#11708).
- lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
- ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'; (bso#11719).
- s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
- param: Fix str_list_v3 to accept ';' again; (bso#11732).
- Real memeory leak(buildup) issue in loadparm; (bso#11740).
- Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing...