Package "libnss-winbind"

  samba (2:4.15.13+dfsg-0ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory disclosure via vfs_streams_xattr
    - debian/patches/CVE-2025-9640-1.patch: add torture test for inserting
      hole in stream in source3/selftest/tests.py, source4/torture/*.
    - debian/patches/CVE-2025-9640-2.patch: fix unitialized write in
      source3/modules/vfs_streams_xattr.c.
    - CVE-2025-9640
  * SECURITY UPDATE: command injection via WINS server hook script
    - debian/patches/CVE-2025-10230-1.patch: check that wins hook sanitizes
      names in python/samba/tests/usage.py, selftest/*, source4/torture/*,
      testprogs/blackbox/wins_hook_test.
    - debian/patches/CVE-2025-10230-2.patch: restrict names fed to shell in
      source4/nbt_server/wins/wins_hook.c.
    - CVE-2025-10230

 -- Marc Deslauriers <email address hidden> Thu, 09 Oct 2025 09:51:42 -0400

  samba (2:4.15.13+dfsg-0ubuntu1.9) jammy; urgency=medium

  * Fix %m macro expansion (LP: #2123902):
    - d/p/s3-libsmb-dsgetdcname-do-not-assume-local-system-uses-ipv4.patch:
      return the first IPv4 and the first IPv6 address found for each DC. This
      patch was missing from the backported set of the previous upload
    - d/t/smbclient-macro-expansion: add test to check %m macro expansion

 -- Andreas Hasenack <email address hidden> Thu, 18 Sep 2025 18:08:53 -0300

  samba (2:4.15.13+dfsg-0ubuntu1.8) jammy; urgency=medium

  * Fix config file macro expansion (LP: #2120811):
    - no change rebuild actually fixed it in all tests (ppa and local)
    - d/t/{control,smbclient-macro-expansion}: new DEP8 test for the issue

 -- Andreas Hasenack <email address hidden> Sat, 30 Aug 2025 14:01:16 -0300

  samba (2:4.15.13+dfsg-0ubuntu1.7) jammy; urgency=medium

  * Upcoming changes to Windows Server enforce security checks even on
    schannel secured NETLOGON connections causing winbind's netlogon dc
    discovery calls to fail. (LP: #2116098):
    - d/p/s3-winbindd-use-better-debug-messages-than-talloc_st.patch: use
      better debug messages than 'talloc_strdup failed'
    - d/p/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch: avoid
      using any netlogon call to get a dc name
    - d/p/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch: Fix
      internal winbind dsgetdcname calls w.r.t. domain name
    - d/p/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch: let
      discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
    - d/p/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch: allow
      store_cldap_reply() to work with a ipv6 response
    - d/p/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch: use
      NETLOGON_NT_VERSION_AVOID_NT4EMUL

 -- Andreas Hasenack <email address hidden> Mon, 21 Jul 2025 17:31:31 -0300

  samba (2:4.15.13+dfsg-0ubuntu1.6) jammy; urgency=medium

  * d/p/lp2046994-spotlight-doesnt-work-with-latest-macos-ventura.patch: fix
    spotlight search function on macos ventura (LP: #2046994).

 -- Mitchell Dzurick <email address hidden> Fri, 05 Jan 2024 14:23:01 -0700