Package "winbind"

| Name: | winbind |
| Description: | service to resolve user and group information from Windows NT servers |
| Latest version: | 2:4.19.5+dfsg-4ubuntu9.4 |
| Release: | noble (24.04) |
| Level: | updates |
| Repository: | main |
| Head package: | samba |
| Homepage: | https://www.samba.org |

Changelog

samba (2:4.19.5+dfsg-4ubuntu9.4) noble-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory disclosure via vfs_streams_xattr
    - debian/patches/CVE-2025-9640-1.patch: add torture test for inserting
      hole in stream in source3/selftest/tests.py, source4/torture/*.
    - debian/patches/CVE-2025-9640-2.patch: fix uninitialized write in
      source3/modules/vfs_streams_xattr.c.
    - CVE-2025-9640
  * SECURITY UPDATE: command injection via WINS server hook script
    - debian/patches/CVE-2025-10230-1.patch: check that wins hook sanitizes
      names in python/samba/tests/usage.py, selftest/*, source4/torture/*,
      testprogs/blackbox/wins_hook_test.
    - debian/patches/CVE-2025-10230-2.patch: restrict names fed to shell in
      source4/nbt_server/wins/wins_hook.c.
    - CVE-2025-10230

 -- Marc Deslauriers <email address hidden>  Thu, 09 Oct 2025 09:43:22 -0400

| CVE-2025-9640 | A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows |
| CVE-2025-10230 | Command injection via WINS server hook script |

samba (2:4.19.5+dfsg-4ubuntu9.3) noble; urgency=medium

  * Upcoming changes to Windows Server enforce security checks even on
    schannel secured NETLOGON connections causing winbind's netlogon dc
    discovery calls to fail. (LP: #2116098):
    - d/p/s3-winbindd-use-better-debug-messages-than-talloc_st.patch: use
      better debug messages than 'talloc_strdup failed'
    - d/p/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch: avoid
      using any netlogon call to get a dc name
    - d/p/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch: Fix
      internal winbind dsgetdcname calls w.r.t. domain name
    - d/p/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch: let
      discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
    - d/p/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch: allow
      store_cldap_reply() to work with a ipv6 response
    - d/p/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch: use
      NETLOGON_NT_VERSION_AVOID_NT4EMUL

 -- Andreas Hasenack <email address hidden>  Mon, 21 Jul 2025 17:37:16 -0300

| 2116098 | Windows security hardening locks out schannel'ed netlogon dc calls |

samba (2:4.19.5+dfsg-4ubuntu9.2) noble; urgency=medium

  * DEP8 test updates:
    - d/t/samba-ad-dc-provisioning-internal-dns: add MOTD GPO test
    - d/t/samba-ad-dc-provisioning-internal-dns: force samba-tool to use
      kerberos when interrogating the DNS server, otherwise it will prompt for
      a password
  * d/p/fix-motd-gpo-list-empty.patch: fix crash when listing an empty MOTD
    GPO (LP: #2107395)
  * d/p/fix-update-motd-gpo.patch: replace patch with upstream's version, which
    includes another fix for the case of updating an existing MOTD GPO
    (LP: #2107395)

| 2107395 | Updating MOTD GPO adds new text instead of replacing existing one |