samba (2:4.3.7+dfsg-1) unstable; urgency=high
This Samba security update addresses both Denial of Service and Man in
the Middle vulnerabilities.

Both of these changes implement new smb.conf options and a number
of stricter behaviours to prevent Man in the Middle attacks on our
network services, as a client and as a server.

Between these changes, compatibility with a large number of older
software versions has been lost in the default configuration.
See the release notes in WHATSNEW.txt for more information.

Here are some additional hints on how to work around the new stricter default
behaviors:

* As an AD DC server, only Windows 2000 and Samba 3.6 and above as
  a domain member are supported out of the box. Other smb file
  servers as domain members are also fine out of the box.

* As an AD DC server, with the default setting of "ldap server require
  strong auth", LDAP clients connecting over ldaps:// or START_TLS
  will be allowed to perform simple LDAP bind only.

  The preferred configuration for LDAP clients is to use SASL
  GSSAPI directly over ldap:// without using ldaps:// or
  START_TLS.

  To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
  NTLMSSP), sign/seal protection must be used by the client and the
  server should be configured with "ldap server require strong
  auth = allow_sasl_over_tls".

  Consult the OpenLDAP documentation on how to set sign/seal protection
  in ldap.conf.

  For an SSSD client configured with "id_provider = ad" or
  "id_provider = ldap" with "auth_provider = krb5", see the
  sssd-ldap(5) manual for details on TLS session handling.

* As a File Server, compatibility with the Linux Kernel cifs
  client depends on which configuration options are selected; please
  use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".

* As a file or printer client and as a domain member, out of the
  box compatibility with Samba less than 4.0 and other SMB/CIFS
  servers depends on support for SMB signing or SMB2 on the
  server, which is often disabled or absent. You may need to
  adjust "client ipc signing" to "no" in these cases.

* In case of an upgrade from versions before 4.2.0, you might run
  into problems as a domain member. The out of the box compatibility
  with Samba 3.x domain controllers requires NETLOGON features only
  available in Samba 3.2 and above.

However, all of these can be worked around by setting smb.conf
options in Samba; see WHATSNEW.txt, the 4.2.0 release notes at
https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
wiki for details, workarounds and suggested security-improving
changes to these and other software packages.

Suggested further improvements after patching:

It is recommended that administrators set these additional options,
if compatible with their network environment:

    server signing = mandatory
    ntlm auth = no

Without "server signing = mandatory", Man in the Middle attacks
are still possible against our file server and
classic/NT4-like/Samba3 Domain controller. (It is now enforced on
Samba's AD DC.) Note that this has heavy impact on the file server
performance, so you need to decide between performance and
security. These Man in the Middle attacks for smb file servers are
well known for decades.

Without "ntlm auth = no", there may still be clients not using
NTLMv2, and these observed passwords may be brute-forced easily using
cloud-computing resources or rainbow tables.
-- Andrew Bartlett <abartlet+debian@catalyst.net.nz> Tue, 12 Apr 2016 16:18:57 +1200
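For the Samba entry above, an added Python audit (not Samba's own tooling) that parses the [global] section of an smb.conf and flags the settings that leave the Man in the Middle and NTLMv1 weaknesses described there open. The value synonyms and the 4.3 defaults it encodes are my assumptions, and the sample configurations are constructed.

```python
import configparser
# Samba value synonyms (assumption: from Samba's signing/boolean tables as I
# know them; confirm with `testparm -s --parameter-name "server signing"`).
SIGNING_REQUIRED = {"mandatory", "required", "force", "forced", "enforced"}
BOOL_NO = {"no", "false", "0", "off"}
# Samba 4.3 defaults as this entry describes them (assumption): file-server
# signing not enforced, NTLMv1 still accepted, IPC signing and strong LDAP
# auth already required.
DEFAULTS = {"server signing": "default", "ntlm auth": "yes",
            "client ipc signing": "mandatory",
            "ldap server require strong auth": "yes"}

def parse_global(text):
    """[global] section as a dict; names/values lower-cased, whitespace
    collapsed, as Samba itself treats them."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "global":
            return {k: v.strip().lower() for k, v in cp.items(section)}
    return {}

def audit_smb_conf(text):
    """Return (option, effective value, risk) tuples for settings that leave
    the weaknesses described in the NEWS entry open."""
    conf = parse_global(text)
    eff = {opt: conf.get(opt, dflt) for opt, dflt in DEFAULTS.items()}
    findings = []
    if eff["server signing"] not in SIGNING_REQUIRED:
        findings.append(("server signing", eff["server signing"],
                         "MitM still possible against file server / NT4-style DC"))
    if eff["ntlm auth"] not in BOOL_NO:
        findings.append(("ntlm auth", eff["ntlm auth"],
                         "clients may still authenticate with NTLMv1"))
    if eff["client ipc signing"] not in SIGNING_REQUIRED:
        findings.append(("client ipc signing", eff["client ipc signing"],
                         "compatibility workaround re-opens MitM on IPC$/RPC"))
    if eff["ldap server require strong auth"] in BOOL_NO:
        findings.append(("ldap server require strong auth",
                         eff["ldap server require strong auth"],
                         "AD DC accepts simple LDAP binds without TLS"))
    return findings

# Constructed sample configs (not taken from any real host).
WEAK_CONF = ("[global]\n   workgroup = EXAMPLE\n   server signing = auto\n"
             "   client ipc signing = no\n   ; ntlm auth left at its default\n")
HARDENED_CONF = ("[global]\n   workgroup = EXAMPLE\n"
                 "   server signing = mandatory\n   ntlm auth = no\n")
```

An empty or missing [global] section is audited against the defaults, so a stock 4.3 file server still gets the two findings the entry warns about.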

apt-listchanges (2.87) unstable; urgency=medium
For better integration with the package management system, apt-listchanges
automatically switches to the non-interactive "text" frontend:
- when the `-y'/`--assume-yes' option is passed to apt-get
- or when DEBIAN_FRONTEND environment variable is set to "noninteractive".
The new behavior can be disabled in the configuration file (or via the
command-line parameters), refer to apt-listchanges(1) man page for details.
The "mail" frontend can optionally send e-mails in the HTML format, see the
description of `--email-format' option in the man page for more information.
For the sake of consistency the `--all' and `--show_seen' options were
renamed to `--show-all' and `--show-seen' respectively.
-- Robert Luberda <robert@debian.org> Sat, 02 Apr 2016 20:24:43 +0200

ca-certificates (20151214) unstable; urgency=medium
Removed SPI CA. Closes: #796208
Updated Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael@pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600

ca-certificates (20150426) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <michael@pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500

dosfstools (3.0.28-2) unstable; urgency=medium
In version 3.0.28, the fsck.vfat tool changed its default operating
mode to interactive repair. Previously, this mode had to be activated
with the -r option.

Previously, the default had been an interactive repair without the
option of writing any changes back to the filesystem. Essentially, the
new default is only different in that there will be a question at the
end asking whether to commit the changes to the filesystem.
-- Andreas Bombe <aeb@debian.org> Fri, 21 Aug 2015 17:15:38 +0200

iputils (3:20150815-1) unstable; urgency=medium
As of 3:20150815-1, the ping and ping6 commands are unified in a single
binary that can communicate with targets of either address family. In
order to force the use of a specific address family, you need to either
pass the argument -4 or -6 on the command line, or call the program via
one of the ping4 or ping6 names.
You will need to be particularly aware of this change if you're invoking ping
via a script as part of a monitoring or other such automated system.
-- Noah Meyerhans <noahm@debian.org> Fri, 19 Feb 2016 22:26:30 -0800

jbig2dec (0.12-1) unstable; urgency=medium
* Licensing has changed to GNU Affero General Public License (AGPL).
Please ensure that all use complies with this new license.
-- Jonas Smedegaard <dr@jones.dk> Fri, 31 Jul 2015 11:45:03 +0200

kbd (2.0.3-2) unstable; urgency=medium
The kbd init script is no longer supported. If the configuration in
/etc/kbd/config and /etc/kbd/remap is unmodified, there will be an
attempt to automatically clean up those files as well as the
/etc/init.d/kbd init script on upgrades; if not, THEY ARE LEFT IN PLACE
and considered owned by the local admin.
Most people probably use console-setup to configure their console, but
this is not a requirement on Debian. We prefer always having something
around that configures the console, which is why we don't
unconditionally drop the above files.
You can use the following command to check if you have console-setup
installed: dpkg-query -s console-setup
If it says "...is not installed..." you might want to start using
console-setup by installing it: apt-get install console-setup
Unless you know you want to keep using the obsolete init script and
maintain it yourself, it is recommended that you make sure they are removed
using the following commands:

    rm -f /etc/init.d/kbd /etc/kbd/config /etc/kbd/remap && rmdir /etc/kbd
    update-rc.d -f kbd remove
-- Andreas Henriksson <andreas@fatal.se> Tue, 05 Jan 2016 17:55:55 +0100

libcgi-pm-perl (4.15-1) unstable; urgency=medium
From upstream Changes, 4.15:
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
[...]
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typos in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it thoroughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
From upstream Changes, 4.13:
- CGI::Pretty is now DEPRECATED and will be removed in a future release.
Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more
information and discussion (also GH #140 for HTML function deprecation
discussion: https://github.com/leejo/CGI.pm/issues/140)
-- gregor herrmann <gregoa@debian.org> Sat, 09 May 2015 22:01:44 +0200

pinentry-gtk2 (0.9.6-3) unstable; urgency=medium
* Since pinentry-gtk2 0.9.6, upstream now uses the default GTK text
entry widget instead of a custom text-entry widget. The GTK text
entry widget in password mode may display characters while typed based
on the setting of gtk-entry-password-hint-timeout. This value
defaults to 0 (never display), but may be overridden in
/etc/gtk-2.0/gtkrc or ~/.gtkrc-2.0. If your password entry shows the
last character typed, please ensure that this value is not set in your
system's configuration files.
See
https://developer.gnome.org/gtk2/stable/GtkSettings.html#GtkSettings--gtk-entry-password-hint-timeout
and https://bugs.debian.org/801757 for more details.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Oct 2015 20:39:25 -0400

lsb (9.20150826) unstable; urgency=low
This update drops all lsb-* compatibility packages, and is therefore an
abandonment of the pursuit of LSB compatibility for Debian. Only lsb-release and
lsb-base are kept as they continue to be used throughout the archive.
-- Didier Raboud <odyx@debian.org> Wed, 26 Aug 2015 12:00:00 +0200