[ubuntu/resolute-proposed] samba 2:4.23.4+dfsg-1ubuntu1 (Accepted)
Andreas Hasenack
andreas.hasenack at canonical.com
Tue Jan 13 12:42:20 UTC 2026
samba (2:4.23.4+dfsg-1ubuntu1) resolute; urgency=medium
* Merge with Debian unstable (LP: #2126006). Remaining changes:
- Ubuntu i386 binary compatibility:
+ d/control: enable the liburing vfs module, except on i386 where
liburing is not available
+ python3-samba depends on python3-cryptography, which Ubuntu doesn't
build on i386 (LP #2099895):
- d/control: don't recommend python3-samba on i386
- d/rules: don't build python3-samba on ubuntu i386
- d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
samba AD DC provisioning and domain join tests with internal DNS
(LP #1977746, LP #2011745)
- d/control: make samba-vfs-modules-extra a transitional package.
The glusterfs vfs module (the only vfs module shipped in it
previously) is now in bin:samba-vfs-glusterfs. Can be dropped
after 26.04.
- d/control: have the (now transitional) samba-vfs-modules package
depend on samba-vfs-ceph, so that upgrades retain the ceph vfs
module
- d/control: samba-vfs-modules and samba-vfs-modules-extra, now
transitional packages, should only depend on the new samba-vfs-ceph and
samba-vfs-glusterfs packages on the architectures where those two
packages are built (LP #2076682)
- d/control: samba-vfs-modules i386 adjustments:
+ samba-vfs-modules-extra was not built before for 32bit architectures,
adjust Architectures line
+ samba-vfs-modules: this one was build for 32bit architectures before,
so we need the conditional Depends for ceph
- d/p/fix-motd-gpo-list-empty.patch: fix crash when listing an empty MOTD
GPO
- d/t/samba-ad-dc-provisioning-internal-dns: add MOTD GPO test
- d/t/{control,smbclient-macro-expansion}: add test for macro expansion
(related to LP #2120811)
* Dropped:
- SECURITY UPDATE: uninitialized memory disclosure via vfs_streams_xattr
+ debian/patches/CVE-2025-9640-1.patch: add torture test for inserting
hole in stream in source3/selftest/tests.py, source4/torture/*.
+ debian/patches/CVE-2025-9640-2.patch: fix unitialized write in
source3/modules/vfs_streams_xattr.c.
+ CVE-2025-9640
[Fixed upstream in 4.23.2]
- SECURITY UPDATE: command injection via WINS server hook script
+ debian/patches/CVE-2025-10230-1.patch: check that wins hook sanitizes
names in python/samba/tests/usage.py, selftest/*, source4/torture/*,
testprogs/blackbox/wins_hook_test.
+ debian/patches/CVE-2025-10230-2.patch: restrict names fed to shell in
source4/nbt_server/wins/wins_hook.c.
+ CVE-2025-10230
[Fixed upstream in 4.23.2]
- d/control: adjust breaks/replaces for file move that Debian did in
4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
file conflict in a dist-upgrade from earlier Ubuntu releases, like
Kinetic (LP #2024663)
[Only needed for upgrades from jammy to noble]
- d/control: don't have bin:samba recommend bin:samba-ad-dc (LP #2101838)
[In 2:4.23.0+dfsg-1]
* Added:
- d/control, d/samba-libs.install: remove the pkg.samba.builtin-ngtcp2
build profile and the build dependency on libngtcp2 because it's in
universe, and switch to the builtin version shipped with samba.
- d/t/control: certain tests don't work on i386 in Ubuntu
samba (2:4.23.4+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15809:
samba-bgqd: rework man page
- https://bugzilla.samba.org/show_bug.cgi?id=15897:
Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
- https://bugzilla.samba.org/show_bug.cgi?id=15926:
Samba 4.22 breaks Time Machine
- https://bugzilla.samba.org/show_bug.cgi?id=15936:
samba-bgqd can't find [printers] share
- https://bugzilla.samba.org/show_bug.cgi?id=15947:
mdssvc doesn't support $time.iso dates before 1970
- https://bugzilla.samba.org/show_bug.cgi?id=15950:
ctdb can crash with inconsistent cluster lock configuration
- https://bugzilla.samba.org/show_bug.cgi?id=15955:
Winbind can hang forever in gssapi if there are network issues
- https://bugzilla.samba.org/show_bug.cgi?id=15961:
libldb requires linking libreplace on Linux
- https://bugzilla.samba.org/show_bug.cgi?id=15963:
* d/patches: remove revert-ldb-use-hexchars_upper-from-replace.h.patch
(applied upstream)
samba (2:4.23.3+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15926:
Samba 4.22 breaks Time Machine
- https://bugzilla.samba.org/show_bug.cgi?id=15927:
Spotlight search restriction for shares incomplete and
default search searches in too many attributes
- https://bugzilla.samba.org/show_bug.cgi?id=15930:
Searching for numbers doesn't work with Spotlight
- https://bugzilla.samba.org/show_bug.cgi?id=15931:
rpcd_mdssvc may crash because name mangling is not initialized
- https://bugzilla.samba.org/show_bug.cgi?id=15933:
Only increment lease epoch if a lease was granted
- https://bugzilla.samba.org/show_bug.cgi?id=15935:
Crash in ctdbd on failed updateip
- https://bugzilla.samba.org/show_bug.cgi?id=15940:
vfs_recycle does not update mtime
- https://bugzilla.samba.org/show_bug.cgi?id=15943:
samba-log-parser fails with UnicodeDecodeError:
'utf-8' codec can't decode byte
samba (2:4.23.2+dfsg-1) unstable; urgency=medium
* new upstream security release:
* CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr
https://www.samba.org/samba/security/CVE-2025-9640.html
* CVE-2025-10230: Command injection via WINS server hook script
https://www.samba.org/samba/security/CVE-2025-10230.html
samba (2:4.23.1+dfsg-1) unstable; urgency=medium
[ Michael Tokarev ]
* new upstream stable/bugfix release (Closes: #1116050):
- https://bugzilla.samba.org/show_bug.cgi?id=15904:
CTDB does not support PCP 7.0.0
- https://bugzilla.samba.org/show_bug.cgi?id=15914:
winbind can crash at startup
- https://bugzilla.samba.org/show_bug.cgi?id=15919:
vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev
for fsync_send
- https://bugzilla.samba.org/show_bug.cgi?id=15920:
Incomplete bind configuration causes DLZ plugin to crash
- https://bugzilla.samba.org/show_bug.cgi?id=15921:
CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set
* d/control: describe the forgotten mitkrb5 build profile
* d/control: Standards-Version: 4.7.2 (no changes)
* d/control: sort python build-deps together
* d/control: clarify some :native usages and add non-:native
alternatives for gcc-mingw*
* d/control: clarify python3-dev:native, libpython3-dev:host
* usershare.patch: remove
* d/samba.postinst: add `usershare max shares` parameter on upgrade
* debian/samba{,-libs}.lintian-overrides: remove unused
hardening-no-fortify-functions overrides
[ Grzegorz Szymaszek ]
* d/smb.conf: delete trailing spaces in comments
samba (2:4.23.0+dfsg-3) unstable; urgency=medium
* libmscat-deps.patch (Closes: #1103869)
* disable building undocumented dumpmscat binary, but provide
pkg.samba.dumpmscat build profile to enable buildig it
* enable system libngtcp2 (for !pkg.samba.builtin-ngtcp2 build profile)
* d/control: describe all current build profiles
* d/smb.conf: disable netbios by default
* d/samba.postinst: remove hunk for samba << 4.16.0 (pre-bookworm)
concerning socket directory
* d/samba.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning handling of samba spool dir
* d/samba.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning masking of services
* d/winbind.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning masking of services
* d/samba-common.postinst: actually clean-up old debconf entries
* d/changelog: fix typo in previous entry
samba (2:4.23.0+dfsg-2) unstable; urgency=medium
* d/rules: override dh_gencontrol for arch build only
(no need to do that for indep build)
* d/samba-libs.install: libquic is linux-specific
* d/samba-libs.install: ngtcp2 is linux-specific, not non-hurd
* d/control: build-depend on :native variant of mingw gcc/tools
(helps building for bookworm where these tools aren't M-A:foreign)
samba (2:4.23.0+dfsg-1) unstable; urgency=medium
* new upstream release
* d/watch: 4.23
* d/gbp.conf: switch to 4.23 upstream branch
* d/rules: tevent=0.17.1 tdb=1.4.14
* libads-fix-get_kdc_ip_string.patch: remove (included upstream)
* d/copyright: remove entries for two removed files
* d/libpam-winbind.install: install message catalogs
* d/samba-common-bin.install: install message catalog(s) for the net command
* d/libsmbclient0.symbols,d/libtevent0t64.symbols: add new symbols
* d/libtdb1.symbols: add new version
* d/samba-dsdb-modules.install: add new AD module (trust_notify.so)
* d/samba-libs.install: refresh private libraries list (-1, +4 libs)
* d/samba-libs.preinst: remove, used in distant past
for upgrades from ancient versions
* d/control: stop recommending samba-ad-dc (and python3-samba)
from samba package (was needed for transition)
* d/control: stop recommending attr by samba
* d/control: remove pre-bookworm (samba<<4.17) breaks/replaces
* d/control: stop samba from being dependent on procps
(ps was used in initscript long ago)
* d/control: stop ctdb from being dependent on psmisc and sudo
* stop ctdb from depending on time package
* d/libnss-winbind.triggers: remove, ldconfig call is generated by genshlibs
* d/rules: explicitly specify --pythondir= & --pythonarchdir=
(so it doesn't install to /usr/lib/python3.13/site-packages/)
* d/rules,d/lib{nss,pam}-winbind.install: use ${SYSLIBDIR}
for /lib vs /usr/lib, stop using dh_movetousr
Date: Fri, 09 Jan 2026 16:59:09 -0300
Changed-By: Andreas Hasenack <andreas.hasenack at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/samba/2:4.23.4+dfsg-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Fri, 09 Jan 2026 16:59:09 -0300
Source: samba
Built-For-Profiles: noudeb
Architecture: source
Version: 2:4.23.4+dfsg-1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas.hasenack at canonical.com>
Closes: 1103869 1116050
Launchpad-Bugs-Fixed: 2126006
Changes:
samba (2:4.23.4+dfsg-1ubuntu1) resolute; urgency=medium
.
* Merge with Debian unstable (LP: #2126006). Remaining changes:
- Ubuntu i386 binary compatibility:
+ d/control: enable the liburing vfs module, except on i386 where
liburing is not available
+ python3-samba depends on python3-cryptography, which Ubuntu doesn't
build on i386 (LP #2099895):
- d/control: don't recommend python3-samba on i386
- d/rules: don't build python3-samba on ubuntu i386
- d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
samba AD DC provisioning and domain join tests with internal DNS
(LP #1977746, LP #2011745)
- d/control: make samba-vfs-modules-extra a transitional package.
The glusterfs vfs module (the only vfs module shipped in it
previously) is now in bin:samba-vfs-glusterfs. Can be dropped
after 26.04.
- d/control: have the (now transitional) samba-vfs-modules package
depend on samba-vfs-ceph, so that upgrades retain the ceph vfs
module
- d/control: samba-vfs-modules and samba-vfs-modules-extra, now
transitional packages, should only depend on the new samba-vfs-ceph and
samba-vfs-glusterfs packages on the architectures where those two
packages are built (LP #2076682)
- d/control: samba-vfs-modules i386 adjustments:
+ samba-vfs-modules-extra was not built before for 32bit architectures,
adjust Architectures line
+ samba-vfs-modules: this one was build for 32bit architectures before,
so we need the conditional Depends for ceph
- d/p/fix-motd-gpo-list-empty.patch: fix crash when listing an empty MOTD
GPO
- d/t/samba-ad-dc-provisioning-internal-dns: add MOTD GPO test
- d/t/{control,smbclient-macro-expansion}: add test for macro expansion
(related to LP #2120811)
* Dropped:
- SECURITY UPDATE: uninitialized memory disclosure via vfs_streams_xattr
+ debian/patches/CVE-2025-9640-1.patch: add torture test for inserting
hole in stream in source3/selftest/tests.py, source4/torture/*.
+ debian/patches/CVE-2025-9640-2.patch: fix unitialized write in
source3/modules/vfs_streams_xattr.c.
+ CVE-2025-9640
[Fixed upstream in 4.23.2]
- SECURITY UPDATE: command injection via WINS server hook script
+ debian/patches/CVE-2025-10230-1.patch: check that wins hook sanitizes
names in python/samba/tests/usage.py, selftest/*, source4/torture/*,
testprogs/blackbox/wins_hook_test.
+ debian/patches/CVE-2025-10230-2.patch: restrict names fed to shell in
source4/nbt_server/wins/wins_hook.c.
+ CVE-2025-10230
[Fixed upstream in 4.23.2]
- d/control: adjust breaks/replaces for file move that Debian did in
4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
file conflict in a dist-upgrade from earlier Ubuntu releases, like
Kinetic (LP #2024663)
[Only needed for upgrades from jammy to noble]
- d/control: don't have bin:samba recommend bin:samba-ad-dc (LP #2101838)
[In 2:4.23.0+dfsg-1]
* Added:
- d/control, d/samba-libs.install: remove the pkg.samba.builtin-ngtcp2
build profile and the build dependency on libngtcp2 because it's in
universe, and switch to the builtin version shipped with samba.
- d/t/control: certain tests don't work on i386 in Ubuntu
.
samba (2:4.23.4+dfsg-1) unstable; urgency=medium
.
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15809:
samba-bgqd: rework man page
- https://bugzilla.samba.org/show_bug.cgi?id=15897:
Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
- https://bugzilla.samba.org/show_bug.cgi?id=15926:
Samba 4.22 breaks Time Machine
- https://bugzilla.samba.org/show_bug.cgi?id=15936:
samba-bgqd can't find [printers] share
- https://bugzilla.samba.org/show_bug.cgi?id=15947:
mdssvc doesn't support $time.iso dates before 1970
- https://bugzilla.samba.org/show_bug.cgi?id=15950:
ctdb can crash with inconsistent cluster lock configuration
- https://bugzilla.samba.org/show_bug.cgi?id=15955:
Winbind can hang forever in gssapi if there are network issues
- https://bugzilla.samba.org/show_bug.cgi?id=15961:
libldb requires linking libreplace on Linux
- https://bugzilla.samba.org/show_bug.cgi?id=15963:
* d/patches: remove revert-ldb-use-hexchars_upper-from-replace.h.patch
(applied upstream)
.
samba (2:4.23.3+dfsg-1) unstable; urgency=medium
.
* new upstream stable/bugfix release:
- https://bugzilla.samba.org/show_bug.cgi?id=15926:
Samba 4.22 breaks Time Machine
- https://bugzilla.samba.org/show_bug.cgi?id=15927:
Spotlight search restriction for shares incomplete and
default search searches in too many attributes
- https://bugzilla.samba.org/show_bug.cgi?id=15930:
Searching for numbers doesn't work with Spotlight
- https://bugzilla.samba.org/show_bug.cgi?id=15931:
rpcd_mdssvc may crash because name mangling is not initialized
- https://bugzilla.samba.org/show_bug.cgi?id=15933:
Only increment lease epoch if a lease was granted
- https://bugzilla.samba.org/show_bug.cgi?id=15935:
Crash in ctdbd on failed updateip
- https://bugzilla.samba.org/show_bug.cgi?id=15940:
vfs_recycle does not update mtime
- https://bugzilla.samba.org/show_bug.cgi?id=15943:
samba-log-parser fails with UnicodeDecodeError:
'utf-8' codec can't decode byte
.
samba (2:4.23.2+dfsg-1) unstable; urgency=medium
.
* new upstream security release:
* CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr
https://www.samba.org/samba/security/CVE-2025-9640.html
* CVE-2025-10230: Command injection via WINS server hook script
https://www.samba.org/samba/security/CVE-2025-10230.html
.
samba (2:4.23.1+dfsg-1) unstable; urgency=medium
.
[ Michael Tokarev ]
* new upstream stable/bugfix release (Closes: #1116050):
- https://bugzilla.samba.org/show_bug.cgi?id=15904:
CTDB does not support PCP 7.0.0
- https://bugzilla.samba.org/show_bug.cgi?id=15914:
winbind can crash at startup
- https://bugzilla.samba.org/show_bug.cgi?id=15919:
vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev
for fsync_send
- https://bugzilla.samba.org/show_bug.cgi?id=15920:
Incomplete bind configuration causes DLZ plugin to crash
- https://bugzilla.samba.org/show_bug.cgi?id=15921:
CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set
* d/control: describe the forgotten mitkrb5 build profile
* d/control: Standards-Version: 4.7.2 (no changes)
* d/control: sort python build-deps together
* d/control: clarify some :native usages and add non-:native
alternatives for gcc-mingw*
* d/control: clarify python3-dev:native, libpython3-dev:host
* usershare.patch: remove
* d/samba.postinst: add `usershare max shares` parameter on upgrade
* debian/samba{,-libs}.lintian-overrides: remove unused
hardening-no-fortify-functions overrides
.
[ Grzegorz Szymaszek ]
* d/smb.conf: delete trailing spaces in comments
.
samba (2:4.23.0+dfsg-3) unstable; urgency=medium
.
* libmscat-deps.patch (Closes: #1103869)
* disable building undocumented dumpmscat binary, but provide
pkg.samba.dumpmscat build profile to enable buildig it
* enable system libngtcp2 (for !pkg.samba.builtin-ngtcp2 build profile)
* d/control: describe all current build profiles
* d/smb.conf: disable netbios by default
* d/samba.postinst: remove hunk for samba << 4.16.0 (pre-bookworm)
concerning socket directory
* d/samba.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning handling of samba spool dir
* d/samba.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning masking of services
* d/winbind.postinst: remove hunk for samba << 4.17.4-3 (pre-bookworm)
concerning masking of services
* d/samba-common.postinst: actually clean-up old debconf entries
* d/changelog: fix typo in previous entry
.
samba (2:4.23.0+dfsg-2) unstable; urgency=medium
.
* d/rules: override dh_gencontrol for arch build only
(no need to do that for indep build)
* d/samba-libs.install: libquic is linux-specific
* d/samba-libs.install: ngtcp2 is linux-specific, not non-hurd
* d/control: build-depend on :native variant of mingw gcc/tools
(helps building for bookworm where these tools aren't M-A:foreign)
.
samba (2:4.23.0+dfsg-1) unstable; urgency=medium
.
* new upstream release
* d/watch: 4.23
* d/gbp.conf: switch to 4.23 upstream branch
* d/rules: tevent=0.17.1 tdb=1.4.14
* libads-fix-get_kdc_ip_string.patch: remove (included upstream)
* d/copyright: remove entries for two removed files
* d/libpam-winbind.install: install message catalogs
* d/samba-common-bin.install: install message catalog(s) for the net command
* d/libsmbclient0.symbols,d/libtevent0t64.symbols: add new symbols
* d/libtdb1.symbols: add new version
* d/samba-dsdb-modules.install: add new AD module (trust_notify.so)
* d/samba-libs.install: refresh private libraries list (-1, +4 libs)
* d/samba-libs.preinst: remove, used in distant past
for upgrades from ancient versions
* d/control: stop recommending samba-ad-dc (and python3-samba)
from samba package (was needed for transition)
* d/control: stop recommending attr by samba
* d/control: remove pre-bookworm (samba<<4.17) breaks/replaces
* d/control: stop samba from being dependent on procps
(ps was used in initscript long ago)
* d/control: stop ctdb from being dependent on psmisc and sudo
* stop ctdb from depending on time package
* d/libnss-winbind.triggers: remove, ldconfig call is generated by genshlibs
* d/rules: explicitly specify --pythondir= & --pythonarchdir=
(so it doesn't install to /usr/lib/python3.13/site-packages/)
* d/rules,d/lib{nss,pam}-winbind.install: use ${SYSLIBDIR}
for /lib vs /usr/lib, stop using dh_movetousr
Checksums-Sha1:
8e009c19da76968adecc95ae15212770f677b78c 6184 samba_4.23.4+dfsg-1ubuntu1.dsc
95590bdf5b26c774ebb7fab678929d5f30c8d082 25728028 samba_4.23.4+dfsg.orig.tar.xz
19752cb697d245e9399233e971e75713577b3a62 210380 samba_4.23.4+dfsg-1ubuntu1.debian.tar.xz
fc14ae869eae6aae49dbaaa11928489ca3031e16 6868 samba_4.23.4+dfsg-1ubuntu1_source.buildinfo
Checksums-Sha256:
98eb94c4f265bb4e1852ac6b7e57dfcb816911d2919f451affb5589f91b1f293 6184 samba_4.23.4+dfsg-1ubuntu1.dsc
81069f19a5f3def2d279f0895e15b3693c6a5daf2dde7745b9830f68ece36ec6 25728028 samba_4.23.4+dfsg.orig.tar.xz
4f107878a486241a1e9444929476e48bc65f8e43ad95d2649d4f943b3ca92ad4 210380 samba_4.23.4+dfsg-1ubuntu1.debian.tar.xz
7a7b34b969e11ccb99c79c5572c3dc05215c3f9895abe47a7cb91fc436c59373 6868 samba_4.23.4+dfsg-1ubuntu1_source.buildinfo
Files:
85a90dcc3fab1841db8acfed3e8626b2 6184 net optional samba_4.23.4+dfsg-1ubuntu1.dsc
89c58ebef7528ceab416121b52cf3af3 25728028 net optional samba_4.23.4+dfsg.orig.tar.xz
a7b43e8c3186cfc60d045b97e0a4388c 210380 net optional samba_4.23.4+dfsg-1ubuntu1.debian.tar.xz
494a0ca0bba24a428a6d626a1c5e8b2b 6868 net optional samba_4.23.4+dfsg-1ubuntu1_source.buildinfo
Original-Maintainer: Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>
Vcs-Git: https://git.launchpad.net/~ahasenack/ubuntu/+source/samba
Vcs-Git-Commit: b4c726affd6f0b60dcdc7604516d74de2d11d4a9
Vcs-Git-Ref: refs/heads/resolute-samba-merge-1
More information about the Resolute-changes
mailing list