[packages/samba] Up to 4.24.0; update buildrequires and options; fixes CVE-2026-20833

arekm arekm at pld-linux.org
Sat Apr 11 04:28:04 CEST 2026


commit 93906bd4da2ea9ce3fad46d00c4f281884e066d8
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Sat Apr 11 04:27:52 2026 +0200

    Up to 4.24.0; update buildrequires and options; fixes CVE-2026-20833

 samba.spec                               | 27 ++++++++++--------
 unicodePwd-nthash-values-over-LDAP.patch | 48 +++++++++++---------------------
 2 files changed, 32 insertions(+), 43 deletions(-)
---
diff --git a/samba.spec b/samba.spec
index b90fc15..b4c5b9a 100644
--- a/samba.spec
+++ b/samba.spec
@@ -16,7 +16,6 @@
 %bcond_without	dmapi		# DMAPI support
 %bcond_without	fam		# FAM support
 %bcond_without	lttng		# lttng-ust support
-%bcond_without	spotlight	# Spotlight tracker support
 %bcond_without	systemd		# systemd integration
 %bcond_without	winexe		# winexe tool
 %bcond_with	system_heimdal	# Use system Heimdal libraries [since samba 4.4.x build fails with heimdal 1.5.x/7.x]
@@ -27,14 +26,14 @@
 %bcond_with	replace
 %bcond_without	lmdb		# LMDB module in ldb (64-bit only)
 
-%define		ver		4.23.6
+%define		ver		4.24.0
 %define		rel		1
 %define		ldb_ver		2.11.0
 %define		ldb_rel		%{ver}.%{rel}
 
 %if %{with system_libs}
-%define		talloc_ver	2:2.4.3
-%define		tdb_ver		2:1.4.14
+%define		talloc_ver	2:2.4.4
+%define		tdb_ver		2:1.4.15
 %define		tevent_ver	0.17.1
 %endif
 
@@ -58,7 +57,7 @@ Epoch:		1
 License:	GPL v3
 Group:		Networking/Daemons
 Source0:	https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.gz
-# Source0-md5:	0e3fa5f6fe1f7fa93e4f3b10f8d09ceb
+# Source0-md5:	70fbbd0189ee6e9dc92b5a2cb2fcfb1d
 Source1:	smb.init
 Source2:	samba.pamd
 Source4:	samba.sysconfig
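Review bot: The refreshed `# Source0-md5:` line is the only integrity pin on the 4.24.0 tarball visible in this hunk, and MD5 is not collision-resistant, so it guards against corruption rather than deliberate substitution. Because this update carries the CVE-2026-20833 fix, the tarball should be verified against the upstream release signature before the digest is recorded. A comment next to Source0 could note that, for example `# tarball verified against upstream release signature before digest update`. Whether the PLD builder tooling accepts a stronger digest field is not visible from this page.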
@@ -80,7 +79,7 @@ BuildRequires:	acl-devel
 %{?with_avahi:BuildRequires:	avahi-devel}
 BuildRequires:	bison
 %{?with_ceph:BuildRequires:	ceph-devel >= 11}
-BuildRequires:	cmocka-devel >= 1.1.3
+BuildRequires:	cmocka-devel >= 1.1.8
 %if %{with winexe}
 BuildRequires:	crossmingw32-gcc
 BuildRequires:	crossmingw32-pthreads-w32
@@ -124,6 +123,7 @@ BuildRequires:	libtasn1-devel >= 3.8
 BuildRequires:	libtirpc-devel
 BuildRequires:	libunwind-devel
 BuildRequires:	liburing-devel
+BuildRequires:	libvarlink-devel >= 24
 BuildRequires:	libxslt-progs
 %{?with_lmdb:BuildRequires:	lmdb-devel >= 0.9.16}
 %{?with_lttng:BuildRequires:	lttng-ust-devel}
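Review bot: The new `BuildRequires: libvarlink-devel >= 24` is unconditional, while the option that appears to need it, `--with-systemd-userdb`, is only passed inside the `%if %{with systemd}` configure branch in a later hunk. If libvarlink is used only for the userdb support, `%{?with_systemd:BuildRequires:	libvarlink-devel >= 24}` keeps the non-systemd build from pulling in a dependency it never links. The `%else` branch passes only `--without-systemd`; whether that also disables the userdb feature is not visible here and is worth confirming.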
@@ -158,7 +158,6 @@ BuildRequires:	rpmbuild(macros) >= 2.025
 BuildRequires:	sed >= 4.0
 BuildRequires:	subunit-devel
 %{?with_systemd:BuildRequires:	systemd-devel}
-%{?with_spotlight:BuildRequires:	tracker-devel >= 2.0}
 BuildRequires:	xfsprogs-devel
 BuildRequires:	zlib-devel >= 1.2.3
 %if %{with system_libs}
@@ -169,6 +168,9 @@ BuildRequires:	talloc-devel >= %{talloc_ver}
 BuildRequires:	tdb-devel >= %{tdb_ver}
 BuildRequires:	tevent-devel >= %{tevent_ver}
 %endif
+# libbsd-devel and setproctitle-devel both declare setproctitle() with
+# incompatible prototypes; bundled lib/replace/replace.h includes both headers
+BuildConflicts:	setproctitle-devel
 Requires(post,preun):	/sbin/chkconfig
 Requires:	%{name}-common = %{epoch}:%{version}-%{release}
 Requires:	%{name}-libs = %{epoch}:%{version}-%{release}
@@ -731,6 +733,7 @@ CPPFLAGS="${CPPFLAGS:-%rpmcppflags}" \
 	--with-systemd \
 	--systemd-install-services \
 	--with-systemddir=%{systemdunitdir} \
+	--with-systemd-userdb \
 %else
 	--without-systemd \
 %endif
@@ -741,7 +744,7 @@ CPPFLAGS="${CPPFLAGS:-%rpmcppflags}" \
 	--enable-cups \
 	%{__enable_disable glusterfs} \
 	--enable-iprint \
-	%{__enable_disable spotlight}
+	--enable-spotlight
 
 %{__make} V=1
 
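Review bot: `--enable-spotlight` is now passed unconditionally and the `spotlight` bcond is removed in the first hunk, so there is no longer a build switch to leave the feature out. The `%if %{with spotlight}` guard around `%{_datadir}/samba/mdssvc` in `%files` is dropped as well, and nothing explains why the `tracker-devel` dependency could go while the feature stays enabled. If upstream still honours the disable form, keeping `%bcond_without spotlight` together with `%{__enable_disable spotlight}` would let sites that do not serve Spotlight clients build without that service code. Otherwise a comment such as `# spotlight no longer needs tracker-devel (confirm against upstream notes)` would record the reason.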
@@ -827,6 +830,7 @@ cp -p examples/LDAP/samba.schema $RPM_BUILD_ROOT%{schemadir}
 %py3_ocomp $RPM_BUILD_ROOT%{py3_sitedir}
 
 %find_lang pam_winbind
+%find_lang net
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -1086,6 +1090,7 @@ fi
 %attr(755,root,root) %{_libdir}/samba/vfs/acl_xattr.so
 %attr(755,root,root) %{_libdir}/samba/vfs/aio_fork.so
 %attr(755,root,root) %{_libdir}/samba/vfs/aio_pthread.so
+%attr(755,root,root) %{_libdir}/samba/vfs/aio_ratelimit.so
 %attr(755,root,root) %{_libdir}/samba/vfs/audit.so
 %attr(755,root,root) %{_libdir}/samba/vfs/btrfs.so
 %attr(755,root,root) %{_libdir}/samba/vfs/cap.so
@@ -1141,9 +1146,7 @@ fi
 %{_datadir}/samba/admx/samba.admx
 %lang(en) %{_datadir}/samba/admx/en-US
 %lang(ru) %{_datadir}/samba/admx/ru-RU
-%if %{with spotlight}
 %{_datadir}/samba/mdssvc
-%endif
 %{_datadir}/samba/setup
 %{_mandir}/man1/oLschema2ldif.1*
 %{_mandir}/man1/profiles.1*
@@ -1164,6 +1167,7 @@ fi
 %{_mandir}/man8/vfs_acl_xattr.8*
 %{_mandir}/man8/vfs_aio_fork.8*
 %{_mandir}/man8/vfs_aio_pthread.8*
+%{_mandir}/man8/vfs_aio_ratelimit.8*
 %{_mandir}/man8/vfs_audit.8*
 %{_mandir}/man8/vfs_btrfs.8*
 %{_mandir}/man8/vfs_cap.8*
@@ -1232,7 +1236,7 @@ fi
 %attr(755,root,root) %{_libdir}/samba/vfs/glusterfs_fuse.so
 %{_mandir}/man8/vfs_glusterfs_fuse.8*
 
-%files common
+%files common -f net.lang
 %defattr(644,root,root,755)
 %doc PFIF.txt README.cifs-utils README.md SECURITY.md WHATSNEW.txt
 %dir %{_sysconfdir}/samba
@@ -1621,6 +1625,7 @@ fi
 %{_includedir}/samba-4.0/util/idtree_random.h
 %{_includedir}/samba-4.0/util/signal.h
 %{_includedir}/samba-4.0/util/substitute.h
+%{_includedir}/samba-4.0/util/talloc_keep_secret.h
 %{_includedir}/samba-4.0/util/tevent_ntstatus.h
 %{_includedir}/samba-4.0/util/tevent_unix.h
 %{_includedir}/samba-4.0/util/tevent_werror.h
diff --git a/unicodePwd-nthash-values-over-LDAP.patch b/unicodePwd-nthash-values-over-LDAP.patch
index 3652829..40035b0 100644
--- a/unicodePwd-nthash-values-over-LDAP.patch
+++ b/unicodePwd-nthash-values-over-LDAP.patch
@@ -1,47 +1,31 @@
 
-Allow setting unicodePwd with NTHash vlue over LDAP
+Allow setting unicodePwd with NTHash value over LDAP
 
---- samba-4.0.7/source4/libcli/ldap/ldap_controls.c~	2013-07-02 20:19:37.554868793 +0200
-+++ samba-4.0.7/source4/libcli/ldap/ldap_controls.c	2013-07-02 21:00:47.595973713 +0200
-@@ -1260,7 +1260,7 @@ static const struct ldap_control_handler
+--- samba-4.24.0/source4/libcli/ldap/ldap_controls.c~	2026-03-18 11:09:10.000000000 +0100
++++ samba-4.24.0/source4/libcli/ldap/ldap_controls.c	2026-04-11 02:00:00.000000000 +0200
+@@ -1337,7 +1337,7 @@ static const struct ldap_control_handler
  	{ LDB_CONTROL_REVEAL_INTERNALS, NULL, NULL },
  	{ LDB_CONTROL_AS_SYSTEM_OID, NULL, NULL },
  	{ DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL },
 -	{ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL },
-+        { DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, decode_flag_request, encode_flag_request },
++	{ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, decode_flag_request, encode_flag_request },
  	{ DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID, NULL, NULL },
  	{ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL },
  	{ DSDB_CONTROL_APPLY_LINKS, NULL, NULL },
---- samba-4.0.7/source4/dsdb/samdb/ldb_modules/password_hash.c~	2013-07-02 20:01:42.731518064 +0200
-+++ samba-4.0.7/source4/dsdb/samdb/ldb_modules/password_hash.c	2013-07-02 20:39:24.909757777 +0200
-@@ -3386,10 +3386,29 @@
- 	return ldb_next_request(ac->module, mod_req);
- }
- 
-+static int password_hash_init(struct ldb_module *module)
-+{
-+	struct ldb_context *ldb;
-+	int ret;
-+
-+	ldb = ldb_module_get_ctx(module);
-+
+--- samba-4.24.0/source4/dsdb/samdb/ldb_modules/password_hash.c~	2026-03-18 11:09:10.000000000 +0100
++++ samba-4.24.0/source4/dsdb/samdb/ldb_modules/password_hash.c	2026-04-11 02:00:00.000000000 +0200
+@@ -5247,6 +5247,14 @@ static int password_hash_module_init(str
+ 		return ldb_operr(ldb);
+ 	}
+
 +	ret = ldb_mod_register_control(module, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
 +	if (ret != LDB_SUCCESS) {
 +		ldb_debug(ldb, LDB_DEBUG_ERROR,
-+				"password_hash: Unable to register control (%s) with rootdse!\n",
-+				DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
++			  "password_hash: Unable to register control (%s) with rootdse!\n",
++			  DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
 +		return ldb_operr(ldb);
 +	}
 +
-+	return ldb_next_init(module);
-+}
-+
- static const struct ldb_module_ops ldb_password_hash_module_ops = {
- 	.name          = "password_hash",
- 	.add           = password_hash_add,
--	.modify        = password_hash_modify
-+	.modify        = password_hash_modify,
-+	.init_context  = password_hash_init
- };
- 
- int ldb_password_hash_module_init(const char *version)
+ 	return ldb_next_init(module);
+ }
+
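Review bot: The refreshed patch still replaces the `{ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL }` table entry with one using `decode_flag_request`/`encode_flag_request` and registers the OID in `password_hash_module_init`, yet nothing in the patch header says which callers are expected to be allowed to send it. This makes a control that has no wire handlers in the unpatched table decodable from LDAP requests and registered with the rootDSE. Whether the module restricts the control to privileged binds is not visible in this hunk, because the body of `password_hash_module_init` starts above it. Accepting an NT hash directly means the server never sees the cleartext, so any policy checks that depend on it presumably cannot run. I would extend the one-line header to record the trust assumption, e.g. `Downstream-only: exposes DSDB_CONTROL_PASSWORD_HASH_VALUES_OID to LDAP clients; requires <privilege - confirm>`, and re-verify it on each rebase such as this move from 4.0.7 to 4.24.0.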
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/samba.git/commitdiff/93906bd4da2ea9ce3fad46d00c4f281884e066d8


