git.samba.org - metze/samba/wip.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Fri, 20 Nov 2015 13:06:18 +0000 (14:06 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Tue, 12 Apr 2016 17:25:22 +0000 (19:25 +0200)
commit	2063692367429d0767153b6a0d22627cb2c27d5f
tree	0c4576e300380df406a64a346b34f99cf3765417	tree
parent	83c71586dc4d46ecc4a129e23f11aa192ca8002f	commit \| diff

CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response

We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

nsswitch/libwbclient/wbc_pam.c		diff \| blob \| history
nsswitch/winbind_struct_protocol.h		diff \| blob \| history
source3/winbindd/winbindd_ccache_access.c		diff \| blob \| history