samba/backport-0002-CVE-2022-38023.patch

From 99c61592d4c2d2dbdf50765b085ece40c2b3099c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Dec 2022 16:05:26 +0100
Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several
 options: "yields precedence" -> "is over-riden"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
 docs-xml/smbdotconf/logon/allownt4crypto.xml                 | 2 +-
 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +-
 docs-xml/smbdotconf/security/clientschannel.xml              | 2 +-
 docs-xml/smbdotconf/security/serverschannel.xml              | 2 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml             | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f72..06afcef73b1b 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -18,7 +18,7 @@
 
 	<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
 
-	<para>This option yields precedence to the 'reject md5 clients' option.</para>
+	<para>This option is over-ridden by the 'reject md5 clients' option.</para>
 </description>
 
 <value type="default">no</value>
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb36..8bccab391cc2 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
 	<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
 	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
 
-	<para>This option yields precedence to the implementation specific restrictions.
+	<para>This option is over-ridden by the implementation specific restrictions.
 	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
 	The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
 	</para>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050c..d124ad481818 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
     <para>Note that for active directory domains this is hardcoded to
     <smbconfoption name="client schannel">yes</smbconfoption>.</para>
 
-    <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+    <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
 </description>
 <value type="default">yes</value>
 <value type="example">auto</value>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index bd9fea84a7e7..394ffdc36fbd 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -23,7 +23,7 @@
     <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
     </para>
 
-    <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+    <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
 
 </description>
 
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
index b17620ec8f1d..9c1c1d7af148 100644
--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -17,7 +17,7 @@
 
 	<para>Note for active directory domain this option is hardcoded to 'yes'</para>
 
-	<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+	<para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
 
 	<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
 </description>
-- 
2.34.1
fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967 2022-12-29 07:17:40 +00:00			`From 99c61592d4c2d2dbdf50765b085ece40c2b3099c Mon Sep 17 00:00:00 2001`
			`From: Ralph Boehme <slow@samba.org>`
			`Date: Tue, 6 Dec 2022 16:05:26 +0100`
			`Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several`
			`options: "yields precedence" -> "is over-riden"`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240`

			`Signed-off-by: Ralph Boehme <slow@samba.org>`
			`Reviewed-by: Stefan Metzmacher <metze@samba.org>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17692`
			`---`
			`docs-xml/smbdotconf/logon/allownt4crypto.xml \| 2 +-`
			`docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml \| 2 +-`
			`docs-xml/smbdotconf/security/clientschannel.xml \| 2 +-`
			`docs-xml/smbdotconf/security/serverschannel.xml \| 2 +-`
			`docs-xml/smbdotconf/winbind/requirestrongkey.xml \| 2 +-`
			`5 files changed, 5 insertions(+), 5 deletions(-)`

			`diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml`
			`index 03dc8fa93f72..06afcef73b1b 100644`
			`--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml`
			`+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml`
			`@@ -18,7 +18,7 @@`

			`<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>`

			`- <para>This option yields precedence to the 'reject md5 clients' option.</para>`
			`+ <para>This option is over-ridden by the 'reject md5 clients' option.</para>`
			`</description>`

			`<value type="default">no</value>`
			`diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml`
			`index 03531adbfb36..8bccab391cc2 100644`
			`--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml`
			`+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml`
			`@@ -15,7 +15,7 @@`
			`<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,`
			`winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>`

			`- <para>This option yields precedence to the implementation specific restrictions.`
			`+ <para>This option is over-ridden by the implementation specific restrictions.`
			`E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.`
			`The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.`
			`</para>`
			`diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml`
			`index 5b07da95050c..d124ad481818 100644`
			`--- a/docs-xml/smbdotconf/security/clientschannel.xml`
			`+++ b/docs-xml/smbdotconf/security/clientschannel.xml`
			`@@ -23,7 +23,7 @@`
			`<para>Note that for active directory domains this is hardcoded to`
			`<smbconfoption name="client schannel">yes</smbconfoption>.</para>`

			`- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>`
			`+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>`
			`</description>`
			`<value type="default">yes</value>`
			`<value type="example">auto</value>`
			`diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml`
			`index bd9fea84a7e7..394ffdc36fbd 100644`
			`--- a/docs-xml/smbdotconf/security/serverschannel.xml`
			`+++ b/docs-xml/smbdotconf/security/serverschannel.xml`
			`@@ -23,7 +23,7 @@`
			`<para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.`
			`</para>`

			`- <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>`
			`+ <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>`

			`</description>`

			`diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml`
			`index b17620ec8f1d..9c1c1d7af148 100644`
			`--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml`
			`+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml`
			`@@ -17,7 +17,7 @@`

			`<para>Note for active directory domain this option is hardcoded to 'yes'</para>`

			`- <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>`
			`+ <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>`

			`<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>`
			`</description>`
			`--`
			`2.34.1`