Bug 51121 - samba: Multiple issues (4.4)
samba: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Arvid Requate
QA Contact: Erik Damrose
Depends on:
Blocks: 51210 51122
Reported: 2020-04-20 12:20 CEST by Arvid Requate
Modified: 2020-05-04 11:27 CEST (History)
See Also:
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description Arvid Requate univentionstaff 2020-04-20 12:20:57 CEST
Security update scheduled by upstream for: Tuesday, April 28th 2020
Comment 1 Arvid Requate univentionstaff 2020-04-21 22:53:20 CEST
Part of the upstream patches affect lib/ldb, which in Debian and UCS is provided by a separate dedicated source package. I've updated our ldb source package with the currently latest public version of the upstream tarball and built the package with all of our svn patches:

svn r18808 | Add 04_symbols.patch for new upstream version
svn r18809 | fix typo in 04_symbols.patch
svn r18810 | add another new symbol to 04_symbols.patch

Successful build
Package: ldb
Version: 2:1.5.6-1A~4.4.0.202004211422
Branch: ucs_4.4-0
Scope: errata4.4-4

That was not good enough for Samba to find the new lib version (1.5.7), so I updated the source package once again to include the new security patches:

svn r18822 | add another new symbol to 04_symbols.patch

Successful build
Package: ldb
Version: 2:1.5.7-1A~4.4.0.202004211800
Branch: ucs_4.4-0
Scope: errata4.4-4


Then I cherry-picked samba from errata4.4-3 to errata4.4-4 and had to experiment a bit with the upstream patches (in parallel to the ldb source package work):

r18806 | New upstream patches
r18811 | Update lib/ldb to 1.5.6 for new upstream patch
r18812 | Revert to upstream ldb 1.5.6 based patch
r18813 | try Debian Samba team WAF_NO_PARALLEL patch
r18814 | Fix patch
r18815 | Adjust patch context to 4.10.1
r18816 | Move commit to other quilt file
r18817 | Move commit to other quilt file
r18818 | Temporarily remove binary patch parts (test data)
r18819 | Adjust patch context to 4.10.1
r18820 | Remove WAF_NO_PARALLEL patch, doesn't help

Finally the samba package has built successfully:

Package: samba
Version: 2:4.10.1-1A~4.4.0.202004212102
Branch: ucs_4.4-0
Scope: errata4.4-4

After that I cherry-picked univention-ldb-modules from errata4.4-0 to errata4.4-4.

Package: univention-ldb-modules
Version: 7.0.0-4A~4.4.0.202004212249
Branch: ucs_4.4-0
Scope: errata4.4-4
Comment 2 Erik Damrose univentionstaff 2020-04-22 09:34:24 CEST
All S4 Test machines failed to run ucs-test tonight, there seems to be a Samba4 database problem:

[master091] 2020-04-22T00:07:42.686586	ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory

e.g. here: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/38/artifact/test/autotest-091-master-s4.log
Comment 3 Arvid Requate univentionstaff 2020-04-23 11:49:32 CEST
Ok, the test failures seem to have been a result of the updated univention-ldb-modules not yet being included in that test run.

7202fcd1f2 | Preliminary Advisories
3cb5d4d08f | Preliminary advisory

Ready for functional QA, please reopen to finalize the Advisory with CVE details.
Comment 4 Arvid Requate univentionstaff 2020-04-28 10:40:34 CEST
1ef31c8323 | Advisory
Comment 5 Erik Damrose univentionstaff 2020-04-28 11:15:22 CEST
OK: new Patches, applied
OK: Jenkins tests
OK: advisories for samba, ldb, univention-ldb-modules (I fixed the line length)
Verified