Samba security releases have been made available:
- 4.24.3 for -current and 7.9
- 4.23.8 for 7.8

These updates address the following defects:
CVE-2026-1933: Missing access checks on reparse point operations
CVE-2026-2340: WORM vfs module does not block overwrites
CVE-2026-3012: auto-enrolment GPO installing CA certificate over http
               without verification
CVE-2026-3238: Denial of service against AD DC WINS server
CVE-2026-4408: Unauthenticated Remote Code Execution in Samba DCE/RPC
               SAMR server
CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing
               subsystem

More information can be found at
https://www.samba.org/samba/history/samba-4.24.3.html and
https://www.samba.org/samba/history/samba-4.23.8.html.

Enclosed are 3 diffs:
current-samba-4.24.3.patch: updates Samba on current
7.9-samba-4.24.3.patch:     updates Samba on 7.9
7.8-samba-4.23.8.patch:     updates Samba on 7.8

These updates need FIX_EXTRACT_PERMISSIONS=Yes. Minor of libsamba-util
has been bumped.
All three diffs have been lightly run tested.

OK to commit to -current, 7.9 and 7.8?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
diff -u -p -r1.374 Makefile
--- Makefile    15 May 2026 07:31:04 -0000      1.374
+++ Makefile    26 May 2026 15:10:42 -0000
@@ -1,4 +1,4 @@
-VERSION =              4.24.2
+VERSION =              4.24.3
 DISTNAME =             samba-${VERSION}
 EPOCH =                        0
 
@@ -25,7 +25,7 @@ SHARED_LIBS =         dcerpc                  3.0 \
                        samba-hostconfig        19.0 \
                        samba-passdb            3.2 \
                        samba-policy            0.0 \
-                       samba-util              13.0 \
+                       samba-util              13.1 \
                        samdb                   6.0 \
                        smbclient               6.3 \
                        smbconf                 19.1 \
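Review bot: The samba-util line bumps only the minor (13.0 to 13.1), which is correct only if the update adds symbols without removing or changing any. The mail says the minor was bumped but not how that was determined. Please state that the exported symbols of the old and new libsamba-util were compared, and that the other SHARED_LIBS entries visible in this hunk (samba-hostconfig, samba-passdb, samba-policy, samdb, smbclient, smbconf) were checked as well and need no bump.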
@@ -54,6 +54,8 @@ WANTLIB-docs =
 
 SITES =                        https://download.samba.org/pub/samba/stable/ \
                        https://download.samba.org/pub/samba/old-versions/
+
+FIX_EXTRACT_PERMISSIONS =      Yes
 
 MULTI_PACKAGES =       -main -docs
 DEBUG_PACKAGES =       ${BUILD_PACKAGES}
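Review bot: FIX_EXTRACT_PERMISSIONS = Yes is added after SITES with no comment saying why it is needed. A one-line comment naming what in the 4.24.3 distfile extracts with unusable permissions would let a later update drop the setting once upstream ships a clean tarball.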
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
diff -u -p -r1.139 distinfo
--- distinfo    15 May 2026 07:31:04 -0000      1.139
+++ distinfo    26 May 2026 15:10:42 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.24.2.tar.gz) = rCRYPycagqwyT3xvrXMn9ltZGtNJLh3M/umI4sHIHdE=
-SIZE (samba-4.24.2.tar.gz) = 43409510
+SHA256 (samba-4.24.3.tar.gz) = Sl4O0eoZK3mMhz2ZV8UKV2fBDCdnzMsA1W7MQn6U+Ok=
+SIZE (samba-4.24.3.tar.gz) = 43446520
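Review bot: The new SHA256 and SIZE lines for samba-4.24.3.tar.gz pin the distfile for a release that fixes two unauthenticated remote code execution bugs, and the mail does not say how the tarball behind these values was checked. Please confirm it was verified against the upstream release signature before distinfo was regenerated; the same applies to the 4.23.8 distinfo in the 7.8 diff.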
? 7.9-samba-4.24.3.patch
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
diff -u -p -r1.372.2.1 Makefile
--- Makefile    20 May 2026 18:00:12 -0000      1.372.2.1
+++ Makefile    26 May 2026 16:05:25 -0000
@@ -1,4 +1,4 @@
-VERSION =              4.24.2
+VERSION =              4.24.3
 DISTNAME =             samba-${VERSION}
 EPOCH =                        0
 
@@ -25,7 +25,7 @@ SHARED_LIBS =         dcerpc                  3.0 \
                        samba-hostconfig        19.0 \
                        samba-passdb            3.2 \
                        samba-policy            0.0 \
-                       samba-util              13.0 \
+                       samba-util              13.1 \
                        samdb                   6.0 \
                        smbclient               6.3 \
                        smbconf                 19.1 \
@@ -54,6 +54,8 @@ WANTLIB-docs =
 
 SITES =                        https://download.samba.org/pub/samba/stable/ \
                        https://download.samba.org/pub/samba/old-versions/
+
+FIX_EXTRACT_PERMISSIONS =      Yes
 
 MULTI_PACKAGES =       -main -docs
 DEBUG_PACKAGES =       ${BUILD_PACKAGES}
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
diff -u -p -r1.138.2.1 distinfo
--- distinfo    20 May 2026 18:00:12 -0000      1.138.2.1
+++ distinfo    26 May 2026 16:05:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.24.2.tar.gz) = rCRYPycagqwyT3xvrXMn9ltZGtNJLh3M/umI4sHIHdE=
-SIZE (samba-4.24.2.tar.gz) = 43409510
+SHA256 (samba-4.24.3.tar.gz) = Sl4O0eoZK3mMhz2ZV8UKV2fBDCdnzMsA1W7MQn6U+Ok=
+SIZE (samba-4.24.3.tar.gz) = 43446520
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
diff -u -p -r1.365.2.5 Makefile
--- Makefile    1 Mar 2026 19:38:10 -0000       1.365.2.5
+++ Makefile    26 May 2026 18:08:07 -0000
@@ -1,4 +1,4 @@
-VERSION =              4.23.6
+VERSION =              4.23.8
 DISTNAME =             samba-${VERSION}
 EPOCH =                        0
 
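Review bot: VERSION goes from 4.23.6 straight to 4.23.8, so this diff for 7.8 also pulls in whatever changed in 4.23.7, while the mail describes only the CVE fixes and links only the 4.23.8 release notes. For a stable-branch update, please mention that the intermediate release was reviewed and carries nothing unsuitable for 7.8.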
@@ -25,7 +25,7 @@ SHARED_LIBS =         dcerpc                  3.0 \
                        samba-hostconfig        17.0 \
                        samba-passdb            3.2 \
                        samba-policy            0.0 \
-                       samba-util              12.0 \
+                       samba-util              12.1 \
                        samdb                   5.0 \
                        smbclient               6.3 \
                        smbconf                 18.0 \
@@ -54,6 +54,8 @@ WANTLIB-docs =
 
 SITES =                        https://download.samba.org/pub/samba/stable/ \
                        https://download.samba.org/pub/samba/old-versions/
+
+FIX_EXTRACT_PERMISSIONS =      Yes
 
 MULTI_PACKAGES =       -main -docs
 DEBUG_PACKAGES =       ${BUILD_PACKAGES}
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
diff -u -p -r1.131.2.5 distinfo
--- distinfo    1 Mar 2026 19:38:10 -0000       1.131.2.5
+++ distinfo    26 May 2026 18:08:07 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.23.6.tar.gz) = 49q9i15C3Jdmn6D67wMlEKlOSWtY9wZwguUDbYjw5wI=
-SIZE (samba-4.23.6.tar.gz) = 43306831
+SHA256 (samba-4.23.8.tar.gz) = l2EphHRW3Ft4wA+P+3ncYFxJ1qrKiyqncv0i27afrgE=
+SIZE (samba-4.23.8.tar.gz) = 43360349
Index: patches/patch-buildtools_wafsamba_samba_autoconf_py
===================================================================
RCS file: 
/cvs/ports/net/samba/patches/patch-buildtools_wafsamba_samba_autoconf_py,v
diff -u -p -r1.24 patch-buildtools_wafsamba_samba_autoconf_py
--- patches/patch-buildtools_wafsamba_samba_autoconf_py 15 Sep 2025 04:27:32 
-0000      1.24
+++ patches/patch-buildtools_wafsamba_samba_autoconf_py 26 May 2026 18:08:07 
-0000
@@ -5,7 +5,7 @@
 Index: buildtools/wafsamba/samba_autoconf.py
 --- buildtools/wafsamba/samba_autoconf.py.orig
 +++ buildtools/wafsamba/samba_autoconf.py
-@@ -958,6 +958,27 @@ def ADD_LDFLAGS(conf, flags, testflags=False):
+@@ -963,6 +963,27 @@ def ADD_LDFLAGS(conf, flags, testflags=False):
      if not 'EXTRA_LDFLAGS' in conf.env:
          conf.env['EXTRA_LDFLAGS'] = []
      conf.env['EXTRA_LDFLAGS'].extend(TO_LIST(flags))
@@ -33,7 +33,7 @@ Index: buildtools/wafsamba/samba_autocon
      return flags
  
  
-@@ -1029,7 +1050,7 @@ def SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS(conf):
+@@ -1034,7 +1055,7 @@ def SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS(conf):
          # symbols used for fuzzers are only defined by compiler wrappers.
          return
  
