Release date:
2026-05-05 01:46:44 UTC
Description:
* SECURITY UPDATE: domain user can become root on a domain member by
  renaming a machine account
  - debian/patches/CVE-2020-25717.patch: backport the el6/ol6 8-commit
    subset (samba 3.6.23 precedent); introduce the new "min domain
    uid" smb.conf parameter (default 1000) and enforce it in
    check_account() so a domain logon resolving to a uid below the
    threshold is rejected with NT_STATUS_INVALID_TOKEN; drop the
    DOMAIN\user to user prefix-stripping fallback in smb_getpwnam();
    stop autocreating local users from check_account() and from the
    kerberos guest fallback by passing create=false; drop the
    !winbind_ping() branch in create_local_token() so a missing
    winbindd no longer silently switches the unix-token computation;
    and require a PAC in any domain mode (DC or member) inside
    gensec_generate_session_info_pac(), returning
    NT_STATUS_NO_IMPERSONATION_TOKEN otherwise (the gensec hunk is the
    jointly tagged CVE-2020-25717+CVE-2020-25719 commit, so this
    update also delivers the member-server portion of CVE-2020-25719;
    the DC-side portion of CVE-2020-25719 is tracked separately under
    ELSCVE-104393)
  - CVE-2020-25717
* SECURITY UPDATE: privileged attribute escalation and structural
  objectclass change in active directory ldap server
  - debian/patches/CVE-2020-25722.patch: in
    source4/dsdb/samdb/ldb_modules/objectclass.c, capture the current
    structural objectclass at the start of objectclass_do_mod and
    reject any modify that would change it; in
    source4/dsdb/samdb/ldb_modules/samldb.c, factor the domain
    ntSecurityDescriptor lookup into samldb_get_domain_secdesc() and
    add samldb_check_sensitive_attributes(), invoked from samldb_add()
    and samldb_modify(), to refuse non-system writes to sidHistory,
    gate msDS-SecondaryKrbTgtNumber on the DS-Install-Replica
    extended right, and gate msDS-AllowedToDelegateTo on
    SePrivEnableDelegation
  - CVE-2020-25722
Updated packages:
- ctdb_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libnss-winbind_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libpam-winbind_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libparse-pidl-perl_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libsmbclient_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libsmbclient-dev_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libwbclient-dev_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- libwbclient0_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- python-samba_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- registry-tools_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-common_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_all.deb
- samba-common-bin_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-dev_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-dsdb-modules_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-libs_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-testsuite_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- samba-vfs-modules_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- smbclient_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
- winbind_4.3.11+dfsg-0ubuntu0.16.04.34+tuxcare.els10_amd64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.