From ac3ce22fe960b9b6c6368a0b5bf95a1ae0180ae7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:41:10 +0100
Subject: [PATCH] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in
 nsupdate-gss

This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
 source4/scripting/bin/nsupdate-gss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916f286..509220d5a1d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
     my $flags = 
 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+	GSS_C_INTEG_FLAG;
 
 
     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
-- 
2.11.4.GIT