| Summary: | samba new security issue CVE-2016-2125 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/709661/ | | |
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | | |
| Source RPM: | samba-3.6.25-2.5.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2016-12-19 17:06:50 CET
Debian has issued an advisory for this today (December 19):
https://www.debian.org/security/2016/dsa-3740

Advisory saved for later below.

Advisory:
========================

Updated samba packages fix security vulnerability:

Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service (CVE-2016-2125).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
https://www.samba.org/samba/security/CVE-2016-2125.html
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.25-2.6.mga5
samba-client-3.6.25-2.6.mga5
samba-common-3.6.25-2.6.mga5
samba-doc-3.6.25-2.6.mga5
samba-swat-3.6.25-2.6.mga5
samba-winbind-3.6.25-2.6.mga5
nss_wins-3.6.25-2.6.mga5
libsmbclient0-3.6.25-2.6.mga5
libsmbclient0-devel-3.6.25-2.6.mga5
libsmbclient0-static-devel-3.6.25-2.6.mga5
libnetapi0-3.6.25-2.6.mga5
libnetapi-devel-3.6.25-2.6.mga5
libsmbsharemodes0-3.6.25-2.6.mga5
libsmbsharemodes-devel-3.6.25-2.6.mga5
libwbclient0-3.6.25-2.6.mga5
libwbclient-devel-3.6.25-2.6.mga5
samba-virusfilter-clamav-3.6.25-2.6.mga5
samba-virusfilter-fsecure-3.6.25-2.6.mga5
samba-virusfilter-sophos-3.6.25-2.6.mga5
samba-domainjoin-gui-3.6.25-2.6.mga5

from samba-3.6.25-2.6.mga5.src.rpm

Patched package uploaded for Mageia 5. Advisory and package list in Comment 1.

URL: (none) => https://lwn.net/Vulnerabilities/709661/

ok I installed the following

The following 36 packages are going to be installed:

- clamav-0.99.2-1.mga5.x86_64
- clamav-db-0.99.2-1.mga5.noarch
- clamd-0.99.2-1.mga5.x86_64
- lib64audit-devel-2.4.4-1.mga5.x86_64
- lib64cap-devel-2.24-3.mga5.x86_64
- lib64clamav7-0.99.2-1.mga5.x86_64
- lib64ext2fs-devel-1.42.12-5.mga5.x86_64
- lib64krb53-devel-1.12.5-1.1.mga5.x86_64
- lib64ldap2.4_2-devel-2.4.40-3.1.mga5.x86_64
- lib64netapi0-3.6.25-2.6.mga5.x86_64
- lib64openssl-devel-1.0.2j-1.mga5.x86_64
- lib64pam-devel-1.1.8-10.1.mga5.x86_64
- lib64sasl2-devel-2.1.26-10.mga5.x86_64
- lib64smbclient0-3.6.25-2.6.mga5.x86_64
- lib64smbclient0-devel-3.6.25-2.6.mga5.x86_64
- lib64smbsharemodes-devel-3.6.25-2.6.mga5.x86_64
- lib64talloc-devel-2.1.5-1.mga5.x86_64
- lib64tdb-devel-1.3.8-1.mga5.x86_64
- lib64tevent-devel-0.9.28-1.mga5.x86_64
- lib64verto-devel-0.2.6-3.mga5.x86_64
- lib64wbclient-devel-3.6.25-2.6.mga5.x86_64
- lib64wrap-devel-7.6-46.mga5.x86_64
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Convert-ASN1-0.270.0-3.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.x86_64
- perl-ldap-0.620.0-3.mga5.noarch
- samba-client-3.6.25-2.6.mga5.x86_64
- samba-common-3.6.25-2.6.mga5.x86_64
- samba-doc-3.6.25-2.6.mga5.noarch
- samba-domainjoin-gui-3.6.25-2.6.mga5.x86_64
- samba-server-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-clamav-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-fsecure-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-sophos-3.6.25-2.6.mga5.x86_64
- samba-winbind-3.6.25-2.6.mga5.x86_64

201MB of additional disk space will be used.
136MB of packages will be retrieved.
Is it ok to continue?

Set up the Samba Server https://doc.mageia.org/mcc/3/en/content/draksambashare.html. Also enabled SMB through shorewall.

I was able to map and load files from Windows 10 machine to Samba server and retrieve them back.

Seems to work to me. Granted, I have not tested ldap or several other pieces yet.
Samba Server works though.

CC: (none) => brtians1

That's sufficient for our purposes Brian, well done. Don't forget to add the OK.

Advanced uses are beyond our remit, unless we have invested participants, i.e. people who use it and are willing to test it.

Hi Claire - thanks. I wanted to test the client as well.

Finally did - 32 bit client

The following 3 packages are going to be installed:

- libsmbclient0-3.6.25-2.6.mga5.i586
- libwbclient0-3.6.25-2.6.mga5.i586
- samba-client-3.6.25-2.6.mga5.i586

76B of disk space will be freed.
4.9MB of packages will be retrieved.

I wasn't able to utilize the GUI for mounting but used the command below

    mount -t cifs //<ip>/<sharename> /<local folder name>

Once I did that properly the Samba client worked fine. 90% sure it is how I had the server configured.

Whiteboard: (none) => MGA5-64-OK MGA5-32-OK

Thank you for your good & prompt work, Brian. Validating, advisory from Comment 1 uploaded.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0431.html

Status: NEW => RESOLVED