Upstream has issued advisories on December 16:
https://www.samba.org/samba/security/CVE-2015-3223.html
https://www.samba.org/samba/security/CVE-2015-5330.html
https://www.samba.org/samba/security/CVE-2015-5296.html
https://www.samba.org/samba/security/CVE-2015-5299.html
https://www.samba.org/samba/security/CVE-2015-5252.html

For Mageia 5, the impacts are as follows:
Issues CVE-2015-3223 and CVE-2015-5330 affect ldb.
Issues CVE-2015-5296, CVE-2015-5299, and CVE-2015-5252 affect samba.

In Cauldron, one additional issue also affects samba:
https://www.samba.org/samba/security/CVE-2015-8467.html

ldb should be updated to 1.1.24 and samba should be updated to 4.3.3:
https://www.samba.org/samba/history/samba-4.3.3.html
Other updates that go along with this for CVE-2015-5330 are tevent 0.9.26, talloc 2.1.5, and tdb 1.3.8.

Fedora has issued advisories for this today (December 18):
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174076.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174077.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174079.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174080.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174078.html
LWN reference for CVE-2015-5330: http://lwn.net/Vulnerabilities/668535/
URL: (none) => http://lwn.net/Vulnerabilities/668541/
OpenSuSE has issued an advisory for this today (December 24): http://lists.opensuse.org/opensuse-updates/2015-12/msg00107.html
What about updating samba to the latest samba 3 release?
(In reply to Nicolas Lécureuil from comment #4)
> What about updating samba to the latest samba 3 release?

Samba 3 is EOL upstream as of early this year. We already have the last one. We need to update to Samba 4 now.
Ubuntu has apparently backported patches for the samba CVEs to Samba 3.6.x for Ubuntu 12.04LTS; see here: http://www.ubuntu.com/usn/usn-2855-2/ We could possibly revert the samba4 update for now and just update ldb.
Ubuntu patches apply perfectly. Mageia 5 samba SVN reverted to samba3 and Ubuntu patches are added. One is for CVE-2015-5330, so I guess it also affects samba. We need to get the other supporting lib packages fully updated and built and then build samba. It looks like ldb now has a 1.1.25 available. I haven't checked if the others have been updated again yet.
talloc, tdb, tevent, and ldb updates built. samba coming next.

libtalloc2-2.1.5-1.mga5
libtalloc-devel-2.1.5-1.mga5
python-talloc-2.1.5-1.mga5
libpytalloc-util2-2.1.5-1.mga5
libpytalloc-util-devel-2.1.5-1.mga5
libtdb1-1.3.8-1.mga5
tdb-utils-1.3.8-1.mga5
libtdb-devel-1.3.8-1.mga5
python-tdb-1.3.8-1.mga5
libtevent0-0.9.28-1.mga5
libtevent-devel-0.9.28-1.mga5
python-tevent-0.9.28-1.mga5
libldb1-1.1.26-1.mga5
ldb-utils-1.1.26-1.mga5
libldb-devel-1.1.26-1.mga5
python-ldb-1.1.26-1.mga5
libpyldb-util1-1.1.26-1.mga5
libpyldb-util-devel-1.1.26-1.mga5

from SRPMS:
talloc-2.1.5-1.mga5.src.rpm
tdb-1.3.8-1.mga5.src.rpm
tevent-0.9.28-1.mga5.src.rpm
ldb-1.1.26-1.mga5.src.rpm
Updated and patched packages uploaded for Mageia 5.

Advisory:
========================

Updated ldb and samba packages fix security vulnerabilities:

A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests (CVE-2015-3223).

Versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path (CVE-2015-5252).

Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without this, a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection (CVE-2015-5296).

Versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module, which could allow unauthorized users to access snapshots (CVE-2015-5299).

A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value. This memory may contain data that the client should not be allowed to see, allowing compromise of the server (CVE-2015-5330).

The talloc, tdb, tevent, and ldb packages have been updated to their latest versions, and the samba package has been patched to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5299
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5330
https://www.samba.org/samba/security/CVE-2015-3223.html
https://www.samba.org/samba/security/CVE-2015-5252.html
https://www.samba.org/samba/security/CVE-2015-5296.html
https://www.samba.org/samba/security/CVE-2015-5299.html
https://www.samba.org/samba/security/CVE-2015-5330.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00107.html
http://www.ubuntu.com/usn/usn-2855-2/
========================

Updated packages in core/updates_testing:
========================
libtalloc2-2.1.5-1.mga5
libtalloc-devel-2.1.5-1.mga5
python-talloc-2.1.5-1.mga5
libpytalloc-util2-2.1.5-1.mga5
libpytalloc-util-devel-2.1.5-1.mga5
libtdb1-1.3.8-1.mga5
tdb-utils-1.3.8-1.mga5
libtdb-devel-1.3.8-1.mga5
python-tdb-1.3.8-1.mga5
libtevent0-0.9.28-1.mga5
libtevent-devel-0.9.28-1.mga5
python-tevent-0.9.28-1.mga5
libldb1-1.1.26-1.mga5
ldb-utils-1.1.26-1.mga5
libldb-devel-1.1.26-1.mga5
python-ldb-1.1.26-1.mga5
libpyldb-util1-1.1.26-1.mga5
libpyldb-util-devel-1.1.26-1.mga5
samba-server-3.6.25-2.1.mga5
samba-client-3.6.25-2.1.mga5
samba-common-3.6.25-2.1.mga5
samba-doc-3.6.25-2.1.mga5
samba-swat-3.6.25-2.1.mga5
samba-winbind-3.6.25-2.1.mga5
nss_wins-3.6.25-2.1.mga5
libsmbclient0-3.6.25-2.1.mga5
libsmbclient0-devel-3.6.25-2.1.mga5
libsmbclient0-static-devel-3.6.25-2.1.mga5
libnetapi0-3.6.25-2.1.mga5
libnetapi-devel-3.6.25-2.1.mga5
libsmbsharemodes0-3.6.25-2.1.mga5
libsmbsharemodes-devel-3.6.25-2.1.mga5
libwbclient0-3.6.25-2.1.mga5
libwbclient-devel-3.6.25-2.1.mga5
samba-virusfilter-clamav-3.6.25-2.1.mga5
samba-virusfilter-fsecure-3.6.25-2.1.mga5
samba-virusfilter-sophos-3.6.25-2.1.mga5
samba-domainjoin-gui-3.6.25-2.1.mga5

from SRPMS:
talloc-2.1.5-1.mga5.src.rpm
tdb-1.3.8-1.mga5.src.rpm
tevent-0.9.28-1.mga5.src.rpm
ldb-1.1.26-1.mga5.src.rpm
samba-3.6.25-2.1.mga5.src.rpm
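
Added example, not part of the original thread and not Samba's code: a simplified model of how a share-path containment check of the kind the advisory describes for CVE-2015-5252 can fail, next to a component-aware version. It assumes the flaw is a plain string-prefix comparison; the function names and sample paths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flawed model (assumed): plain string-prefix test. "/srv/share1/x"
 * passes for root "/srv/share" because the strings share a prefix. */
bool in_share_prefix_only(const char *root, const char *resolved)
{
    return strncmp(root, resolved, strlen(root)) == 0;
}

/* Hardened model: the match must end on a path-component boundary. */
bool in_share_component_aware(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    if (n == 0 || root[0] != '/' || resolved[0] != '/')
        return false;                 /* only absolute paths are compared */
    while (n > 1 && root[n - 1] == '/')
        n--;                          /* ignore trailing slashes on root */
    if (strncmp(root, resolved, n) != 0)
        return false;
    if (n == 1)
        return true;                  /* root is "/": everything is inside */
    return resolved[n] == '/' || resolved[n] == '\0';
}

int main(void)
{
    /* Constructed sample paths, assumed already symlink-resolved
     * (for example by realpath()) before the containment check. */
    const char *root = "/srv/share";
    const char *cases[] = {
        "/srv/share", "/srv/share/docs/a.txt",
        "/srv/share1/secret.txt", "/srv/shared", "/etc/passwd",
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s prefix-only=%d component-aware=%d\n", cases[i],
               in_share_prefix_only(root, cases[i]),
               in_share_component_aware(root, cases[i]));
    return 0;
}
```

The two checks disagree only on sibling directories whose names extend the share root, which is the case worth covering when testing a share whose path has such a sibling.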
Assignee: mageia => qa-bugs
Severity: normal => major
MGA5-64 on Lenovo B50 KDE and MGA5-32 on Acer D620 Xfce.

No installation issues. I have samba server running on both (switched off firewall and restarted). I have a Samba server running on my main PC (none of the above) with all the standard updates installed (no testing repos allowed).

On both test machines:
- at the CLI, smbtree shows all samba servers and the shares
- all connection attempts to any other server than itself with smbclient (or smbclient3 for that matter) fail with NT_STATUS-UNSUCCESSFUL

But using MCC I see I can connect and mount the shares of the main PC (standard packages) and open the files in the share, despite the smbclient error to this server. I can see and mount the shares of the test machines on my main PC, and open the files therein, so the server side seems OK, but I fail to do the same between the two test machines.
CC: (none) => herman.viaene
David, any idea about the smbclient errors?
Whiteboard: (none) => feedback
The "-R host" option might help; it's probably just NetBIOS name resolution not working.
Whiteboard: feedback => (none)
Advisory uploaded.
Whiteboard: (none) => advisory
If you're going to test smbclient (which is a reasonable thing to do), make sure you figure out how to use it successfully before installing the update. It has lots of possible errors and things that can go wrong. I did smbclient //file-server/share -U username where file-server is the name of our file-server (which it could look up via DNS, its DNS domain is the one in my /etc/resolv.conf), the Windows domain was already configured in the /etc/samba/smb.conf file (otherwise you have to specify it in the command), share was the name of an active share on the server, and username is my Windows/AD username. Works fine before and after the update.
Whiteboard: advisory => advisory MGA5-32-OK
I have two mga5-64 systems with samba installed on each. On both systems, I installed from testing:
- lib64smbclient0-3.6.25-2.1.mga5.x86_64
- lib64talloc2-2.1.5-1.mga5.x86_64
- lib64tdb1-1.3.8-1.mga5.x86_64
- lib64tevent0-0.9.28-1.mga5.x86_64
- lib64wbclient0-3.6.25-2.1.mga5.x86_64
- nss_wins-3.6.25-2.1.mga5.x86_64
- samba-client-3.6.25-2.1.mga5.x86_64
- samba-common-3.6.25-2.1.mga5.x86_64
- samba-server-3.6.25-2.1.mga5.x86_64

and restarted samba:
# systemctl restart smb

The packages installed cleanly.

After updating, on each system:
- I can mount and use a shared folder on the other, using a command such as:
  mount -t cifs -o user=jim //192.168.0.3/jim-home /mnt/ecs-jim
- dolphin can access a shared folder on the other
- I can access a shared folder on the other using smbclient, for example:
  smbclient //192.168.0.3/jim-home -U jim

Is this sufficient testing to OK for mga5-64? (I no longer have any Windows systems to test with.)
mount -t cifs uses the cifs-utils package, which isn't part of this update, but if the server side of that connection is running the updated packages, that's a valid test, and smbclient is part of this update, so yes that's sufficient testing. I've added the OK. Feel free to validate it.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
This update is now validated and the packages can be pushed to updates
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0094.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED