Ubuntu has issued an advisory on May 4: http://www.ubuntu.com/usn/usn-2950-3/ Patched package uploaded for Mageia 5. Advisory: ---------------------------------------- The last security update for the samba package, MGASA-2016-0151, introduced some regressions which have been fixed by this update. References: http://advisories.mageia.org/MGASA-2016-0151.html http://www.ubuntu.com/usn/usn-2950-3/ ---------------------------------------- Updated packages in core/updates_testing: ---------------------------------------- samba-server-3.6.25-2.4.mga5 samba-client-3.6.25-2.4.mga5 samba-common-3.6.25-2.4.mga5 samba-doc-3.6.25-2.4.mga5 samba-swat-3.6.25-2.4.mga5 samba-winbind-3.6.25-2.4.mga5 nss_wins-3.6.25-2.4.mga5 libsmbclient0-3.6.25-2.4.mga5 libsmbclient0-devel-3.6.25-2.4.mga5 libsmbclient0-static-devel-3.6.25-2.4.mga5 libnetapi0-3.6.25-2.4.mga5 libnetapi-devel-3.6.25-2.4.mga5 libsmbsharemodes0-3.6.25-2.4.mga5 libsmbsharemodes-devel-3.6.25-2.4.mga5 libwbclient0-3.6.25-2.4.mga5 libwbclient-devel-3.6.25-2.4.mga5 samba-virusfilter-clamav-3.6.25-2.4.mga5 samba-virusfilter-fsecure-3.6.25-2.4.mga5 samba-virusfilter-sophos-3.6.25-2.4.mga5 samba-domainjoin-gui-3.6.25-2.4.mga5 from samba-3.6.25-2.4.mga5.src.rpm
*** Bug 18459 has been marked as a duplicate of this bug. ***
CC: (none) => s.puch
Ubuntu has issued another advisory with regression fixes today (May 18): http://www.ubuntu.com/usn/usn-2950-4/ Patched package uploaded for Mageia 5. Advisory: ---------------------------------------- The last security update for the samba package, MGASA-2016-0151, introduced some regressions which have been fixed by this update. References: http://advisories.mageia.org/MGASA-2016-0151.html http://www.ubuntu.com/usn/usn-2950-3/ http://www.ubuntu.com/usn/usn-2950-4/ ---------------------------------------- Updated packages in core/updates_testing: ---------------------------------------- samba-server-3.6.25-2.5.mga5 samba-client-3.6.25-2.5.mga5 samba-common-3.6.25-2.5.mga5 samba-doc-3.6.25-2.5.mga5 samba-swat-3.6.25-2.5.mga5 samba-winbind-3.6.25-2.5.mga5 nss_wins-3.6.25-2.5.mga5 libsmbclient0-3.6.25-2.5.mga5 libsmbclient0-devel-3.6.25-2.5.mga5 libsmbclient0-static-devel-3.6.25-2.5.mga5 libnetapi0-3.6.25-2.5.mga5 libnetapi-devel-3.6.25-2.5.mga5 libsmbsharemodes0-3.6.25-2.5.mga5 libsmbsharemodes-devel-3.6.25-2.5.mga5 libwbclient0-3.6.25-2.5.mga5 libwbclient-devel-3.6.25-2.5.mga5 samba-virusfilter-clamav-3.6.25-2.5.mga5 samba-virusfilter-fsecure-3.6.25-2.5.mga5 samba-virusfilter-sophos-3.6.25-2.5.mga5 samba-domainjoin-gui-3.6.25-2.5.mga5 from samba-3.6.25-2.5.mga5.src.rpm
Interesting. The patch does exactly the same what I mentioned as work around in Bug 18457 by setting 'client ipc signing = auto'. # rpm -qa | grep samba samba-common-3.6.25-2.4.mga5 samba-client-3.6.25-2.4.mga5 samba-server-3.6.25-2.4.mga5 # # testparm -v > smb-3.6.25-2.4.conf # urpmi -v ./samba-server-3.6.25-2.5.mga5.i586.rpm ./samba-common-3.6.25-2.5.mga5.i586.rpm ./samba-client-3.6.25-2.5.mga5.i586.rpm # rpm -qa | grep samba samba-client-3.6.25-2.5.mga5 samba-common-3.6.25-2.5.mga5 samba-server-3.6.25-2.5.mga5 # # testparm -v > smb-3.6.25-2.5.conf # diff smb-3.6.25-2.4.conf smb-3.6.25-2.5.conf 91,92c91,92 < client signing = required < client ipc signing = required --- > client signing = auto > client ipc signing = auto # What I wonder about: If 'server signing' is still set to default (disabled) what means that the server will not offer signing, then reducing 'client ipc signing' from mandatory to auto means that signing will never be used at all? In other words the additional security which should be introduced with CVE-2016-2115 is now configured as the behaviour before isn't it? What do I miss? At least it works on my system as before the update MGASA-2016-0151. MGA5-32
Whiteboard: (none) => MGA5-32-OK
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGAA-2016-0078.html
Status: NEW => RESOLVEDResolution: (none) => FIXED