Bug 21743 - samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Summary: samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.samba.org/samba/history/s...
Whiteboard: MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on: 22030
Blocks:
Reported: 2017-09-20 10:56 CEST by Zombie Ryushu
Modified: 2018-01-02 17:26 CET

See Also:
Source RPM: samba-4.6.7-1.mga7
CVE:
Status comment:


Description Zombie Ryushu 2017-09-20 10:56:54 CEST
This is a security release in order to address the following defects:

o  CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
   should)
o  CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
o  CVE-2017-12163 (Server memory information leak over SMB1)


=======
Details
=======

o  CVE-2017-12150:
   A man in the middle attack may hijack client connections.

o  CVE-2017-12151:
   A man in the middle attack can read and may alter confidential
   documents transferred via a client connection, which are reached
   via DFS redirect when the original connection used SMB3.

o  CVE-2017-12163:
   Client with write access to a share can cause server memory contents to be
   written into a file or printer.

For more details and workarounds, please see the security advisories:

   o https://www.samba.org/samba/security/CVE-2017-12150.html
   o https://www.samba.org/samba/security/CVE-2017-12151.html
   o https://www.samba.org/samba/security/CVE-2017-12163.html

Comment 1 Marja Van Waes 2017-09-20 11:56:49 CEST
Is only Cauldron affected?

Assigning to neoclust, because, IINM, he's pushed samba more often recently than bmilne. CC'ing the latter, though.

@ bmilne

Sorry if I should have assigned to you. If so: please grab this bug :-)

Source RPM: samba => samba-4.6.7-1.mga7
Assignee: bugsquad => mageia
CC: (none) => bgmilne, geiger.david68210, marja11

Marja Van Waes 2017-09-20 11:57:24 CEST

Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-12150: => [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163

Comment 2 David Walser 2017-09-20 13:01:57 CEST
The upstream announcements were made today (September 20):
https://www.samba.org/samba/latest_news.html#4.6.8

Mageia 5 and Mageia 6 are also affected, but CVE-2017-12151 doesn't affect mga5.

Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163 => samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => luigiwalser

Comment 3 David Walser 2017-09-21 03:56:41 CEST
samba-4.6.8-1.mga7 uploaded for Cauldron.  4.6.8 checked into Mageia 6 SVN.  Hopefully Ubuntu or someone provides backported patches for Samba 3.5.x soon.

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 4 David Walser 2017-09-21 23:46:16 CEST
Ubuntu has issued an advisory for this today (September 21):
https://usn.ubuntu.com/usn/usn-3426-1/

I'm not sure if they're still going to update 12.04LTS, but if so that'll be done separately.

Comment 5 David Walser 2017-11-03 16:59:12 CET
Ubuntu has issued an advisory for this on November 2:
https://usn.ubuntu.com/usn/usn-3426-2/

This has the patches I've been waiting for for Mageia 5.

David Walser 2017-11-22 17:58:43 CET

Depends on: (none) => 22030

José Jorge 2017-11-22 18:03:16 CET

Depends on: 22030 => (none)

Comment 6 David Walser 2017-11-22 18:07:21 CET
(In reply to David Walser from comment #5)
> Ubuntu has issued an advisory for this on November 2:
> https://usn.ubuntu.com/usn/usn-3426-2/
> 
> This has the patches I've been waiting for for Mageia 5.

Oh lovely, the source for this update has disappeared from Ubuntu's site.

David Walser 2017-11-22 18:08:05 CET

Depends on: (none) => 22030

Comment 7 David Walser 2017-11-22 18:14:09 CET
The CVE-2017-15275 part of the latest security patch for 4.5.14:
https://www.samba.org/samba/ftp/patches/security/samba-4.5.14-security-2017-11-21.patch

applies fine to 3.6.25.  Unfortunately it's not the case with the CVE-2017-12150 and CVE-2017-12163 portions of the 4.4.15 patch with those fixes, so we need that Ubuntu source.

José Jorge 2017-11-22 18:22:51 CET

Depends on: 22030 => (none)

Comment 8 David Walser 2017-11-22 19:44:45 CET
Ubuntu has issued an advisory for this on November 21:
https://usn.ubuntu.com/usn/usn-3486-2/

The link to the source still fails.

Depends on: (none) => 22030

Comment 9 David Walser 2017-12-29 19:34:46 CET
I got patches for CVE-2017-12150 and CVE-2017-12163 from Debian.  Build submitted and will be available eventually.

Advisory:
========================

Updated samba packages fix security vulnerabilities:

Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in
certain situations. A remote attacker could use this issue to perform a man
in the middle attack. (CVE-2017-12150)

Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory
when SMB1 is being used. A remote attacker could possibly use this issue to
obtain server memory contents. (CVE-2017-12163)

Volker Lendecke discovered that Samba incorrectly cleared memory when
returning data to a client. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2017-15275)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
https://www.samba.org/samba/security/CVE-2017-12150.html
https://www.samba.org/samba/security/CVE-2017-12163.html
https://www.samba.org/samba/security/CVE-2017-15275.html
https://usn.ubuntu.com/usn/usn-3426-2/
https://usn.ubuntu.com/usn/usn-3486-2/
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.25-2.8.mga5
samba-client-3.6.25-2.8.mga5
samba-common-3.6.25-2.8.mga5
samba-doc-3.6.25-2.8.mga5
samba-swat-3.6.25-2.8.mga5
samba-winbind-3.6.25-2.8.mga5
nss_wins-3.6.25-2.8.mga5
libsmbclient0-3.6.25-2.8.mga5
libsmbclient0-devel-3.6.25-2.8.mga5
libsmbclient0-static-devel-3.6.25-2.8.mga5
libnetapi0-3.6.25-2.8.mga5
libnetapi-devel-3.6.25-2.8.mga5
libsmbsharemodes0-3.6.25-2.8.mga5
libsmbsharemodes-devel-3.6.25-2.8.mga5
libwbclient0-3.6.25-2.8.mga5
libwbclient-devel-3.6.25-2.8.mga5
samba-virusfilter-clamav-3.6.25-2.8.mga5
samba-virusfilter-fsecure-3.6.25-2.8.mga5
samba-virusfilter-sophos-3.6.25-2.8.mga5
samba-domainjoin-gui-3.6.25-2.8.mga5

from samba-3.6.25-2.8.mga5.src.rpm

Version: 6 => 5
Whiteboard: MGA5TOO => (none)
Assignee: mageia => qa-bugs

Dave Hodgins 2018-01-01 07:35:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 James Kerr 2018-01-02 11:56:39 CET
on mga5-64

packages installed cleanly:
- lib64smbclient0-3.6.25-2.8.mga5.x86_64
- samba-client-3.6.25-2.8.mga5.x86_64
- samba-common-3.6.25-2.8.mga5.x86_64
- samba-server-3.6.25-2.8.mga5.x86_64

smbtree continues to list all available shares on the LAN

can access share on this system from an mga6 system and from another mga5 system

can access shares on an mga6 system and on another mga5 system from this system

OK for mga5-64

Whiteboard: (none) => MGA5-64-OK
CC: (none) => jim

Comment 11 James Kerr 2018-01-02 12:21:43 CET
on mga5-32 (in a vbox VM)

packages installed cleanly:
- libsmbclient0-3.6.25-2.8.mga5.i586
- samba-client-3.6.25-2.8.mga5.i586
- samba-common-3.6.25-2.8.mga5.i586
- samba-server-3.6.25-2.8.mga5.i586

smbtree continues to list available shares

can access shares on an mga6 system and on another mga5 system from this system

can access a share on this system from an mga6 system and from another mga5 system

OK for mga5-32

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 12 James Kerr 2018-01-02 12:25:45 CET
This update is now validated and can be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 James Kerr 2018-01-02 12:35:02 CET
Why is this bug marked as depending on bug#22030 which is for mga6?

Comment 14 David Walser 2018-01-02 13:03:11 CET
(In reply to James Kerr from comment #13)
> Why is this bug marked as depending on bug#22030 which is for mga6?

Because it fixes some of the same issues and we don't do that in older releases before newer ones.  Both updates need to be tested and they should be released together, just as they would if I had kept them in the same bug.

Comment 15 Mageia Robot 2018-01-02 17:26:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0022.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

