This is a security release in order to address the following defects:

o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should)
o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
o CVE-2017-12163 (Server memory information leak over SMB1)

=======
Details
=======

o CVE-2017-12150: A man in the middle attack may hijack client connections.
o CVE-2017-12151: A man in the middle attack can read and may alter confidential documents transferred via a client connection, which are reached via DFS redirect when the original connection used SMB3.
o CVE-2017-12163: Client with write access to a share can cause server memory contents to be written into a file or printer.

For more details and workarounds, please see the security advisories:

o https://www.samba.org/samba/security/CVE-2017-12150.html
o https://www.samba.org/samba/security/CVE-2017-12151.html
o https://www.samba.org/samba/security/CVE-2017-12163.html
Is only Cauldron affected?

Assigning to neoclust, because, IINM, he's pushed samba more often recently than bmilne. CC'ing the latter, though.

@ bmilne Sorry if I should have assigned to you. If so: please grab this bug :-)

Source RPM: samba => samba-4.6.7-1.mga7
Assignee: bugsquad => mageia
CC: (none) => bgmilne, geiger.david68210, marja11
Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-12150: => [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163
The upstream announcements were made today (September 20):
https://www.samba.org/samba/latest_news.html#4.6.8

Mageia 5 and Mageia 6 are also affected, but CVE-2017-12151 doesn't affect mga5.

Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163 => samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => luigiwalser
samba-4.6.8-1.mga7 uploaded for Cauldron. 4.6.8 checked into Mageia 6 SVN. Hopefully Ubuntu or someone provides backported patches for Samba 3.5.x soon.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Ubuntu has issued an advisory for this today (September 21): https://usn.ubuntu.com/usn/usn-3426-1/ I'm not sure if they're still going to update 12.04LTS, but if so that'll be done separately.
Ubuntu has issued an advisory for this on November 2: https://usn.ubuntu.com/usn/usn-3426-2/ This has the patches I've been waiting for for Mageia 5.
Depends on: (none) => 22030
Depends on: 22030 => (none)
(In reply to David Walser from comment #5)
> Ubuntu has issued an advisory for this on November 2:
> https://usn.ubuntu.com/usn/usn-3426-2/
>
> This has the patches I've been waiting for for Mageia 5.

Oh lovely, the source for this update has disappeared from Ubuntu's site.
The CVE-2017-15275 part of the latest security patch for 4.5.14: https://www.samba.org/samba/ftp/patches/security/samba-4.5.14-security-2017-11-21.patch applies fine to 3.6.25. Unfortunately it's not the case with the CVE-2017-12150 and CVE-2017-12163 portions of the 4.4.15 patch with those fixes, so we need that Ubuntu source.
Ubuntu has issued an advisory for this on November 21: https://usn.ubuntu.com/usn/usn-3486-2/ The link to the source still fails.
I got patches for CVE-2017-12150 and CVE-2017-12163 from Debian.

Build submitted and will be available eventually.

Advisory:
========================

Updated samba packages fix security vulnerabilities:

Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in certain situations. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2017-12150)

Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory when SMB1 is being used. A remote attacker could possibly use this issue to obtain server memory contents. (CVE-2017-12163)

Volker Lendecke discovered that Samba incorrectly cleared memory when returning data to a client. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-15275)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
https://www.samba.org/samba/security/CVE-2017-12150.html
https://www.samba.org/samba/security/CVE-2017-12163.html
https://www.samba.org/samba/security/CVE-2017-15275.html
https://usn.ubuntu.com/usn/usn-3426-2/
https://usn.ubuntu.com/usn/usn-3486-2/
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.25-2.8.mga5
samba-client-3.6.25-2.8.mga5
samba-common-3.6.25-2.8.mga5
samba-doc-3.6.25-2.8.mga5
samba-swat-3.6.25-2.8.mga5
samba-winbind-3.6.25-2.8.mga5
nss_wins-3.6.25-2.8.mga5
libsmbclient0-3.6.25-2.8.mga5
libsmbclient0-devel-3.6.25-2.8.mga5
libsmbclient0-static-devel-3.6.25-2.8.mga5
libnetapi0-3.6.25-2.8.mga5
libnetapi-devel-3.6.25-2.8.mga5
libsmbsharemodes0-3.6.25-2.8.mga5
libsmbsharemodes-devel-3.6.25-2.8.mga5
libwbclient0-3.6.25-2.8.mga5
libwbclient-devel-3.6.25-2.8.mga5
samba-virusfilter-clamav-3.6.25-2.8.mga5
samba-virusfilter-fsecure-3.6.25-2.8.mga5
samba-virusfilter-sophos-3.6.25-2.8.mga5
samba-domainjoin-gui-3.6.25-2.8.mga5

from samba-3.6.25-2.8.mga5.src.rpm

Version: 6 => 5
Whiteboard: MGA5TOO => (none)
Assignee: mageia => qa-bugs

CC: (none) => davidwhodgins
Keywords: (none) => advisory
on mga5-64

packages installed cleanly:
- lib64smbclient0-3.6.25-2.8.mga5.x86_64
- samba-client-3.6.25-2.8.mga5.x86_64
- samba-common-3.6.25-2.8.mga5.x86_64
- samba-server-3.6.25-2.8.mga5.x86_64

smbtree continues to list all available shares on the LAN

can access share on this system from an mga6 system and from another mga5 system

can access shares on an mga6 system and on another mga5 system from this system

OK for mga5-64

Whiteboard: (none) => MGA5-64-OK
CC: (none) => jim
on mga5-32 (in a vbox VM)

packages installed cleanly:
- libsmbclient0-3.6.25-2.8.mga5.i586
- samba-client-3.6.25-2.8.mga5.i586
- samba-common-3.6.25-2.8.mga5.i586
- samba-server-3.6.25-2.8.mga5.i586

smbtree continues to list available shares

can access shares on an mga6 system and on another mga5 system from this system

can access a share on this system from an mga6 system and from another mga5 system

OK for mga5-32
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
This update is now validated and can be pushed to updates
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Why is this bug marked as depending on bug#22030 which is for mga6?
(In reply to James Kerr from comment #13)
> Why is this bug marked as depending on bug#22030 which is for mga6?

Because it fixes some of the same issues and we don't do that in older releases before newer ones. Both updates need to be tested and they should be released together, just as if they would if I had kept them in the same bug.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0022.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED