SUSE has issued an advisory today (September 12): https://lists.suse.com/pipermail/sle-security-updates/2022-September/012209.html It doesn't look like the upstream fixes have made it into any stable releases yet. Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OO5PL2WBIOJ6AX5KEDZSYH6ILAFYPCOW/
Assigning to the registered maintainer
Assignee: bugsquad => bgmilne
CC: (none) => marja11
Fedora has issued an advisory for this today (September 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YOHL3O2H4FYUTUK2D4PURO24UAX3EBPW/
Having read both bug reports:
* https://bugzilla.samba.org/show_bug.cgi?id=15103
* https://bugzilla.samba.org/show_bug.cgi?id=14833

The Samba team doesn't think these are sufficiently serious to justify them doing a security release, but they have been fixed in 4.17.0.
I guess that's why SUSE had to backport the patches.
Samba has issued advisories today (October 25):
https://www.samba.org/samba/security/CVE-2022-3437.html
https://www.samba.org/samba/security/CVE-2022-3592.html

The issues are fixed upstream in 4.15.11, 4.16.6, and 4.17.2:
https://www.samba.org/samba/history/samba-4.15.11.html
https://www.samba.org/samba/history/samba-4.16.6.html
https://www.samba.org/samba/history/samba-4.17.2.html

Mageia 8 is also affected.
Summary: samba new security issues CVE-2022-1615 and CVE-2022-32743 => samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, and CVE-2022-32743
Status: NEW => ASSIGNED
I've just submitted 4.16.6 to cauldron. Mageia 8 currently has 4.14.x, for which there aren't patches. I propose upgrading Mageia 8 to 4.16.6 here (along with any tight dependencies such as tdb). The other option is upgrading to 4.15.11, but I don't see any advantage to that over upgrading to 4.16.6. Once the Mageia 8 updates are out, I'll upgrade cauldron to 4.17.x (if version freeze hasn't hit), I was waiting for these updates before upgrading.
Don't forget to address CVE-2022-1615 and CVE-2022-32743, as the fixes might not be in 4.16.6.
To go to 4.16.6, we need:
talloc_version: 2.3.2->2.3.3 (or 2.3.4)
tdb_version: 1.4.3->1.4.6 (or 1.4.7)
tevent_version: 0.10.2->0.11.0 (or 0.12.1)
ldb_version: 2.3.4->2.5.2

I've submitted all of these, along with samba and sssd, to core/updates_testing for 8:
talloc-2.3.4-1.mga8
tdb-1.4.7-2.mga8
tevent-0.12.1-1.mga8
ldb-2.5.2-1.mga8
samba-4.16.6-1.mga8
sssd-2.4.0-1.5.mga8

> Don't forget to address CVE-2022-1615 and CVE-2022-32743, as the fixes might not be in 4.16.6.

It appears these weren't backported. But there may be problems with doing that, see https://gitlab.com/samba-team/samba/-/merge_requests/2778, which says:

> Of course it is possible some distributors backported CVE-2022-1615 given the CVE tag but not your fix.

CC: (none) => bgmilne
Assignee: bgmilne => qa-bugs
Assignee: qa-bugs => bgmilne
SUSE already backported the fixes to 4.15, so we should be able to do something here. I can't access that gitlab link.
> SUSE already backported the fixes to 4.15, so we should be able to do something here.

The implication from the bug report is that in doing so they have broken printing.

> I can't access that gitlab link.

I didn't do anything special there, not logged in, and I can read it. The summary is:

> This is related to the fix for https://bugzilla.samba.org/show_bug.cgi?id=15103
> samba-bgqd is aborting and preventing samba printing from working. We've gotten lots of reports of this.

I don't think we should:
* Ship a backported fix for CVE-2022-1615 (not serious) that may break printing
* Wait for CVE-2022-1615 (not serious) to be fixed in 4.16.x before we fix CVE-2022-3592 (serious)

The only other alternative is to ship 4.17.x, but we hadn't done that yet (even in cauldron) in order to work on this instead.
Ok, what about CVE-2022-32743?
> Ok, what about CVE-2022-32743?

There are a lot of patches for that, which haven't been backported to 4.16.x; if we want to fix this, the best may be to update to 4.17.x.

Considering CVE-2022-42898, we need to update to either 4.16.7 (which I have ready to submit) or 4.17.3 (which will require updates to some other libraries).
We could also use SUSE's patch(es) for 4.15.x. Upgrading to 4.17.x is fine if it's not disruptive.
Samba has issued an advisory on November 15:
https://www.samba.org/samba/security/CVE-2022-42898.html

The issue is fixed upstream in 4.17.3, 4.16.7 and 4.15.12:
https://www.samba.org/samba/history/samba-4.15.12.html
https://www.samba.org/samba/history/samba-4.16.7.html
https://www.samba.org/samba/history/samba-4.17.3.html
Summary: samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, and CVE-2022-32743 => samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, CVE-2022-32743, and CVE-2022-42898
(In reply to David Walser from comment #15)
> Samba has issued an advisory on November 15:
> https://www.samba.org/samba/security/CVE-2022-42898.html
>
> The issue is fixed upstream in 4.17.3, 4.16.7 and 4.15.12:
> https://www.samba.org/samba/history/samba-4.15.12.html
> https://www.samba.org/samba/history/samba-4.16.7.html
> https://www.samba.org/samba/history/samba-4.17.3.html

Fedora has issued an advisory for this on November 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RWT32WRO3GIUCYYBMM7WJSBXB7UVCOAU/

(In reply to David Walser from comment #15)
> Samba has issued an advisory on November 15:
> https://www.samba.org/samba/security/CVE-2022-42898.html
>
> The issue is fixed upstream in 4.17.3, 4.16.7 and 4.15.12:
> https://www.samba.org/samba/history/samba-4.15.12.html
> https://www.samba.org/samba/history/samba-4.16.7.html
> https://www.samba.org/samba/history/samba-4.17.3.html

Fedora has issued an advisory for this today (November 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXHIAIPMFZWDIVEPCU6MTIM33HSORPOQ/
Samba has issued advisories on December 15:
https://www.samba.org/samba/security/CVE-2022-38023.html
https://www.samba.org/samba/security/CVE-2022-37966.html
https://www.samba.org/samba/security/CVE-2022-37967.html
https://www.samba.org/samba/security/CVE-2022-45141.html

The issues are fixed upstream in 4.15.13, 4.16.8, and 4.17.4:
https://www.samba.org/samba/history/samba-4.15.13.html
https://www.samba.org/samba/history/samba-4.16.8.html
https://www.samba.org/samba/history/samba-4.17.4.html
Summary: samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, CVE-2022-32743, and CVE-2022-42898 => samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, CVE-2022-32743, CVE-2022-38023, CVE-2022-3796[67], CVE-2022-42898, and CVE-2022-45141
Fedora has issued an advisory for this today (December 19): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTYD5EQRS73QZTWPOC2ZO2FL7MMYXMS/
(In reply to David Walser from comment #19)
> Fedora has issued an advisory for this today (December 19):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/VCTYD5EQRS73QZTWPOC2ZO2FL7MMYXMS/

and the same for 4.16.x:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G2CYDXPFBQES2Z4KLZDILGXFFQ3VIGZ4/
4.16.8 is available in core/updates_testing for mga8

Resulting packages:
ctdb-4.16.8-1.mga8.x86_64.rpm
ctdb-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64samba1-4.16.8-1.mga8.x86_64.rpm
lib64samba1-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64samba-dc0-4.16.8-1.mga8.x86_64.rpm
lib64samba-dc0-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64samba-devel-4.16.8-1.mga8.x86_64.rpm
lib64samba-test0-4.16.8-1.mga8.x86_64.rpm
lib64samba-test0-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64smbclient0-4.16.8-1.mga8.x86_64.rpm
lib64smbclient0-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64smbclient-devel-4.16.8-1.mga8.x86_64.rpm
lib64wbclient0-4.16.8-1.mga8.x86_64.rpm
lib64wbclient0-debuginfo-4.16.8-1.mga8.x86_64.rpm
lib64wbclient-devel-4.16.8-1.mga8.x86_64.rpm
python3-samba-4.16.8-1.mga8.x86_64.rpm
python3-samba-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-4.16.8-1.mga8.x86_64.rpm
samba-client-4.16.8-1.mga8.x86_64.rpm
samba-client-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-common-4.16.8-1.mga8.x86_64.rpm
samba-common-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-dc-4.16.8-1.mga8.x86_64.rpm
samba-dc-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-debugsource-4.16.8-1.mga8.x86_64.rpm
samba-krb5-printing-4.16.8-1.mga8.x86_64.rpm
samba-krb5-printing-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-test-4.16.8-1.mga8.x86_64.rpm
samba-test-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-winbind-4.16.8-1.mga8.x86_64.rpm
samba-winbind-clients-4.16.8-1.mga8.x86_64.rpm
samba-winbind-clients-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-winbind-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-winbind-krb5-locator-4.16.8-1.mga8.x86_64.rpm
samba-winbind-krb5-locator-debuginfo-4.16.8-1.mga8.x86_64.rpm
samba-winbind-modules-4.16.8-1.mga8.x86_64.rpm
samba-winbind-modules-debuginfo-4.16.8-1.mga8.x86_64.rpm

The updated dependencies that were already available in core/updates_testing would need to go too:
talloc-2.3.4-1.mga8
tdb-1.4.7-2.mga8
tevent-0.12.1-1.mga8
ldb-2.5.2-1.mga8
sssd-2.4.0-1.5.mga8

I think we shouldn't waste more time on CVE-2022-1615 at this stage. Fedora 36 is providing 4.16.8 without a patch for CVE-2022-1615 in:

> and the same for 4.16.x:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G2CYDXPFBQES2Z4KLZDILGXFFQ3VIGZ4/
Blocks: (none) => 31346
Summary: samba new security issues CVE-2022-1615, CVE-2022-3437, CVE-2022-3592, CVE-2022-32743, CVE-2022-38023, CVE-2022-3796[67], CVE-2022-42898, and CVE-2022-45141 => samba new security issues CVE-2022-3437, CVE-2022-3592, CVE-2022-38023, CVE-2022-3796[67], CVE-2022-42898, and CVE-2022-45141
Assignee: bgmilne => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from upstream => (none)
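The advisory comments above amount to a per-branch fix matrix (4.15.x, 4.16.x, 4.17.x) plus two issues, CVE-2022-1615 and CVE-2022-32743, that were fixed only in 4.17.0 and never backported, which is why they were dropped from the bug title once 4.16.8 became the update. As an added example that is not part of this bug report and not Mageia's or Samba's tooling, the script below encodes that matrix and reports which of these advisories a given Samba version still lacks; it accepts either a bare x.y.z version or a Mageia NVR such as samba-4.16.8-1.mga8. The sample 4.14.x NVR in the main block is constructed, and the rule that branches newer than 4.17 carry every fix is my assumption, not something the page states.

```python
"""Check a Samba version against the advisories tracked on this bug.

Added example: the fix matrix below is copied from the Samba advisories
cited in the bug; the code itself is not Mageia's or Samba's.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# First fixed release on each maintained branch, from the advisories cited above.
# None: the advisory has no fix on that branch (CVE-2022-1615 and CVE-2022-32743
# were only fixed in 4.17.0 and were not backported to 4.15.x/4.16.x).
FIXED_IN: Dict[str, Dict[Branch, Optional[Version]]] = {
    "CVE-2022-1615":  {(4, 15): None, (4, 16): None, (4, 17): (4, 17, 0)},
    "CVE-2022-32743": {(4, 15): None, (4, 16): None, (4, 17): (4, 17, 0)},
    "CVE-2022-3437":  {(4, 15): (4, 15, 11), (4, 16): (4, 16, 6), (4, 17): (4, 17, 2)},
    "CVE-2022-3592":  {(4, 15): (4, 15, 11), (4, 16): (4, 16, 6), (4, 17): (4, 17, 2)},
    "CVE-2022-42898": {(4, 15): (4, 15, 12), (4, 16): (4, 16, 7), (4, 17): (4, 17, 3)},
    "CVE-2022-38023": {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)},
    "CVE-2022-37966": {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)},
    "CVE-2022-37967": {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)},
    "CVE-2022-45141": {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)},
}

# name-version-release, e.g. "lib64samba-dc0-4.16.8-1.mga8". The name may itself
# contain hyphens, so it is matched lazily and the version must start with a digit.
_NVR = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)$")


def parse_version(text: str) -> Version:
    """Accept a bare '4.16.8' or a Mageia NVR and return (major, minor, patch)."""
    m = _NVR.match(text)
    ver = m.group("ver") if m else text
    parts = ver.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Samba x.y.z version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def unresolved(installed: str) -> List[str]:
    """Advisories from the matrix that the given Samba version does not carry."""
    ver = parse_version(installed)
    branch: Branch = (ver[0], ver[1])
    pending: List[str] = []
    for cve, per_branch in FIXED_IN.items():
        oldest, newest = min(per_branch), max(per_branch)
        if branch < oldest:
            # e.g. the 4.14.x Mageia 8 shipped when the bug was opened: no patches exist
            pending.append(cve)
        elif branch > newest:
            # assumption (not on the page): later branches were cut after the fix
            continue
        else:
            fixed = per_branch.get(branch)
            if fixed is None or ver < fixed:
                pending.append(cve)
    return sorted(pending)


def compare(current: str, candidate: str) -> Dict[str, List[str]]:
    """Summarise what a candidate update fixes and what it still leaves open."""
    before, after = set(unresolved(current)), set(unresolved(candidate))
    return {"fixed_by_update": sorted(before - after), "still_open": sorted(after)}


if __name__ == "__main__":
    # constructed sample NVRs; pass your own on the command line
    cur = sys.argv[1] if len(sys.argv) > 1 else "samba-4.14.6-1.mga8"
    cand = sys.argv[2] if len(sys.argv) > 2 else "samba-4.16.8-1.mga8"
    for key, cves in compare(cur, cand).items():
        print(f"{key}: {', '.join(cves) or 'none'}")
```

Run with the two NVRs as arguments (`python3 samba_fixcheck.py samba-4.14.6-1.mga8 samba-4.16.8-1.mga8`) and the output mirrors the decision taken on this bug: the 4.16.8 update closes the seven advisories that remain in the title and leaves CVE-2022-1615 and CVE-2022-32743 open, because no 4.16.x release carries them.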
Trying to get all the updates. All samba related can be downloaded, but not the ones listed at the end of Comment 21. What's more, even the previous versions of those do not show up in the Core repos, with the exception of sssd, that one lists as version 2.4.0-1.4. Trying to install the samba updates on their own.
CC: (none) => herman.viaene
As I presumed, not possible to install samba updates without the ldb etc...
The debug* ones in Comment 21 don't belong in the list. The others are available.
talloc-2.3.4-1.mga8 not found in the remote repository
tdb-1.4.7-2.mga8 not found in the remote repository
tevent-0.12.1-1.mga8 not found in the remote repository
ldb-2.5.2-1.mga8 not found in the remote repository

And again, there are no previous packages with these names in the Core repos. My QArepo and MCC point to different mirrors.
Those are SRPM names which are needed for the advisory. The RPMs are listed at the top of the comment.
The rpm packages built from the srpm talloc (and the others), such as python3-talloc-2.3.4-1.mga8 as needed for qarepo are not listed anywhere in this bug report. http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30843/application/0 fails to show any rpm packages.
CC: (none) => davidwhodgins
The RPMs are listed in Comment 21.
Oh I see, those are only from the samba SRPM. He did fail to list all of the others.
I've put together a couple of scripts to get the list of rpm packages given a list of srpm packages. Still need to add error checking etc, but here are the results for this bug, in a format suitable for qarepo ...

ctdb-4.16.8-1.mga8
ldb-utils-2.5.2-1.mga8
lib64ldb2-2.5.2-1.mga8
lib64ldb-devel-2.5.2-1.mga8
lib64pyldb-util2-2.5.2-1.mga8
lib64pyldb-util-devel-2.5.2-1.mga8
lib64pytalloc-util2-2.3.4-1.mga8
lib64pytalloc-util-devel-2.3.4-1.mga8
lib64samba1-4.16.8-1.mga8
lib64samba-dc0-4.16.8-1.mga8
lib64samba-devel-4.16.8-1.mga8
lib64samba-test0-4.16.8-1.mga8
lib64smbclient0-4.16.8-1.mga8
lib64smbclient-devel-4.16.8-1.mga8
lib64talloc2-2.3.4-1.mga8
lib64talloc-devel-2.3.4-1.mga8
lib64tdb1-1.4.7-2.mga8
lib64tdb-devel-1.4.7-2.mga8
lib64tevent0-0.12.1-1.mga8
lib64tevent-devel-0.12.1-1.mga8
lib64wbclient0-4.16.8-1.mga8
lib64wbclient-devel-4.16.8-1.mga8
libipa_hbac-2.4.0-1.5.mga8
libipa_hbac-devel-2.4.0-1.5.mga8
libsss_autofs-2.4.0-1.5.mga8
libsss_certmap-2.4.0-1.5.mga8
libsss_certmap-devel-2.4.0-1.5.mga8
libsss_idmap-2.4.0-1.5.mga8
libsss_idmap-devel-2.4.0-1.5.mga8
libsss_nss_idmap-2.4.0-1.5.mga8
libsss_nss_idmap-devel-2.4.0-1.5.mga8
libsss_simpleifp-2.4.0-1.5.mga8
libsss_simpleifp-devel-2.4.0-1.5.mga8
libsss_sudo-2.4.0-1.5.mga8
python3-ldb-2.5.2-1.mga8
python3-libipa_hbac-2.4.0-1.5.mga8
python3-libsss_nss_idmap-2.4.0-1.5.mga8
python3-samba-4.16.8-1.mga8
python3-sss-2.4.0-1.5.mga8
python3-sssdconfig-2.4.0-1.5.mga8
python3-sss-murmur-2.4.0-1.5.mga8
python3-talloc-2.3.4-1.mga8
python3-tdb-1.4.7-2.mga8
python3-tevent-0.12.1-1.mga8
samba-4.16.8-1.mga8
samba-client-4.16.8-1.mga8
samba-common-4.16.8-1.mga8
samba-dc-4.16.8-1.mga8
samba-krb5-printing-4.16.8-1.mga8
samba-test-4.16.8-1.mga8
samba-winbind-4.16.8-1.mga8
samba-winbind-clients-4.16.8-1.mga8
samba-winbind-krb5-locator-4.16.8-1.mga8
samba-winbind-modules-4.16.8-1.mga8
sssd-2.4.0-1.5.mga8
sssd-ad-2.4.0-1.5.mga8
sssd-client-2.4.0-1.5.mga8
sssd-common-2.4.0-1.5.mga8
sssd-common-pac-2.4.0-1.5.mga8
sssd-dbus-2.4.0-1.5.mga8
sssd-ipa-2.4.0-1.5.mga8
sssd-kcm-2.4.0-1.5.mga8
sssd-krb5-2.4.0-1.5.mga8
sssd-krb5-common-2.4.0-1.5.mga8
sssd-ldap-2.4.0-1.5.mga8
sssd-nfs-idmap-2.4.0-1.5.mga8
sssd-proxy-2.4.0-1.5.mga8
sssd-tools-2.4.0-1.5.mga8
sssd-winbind-idmap-2.4.0-1.5.mga8
tdb-utils-1.4.7-2.mga8
MGA8-64 MATE on Acer Aspire 5253

No installation issues with list from Comment 30.
Ref bug 30675 Comment 8 for testing.

On this laptop:
# systemctl start smb
# systemctl -l status smb
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-01-04 16:24:16 CET; 15s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 8840 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 3 (limit: 4364)
     Memory: 6.8M
        CPU: 379ms
     CGroup: /system.slice/smb.service
             ├─8840 /usr/sbin/smbd --foreground --no-process-group
             ├─8843 /usr/sbin/smbd --foreground --no-process-group
             └─8844 /usr/sbin/smbd --foreground --no-process-group

Jan 04 16:24:16 mach7.hviaene.thuis systemd[1]: Starting Samba SMB Daemon...
Jan 04 16:24:16 mach7.hviaene.thuis systemd[1]: Started Samba SMB Daemon.

Setup server in MCC.
Test connection to smb on my desktop PC:
$ smbclient //mach1/herman -U herman
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
Password for [TESTGROUP\herman]:
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
smbclient: Ignoring: /etc/krb5.conf:1: binding before section
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\mach1\herman\
smb: \> ls
  .                                    D        0  Wed Jan  4 15:13:12 2023
  ..                                   D        0  Thu Aug  4 13:57:07 2022
  .dillo                              DH        0  Thu Nov 17 18:08:47 2022
  Viaene-2021-04-18-09-52-04.gramps    N   513054  Sun Apr 18 09:52:04 2021
  Viaene-2020-08-07-17-48-13.gramps    N   509508  Fri Aug  7 17:48:17 2020
  rpmbuild                             D        0  Sun Aug 16 11:16:34 2020
  idkaartherman.jpg                    N   235947  Thu Sep 23 17:27:46 2010
  Watteeuw-2020-08-29-14-22-33.gramps  N   678052  Sat Aug 29 14:22:37 2020
  kerst2015nedklein.ppsx               N  1514274  Fri Dec 25 20:05:05 2015
  .audacity-data                      DH        0  Tue Dec 14 08:53:04 2021
  .qareporc                            H      123  Fri Feb  5 15:51:00 2021
  .gnucash                            DH        0  Sun Dec 29 11:33:23 2019
  ipv6.html                            N    22650  Tue Dec 29 12:35:25 2009
  CV muzikaal.odt                      N    11374  Sat May 28 09:04:16 2016
etc.....

Repeated same smbclient test from my desktop PC to this new server, with similar results.
So samba is OK for me.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Need a proper advisory. It's not clear from the above which cve fixes have actually been applied, and which references should be listed.
Keywords: (none) => feedback
Indeed. We're fixing the CVEs in the Bug title and upgrading from the Samba 4.14.x branch to the 4.16.x branch.

References:
https://www.samba.org/samba/security/CVE-2022-3437.html
https://www.samba.org/samba/security/CVE-2022-3592.html
https://www.samba.org/samba/security/CVE-2022-42898.html
https://www.samba.org/samba/security/CVE-2022-38023.html
https://www.samba.org/samba/security/CVE-2022-37966.html
https://www.samba.org/samba/security/CVE-2022-37967.html
https://www.samba.org/samba/security/CVE-2022-45141.html
https://www.samba.org/samba/history/samba-4.15.0.html
https://www.samba.org/samba/history/samba-4.16.0.html
https://www.samba.org/samba/history/samba-4.16.1.html
https://www.samba.org/samba/history/samba-4.16.2.html
https://www.samba.org/samba/history/samba-4.16.3.html
https://www.samba.org/samba/history/samba-4.16.4.html
https://www.samba.org/samba/history/samba-4.16.5.html
https://www.samba.org/samba/history/samba-4.16.6.html
https://www.samba.org/samba/history/samba-4.16.7.html
https://www.samba.org/samba/history/samba-4.16.8.html
Keywords: feedback => (none)
The problem with that list is that it includes ones like https://access.redhat.com/security/cve/CVE-2022-37966 and https://www.samba.org/samba/security/CVE-2022-37967.html which only apply to Windows, as Linux doesn't have Active Directory Domain Services.
Samba can be used as an AD domain controller. It's not just for NT domains any more (that was the big addition to Samba 4.0).
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0010.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED