O. Hartmann
2017-May-30 16:55 UTC
Samba CVE-2017-7494 and SMB implementation of FreeBSD 10 through 12
On Mon, 29 May 2017 23:47:46 +0200, Dimitry Andric <dim at FreeBSD.org> wrote:

> On 29 May 2017, at 18:53, Darko Gavrilovic <d.gavrilovic at gmail.com> wrote:
> >
> > Hello, does anyone know or able to confirm if Samba CVE-2017-7494
> > affects Samba 3.6.25 on Freebsd 9.x?
> >
> > https://lists.samba.org/archive/samba-announce/2017/000406.html
>
> The advisory very clearly says "all versions of Samba from 3.5.0
> onwards", so yes. In addition, the 3.x series is dead, and completely
> unsupported. It is probably wise to upgrade, for example to 4.6.4.
>
> -Dimitry

I'm just curious and to have an answer at hand for my superiors:

FreeBSD has a SMB implementation we utilise with FreeBSD 10.3 and 11.0. Is FreeBSD's implementation somehow affected by the bug revealed in SAMBA >= 3.6.25?

Sorry for this "stupid" question, but I need the answer for the records ;-)

Kind regards,

Oliver

--
O. Hartmann

I object to the use or transfer of my data for advertising purposes or for market or opinion research (§ 28 para. 4 BDSG).
Dimitry Andric
2017-May-30 17:14 UTC
Samba CVE-2017-7494 and SMB implementation of FreeBSD 10 through 12
On 30 May 2017, at 18:55, O. Hartmann <ohartmann at walstatt.org> wrote:

> On Mon, 29 May 2017 23:47:46 +0200
> Dimitry Andric <dim at FreeBSD.org> wrote:
>
>> On 29 May 2017, at 18:53, Darko Gavrilovic <d.gavrilovic at gmail.com> wrote:
>>>
>>> Hello, does anyone know or able to confirm if Samba CVE-2017-7494
>>> affects Samba 3.6.25 on Freebsd 9.x?
>>>
>>> https://lists.samba.org/archive/samba-announce/2017/000406.html
>>
>> The advisory very clearly says "all versions of Samba from 3.5.0
>> onwards", so yes. In addition, the 3.x series is dead, and completely
>> unsupported. It is probably wise to upgrade, for example to 4.6.4.
>>
>> -Dimitry
>
> I'm just curious and to have an answer at hand for my superiors:
>
> FreeBSD has a SMB implementation we utilise with FreeBSD 10.3 and 11.0. Is FreeBSD's
> implementation somehow affected by the bug revealed in SAMBA >= 3.6.25?

If you mean smbfs, then that is an SMB *client* only, not a server. CVE-2017-7494 is specifically about an exploitable bug in Samba's SMB server component. FreeBSD does not provide any SMB server in the base system.

That said, I don't know whether there are any security bugs in our smbfs client implementation. It is really a completely different matter. The code seems to have been largely unmaintained for years, though, so purely on that basis it does not inspire a great deal of confidence.

-Dimitry