Hi Rowland,

Thanks for the update.

The setup we have has been unaltered for a long time. Now we are asked to install the patch for CVE-2017-7494; since we are not running the affected version, it's fine for now.

But can you please let me know what the vulnerabilities in 3.0.28 are and whether any patches are available for it? I will try to update it to the latest version on our dev servers first.

Moreover, we have the below version running; not sure if we still have the latest version available from pware.

pware.samba-3.0.28.rte 3.0.28.0 COMMITTED Samba 3.0.28

Regards,
Krishna

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, June 06, 2017 7:42 PM
To: samba at lists.samba.org
Subject: Re: [Samba] CVE-2017-7494 patches

On Tue, 6 Jun 2017 19:15:18 +0530
"Chunduru, Krishnachaithanya via samba" <samba at lists.samba.org> wrote:

> Hi All,
>
> Can someone please confirm if Samba 3.0.28 is vulnerable to
> CVE-2017-7494. If yes, please let me know where I can get the patches
> for this.
>

I can confirm two things here:

1) only Samba from 3.5.0 was vulnerable
2) you really shouldn't still be using 3.0.28; the 3.0 series went EOL 8 years ago.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On Tue, 6 Jun 2017 21:15:56 +0530
"Chunduru, Krishnachaithanya" <Krishnachaithanya.Chunduru at broadridge.com> wrote:

> Hi Rowland,
>
> Thanks for the update.
>
> The setup we have has been unaltered for a long time. Now we are asked to
> install the patch for CVE-2017-7494; since we are not running the
> affected version, it's fine for now.
>
> But can you please let me know what the vulnerabilities in 3.0.28 are and
> whether any patches are available for it? I will try to update it to the
> latest version on our dev servers first.
>
> Moreover, we have the below version running; not sure if we still have
> the latest version available from pware.
>
> pware.samba-3.0.28.rte 3.0.28.0 COMMITTED Samba 3.0.28
>

Is this on AIX?

Have a look here for vulnerabilities:
https://www.cvedetails.com/vulnerability-list/vendor_id-102/product_id-171/version_id-86928/Samba-Samba-3.0.28.html

There may or may not be patches available. As I said, the 3.0.x versions went EOL nearly 8 years ago, but you seem to be suffering one of the problems of running an enterprise OS: the packages never seem to get updated unless patches are backported, and in most cases this will not be done by Samba for EOL versions.

Rowland
On Wed, 7 Jun 2017 00:32:32 +0530
"Chunduru, Krishnachaithanya" <Krishnachaithanya.Chunduru at broadridge.com> wrote:

> Thanks again. This is for AIX.
>
> Yes, I went through this link already and have seen high and medium
> critical vulnerabilities. The bad thing is that this is not supported by
> IBM on the AIX platform.
>
> And the patches are also not available from Samba. So I'm thinking of
> upgrading it to the latest; can this be done using the same pware
> versions, or do I need to download from the IBM site what they are
> providing and reconfigure according to that?
>

When I asked about AIX, it was a guess; I do not use AIX and don't think any of the other Samba team members do either.

You might be better off trying to compile Samba yourself, unless you can find AIX Samba packages that are supported.

Rowland
On Wed, 7 Jun 2017 18:48:56 +0530
"Chunduru, Krishnachaithanya" <Krishnachaithanya.Chunduru at broadridge.com> wrote:

> Hi Rowland,
>
> Thanks..
>
> I was also thinking of building Samba from source; I have downloaded
> the latest release, 4.6.5, from samba.org.
>
> The tar file seems to have a configure script, but I don't have
> the steps to configure it.
>
> I'm worried that if I try to configure this, the old existing version on
> the server will be overwritten.
>
> I need some help in configuring it, or in downloading the pware
> version of Samba. The below link for pware seems to be down and not
> active; does anyone have an active link to download the latest
> versions of pware Samba?
>
> http://pware.hvcc.edu/download/
>

I do not use AIX, but I seem to remember reading something about pware being discontinued.

You could try doing what I did and search the internet. I found this:
http://www.bullfreeware.com/toolbox.php

Rowland
On Wed, 7 Jun 2017 20:58:18 +0530
"Chunduru, Krishnachaithanya" <Krishnachaithanya.Chunduru at broadridge.com> wrote:

> Thanks Rowland.
>
> I got one of the latest versions from IBM, 4.3.8, but they don't have
> the patches for CVE-2017-7494. ☺
>
> IBM told me to contact Samba for getting the patches. Do you or
> anyone have the patches link so that I can test all together?

As far as I am aware, there isn't a patch for the 4.3.x versions.

The only supported versions of Samba are 4.4.x, 4.5.x and 4.6.x, and there are patches available for these; see here:
https://www.samba.org/samba/history/

Rowland
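As an added example (not from the thread, and not Samba project code), the following POSIX sh check classifies a Samba version string against CVE-2017-7494 using the two statements made above: only versions from 3.5.0 onwards were affected, and only the 4.4.x, 4.5.x and 4.6.x series were supported and received patches. The exact fixed releases (4.4.14, 4.5.10 and 4.6.4) and the fact that 4.7.0 and later ship with the fix come from the Samba security advisory for this CVE, not from the messages above. The function accepts either a bare version such as the pware fileset's 3.0.28.0 or the raw output line of `smbd -V`, and strips vendor suffixes such as "-Debian" before comparing.

```shell
#!/bin/sh
# Added example: classify an installed Samba version against CVE-2017-7494.
# Ranges: < 3.5.0 not affected; 3.5.0 .. 4.3.x affected, EOL, no upstream patch;
# 4.4.x/4.5.x/4.6.x affected below 4.4.14/4.5.10/4.6.4 (fixed releases from the
# Samba advisory, not from the thread); 4.7.0 and later include the fix.

# ver_cmp A B : print -1, 0 or 1 for A<B, A==B, A>B on dotted numeric versions.
# Missing trailing components are treated as 0, so "4.6" == "4.6.0".
ver_cmp() {
    va=$1
    vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}
        if [ "$ca" = "$va" ]; then va=""; else va=${va#*.}; fi
        cb=${vb%%.*}
        if [ "$cb" = "$vb" ]; then vb=""; else vb=${vb#*.}; fi
        ca=${ca:-0}
        cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return; fi
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return; fi
    done
    printf '%s\n' 0
}

# cve_2017_7494_status VERSION
# Prints one of: not-affected | vulnerable-no-patch | vulnerable | fixed
# VERSION may be "3.0.28", "3.0.28.0", or the "smbd -V" line "Version 4.6.5-Debian".
cve_2017_7494_status() {
    v=${1#Version }          # accept raw "smbd -V" output
    v=${v%%[!0-9.]*}         # drop vendor suffixes such as "-Debian"

    if [ "$(ver_cmp "$v" 3.5.0)" -lt 0 ]; then
        printf '%s\n' not-affected
        return
    fi
    if [ "$(ver_cmp "$v" 4.7.0)" -ge 0 ]; then
        printf '%s\n' fixed     # 4.7.0 and later were released with the fix
        return
    fi
    case $v in
        4.4.*) fixed=4.4.14 ;;
        4.5.*) fixed=4.5.10 ;;
        4.6.*) fixed=4.6.4 ;;
        *)  printf '%s\n' vulnerable-no-patch   # 3.5.0 .. 4.3.x: EOL, no upstream patch
            return ;;
    esac
    if [ "$(ver_cmp "$v" "$fixed")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Constructed sample inputs covering the versions mentioned in the thread.
# On a real host run:  cve_2017_7494_status "$(smbd -V)"
for sample in 3.0.28.0 3.5.0 4.3.8 4.4.13 4.4.14 4.6.5 "Version 4.6.5-Debian"; do
    printf '%-22s %s\n' "$sample" "$(cve_2017_7494_status "$sample")"
done
```

The pware fileset 3.0.28.0 and the IBM package 4.3.8 from the thread map to "not-affected" and "vulnerable-no-patch" respectively; the latter is the case Rowland describes, where the series is out of support and the only remedy is moving to a supported release.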