I tried to run this script on a system running 4.5.15 built from source under Ubuntu 16.04, but I get the following exception:

# PYTHONPATH="/usr/local/samba/lib/python2.7/site-packages/" ./samba_CVE-2018-1057_helper --lock-pwchange
Temporarily overriding 'dsdb:schema update allowed' setting
Traceback (most recent call last):
  File "./samba_CVE-2018-1057_helper", line 139, in <module>
    sd_helper.modify_sd_on_dn(msg.dn, new_desc)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/sd_utils.py", line 40, in modify_sd_on_dn
    m.dn = Dn(self.ldb, object_dn)
TypeError: argument 2 must be string, not ldb.Dn
A transaction is still active in ldb context [0x2337ea0] on tdb:///usr/local/samba/private/sam.ldb

I tried doing "kinit Administrator" and then repeating, but that didn't change the error.

I see samba 4.8.0 was released yesterday, which means 4.5.x technically dropped out of support yesterday too:
https://wiki.samba.org/index.php/Samba_Release_Planning

However, I also note that a security patch was released for 4.5.15:

https://download.samba.org/pub/samba/patches/security/samba-4.5.15-security-2018-03-13.patch

Obviously I will have to proceed with the underlying patching and/or upgrading of Samba. But if anyone can help me get the short-term fix working for 4.5, that would be a useful stop-gap.

Thanks,

Brian.

On Wednesday, 14 March 2018, 08:35:53 CET, Brian Candler via samba wrote:
> I tried to run this script on a system running 4.5.15 built from
> source under Ubuntu 16.04, but I get the following exception:
>
> # PYTHONPATH="/usr/local/samba/lib/python2.7/site-packages/" ./samba_CVE-2018-1057_helper --lock-pwchange
> Temporarily overriding 'dsdb:schema update allowed' setting
> Traceback (most recent call last):
>   File "./samba_CVE-2018-1057_helper", line 139, in <module>
>     sd_helper.modify_sd_on_dn(msg.dn, new_desc)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/sd_utils.py", line 40, in modify_sd_on_dn
>     m.dn = Dn(self.ldb, object_dn)
> TypeError: argument 2 must be string, not ldb.Dn
> A transaction is still active in ldb context [0x2337ea0] on tdb:///usr/local/samba/private/sam.ldb
>
> I tried doing "kinit Administrator" and then repeating, but that
> didn't change the error.
>
> I see samba 4.8.0 was released yesterday, which means 4.5.x
> technically dropped out of support yesterday too:
> https://wiki.samba.org/index.php/Samba_Release_Planning
>
> However, I also note that a security patch was released for 4.5.15:
>
> https://download.samba.org/pub/samba/patches/security/samba-4.5.15-security-2018-03-13.patch
>
> Obviously I will have to proceed with the underlying patching and/or
> upgrading of Samba. But if anyone can help me get the short-term fix
> working for 4.5, that would be a useful stop-gap.

Best is to wait for security updates of Ubuntu!!!

In the Debian repository this patch is applied to 2:4.7.4+dfsg-2 *and* 2:4.5.12+dfsg-2+deb9u2. So it should enter the Ubuntu repository soon.

> Thanks,
>
> Brian.

--
Regards
Harry Jede

Hi Brian,

> I tried to run this script on a system running 4.5.15 built from source
> under Ubuntu 16.04, but I get the following exception:
>
> # PYTHONPATH="/usr/local/samba/lib/python2.7/site-packages/" ./samba_CVE-2018-1057_helper --lock-pwchange
> Temporarily overriding 'dsdb:schema update allowed' setting
> Traceback (most recent call last):
>   File "./samba_CVE-2018-1057_helper", line 139, in <module>
>     sd_helper.modify_sd_on_dn(msg.dn, new_desc)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/sd_utils.py", line 40, in modify_sd_on_dn
>     m.dn = Dn(self.ldb, object_dn)
> TypeError: argument 2 must be string, not ldb.Dn
> A transaction is still active in ldb context [0x2337ea0] on tdb:///usr/local/samba/private/sam.ldb
>
> I tried doing "kinit Administrator" and then repeating, but that didn't
> change the error.

You don't need to kinit. The script goes directly to the ldb files. The script is OK for 4.7, but there is a small fix to make it run on earlier Samba versions, cf. the attached diff.

> I see samba 4.8.0 was released yesterday, which means 4.5.x technically
> dropped out of support yesterday too:

The fix for this security flaw has been backported from 4.8 to 4.3, so yes, 4.5 can be patched. But I would advise you to use the mitigation script first and prepare and update to 4.7.6 in the coming weeks because, like you said, 4.5 won't get any feature fixes from upstream anymore since 4.8 is out.

Cheers,

Denis

> https://wiki.samba.org/index.php/Samba_Release_Planning
>
> However, I also note that a security patch was released for 4.5.15:
>
> https://download.samba.org/pub/samba/patches/security/samba-4.5.15-security-2018-03-13.patch
>
> Obviously I will have to proceed with the underlying patching and/or
> upgrading of Samba. But if anyone can help me get the short-term fix
> working for 4.5, that would be a useful stop-gap.
>
> Thanks,
>
> Brian.
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_CVE-2018-1057_helper.diff
Type: text/x-patch
Size: 503 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20180314/c46bdc29/samba_CVE-2018-1057_helper.bin>

On 14/03/2018 09:24, Harry Jede wrote:
> Best is to wait for security updates of ubuntu!!!

As I said, I built 4.5.15 from source. The version of Samba in the Ubuntu 16.04 repositories is ancient (4.3.11) and I couldn't find a free repository where someone else had built binary packages for Ubuntu.

Maybe Debian Stretch would be a better base, or Ubuntu 18.04 when it comes out. But right now, I have what I have.

Fortunately I kept the 4.5.15 source directory, so applying the patch and then "make && make install" has done the job.

Cheers,

Brian.

On Wednesday, 14 March 2018, 08:35:53 CET, Brian Candler via samba wrote:
> I tried to run this script on a system running 4.5.15 built from
> source under Ubuntu 16.04, but I get the following exception:
>
> # PYTHONPATH="/usr/local/samba/lib/python2.7/site-packages/" ./samba_CVE-2018-1057_helper --lock-pwchange
> Temporarily overriding 'dsdb:schema update allowed' setting
> Traceback (most recent call last):
>   File "./samba_CVE-2018-1057_helper", line 139, in <module>
>     sd_helper.modify_sd_on_dn(msg.dn, new_desc)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/sd_utils.py", line 40, in modify_sd_on_dn
>     m.dn = Dn(self.ldb, object_dn)
> TypeError: argument 2 must be string, not ldb.Dn
> A transaction is still active in ldb context [0x2337ea0] on tdb:///usr/local/samba/private/sam.ldb
>
> I tried doing "kinit Administrator" and then repeating, but that
> didn't change the error.
>
> I see samba 4.8.0 was released yesterday, which means 4.5.x
> technically dropped out of support yesterday too:
> https://wiki.samba.org/index.php/Samba_Release_Planning
>
> However, I also note that a security patch was released for 4.5.15:
>
> https://download.samba.org/pub/samba/patches/security/samba-4.5.15-security-2018-03-13.patch
>
> Obviously I will have to proceed with the underlying patching and/or
> upgrading of Samba. But if anyone can help me get the short-term fix
> working for 4.5, that would be a useful stop-gap.

Now I have checked the Ubuntu repos. The patch is applied to:

samba (2:4.3.11+dfsg-0ubuntu0.14.04.14) trusty-security
samba (2:4.3.11+dfsg-0ubuntu0.16.04.13) xenial-security
samba (2:4.6.7+dfsg-1ubuntu3.2) artful-security

So you have one (easy) choice. Download the source package from artful-security and build it on xenial. This brings you to a supported Samba release.

> Thanks,
>
> Brian.

--
Regards
Harry Jede