Displaying 20 results from an estimated 8000 matches similar to: "[Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download"
2017 May 24
0
[Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download
On Wed, May 24, 2017 at 09:21:14AM +0200, Karolin Seeger via samba-technical wrote:
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defect:
>
> o CVE-2017-7494 (Remote code execution from a writable share)
>
> =======
> Details
> =======
>
> o CVE-2017-7494:
> All versions of Samba
2017 May 26
1
noexec as CVE-2017-7494 mitigation
On 24.05.2017 at 17:50, Jeremy Allison via samba wrote:
> Here are some mitigation techniques from Red Hat in
> case servers cannot be patched immediately:
> 2. Mount the filesystem which is used by samba for its writeable share,
> using "noexec" option.
I would have expected this to be standard security precaution on all
pure file servers (which is probably the most
2017 Jun 29
3
Doubt about patch
Hi,
How do I apply CVE-2017-7494 in Samba 4.6.3?
Do I need to recompile and reinstall the Samba 4, after applying this patch?
Regards,
Márcio Bacci
2017 Jun 06
2
CVE-2017-7494 patches
Hi All,
Can someone please confirm if Samba 3.0.28 is vulnerable to CVE-2017-7494? If yes, please let me know where I can get the patches for this.
I have already checked samba site for patches but couldn't find any.
Regards,
Krishna
2017 May 25
2
CVE-2017-7494 in SAMBA-AD 4.3.11-ubuntu
Hi
We have one SAMBA 4.3.11-ubuntu server in Active Directory mode with
some Windows clients.
The Ubuntu repository has not updated the samba package (last version is 4.3.11).
Please, how can I fix the CVE-2017-7494 (Remote code execution from a
writable share) in my SAMBA server?
Will the option 'nt pipe support = no' influence how SAMBA_AD works?
Anderson Hoffmann
2017 Jun 06
4
CVE-2017-7494 patches
Hi Rowland,
Thanks for the update.
The setup we have has been unaltered for a long time. Now we are asked to install the patch for CVE-2017-7494; since we are not running the affected version, it's fine for now.
But can you please let me know what the vulnerabilities in 3.0.28 are and whether any patches are available for it. I will try to update it to the latest version on our dev servers first.
Moreover we have the
2017 May 26
2
Severity of unpublished CVE-2017-2619 and CVE-2017-7494
Hi Team,
Please let me know the severity of CVE-2017-2619 and CVE-2017-7494.
Arjit Kumar
2017 May 26
3
Fix for the CVE-2017-7494?
Hi,
Has a fix already been made in the CentOS RPM repositories for this
Samba remote execution code vulnerability, CVE-2017-7494?
Thx,
Bernard
2017 Jun 29
3
Patch application doubt
Hi,
Sorry, but I have the following doubt:
Do I need to apply the CVE-2017-7494 (Remote code execution from a writable
share) patch, or was this patch already included in the Debian repository, so
that I only need to execute apt-get upgrade?
In the case that I need to apply it manually, how do I do it?
I'm using Samba 4.6.3 on Debian 8.
Regards,
Márcio Bacci
2017 May 26
2
Fix for the CVE-2017-7494?
On Fri, 26 May 2017, Christian, Mark wrote:
> On Fri, 2017-05-26 at 11:19 -0400, Bernard Fay wrote:
>> Hi,
>>
>> Has a fix already been made in the CentOS RPM repositories for this
>> Samba remote execution code vulnerability, CVE-2017-7494?
> yes. samba-3.6.23-43.el6_9.x86_64.rpm
And samba-*-4.4.4-14.el7_3.x86_64
--
Paul Heinlein <> heinlein at
2017 May 31
1
445 port number of samba 4
Hi,
Could we use the samba service with port 445 closed?
Now we upgrade samba from version 3 to 4.6.4 for the CVE-2017-7494. We
found out that samba-3 can provide service with only 139 open. But it
doesn't work with samba-4.
Thanks.
Finger
2019 Jun 12
1
Speculative attack mitigations
Hi folks,
Firstly; apologies in advance for what is a head wrecker of keeping on top of the speculative mitigations and also if this is a duplicate email; my first copy didn't seem to make it into the archive. Also a disclaimer that I may have misunderstood elements of the below but please bear with me.
I write this hoping to find out a bit more about the state of the relevant kernel
2017 May 26
2
Severity of unpublished CVE-2017-2619 and CVE-2017-7494
Thanks for the analysis of second bug.
Please also share CVSSv3 score for first bug.
Arjit Kumar
On Fri, May 26, 2017 at 12:29 PM, Andrew Bartlett <abartlet at samba.org>
wrote:
> On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote:
> > Hi Team,
> >
> > Please let me know the severity of CVE-2017-2619 and CVE-2017-7494.
>
> They are not unpublished:
2018 Mar 16
2
spectre variant 2
Hi all!
I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.
I note that when I run the redhat script to test for spectre & meltdown
I get this result for variant 2:
Variant #2 (Spectre): Vulnerable
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: NO
- IBRS: Not disabled on
2018 Jan 18
5
Xen 4.4 Immediate EOL
Hi,
I am very sorry to do this on short notice, but obviously Meltdown and
Spectre are a lot more than anyone was really expecting to come down the
pipeline. Xen 4.4 has been EOL upstream for about a year now and I have
personally been reviewing and backporting patches based on the 4.5
versions made available upstream.
Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
2016 Jun 02
2
libtdb and BADLOCK (CVE-2016-2118)
Does mitigation of the so-called BADLOCK CVE (CVE-2016-2118) for Samba 3.x
imply an upgrade to a non-vulnerable version of the tdb library?
If so, can someone point me to any documentation on the tdb vulnerability?
Thanks,
Sam
2011 Feb 28
5
[Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available
Release Announcements
=====================
Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to
address CVE-2011-0719.
o CVE-2011-0719:
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the
2018 Jan 05
3
SFTP chroot: Writable root
On Fri, 2018-01-05 at 21:42 +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways how to get out, gain privileges and or do other
> > nasty things.
>
> I'm not inexperienced with UNIX and unix-like operating systems (30+
> years), and I can't think what these
2012 Apr 10
3
[Announce] Samba 3.6.4, 3.5.14 and 3.4.16 Security Releases Available
Release Announcements
=====================
Samba 3.6.4, 3.5.14 and 3.4.16 are security releases in order to
address CVE-2012-1182.
o CVE-2012-1182:
Samba 3.0.x to 3.6.3 are affected by a
vulnerability that allows remote code
execution as the "root" user.
Changes:
--------
o Stefan Metzmacher <metze at samba.org>
*BUG 8815: PIDL based autogenerated code allows