Thread: Security vulnerability in Samba

  1. #1 divreg (Senior Member, Washington, joined May 2011)

    Security vulnerability in Samba

    I just thought I'd leave this here; Samba is suffering a really bad root vulnerability on older versions. "Samba versions 3.6.3 and all versions previous"

    See the articles:

    https://www.samba.org/samba/security/CVE-2012-1182
    https://lwn.net/Articles/491516/rss

    Join the discussion:

    http://www.reddit.com/r/linux/commen...hole_in_samba/

  2. #2 Ron Olsen (Administrator, Boulder CO USA, joined Dec 2009)
    Thanks for the info. The version of Samba currently running on VB 2.0/Fedora 16 is samba-3.6.3-78.

    Not much we can do other than wait for Fedora to release a new version. Here is a Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=811392

  3. #3

    Quote Originally Posted by Ron Olsen:
        Thanks for the info. The version of Samba currently running on VB 2.0/Fedora 16 is samba-3.6.3-78.

        Not much we can do other than wait for Fedora to release a new version. Here is a Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=811392

    divreg and Ron,

    Thanks for making this known.

    Do you understand if the Fedora 14 Samba release is vulnerable to this bug? If so, and when it's fixed in 16, will those fixes work in Fedora 14, and will the upgrade button for those still using VortexBox v 1.XX correct the security exposure on those systems?

  4. #4 Ron Olsen (Administrator, Boulder CO USA, joined Dec 2009)
    Fedora 14 reached end of life on Dec. 9, 2011 and is now unsupported. Fedora has not provided updates to F14 since then. See https://fedoraproject.org/wiki/End_of_life

    Also, the VB GUI Upgrade button no longer works on VB 1.10/F14 systems due to the removal of the ATrpms F14 repositories in March 2012.

    Personally, I'm not worried about this issue. AFAIK, the Samba server on my VB is not accessible from outside my local network.

  5. #5

    Quote Originally Posted by Ron Olsen:
        Fedora 14 reached end of life on Dec. 9, 2011 and is now unsupported. Fedora has not provided updates to F14 since then. See https://fedoraproject.org/wiki/End_of_life

        Also, the VB GUI Upgrade button no longer works on VB 1.10/F14 systems due to the removal of the ATrpms F14 repositories in March 2012.

        Personally, I'm not worried about this issue. AFAIK, the Samba server on my VB is not accessible from outside my local network.

    Thanks. It's understood that F14 is unsupported. Some do have VB access from outside a local network. As far as you know, did the F14 release include the bug, and is there a practical way to include the fix for it in an F14 VB after it's developed and released?

    From what I read, if the risk is exploited, it presents a severe vulnerability. It would probably be worthwhile for VB users who do, or may in the future, want to access their VB from the Internet to know of the potential risk.

    I saw this via the "What's New" tab and see that it's in the "Beta" section, which is probably little-referenced. It might be worth posting a warning or link in the General section.

  6. #6 divreg (Senior Member, Washington, joined May 2011)
    It says that the Samba team has patched it in 3.6.4, but Fedora has not pushed the patch out yet. I don't see it on the updates-testing repo, so I guess we'll just have to wait; I expect Fedora will have the update pushed out quickly. Red Hat already has theirs.

    It amazes me this vulnerability has been around for 10 years.

  7. #7 andrew (Administrator, New Hampshire, joined Nov 2008)

    RedHat will be pushing a release for Fedora 14 as well. So even users on older, unsupported versions of VortexBox can get this fix. This bug has been around for a long time, and even if your machine is exposed to the internet it would be impossible for somebody to use this exploit to get into your system unless you open the Samba port on your router.

    Opening the Samba port on your router would be a massive security vulnerability even if this bug was not found so hopefully nobody is doing this.

  8. #8 Ron Olsen (Administrator, Boulder CO USA, joined Dec 2009)

    Quote Originally Posted by divreg:
        It says that the Samba team has patched it in 3.6.4, but Fedora has not pushed the patch out yet. I don't see it on the updates-testing repo, so I guess we'll just have to wait; I expect Fedora will have the update pushed out quickly. Red Hat already has theirs.

        It amazes me this vulnerability has been around for 10 years.

    Quote Originally Posted by andrew:
        RedHat will be pushing a release for Fedora 14 as well. So even users on older, unsupported versions of VortexBox can get this fix. This bug has been around for a long time, and even if your machine is exposed to the internet it would be impossible for somebody to use this exploit to get into your system unless you open the Samba port on your router.

        Opening the Samba port on your router would be a massive security vulnerability even if this bug was not found so hopefully nobody is doing this.

    These remarks reinforce my belief that this is a NON-ISSUE for most (all?) VortexBox users. There are things to be concerned about with any computer system; this is NOT one of them.

  9. #9 Ron Olsen (Administrator, Boulder CO USA, joined Dec 2009)
    A new version of Samba (3.6.4-82) is now available in the Fedora 16 Updates repository. This update fixes the vulnerability reported in https://www.samba.org/samba/security/CVE-2012-1182

    Update your VB 2.0 system to pick up this version and this Samba issue can be laid to rest.

    Fedora has archived the Fedora 14 Updates repository here: http://archives.fedoraproject.org/pu...dates/14/i386/

    This repo contains Samba 3.5.11-79, so there is no fix for this issue for F14/VB 1.10 users at this time.
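The thread settles the question by reading package versions off the Fedora repositories by hand (3.6.3-78 vulnerable, 3.6.4-82 fixed, 3.5.11-79 on F14 still unfixed). The script below is an added example, not code from the thread or from the VortexBox or Samba projects: it queries the locally installed Samba version (via rpm, falling back to `smbd -V`) and compares the upstream part of the version string against 3.6.4, the fixed release named in the thread and in the CVE-2012-1182 advisory. The function names and the exit-status convention are this example's own. One caveat is built in: the comparison looks only at the upstream version, so a vendor that backported the fix without bumping the version (the thread notes Red Hat shipped its own update) will be reported as "unpatched unless backported"; for such packages the distribution's changelog, not the version number, is the authority.

```sh
#!/bin/sh
# Added example (not part of the forum thread): report whether an installed
# Samba package predates the upstream fix for CVE-2012-1182.
# Upstream fixed the bug in 3.6.4; the thread's Fedora 16 package was
# 3.6.3-78 (vulnerable) and the update is 3.6.4-82 (fixed).

# Assumption: only the upstream version (before the first '-') is compared;
# the distro release tag ("-78.fc16") says nothing about backported fixes.
FIXED_VERSION="3.6.4"

# vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer than B.
# Dotted numeric components are compared left to right; a trailing release
# tag or suffix like "rc1" is ignored, and missing components count as 0.
vercmp() {
    a=${1%%-*}
    b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}   # keep leading digits only
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# samba_vulnerable VERSION: true (exit 0) when VERSION is older than the fix.
samba_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# installed_samba_version: best-effort query of the local package. Prints
# nothing when neither rpm nor smbd is available (e.g. when run off-box).
installed_samba_version() {
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' samba 2>/dev/null) && {
            echo "$v"; return
        }
    fi
    if command -v smbd >/dev/null 2>&1; then
        smbd -V 2>/dev/null | sed 's/^Version //'   # "Version 3.6.3-78.fc16"
    fi
}

# report VERSION: one-line verdict; exit 0 fixed, 1 vulnerable, 2 unknown.
report() {
    v=$1
    if [ -z "$v" ]; then
        echo "samba: version unknown (no rpm or smbd found)"
        return 2
    fi
    if samba_vulnerable "$v"; then
        echo "samba $v: older than $FIXED_VERSION, CVE-2012-1182 unpatched unless the vendor backported the fix"
        return 1
    fi
    echo "samba $v: $FIXED_VERSION or newer, fixed upstream"
    return 0
}

# Usage: sh samba_check.sh [VERSION]. With an argument, check that string
# (e.g. one read from a repository listing); without one, query this box.
if [ "$#" -gt 0 ]; then
    report "$1"
elif [ -n "$(installed_samba_version)" ]; then
    report "$(installed_samba_version)"
fi
```

Run it with the strings quoted in the thread to see the three cases: `sh samba_check.sh 3.6.3-78` (vulnerable), `sh samba_check.sh 3.6.4-82` (fixed) and `sh samba_check.sh 3.5.11-79` (the archived F14 package, still vulnerable). The exit status is meant for a cron job or a fleet script that only needs to know which boxes still need the update.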
