It was announced just yesterday that there's a new-and-serious Samba bug. Information about it can be found here:
"In CVE-2017-7494, a malicious client can "upload a shared library to a writable share, and then cause the server to load and execute it.""
On my 16.04 LTS server, I ran 'samba --version" and got back: 4.3.11
When I followed the link in the article to Samba's website, it indicates fixes for some versions, but not for Samba 4.3.11. Does anyone know when Ubuntu/Canonical will be making an update for Samba available to us?
12 Answers
See CVE-2017-7494 and USN 3296-1. Fix has been released except for 17.10. The guidelines on updating are
$ sudo apt-get update
$ sudo apt-get dist-upgradeBut -when- this is released we do not know. As soon as possible is the best you can get. Though I would assume it already should ... it is seen as a "high security issue".
===
It is:
Setting up samba-vfs-modules (2:4.5.8+dfsg-0ubuntu0.17.04.2) ...was what I got when I dist-upgraded.
2Based on a suggestion I got from my post on ubuntuforums.org:
I just ran 'apt changelog samba' per suggestion and it does indeed look (if I read it correctly) it has already been patched. I simply don't remember seeing it, but I'm glad it is patched. This is what I got:
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium * SECURITY UPDATE: remote code execution from a writable share - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c. - CVE-2017-7494 -- Marc Deslauriers <> Fri, 19 May 2017 14:18:13 -0400Thanks again for your help!
1