when will Ubuntu be updating samba v4.3.11 for the bug just discovered?

It was announced just yesterday that there's a new-and-serious Samba bug. Information about it can be found here:

"In CVE-2017-7494, a malicious client can "upload a shared library to a writable share, and then cause the server to load and execute it.""

On my 16.04 LTS server, I ran 'samba --version" and got back: 4.3.11

When I followed the link in the article to Samba's website, it indicates fixes for some versions, but not for Samba 4.3.11. Does anyone know when Ubuntu/Canonical will be making an update for Samba available to us?

1

2 Answers

See CVE-2017-7494 and USN 3296-1. Fix has been released except for 17.10. The guidelines on updating are

$ sudo apt-get update
$ sudo apt-get dist-upgrade

But -when- this is released we do not know. As soon as possible is the best you can get. Though I would assume it already should ... it is seen as a "high security issue".

===

It is:

Setting up samba-vfs-modules (2:4.5.8+dfsg-0ubuntu0.17.04.2) ...

was what I got when I dist-upgraded.

2

Based on a suggestion I got from my post on ubuntuforums.org:

I just ran 'apt changelog samba' per suggestion and it does indeed look (if I read it correctly) it has already been patched. I simply don't remember seeing it, but I'm glad it is patched. This is what I got:

samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium * SECURITY UPDATE: remote code execution from a writable share - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c. - CVE-2017-7494 -- Marc Deslauriers <> Fri, 19 May 2017 14:18:13 -0400

Thanks again for your help!

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like