Koozali.org: home of the SME Server

New security alert for Samba

David Rayroud

New security alert for Samba
« on: April 23, 2003, 02:01:07 PM »
Hello,

I read in the news that there is a new security alert for Samba.

When I make a
-->     rpm -q --changelog samba | less

I obtain
...
- import security rollup patch for 2.2.7a
- import bugfix so that "logon script = %g.bat" won't hang smbd.
- import fix for "wide links = no" from 2.2.8
...

Is my Samba up to date, or must I download the patch for 2.2.8a?

Thanks

Robert

Re: New security alert for Samba
« Reply #1 on: April 23, 2003, 02:28:03 PM »
Go to www.samba.org, choose a mirror. Read the news. 2.2.8a was released to address CAN-2003-0201. Read on. A rollup patch for 2.2.7a addresses both CAN-2003-0201 and CAN-2003-0085. If you're still not convinced, go to https://rhn.redhat.com/errata/RHSA-2003-137.html. Here you'll find the RedHat errata packages that were used to build the SME errata packages. The advisory says that these packages address CAN-2003-0196 and CAN-2003-0201. If you're still not convinced, download the rollup patch for 2.2.7a from samba.org and compare to the rollup patch in the SME errata SRPM.

Paul

Re: New security alert for Samba
« Reply #2 on: April 24, 2003, 08:31:12 AM »
David,

Are you running sme 5.6?

Have you installed update3?

David Rayroud

Re: New security alert for Samba
« Reply #3 on: April 24, 2003, 11:02:58 AM »
Yes, I have the 5.6 version with the update 3.

But when I type:
rpm -q --changelog samba | less

...
- import security rollup patch for 2.2.7a
- import bugfix so that "logon script = %g.bat" won't hang smbd.
- import fix for "wide links = no" from 2.2.8
...
And I read somewhere that we must have 2.2.8a to correct the bug in Samba.

I have many servers with Samba installed and we can't have security problems.

Thanks for your help.

Robert

Re: New security alert for Samba
« Reply #4 on: April 24, 2003, 02:09:23 PM »
What part of my reply did you not understand? I've given you the steps to verify for yourself that the security patches were applied. In a reply to your earlier post of this very same question, I told you that while it's true that the bug was fixed in the current stable version 2.2.8a of the samba source code, this doesn't mean that packaged versions below 2.2.8a are unsafe. The samba team themselves have made patches available to address the very same problem that was fixed in 2.2.8a for 2.2.7a and 2.0.10. The samba team's rollup patch for 2.2.7a seems to have been applied to the 2.2.7 packages by RedHat. This is called backporting. You'll find lots of packages with backported security patches in a typical Linux distribution.
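The point of the thread is that a package version number below 2.2.8a says nothing on its own about whether the fix is present: with a backported patch, the evidence lives in the package changelog. The script below is an added example (not code from the forum thread, the SME Server project or the Samba project). It parses `rpm -q --changelog <pkg>` output and reports, for each advisory ID, the earliest changelog entry that mentions either the ID itself or a known marker phrase for the upstream patch. The sample changelog, the packager name, dates and version-release strings are constructed; the marker mapping (rollup patch for 2.2.7a covering CAN-2003-0201 and CAN-2003-0085) is Paul's claim from Reply #1 and is an assumption to be confirmed against samba.org. CAN-2003-0196 is included with no marker to show the limit of the check: when the changelog is silent, the answer is "unknown", and the SRPM comparison Paul describes is the next step.

```python
"""Check an RPM changelog for evidence that security fixes were backported.

Added example; not code from the SME Server forum thread or the Samba project.
Parses the output of `rpm -q --changelog <pkg>` (newest entry first) and, per
advisory, finds the earliest entry mentioning the advisory ID or a marker.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of `rpm -q --changelog samba` output. Packager name,
# dates and version-release strings are made up; the entry text mirrors the
# lines quoted in the thread.
SAMPLE_CHANGELOG = """\
* Mon Apr 07 2003 Example Packager <packager@example.invalid> 2.2.7-3.sme
- import security rollup patch for 2.2.7a
- import bugfix so that "logon script = %g.bat" won't hang smbd.
- import fix for "wide links = no" from 2.2.8
  (upstream change applied without bumping the version)

* Wed Mar 19 2003 Example Packager <packager@example.invalid> 2.2.7-2
- fix for CAN-2003-0085

* Fri Jan 10 2003 Example Packager <packager@example.invalid> 2.2.7-1
- update to 2.2.7
"""

# Advisory IDs from the thread mapped to changelog phrases that indicate the
# fix. The rollup-patch marker is Paul's claim in Reply #1 (assumption); the
# empty list for CAN-2003-0196 (named in the Red Hat errata) means the
# changelog can only answer if it names the ID explicitly.
KNOWN_MARKERS: Dict[str, List[str]] = {
    "CAN-2003-0201": [r"security rollup patch for 2\.2\.7a"],
    "CAN-2003-0085": [r"security rollup patch for 2\.2\.7a"],
    "CAN-2003-0196": [],
}


@dataclass
class ChangelogEntry:
    date: str
    author: str
    evr: Optional[str]                       # version-release, if recorded
    items: List[str] = field(default_factory=list)


# "* Mon Apr 07 2003 Name <mail> 2.2.7-3.sme" - the trailing EVR is optional.
_HEADER = re.compile(r"^\* (?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4}) (?P<rest>.+)$")
_EVR = re.compile(r"^\d[\w.+~]*-[\w.+~]+$")
_ADVISORY_ID = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def parse_changelog(text: str) -> List[ChangelogEntry]:
    """Split rpm changelog text into entries; '- ' starts an item, indented
    lines continue the previous item."""
    entries: List[ChangelogEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _HEADER.match(line)
        if m:
            rest = m.group("rest")
            author, _, last = rest.rpartition(" ")
            if author and _EVR.match(last):
                entries.append(ChangelogEntry(m.group("date"), author, last))
            else:
                entries.append(ChangelogEntry(m.group("date"), rest, None))
        elif not entries or not line.strip():
            continue
        elif line.startswith("- "):
            entries[-1].items.append(line[2:].strip())
        elif entries[-1].items:
            entries[-1].items[-1] += " " + line.strip()
    return entries


def list_advisory_ids(entries: List[ChangelogEntry]) -> Set[str]:
    """Every CAN/CVE identifier the packager wrote into the changelog."""
    return {i for e in entries for item in e.items for i in _ADVISORY_ID.findall(item)}


def find_fix(entries: List[ChangelogEntry], advisory: str,
             markers: List[str]) -> Optional[ChangelogEntry]:
    """Earliest entry (changelog is newest-first, so scan reversed) whose
    items mention the advisory ID or any marker regex; None if silent."""
    pats = [re.compile(re.escape(advisory), re.I)] + [re.compile(m, re.I) for m in markers]
    for e in reversed(entries):
        if any(p.search(item) for item in e.items for p in pats):
            return e
    return None


def advisory_report(text: str, wanted: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each advisory to the version-release that first records its fix,
    or None when the changelog gives no evidence either way."""
    entries = parse_changelog(text)
    return {adv: (e.evr if e else None)
            for adv, markers in wanted.items()
            for e in [find_fix(entries, adv, markers)]}


if __name__ == "__main__":
    # Usage: rpm -q --changelog samba | python3 check_changelog.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    data = data if data.strip() else SAMPLE_CHANGELOG
    for adv, evr in advisory_report(data, KNOWN_MARKERS).items():
        print(f"{adv}: {'fixed in ' + evr if evr else 'no changelog evidence'}")
```

Running it against the constructed sample reports CAN-2003-0201 fixed in 2.2.7-3.sme (via the rollup marker), CAN-2003-0085 fixed in 2.2.7-2 (via its explicit ID), and no evidence for CAN-2003-0196. A None result is not a verdict that the package is vulnerable; it is the cue to read the errata and diff the patch in the SRPM, exactly as the reply above says.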