when will Ubuntu be updating samba v4.3.11 for the bug just discovered?
See CVE-2017-7494 and USN-3296-1. The fix has been released except for 17.10. The guidelines on updating are
$ sudo apt-get update
$ sudo apt-get dist-upgrade
But when this will be released, we do not know. "As soon as possible" is the best you can get. Though I would assume it already should be ... it is seen as a "high security issue".
===
It is:
Setting up samba-vfs-modules (2:4.5.8+dfsg-0ubuntu0.17.04.2) ...
was what I got when I dist-upgraded.
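An added check, not part of the original answer, that covers the trap the question ran into: Ubuntu backports security fixes without changing the upstream number, so `samba --version` keeps reporting 4.3.11 on 16.04 even after the USN-3296-1 package is installed. What you compare is the Debian package version from dpkg-query against the fixed version in the advisory. The fixed version strings below are the ones listed in USN-3296-1 for 14.04, 16.04 and 17.04 (the 17.04 string is the one shown in the dist-upgrade output above); they are reproduced from memory, so verify them against the advisory before relying on them. The pure-awk comparator is a simplified numeric-field ordering for revisions of the same package, not the full dpkg ordering, which is why the script prefers dpkg --compare-versions when that is available.

```shell
#!/bin/sh
# Added example (not from the original post): is the installed samba
# package at or above the USN-3296-1 fixed version for CVE-2017-7494?

# Fixed package versions per Ubuntu release as listed in USN-3296-1.
# Assumption: verify these strings against the advisory before use.
fixed_version_for_release() {
    case "$1" in
        14.04) echo "2:4.3.11+dfsg-0ubuntu0.14.04.8" ;;
        16.04) echo "2:4.3.11+dfsg-0ubuntu0.16.04.7" ;;
        17.04) echo "2:4.5.8+dfsg-0ubuntu0.17.04.2" ;;
        *) return 1 ;;   # no entry (e.g. 17.10 had no fix at the time)
    esac
}

# ver_ge A B: succeed when A >= B. Splits both strings on non-digit runs,
# so "2:4.3.11+dfsg-0ubuntu0.16.04.7" becomes 2 4 3 11 0 0 16 4 7, and
# compares field by field. Enough for two revisions of the same Ubuntu
# package; it does NOT implement full dpkg ordering (e.g. '~' pre-releases).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, af, "[^0-9]+"); nb = split(b, bf, "[^0-9]+")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? af[i] + 0 : 0
            y = (i <= nb) ? bf[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# samba_patched RELEASE INSTALLED_VERSION
# exit 0 = fixed, 1 = not fixed, 2 = release not covered by the advisory.
samba_patched() {
    fixed=$(fixed_version_for_release "$1") || {
        echo "no USN-3296-1 fixed version known for Ubuntu $1" >&2
        return 2
    }
    if command -v dpkg >/dev/null 2>&1; then
        # authoritative Debian version ordering when dpkg is present
        dpkg --compare-versions "$2" ge "$fixed"
    else
        ver_ge "$2" "$fixed"
    fi
}

# Run on the server itself: read the package version with dpkg-query, not
# `samba --version`, because the upstream 4.3.11 number does not change.
check_this_host() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}' samba 2>/dev/null) || {
        echo "samba package not installed"
        return 1
    }
    if samba_patched "$release" "$installed"; then
        echo "samba $installed on Ubuntu $release: CVE-2017-7494 fix present"
    else
        echo "samba $installed on Ubuntu $release: NOT fixed; run apt-get update && apt-get dist-upgrade"
        return 1
    fi
}

# Invoke as: sh samba-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_this_host
fi
```

If you only want the package version and nothing else, `dpkg-query -W -f='${Version}\n' samba` on 16.04 should print 2:4.3.11+dfsg-0ubuntu0.16.04.7 or later once the update from USN-3296-1 is installed; `apt-cache policy samba` shows both the installed and the candidate version if you want to see whether the repository already has it before upgrading.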
David Allie
Updated on September 18, 2022

Comments
-
David Allie over 1 year
It was announced just yesterday that there's a new-and-serious Samba bug. Information about it can be found here:
http://www.theregister.co.uk/2017/05/25/fatthumbed_dev_slashes_samba_security/
"In CVE-2017-7494, a malicious client can 'upload a shared library to a writable share, and then cause the server to load and execute it.'"
On my 16.04 LTS server, I ran 'samba --version' and got back: 4.3.11
When I followed the link in the article to Samba's website, it indicates fixes for some versions, but not for Samba 4.3.11. Does anyone know when Ubuntu/Canonical will be making an update for Samba available to us?
-
Thomas Ward almost 7 years
17.10 Samba is on the list of things needing attention - but that's the Development release; my guess is that the CVE will be included and patched in 17.10 when that version is 'updated' properly.
-
David Allie almost 7 years
@Rinzwind, thanks for the quick reply. To be honest, I've used the apt-get dist-upgrade command only once, several years ago, and it ended up removing a bunch of packages. The man page for apt-get also says "The dist-upgrade command may therefore remove some packages." So I'm hesitant to use it. As you say, it is listed as a "high security issue", so I'm going to assume that they'll fix/update it very quickly. I guess I'll wait a few days... and as I only have a few PCs accessing a Samba share right now, it isn't widely visible. Thanks!
-
Xenhat almost 7 years
Upvoted, since upgrading the entire distribution isn't always an option on a production server, and the patch ID and bug description match, indicating that the bug has indeed been patched.