Hi Mathieu,

Thank you for this information. The LTS team will handle this. If nobody else steps up I will do it myself.

For the LTS team: I will add this to the dla-needed.txt file later today, but feel free to add it and claim this update yourself.

Best regards

// Ola

On 23 March 2017 at 11:30, Mathieu Parent <math.par...@gmail.com> wrote:
> Hi,
>
> Today samba has released a security fix for a symlink race (leading to
> information disclosure).
>
> Salvatore will take care of the jessie upload, I have uploaded for
> sid, but we have not done anything on the wheezy side.
>
> See attached the backported patches for 3.6 (those are from the samba
> bugzilla which is still embargoed).
>
> Please take care of it.
>
> Thanks
>
> Mathieu Parent
>
>
> ---------- Forwarded message ----------
> From: Karolin Seeger via samba-announce <samba-annou...@lists.samba.org>
> Date: 2017-03-23 10:11 GMT+01:00
> Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
> To: samba-annou...@lists.samba.org, sa...@lists.samba.org, samba-techni...@lists.samba.org
>
>
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defect:
>
> o CVE-2017-2619 (Symlink race allows access outside share definition)
>
> =======
> Details
> =======
>
> o CVE-2017-2619:
> All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
> a malicious client using a symlink race to allow access to areas of
> the server file system not exported under the share definition.
>
> Samba uses the realpath() system call to ensure when a client requests
> access to a pathname that it is under the exported share path on the
> server file system.
>
> Clients that have write access to the exported part of the file system
> via SMB1 unix extensions or NFS to create symlinks can race the server
> by renaming a realpath() checked path and then creating a symlink. If
> the client wins the race it can cause the server to access the new
> symlink target after the exported share path check has been done. This
> new symlink target can point to anywhere on the server file system.
>
> This is a difficult race to win, but theoretically possible. Note that
> the proof of concept code supplied wins the race reliably only when
> the server is slowed down using the strace utility running on the
> server. Exploitation of this bug has not been seen in the wild.
>
>
> Changes:
> --------
>
> o Jeremy Allison <j...@samba.org>
> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> share directory.
>
> o Ralph Boehme <s...@samba.org>
> * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> share directory.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.6.1.html
> https://www.samba.org/samba/history/samba-4.5.7.html
> https://www.samba.org/samba/history/samba-4.4.12.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
>
> --
> Mathieu

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
 \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---------------------------------------------------------------
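Added example (not from the announcement, the thread, or Samba's own code): the check-then-use shape the advisory describes, a realpath() check followed by a separate open(), beside a hardened variant that resolves the client path one component at a time with openat() and O_NOFOLLOW, so a symlink planted after the check is refused rather than followed. Function names, the /tmp layout and the constructed "share" are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check-then-use shape from the advisory: realpath() validates, then open() resolves
 * the path again, so a rename plus symlink between the two calls escapes share_root. */
int open_checked_then_used(const char *share_root, const char *client_path) {
    char full[PATH_MAX], resolved[PATH_MAX];          /* share_root assumed canonical */
    snprintf(full, sizeof full, "%s/%s", share_root, client_path);
    if (!realpath(full, resolved)) return -1;
    size_t n = strlen(share_root);
    if (strncmp(resolved, share_root, n) || (resolved[n] && resolved[n] != '/')) return -1;
    return open(resolved, O_RDONLY);   /* second resolution: this is the race window */
}

/* Hardened shape: walk the client path one component at a time from a directory fd with
 * O_NOFOLLOW, so a symlink planted after any check fails (ELOOP) and ".." cannot climb. */
int open_under_root(int root_fd, const char *client_path) {
    char buf[PATH_MAX], *save = NULL;
    if (snprintf(buf, sizeof buf, "%s", client_path) >= (int)sizeof buf) return -1;
    int dir = dup(root_fd);                            /* never hand out root_fd itself */
    for (char *c = strtok_r(buf, "/", &save); dir >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        if (!strcmp(c, ".")) continue;
        if (!strcmp(c, "..")) { close(dir); return -1; }
        int next = openat(dir, c, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(dir); dir = next;                        /* -1 on symlink or missing entry */
    }
    return dir;
}

/* Constructed layout under a temp dir: <base>/secret outside the share, <base>/share/doc.txt
 * inside it, <base>/share/esc -> ../secret. Returns 1 iff the hardened open accepts doc.txt
 * and refuses both escape routes (symlink and ".."). */
int demo_hardened_open(void) {
    char base[] = "/tmp/lts-shareXXXXXX", root[PATH_MAX], sec[PATH_MAX], doc[PATH_MAX], esc[PATH_MAX];
    if (!mkdtemp(base)) return 0;
    snprintf(root, sizeof root, "%s/share", base); snprintf(sec, sizeof sec, "%s/secret", base);
    snprintf(doc, sizeof doc, "%s/doc.txt", root); snprintf(esc, sizeof esc, "%s/esc", root);
    if (mkdir(root, 0700) || close(open(sec, O_CREAT | O_WRONLY, 0600)) ||
        close(open(doc, O_CREAT | O_WRONLY, 0600)) || symlink("../secret", esc)) return 0;
    int root_fd = open(root, O_RDONLY | O_DIRECTORY), ok = open_under_root(root_fd, "doc.txt"),
        via_link = open_under_root(root_fd, "esc"), via_dotdot = open_under_root(root_fd, "../secret");
    close(ok); close(root_fd); unlink(esc); unlink(doc); unlink(sec); rmdir(root); rmdir(base);
    return ok >= 0 && via_link < 0 && via_dotdot < 0;
}
```

The first function still rejects a symlink that is already in place when realpath() runs; what it cannot do is notice one created between its two calls, which is exactly the window the second function closes by never re-resolving a path string.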