Samba cve-2018-1050 and 1057



just to report two new samba security issues

(Saito Benkei) #3

from what I understand this should only work if the attack is carried out via intranet, not via internet.

(Davide Principi) #4

Yes the domain controller LDAP service binds to a LAN IP.

Samba has released the fix yesterday:

(Davide Principi) #5

The RPM is available from testing repository /cc @quality_team

 yum --enablerepo=nethserver-testing update nethserver-dc

(Davide Principi) #6

The testing package is on production in my DC since yesterday: I’m going to release it today! Please provide some testing feedback!

(Markus Neuberger) #7

Tested on a fresh VM and on my home server:

On the fresh VM it just worked. I tested joining and domain logon from Windows 7.

On the home server I had to reset permissions to make ACL shares work again but this is not related to nethserver-dc I think. Domain logons from Windows 10 worked normally after update.

(Davide Principi) #8

(Alessio Fattorini) #9

Thanks Markus great feedback