OpenWrt Forum Archive

Topic: Badlock (new Windows/Samba crucial vuln to be announced 4/12)

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

http://badlock.org/

Which Samba versions will get patches?

Patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2 on April 12th.

With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED.

Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release, so that you will not have to make a major version update at the time you need to get the security fix installed.

Unless the patch can be backported to 3.6 it appears that the current OpenWrt package should get an upgrade.

You can be sure the fix will be backported to Samba 3.6. At least Debian still supports Samba 3.6 in their "oldstable" release 7 (Wheezy). So, they will issue some sort of fix or workaround for their Samba 3.6 package. The same is true for 4.1, which may officially be "unsupported" by the Samba team, but is still supported by various distributions like Debian 8 (Jessie) or Ubuntu 14.04 LTS (Trusty).

They actually officially patched 3.6.25. I'm not sure if I'm reading the CVEs correctly, but it really looks to me like it's a non-issue if you don't use Active Directory?

https://www.samba.org/samba/history/security.html
