Bug #3395

Samba Badlock

Added by Giacomo Sanchietti over 3 years ago. Updated over 3 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: <multiple packages>
Target version: v6.7
Security class:
Resolution:
Affected version: v6.7
NEEDINFO: No

Description

On April 12th, 2016, a new security bug named Badlock has been disclosed.
The bug affects almost all current Samba releases.
Official site: http://badlock.org
Red Hat and CentOS already released the updates: https://access.redhat.com/security/vulnerabilities/badlock

All Windows machines joined to NethServer will not be able to log in to the server after the Samba update.
We are still investigating the issue; updates will be posted here. In the meantime, we suggest not updating the Samba packages if you're using NS as PDC.

Workaround 1: users who have already updated the system should downgrade all samba packages using the following command (edited, thanks to @maxbet):

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc libldb

Workaround 2: use locally cached credentials by disconnecting the network cable from the Windows machine before logging in.

Reference: http://community.nethserver.org/t/security-advisory-badlock-bug/3141

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1326918


Related issues

Related to NethServer 6 - Bug #3396: Adagios fails to install after Samba badlock updates CLOSED

History

#1 Updated by Giacomo Sanchietti over 3 years ago

  • Category set to <multiple packages>
  • Status changed from NEW to TRIAGED
  • Target version set to v6.7
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 3 years ago

  • Related to Bug #3396: Adagios fails to install after Samba badlock updates added

#3 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#4 Updated by Giacomo Sanchietti over 3 years ago

  • Description updated (diff)
  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Packages from CentOS CR repos (CentOS 6.8) seem to fix the issue.

Packages in nethserver-testing:
  • samba-winbind-clients-3.6.23-35.el6_8.x86_64.rpm
  • tdb-tools-1.3.8-3.el6_8.2.x86_64.rpm
  • libtdb-1.3.8-3.el6_8.2.x86_64.rpm
  • samba-3.6.23-35.el6_8.x86_64.rpm
  • samba-winbind-3.6.23-35.el6_8.x86_64.rpm
  • samba-common-3.6.23-35.el6_8.x86_64.rpm
  • samba-client-3.6.23-35.el6_8.x86_64.rpm

Test case
  • Check the bug is not reproducible
  • To upgrade an existing machine:
    yum --enablerepo=nethserver-testing update samba tdb-tools
    

#5 Updated by Nicola Rauso over 3 years ago

  • Assignee set to Nicola Rauso

#6 Updated by Nicola Rauso over 3 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Nicola Rauso)
  • % Done changed from 70 to 90

Test case
  • Check the bug is not reproducible

Tested: it works flawlessly

#7 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Releases in nethserver-updates:
  • samba-winbind-clients-3.6.23-35.el6_8.x86_64.rpm
  • tdb-tools-1.3.8-3.el6_8.2.x86_64.rpm
  • libtdb-1.3.8-3.el6_8.2.x86_64.rpm
  • samba-3.6.23-35.el6_8.x86_64.rpm
  • samba-winbind-3.6.23-35.el6_8.x86_64.rpm
  • samba-common-3.6.23-35.el6_8.x86_64.rpm
  • samba-client-3.6.23-35.el6_8.x86_64.rpm
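
Added example (not part of the original ticket or NethServer's own code): a shell check that flags installed packages older than the fixed builds listed in this ticket. The function names and the sample inventory are constructed, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Fixed builds, taken from the package lists in this ticket.
FIXED_SAMBA="3.6.23-35.el6_8"
FIXED_TDB="1.3.8-3.el6_8.2"

# version_lt A B: true when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering approximates rpm's version comparison.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# badlock_check: reads "name version-release" lines on stdin, prints one
# OUTDATED line per package older than the fixed build, returns 1 if any.
# On a real host, feed it with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | badlock_check
badlock_check() {
    status=0
    while read -r name ver; do
        case "$name" in
            samba|samba-*)    fixed=$FIXED_SAMBA ;;
            tdb-tools|libtdb) fixed=$FIXED_TDB ;;
            *)                continue ;;   # package not covered by this ticket
        esac
        if version_lt "$ver" "$fixed"; then
            echo "OUTDATED $name $ver (fixed: $fixed)"
            status=1
        fi
    done
    return $status
}

# Constructed sample inventory (not output from a real system).
sample_inventory() {
    cat <<'EOF'
samba 3.6.23-25.el6_7
samba-common 3.6.23-35.el6_8
libtdb 1.2.10-1.el6
tdb-tools 1.3.8-3.el6_8.2
openssh 5.3p1-117.el6
EOF
}

sample_inventory | badlock_check || echo "update required"
```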
