http://badlock.org/
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th. Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
@samba, can we prepare to have 4.x stable?
Update: Patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2 on April 12th. With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED. Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release.
Public: Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download
These are Security Releases in order to address CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115 and CVE-2016-2118.
Affected Versions: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, 4.4.0 (earlier versions have not been assessed)
Patched Versions: 4.2.10 / 4.2.11, 4.3.7 / 4.3.8 and 4.4.1 / 4.4.2 (both the interim and final security release have the patches).
commit 058eb202b4c757f889daf21e114188c7119c3be6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Tue Apr 12 22:08:22 2016

    net-fs/samba: Security bump to versions 4.2.11, 4.3.8 and 4.4.2 (bug #578004).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Feel free to start stabilization calls.
That is for samba-4.2.11
*** Bug 579802 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable =net-fs/samba-4.2.11 Target keywords: amd64 arm ia64 ppc ppc64 sparc x86
CVE-2016-2118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2118): The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."
amd64 stable
x86 stable
According to https://www.samba.org/samba/history/security.html there is a patch for 3.6.25 as well. It would be nice to have 3.6.25-r1 with the patch.
arm stable
Stable for HPPA PPC64.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
@ Maintainer(s): Please apply patches from https://www.samba.org/samba/ftp/patches/security/samba-v3-6-security-2016-04-12.tar.xz to =net-fs/samba-3.6.25 and do a rev bump.
@ Maintainer(s): I talked to Tobias (alpha arch). Bug 578668 is blocking alpha from using recent samba. As posted by Matt in the same bug, a patch was sent upstream. Tobias will test the patch later this week. If it works, we will cherry-pick the patch so alpha can move to stable samba as well and we can drop the remaining vulnerable version to proceed with this bug.
Short update: Thanks to the now resolved bug 578668 alpha is currently re-keywording net-fs/samba and will move to the fixed stable version as well. Once this is done we can proceed with the cleanup.
Stable on alpha.
@ Maintainer(s): Please drop =net-fs/samba-3.6.25.
commit 0aa1ea43d64b5c40839f1fbb4c1a176c5826ba6c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Mon Dec 19 14:33:06 2016

    net-fs/samba: Security cleanup (bug #578004).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
This issue was resolved and addressed in GLSA 201612-47 at https://security.gentoo.org/glsa/201612-47 by GLSA coordinator Aaron Bauman (b-man).