Re: [oi-dev] samba security
But 3.6.x currently has winbind issues.

On Sunday, April 15, 2012 08:54 PM, Bayard Bell wrote:
> A version of 3.6.4 is pending for the illumos-userland head.
>
> On Sun, Apr 15, 2012 at 1:44 PM, Martin Walter m...@uni-freiburg.de wrote:
>> Hi,
>>
>> yesterday I updated to oi_151a3 and saw:
>>
>> # pkg list | grep samba
>> library/samba/libsmbclient 3.5.5-0.151.1.3 i--
>> service/network/samba 3.5.5-0.151.1.3 i--
>>
>> Is there any newer version without the security bug from
>> https://www.samba.org/samba/security/CVE-2012-1182 ?
>>
>> Best regards,
>> Martin

___
oi-dev mailing list
oi-dev@openindiana.org
http://openindiana.org/mailman/listinfo/oi-dev
Re: [oi-dev] samba security
I can confirm that 3.5.14 builds with sun cc and runs fine without the winbind issues found in 3.5.5-7.

On Monday, April 16, 2012 06:20 AM, Gordon Ross wrote:
> Bayard has 3.5.14 building in userland, I think (the latest in the samba 3.5 branch). That would be a reasonable choice for the stable branch, because changes along the samba 3.5.x branch are generally just maintenance changes. (Like CVE-2012-1182, which bumped 3.5.13 to 3.5.14)
>
> Gordon
>
> On Sun, Apr 15, 2012 at 2:59 PM, Alasdair Lumsden alasdai...@gmail.com wrote:
>> Hi Martin,
>>
>> We've obtained the Debian security patches for 3.5.6 which should hopefully apply fairly cleanly against our 3.5.5:
>> http://security-tracker.debian.org/tracker/source-package/samba
>>
>> We're looking into things.
>>
>> Cheers,
>> Alasdair
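As an added example (not code from the thread or from the OpenIndiana project), here is a POSIX sh check that classifies the Samba package versions shown in `pkg list` output as fixed or vulnerable for CVE-2012-1182, using the fixed releases named in the thread (3.5.14 on the 3.5 branch, 3.6.4 on the 3.6 branch). The sample `pkg list` lines are constructed from the ones Martin posted, and any other branch is reported as unknown rather than guessed.

```shell
# Added example (not from the thread): classify installed Samba versions for
# CVE-2012-1182. Fixed releases named in the thread: 3.5.14 and 3.6.4.
# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}               # leading component
        [ "$ai" = "$a" ] && a= || a=${a#*.}    # drop it from the remainder
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify one IPS version string such as 3.5.5-0.151.1.3.
# Prints "fixed", "vulnerable" or "unknown-branch" (no guessing).
samba_cve_2012_1182_status() {
    upstream=${1%%-*}          # strip the IPS build suffix (-0.151.1.3)
    branch=${upstream%.*}      # 3.5.5 -> 3.5
    case $branch in
        3.5) fixed=3.5.14 ;;
        3.6) fixed=3.6.4 ;;
        *)   printf '%s\n' unknown-branch; return ;;
    esac
    if [ "$(vercmp "$upstream" "$fixed")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Constructed sample of `pkg list | grep samba` output, same versions as in
# the thread; on a real host pass the live output of that command instead.
SAMPLE_PKG_LIST='library/samba/libsmbclient 3.5.5-0.151.1.3 i--
service/network/samba 3.5.5-0.151.1.3 i--'

# Print "<fmri> <version> <status>" for every line of pkg list output.
scan_pkg_list() {
    printf '%s\n' "$1" | while read -r fmri ver _flags; do
        [ -n "$fmri" ] || continue
        printf '%s %s %s\n' "$fmri" "$ver" "$(samba_cve_2012_1182_status "$ver")"
    done
}

# Number of listed packages still vulnerable (0 means nothing left to patch).
count_vulnerable() {
    scan_pkg_list "$1" | grep -c ' vulnerable$' || true
}
```

Run `scan_pkg_list "$(pkg list | grep samba)"` on a host to see each package's status; a non-zero `count_vulnerable` means the stable-branch package still needs the backported fix.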
Re: [oi-dev] samba security
On Tue, Apr 17, 2012 at 09:20:52PM +0800, Christopher Chan wrote:
> I can confirm that 3.5.14 builds with sun cc and runs fine without

3.5.14 as an immediate measure would be fine! And sometime later 3.6.4.

martin
Re: [oi-dev] samba security
On Tuesday, April 17, 2012 09:44 PM, Martin Walter wrote:
> On Tue, Apr 17, 2012 at 09:20:52PM +0800, Christopher Chan wrote:
>> I can confirm that 3.5.14 builds with sun cc and runs fine without
>
> 3.5.14 as an immediate measure would be fine! And sometime later 3.6.4.

I'm not touching 3.6.4 with a ten foot pole until the samba chums sort out their issues with winbind on 3.6.x. I'm not desperate for SMB2 support.
Re: [oi-dev] samba security
A version of 3.6.4 is pending for the illumos-userland head.

On Sun, Apr 15, 2012 at 1:44 PM, Martin Walter m...@uni-freiburg.de wrote:
> Hi,
>
> yesterday I updated to oi_151a3 and saw:
>
> # pkg list | grep samba
> library/samba/libsmbclient 3.5.5-0.151.1.3 i--
> service/network/samba 3.5.5-0.151.1.3 i--
>
> Is there any newer version without the security bug from
> https://www.samba.org/samba/security/CVE-2012-1182 ?
>
> Best regards,
> Martin
Re: [oi-dev] samba security
On 15 Apr 2012, at 13:54, Bayard Bell wrote:
> A version of 3.6.4 is pending for the illumos-userland head.

Hi Walter,

Unfortunately however the new version probably won't make the stable branch. The stuff in illumos-userland will be destined for /experimental followed by /dev.

Cheers,
Alasdair
Re: [oi-dev] samba security
On Apr 15, 2012, Alasdair Lumsden wrote:
> Unfortunately however the new version probably won't make the stable branch. The stuff in illumos-userland will be destined for /experimental followed by /dev.

You may wish to reconsider...

    A remote, pre-authentication vulnerability is essentially the most severe kind of flaw that can crop up in a software package such as Samba. An attacker who found a vulnerable installation of Samba would not need to authenticate in order to launch an exploit.

http://m.threatpost.com/en_us/blogs/remote-pre-authentication-flaw-fixed-samba-041112
Re: [oi-dev] samba security
On Sun, Apr 15, 2012 at 02:18:11PM +0100, Alasdair Lumsden wrote:
> On 15 Apr 2012, at 13:54, Bayard Bell wrote:
>> A version of 3.6.4 is pending for the illumos-userland head.

Hi Alasdair,

> Unfortunately however the new version probably won't make the stable branch. The stuff in illumos-userland will be destined for /experimental followed by /dev.

pkg.openindiana.org/experimental was last updated on 2011-11-19!?

I think such critical security holes should be fixed asap. Otherwise it is really a risk to run OpenIndiana on big fileservers.

Best regards,
Martin
Re: [oi-dev] samba security
On Apr 15, 2012, at 7:11 AM, Martin Walter wrote:
> I think such critical security holes should be fixed asap. Otherwise it is really a risk to run OpenIndiana on big fileservers.

That service should never be exposed to the Internet in the first place. But otherwise I'd agree it ought to be considered for inclusion since the Samba team has decided it important enough that they're also patching some end-of-lifed versions as well.

-Gary
Re: [oi-dev] samba security
On Sun, Apr 15, 2012 at 08:57:56AM -0700, Gary Driggs wrote:
> On Apr 15, 2012, at 7:11 AM, Martin Walter wrote:
>> I think such critical security holes should be fixed asap. Otherwise it is really a risk to run OpenIndiana on big fileservers.
>
> That service should never be exposed to the Internet in the first place.

Yes, of course. But 25000 internal users (students) are enough for me to feel uncomfortable with this bug! ;-)

Martin
Re: [oi-dev] samba security
Hi Martin,

On 15 Apr 2012, at 15:10, Martin Walter wrote:
> [snip]
>> Unfortunately however the new version probably won't make the stable branch. The stuff in illumos-userland will be destined for /experimental followed by /dev.
>
> pkg.openindiana.org/experimental was last updated on 2011-11-19!?
>
> I think such critical security holes should be fixed asap. Otherwise it is really a risk to run OpenIndiana on big fileservers.

The binary repo was last updated quite a while ago, but work continues on the source side at:

https://hg.openindiana.org/illumos-userland/
and
https://hg.openindiana.org/upstream/oracle/userland-gate

The challenge is manpower - 151a was built using a collection of highly unpalatable build systems that few of our developers want to work on. The reason for the delay between oi_151 and our next big release (not the stable) is that we're completely re-tooling around a single build system. Once done, we'll be able to churn out updates far more easily.

However the retooling effort has been derailed and held up by the fact it started life as oi-build and became a collaborative effort with Nexenta called illumos-userland, which they are going to also use for Illumian. A lot of resources have had to be diverted to sorting out collaborating with them and dealing with the consequences of this. We're nearly there and hopefully things will speed up again once we get into the swing of things.

If you'd like things to proceed faster, I'd like to point out that the devs working on OI are contributing their free time to do this. If you value OI then you're welcome to assist us and help get things updated faster.

The stable release is about backporting critical security fixes, and this one sounds like the kind of thing we should look at backporting. So we will look into it and see what can be done. But it probably won't involve a version bump, more a patch to the older version.

Cheers,
Alasdair
Re: [oi-dev] samba security
On 15 Apr 2012, at 18:59, Martin Walter wrote:
> Would it be not easier and better to just make the newest version available? E.g. I would much more prefer just a samba-3.6.4 package than an updated samba-3.5.5.

Yes, if we were on the new build system. So updating samba for /experimental wouldn't be too hard. But samba for oi_151a is stuck in an old build system, so updating it would require more effort than anyone we have is willing to take on. And as Rich pointed out, isn't really what the stable branch is about.

If you have time you could have a look to see if there is a patch that applies against samba-3.5.5 that fixes the CVE. The usual place to look is other distro's patch sets against samba where their version is close to ours. *That* would be genuinely helpful and more use to us than building stuff :-)

Cheers,
Alasdair
Re: [oi-dev] samba security
Hi Martin,

We've obtained the Debian security patches for 3.5.6 which should hopefully apply fairly cleanly against our 3.5.5:
http://security-tracker.debian.org/tracker/source-package/samba

We're looking into things.

Cheers,
Alasdair