All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/
Created attachment 182878
svn diff for net/samba46
Created the vuxml entry yesterday. fwiw... Simply updating to 4.6.4 in ports worked for me.
https://brnrd.eu/poudriere/data/110libre-default/2017-05-24_11h36m05s/logs/samba46-4.6.4.log
net/samba46: Security update to 4.6.4
- Upstream security update
PR: 219514
MFH: 2017Q2
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Security: CVE-2017-7494
(In reply to Bernard Spil from comment #1)
Hi, Bernard! I'm not certain what I should do regarding this ticket...
Author: timur
Date: Wed May 24 14:53:46 2017
New Revision: 441602
URL: https://svnweb.freebsd.org/changeset/ports/441602
Log:
Urgent upgrade of the Samba 4.[4-6] ports to address RCE in the Samba code(CVE-2017-7494). All versions starting from 3.5+ are affected.
Security: CVE-2017-7494
(In reply to Timur I. Bakeyev from comment #2)
Hi Timur, as you've updated the 4.4, 4.5 and 4.6 ports we need to figure out what to do with the older ports. These should be marked deprecated.
Created attachment 182879
svn diff for net/samba4[23]
net/samba43: Mark 4.2, 4.3 deprecated
- Mark net/samba42, 43 deprecated
- Update conflicts (assume all future conflict)
PR: 219514
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Shoot! Missed MFH: 2017Q2
net/samba43: Mark 4.2, 4.3 deprecated
- Mark net/samba42, 43 deprecated
- Update conflicts (assume all future conflict)
PR: 219514
MFH: 2017Q2
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
(In reply to Bernard Spil from comment #4) I'm all for the deprecation of the 4.2 and 4.3 ports. So, go for it!
A commit references this bug:
Author: brnrd
Date: Thu May 25 12:36:49 UTC 2017
New revision: 441680
URL: https://svnweb.freebsd.org/changeset/ports/441680
Log:
net/samba43: Mark 4.2 and 4.3 deprecated
- Add deprecation date and message
- Update/simplify conflicts
PR: 219514
Approved by: timur (maintainer)
MFH: 2017Q2
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Changes:
head/net/samba42/Makefile
head/net/samba43/Makefile
base r441602 requires MFH to 2016Q2
Uh, ports r441602 rather.
A commit references this bug:
Author: feld
Date: Tue May 30 13:18:38 UTC 2017
New revision: 442060
URL: https://svnweb.freebsd.org/changeset/ports/442060
Log:
MFH: r441602
Urgent upgrade of the Samba 4.[4-6] ports to address RCE in the Samba code(CVE-2017-7494). All versions starting from 3.5+ are affected.
Security: CVE-2017-7494
Approved by: ports-secteam (with hat)
PR: 219514
Changes:
_U branches/2017Q2/
branches/2017Q2/net/samba44/Makefile
branches/2017Q2/net/samba44/distinfo
branches/2017Q2/net/samba45/Makefile
branches/2017Q2/net/samba45/distinfo
branches/2017Q2/net/samba46/Makefile
branches/2017Q2/net/samba46/distinfo
branches/2017Q2/net/samba46/files/patch-source3__librpc__crypto__gse.c
branches/2017Q2/net/samba46/pkg-plist
A commit references this bug:
Author: feld
Date: Tue May 30 13:20:14 UTC 2017
New revision: 442061
URL: https://svnweb.freebsd.org/changeset/ports/442061
Log:
MFH: r441680
net/samba43: Mark 4.2 and 4.3 deprecated
- Add deprecation date and message
- Update/simplify conflicts
PR: 219514
Approved by: timur (maintainer)
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Approved by: ports-secteam (with hat)
Changes:
_U branches/2017Q2/
branches/2017Q2/net/samba42/Makefile
branches/2017Q2/net/samba43/Makefile