Samba Security Updates Tuesday

This is a heads-up that there will be important Samba security updates
on Tuesday, March 13th (~ 8-11am UTC). Please make sure that your Samba
servers will be updated immediately after the release!

Just a heads up for anyone who isn’t subscribed to the Samba mailing list or who might have missed it. I haven’t seen them issue a heads up like this too often…

Only applies if you compile your own Samba (presumably for DC purposes). Could end up being something pretty minor, but you never know.


Whenever I see such a message I always expect some kind of important vulnerability disclosure a week later.


o CVE-2018-1050:
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.

There is no known vulnerability associated with this error, merely a
denial of service. If the RPC spoolss service is left by default as an
internal service, all a client can do is crash its own authenticated
connection.

o CVE-2018-1057:
On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users’
passwords, including administrative users.

So any user can change the admin password for the domain. Not great.

Patched versions are:

4.7.6, 4.6.14 and 4.5.16

Samba 4.8 was also released today.

https://www.samba.org/samba/history/samba-4.8.0.html

It now encrypts sensitive LDAP fields, so that’s… essential.

It also has some sort of integration with Sophos and ClamAV virus scanners via a vfs :tada:
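For anyone wanting to triage their own hosts against the two advisories quoted above, here is an added example (my code, not Samba's) that turns the advisory text into a check: it parses an `smbd --version` style string, compares it branch-by-branch against the patched releases listed in the thread (4.5.16, 4.6.14, 4.7.6), and reads a minimal smb.conf to see whether the host is actually exposed, since CVE-2018-1050 only matters when spoolss runs as an external daemon and CVE-2018-1057 only applies to an AD DC. The `rpc_server:spoolss` and `server role` parameter names are real Samba options but are not mentioned on the page; treating 4.8.0 as already fixed is an assumption drawn from the release timing; and the sample version string and smb.conf are constructed.

```python
"""Triage helper for the two Samba advisories in this thread (added example)."""
import re

# Earliest release carrying the fixes on each maintained branch, as listed in the thread.
PATCHED_RELEASES = {(4, 5): (4, 5, 16), (4, 6): (4, 6, 14), (4, 7): (4, 7, 6)}
FIRST_AFFECTED = (4, 0, 0)  # "all versions of Samba from 4.0.0 onwards"


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.7.5-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_status(version):
    """Classify a version: 'not affected', 'patched', 'vulnerable' (a fixed
    release exists on this branch) or 'unsupported' (affected branch that
    received no fixed release)."""
    if version < FIRST_AFFECTED:
        return "not affected"
    branch = version[:2]
    if branch in PATCHED_RELEASES:
        return "patched" if version >= PATCHED_RELEASES[branch] else "vulnerable"
    if version >= (4, 8, 0):
        return "patched"  # assumption: 4.8.0 shipped the same day with the fixes
    return "unsupported"  # 4.0 .. 4.4: affected, but no patched release on that branch


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {normalized_key: value}}.
    Samba ignores case and whitespace in parameter names, so 'Server Role'
    and 'server role' are the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return conf


def assess(version_text, smb_conf_text):
    """Report which of the two issues apply, given version output and smb.conf."""
    status = version_status(parse_version(version_text))
    g = parse_smb_conf(smb_conf_text).get("global", {})
    findings = []
    if status in ("vulnerable", "unsupported"):
        # CVE-2018-1050 is only a concern when spoolss runs as an external daemon;
        # left internal, a client can only crash its own connection.
        if g.get("rpc_server:spoolss") == "external":
            findings.append("CVE-2018-1050: spoolss runs as an external daemon, "
                            "so the print spooler service can be crashed")
        # CVE-2018-1057 applies to the LDAP server of an AD DC only.
        if g.get("serverrole") == "active directory domain controller":
            findings.append("CVE-2018-1057: AD DC; authenticated users can change "
                            "other users' passwords over LDAP")
    return {"status": status, "findings": findings}


# Constructed sample inputs: an unpatched 4.6 AD DC with spoolss run externally.
SAMPLE_VERSION = "Version 4.6.12"
SAMPLE_SMB_CONF = """\
# constructed sample smb.conf
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    rpc_server:spoolss = external
[sysvol]
    path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SMB_CONF))
```

Run it against the real `smbd --version` output and smb.conf of each DC; a 4.0 to 4.4 host comes back as "unsupported" rather than "vulnerable" to make clear that upgrading the branch, not applying a point release, is the only fix there.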

I usually give them 2 revisions to sort things out on a new minor version, but glad to see them focus on some security stuff.