Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#54177 - [samba] remote code execution from a writable share
Attached to Project: Arch Linux
Opened by loqs (loqs) - Wednesday, 24 May 2017, 21:56 GMT
Last edited by Evangelos Foutras (foutrelis) - Saturday, 27 May 2017, 07:01 GMT
Details
Description:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Additional info: samba 4.5.8-1 in extra and samba 4.6.3-1 in testing are affected.
https://www.samba.org/samba/security/CVE-2017-7494.html
Closed by Evangelos Foutras (foutrelis)
Saturday, 27 May 2017, 07:01 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in [extra] with samba 4.5.10-1 and in [testing] with samba 4.6.4-1.
The easiest fix is actually just to upgrade to 4.6.4; the patch (https://download.samba.org/pub/samba/patches/samba-4.6.3-4.6.4.diffs.gz) seemed very minimal, so we should have just had it testing.