[SOLVED] Samba update needed in Slackware 15.0 after KB5028166
Samba update needed in Slackware 15.0 after KB5028166
I don't really know if this information should go to the thread "Requests for current-next (15.0-->15.1)" because it's urgent. To the point - after installing KB5028166 update, Windows systems cannot connect to the domain controller. Samba has made appropriate fixes in samba-4.16.11, samba-4.17.10 and samba-4.18.5. Meanwhile in Slackware 15.0 we still have samba-4.15.13. I think we need an urgent update of the samba package in Slackware 15.0, because for several weeks it has been possible to work only after uninstalling KB5028166 update and disabling windows update.
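As an added example (not code from the thread or from Slackware), here is a small POSIX shell check that classifies an installed Slackware Samba package against the first releases carrying the fixes named above (4.16.11, 4.17.10, 4.18.5). It assumes Slackware's package database layout, one file per package under /var/log/packages named name-version-arch-build; the sample package names at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an installed Slackware Samba package
# against the first releases carrying the post-KB5028166 fixes the post names
# (4.16.11, 4.17.10, 4.18.5). Assumes Slackware's package database: one file per
# package in /var/log/packages named <name>-<version>-<arch>-<build>.

# Lowest release on each maintained branch that carries the fix (from the post).
fixed_for_branch() {
    case "$1" in
        4.16) echo 4.16.11 ;;  4.17) echo 4.17.10 ;;  4.18) echo 4.18.5 ;;  *) echo "" ;;
    esac
}

# Version field of a package name: drop the trailing build and arch fields.
pkg_version() {
    p=${1%-*}; p=${p%-*}; echo "${p##*-}"
}

# Exit 0 if dotted version $1 >= $2 (major, minor, patch compared numerically).
version_ge() {
    set -- $(printf '%s %s' "$1" "$2" | tr . ' ')
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# One-line verdict for a package name such as samba-4.15.13-x86_64-1_slack15.0.
samba_status() {
    ver=$(pkg_version "$1"); fixed=$(fixed_for_branch "${ver%.*}")
    if [ -n "$fixed" ]; then
        if version_ge "$ver" "$fixed"; then echo "OK $ver (>= $fixed)"
        else echo "NEEDS-UPDATE $ver (first fixed release on this branch is $fixed)"; fi
    elif version_ge "$ver" 4.16.0; then
        echo "UNKNOWN $ver (branch newer than the table; check its release notes)"
    else
        echo "EOL $ver (no fixed release on this branch; move to a maintained branch)"
    fi
}
# Real use on a Slackware host: classify whatever Samba package is installed.
scan_installed() {
    for p in "${1:-/var/log/packages}"/samba-*; do
        [ -e "$p" ] && samba_status "$(basename "$p")"
    done
}

# Constructed sample names, so the script also demonstrates itself off a Slackware box.
for n in samba-4.15.13-x86_64-1_slack15.0 samba-4.16.10-x86_64-1 samba-4.18.5-x86_64-1_slack15.0; do
    samba_status "$n"
done
```

On a real Slackware 15.0 host, call scan_installed with no argument (or with an alternative package database directory) instead of the constructed loop.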
I can't say for sure how this is going to affect Slackware 15.0, which ships with Samba 4.15, which now is EOL. Often, when a version gets EOL, Slackware no longer provides security updates of that software for stable versions. The release notes for Samba version 4.y.0 should be studied carefully when upgrading from version 4.x.0. If Samba 4.15 had not been EOL, an upgrade would be a no-brainer.
However, a request to update samba in Slackware current does absolutely seem appropriate.
Looking at the timeline of CVE-2022-38023 is kind of interesting:
8/8 2022 (almost a year ago): CVE-2022-38023 is allocated.
11/7 2023: KB5028166 is published which fixes CVE-2022-38023
12/7 2023: Bug report at https://bugzilla.samba.org/show_bug.cgi?id=15418
13/7 2023: First suggested patches for Samba, also confirmed working
19/7 2023: Samba version 4.18.15, 4.17.10 and 4.16.11 released
Those Windows systems have had this known security hole for more than 11 months.
However, a request to update samba in Slackware current does absolutely seem appropriate.
Using Slackware current for production use is risky.
Quote:
Originally Posted by henca
Looking at the timeline of CVE-2022-38023 is kind of interesting:
8/8 2022 (almost a year ago): CVE-2022-38023 is allocated.
11/7 2023: KB5028166 is published which fixes CVE-2022-38023
12/7 2023: Bug report at https://bugzilla.samba.org/show_bug.cgi?id=15418
13/7 2023: First suggested patches for Samba, also confirmed working
19/7 2023: Samba version 4.18.15, 4.17.10 and 4.16.11 released
Those Windows systems have had this known security hole for more than 11 months.
regards Henrik
It's not about security.
It's about "secure channel faulty since Windows 10/11 update 07/2023".
You got up some beautiful July day, and every network user can't log in to a workstation, because of "trust relationship between this workstation and the primary domain failed".
No, you can't fix this by removing and adding the workstation to the domain, because in W10 and W11 Microsoft changed the SMB protocol in a way which old Samba versions don't understand.
Using Slackware current for production use is risky.
Yes, but one day current will become something like 15.1 and it would be sad if 15.1 had an outdated samba which has some broken functionality for updated Windows systems.
Quote:
Originally Posted by Olek
It's not about security.
Vulnerabilities are usually about security. However, the CVE-2022-38023 is not about a vulnerability in Samba but a vulnerability in Windows.
Quote:
Originally Posted by Olek
It's about "secure channel faulty since Windows 10/11 update 07/2023".
You got up some beautiful July day, and every network user can't log in to a workstation, because of "trust relationship between this workstation and the primary domain failed".
No, you can't fix this by removing and adding the workstation to the domain, because in W10 and W11 Microsoft changed the SMB protocol in a way which old Samba versions don't understand.
Yes, that is the drawback of depending upon a vendor which decides to make changes which contradict old specifications. It is also the drawback of depending upon a vendor of closed source software. There is no good way for you to fix this on your Windows computers. To make your mixed environment work you will need to adapt your samba servers to Windows' new behavior.
Others, who don't care about AD server functionality in samba, might get upset that this new Samba version breaks functionality they depend upon.
I don't have any influence about which packages get updates in the /patches directory, but I doubt that there will be any patch package for Samba in Slackware 15.0. Possibly some newer samba package could be provided in the /testing directory.
If no such official package comes from Slackware you will be left to roll your own working samba installation. Maybe you want to try to migrate to a newer maintained version of samba. Maybe you want to try to apply patches to the source of Samba 4.15. If so, you probably want these commits from github.com/samba-team/samba/
caf2188
585df7e
5d48ea2
6e87858
Those were the commits made on the 4.16 branch of samba and might require a limited amount of tinkering to work with samba version 4.15.
I can't say for sure how this is going to affect Slackware 15.0 which ships with Samba 4.15 which now is EOL. Often, when a version gets EOL Slackware no longer provides security updates of that software for stable versions.
This is impacting my users as well. Slackware 15.0 is what, only 1-1/2 years old?
IMO EOL packages have no business in any OS this young, especially a package critical to some environments as Samba is.
With obvious exceptions for packages no longer maintained which have no viable replacements etc.
IMO EOL packages have no business in any OS this young, especially a package critical to some environments as Samba is.
Let's have a look at another timeline, Slackware 15.0 changelog vs Samba changelog:
Code:
Mon Aug 16 05:28:16 UTC 2021
Slackware 15.0 release candidate one.
Consider most things frozen and the focus now to be any remaining blocker bugs.
2021-09-20: Samba version 4.15.0 released
Mon Sep 20 18:49:19 UTC 2021
n/samba-4.15.0-x86_64-1.txz: Upgraded.
Thu Oct 28 01:11:07 UTC 2021
n/samba-4.15.1-x86_64-1.txz: Upgraded.
Wed Nov 10 20:32:37 UTC 2021
n/samba-4.15.2-x86_64-1.txz: Upgraded.
Wed Dec 8 20:42:30 UTC 2021
n/samba-4.15.3-x86_64-1.txz: Upgraded.
Wed Jan 12 22:04:33 UTC 2022
Good hello, and welcome to the third and final release candidate for Slackware
15.0. We're 99% frozen at this point and are mostly looking for regression or
other bug reports that might be able to be addressed before this goes stable.
Wed Jan 19 18:18:02 UTC 2022
n/samba-4.15.4-x86_64-1.txz: Upgraded.
Tue Feb 1 04:37:04 UTC 2022
n/samba-4.15.5-x86_64-1.txz: Upgraded.
Wed Feb 2 22:22:22 UTC 2022
Slackware 15.0 x86_64 stable is released!
2022-03-22: Samba version 4.16.0 released
Mon May 2 20:02:49 UTC 2022
patches/packages/samba-4.15.7-x86_64-1_slack15.0.txz: Upgraded.
Wed Jul 27 19:17:38 UTC 2022
patches/packages/samba-4.15.9-x86_64-1_slack15.0.txz: Upgraded.
Wed Oct 19 20:06:33 UTC 2022
patches/packages/samba-4.15.10-x86_64-1_slack15.0.txz: Upgraded.
Tue Oct 25 18:38:58 UTC 2022
patches/packages/samba-4.15.11-x86_64-1_slack15.0.txz: Upgraded.
Thu Nov 17 01:49:28 UTC 2022
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz: Upgraded.
Sat Dec 17 21:14:11 UTC 2022
patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz: Upgraded. (CVE-2022-38023 related)
2023-03-08 Samba 4.15 is EOL, less than 1.5 years after initial release.
Yes, the current situation sucks, but Slackware could not have done anything better than what has been done. Samba version 4.16.0 was released after Slackware 15.0 was released.
I agree that it is bad that something gets EOL after less than 1.5 years, but that is a discussion you should have with the Samba developers.
Upgrading samba to version 4.16 or a newer version might help you, but it might also break things for others.
So what are the options?
Slackware publishes an up to date samba package in the /testing directory for Slackware 15.0
Someone contributes an updated build script for Samba 4.15 which patches version 4.15.13, and a patched 4.15.13 package goes to the /patches directory
A third party samba package for Slackware is published at some place like slackbuilds.org
Every user suffering from this problem rolls his own solution
Also, keep in mind for proper perspective, this is NOT a samba issue, not a Linux issue and not a Slackware issue, IT IS A Windows issue caused by Windows/Microsoft.
In 14.2, samba went from 4.4.4 to finally 4.6.16.
Or in 14.0, from 3.6.8 to 4.2.X to 4.4.X and finally 4.6.16.
Then there is hope that 15.0 will get an updated samba package. Maybe the decision depends upon how backwards compatible the new versions are with old configurations.
It looks like patching samba version 4.15.13 is possible.
If those patches work also with old Samba 4.8 they should work with 4.15. Now there is hope for different solutions for Slackware 15.0.
If it doesn't cause too much trouble to update to a still maintained version of Samba I would prefer such a solution. Even if 4.15.13 gets patched it is still an unmaintained version which hasn't gotten any security updates since December. Before that, there was about one security update every month.
I tried to download the contents of ftp.slackware.com:/pub/slackware/slackware64-current/source/n/samba to a temporary directory of a Slackware64 15.0 machine. Then I ran the samba.SlackBuild as root and it successfully built:
I haven't tried to install it though as this Slackware 15.0 is not intended to be any samba server. I can't say if it might cause any trouble with existing smb.conf files.
However, this might be the first step on a "roll your own solution".
It is nice to see that older versions of Slackware did jump samba versions. On the other hand, both Slackware 14.0 and 14.2 are also examples of currently maintained versions of Slackware which have stopped on a version of samba which has been EOL since 2018.
patches/packages/samba-4.18.5-x86_64-1_slack15.0.txz: Upgraded.
PLEASE NOTE: We are taking the unusual step of moving to the latest Samba
branch because Windows has made changes that break Samba 4.15.x. The last
4.15.x will be retained in /pasture as a fallback. There may be some
required configuration changes with this, but we've kept using MIT Kerberos
to try to have the behavior change as little as possible. Upgrade carefully.
This update fixes security issues:
When winbind is used for NTLM authentication, a maliciously crafted request
can trigger an out-of-bounds read in winbind and possibly crash it.
SMB2 packet signing is not enforced if an admin configured
"server signing = required" or for SMB2 connections to Domain Controllers
where SMB2 packet signing is mandatory.
An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be
triggered by an unauthenticated attacker by issuing a malformed RPC request.
Missing type validation in Samba's mdssvc RPC service for Spotlight can be
used by an unauthenticated attacker to trigger a process crash in a shared
RPC mdssvc worker process.
As part of the Spotlight protocol Samba discloses the server-side absolute
path of shares and files and directories in search results.
For more information, see:
https://www.samba.org/samba/security/CVE-2022-2127.html
https://www.samba.org/samba/security/CVE-2023-3347.html
https://www.samba.org/samba/security/CVE-2023-34966.html
https://www.samba.org/samba/security/CVE-2023-34967.html
https://www.samba.org/samba/security/CVE-2023-34968.html
https://www.cve.org/CVERecord?id=CVE-2022-2127
https://www.cve.org/CVERecord?id=CVE-2023-3347
https://www.cve.org/CVERecord?id=CVE-2023-34966
https://www.cve.org/CVERecord?id=CVE-2023-34967
https://www.cve.org/CVERecord?id=CVE-2023-34968
(* Security fix *)