Bug 40988

Summary: samba: multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: botner, walkenhorst
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-1-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
Bug group (optional): Security
Bug Blocks: 40989, 41193    

Description Arvid Requate univentionstaff 2016-04-04 15:20:07 CEST
Samba 4.3.7 fixes a couple of security issues.
Comment 1 Felix Botner univentionstaff 2016-04-05 14:44:08 CEST
* /etc/univention/ssl/ucsCA/crl/crl.pem is only available on master and backup

* after univention-install univention-s4connector libtalloc2, python-tdb,
  libtdb1, libtevent0, python-talloc are not up-to-date

  apt-get -s dist-upgrade 
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Paketaktualisierung (Upgrade) wird berechnet... Fertig
Die folgenden Pakete werden aktualisiert (Upgrade):
  libtalloc2 libtdb1 libtevent0 python-talloc python-tdb
5 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Inst libtalloc2 [2.1.2-3.33.201505181902] (2.1.5-1.51.201604041348 192.168.0.10 [amd64])
Inst python-tdb [1.3.6-1.50.201507161446] (1.3.8-1.66.201604041353 192.168.0.10 [amd64]) []
Inst libtdb1 [1.3.6-1.50.201507161446] (1.3.8-1.66.201604041353 192.168.0.10 [amd64])
Inst libtevent0 [0.9.25-1.30.201507161435] (0.9.26-1.43.201604041350 192.168.0.10 [amd64])
Inst python-talloc [2.1.2-3.33.201505181902] (2.1.5-1.51.201604041348 192.168.0.10 [amd64])
Conf libtalloc2 (2.1.5-1.51.201604041348 192.168.0.10 [amd64])
Conf libtdb1 (1.3.8-1.66.201604041353 192.168.0.10 [amd64])
Conf python-tdb (1.3.8-1.66.201604041353 192.168.0.10 [amd64])
Conf libtevent0 (0.9.26-1.43.201604041350 192.168.0.10 [amd64])
Conf python-talloc (2.1.5-1.51.201604041348 192.168.0.10 [amd64])

  maybe we need a versioned dependency?
  Installation worked fine though.
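
A check for the condition reported in this comment, as an added example that is not part of the original bug report: it reads `apt-get -s dist-upgrade` output on stdin and reports which of the five libraries would still be upgraded. The function names and the last three sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag watched packages that a simulated dist-upgrade would
# still upgrade. The "Inst" lines are not localized, so German output as in
# the comment parses the same way as LC_ALL=C output.

# Packages named in the comment.
WATCHED="libtalloc2 libtdb1 libtevent0 python-talloc python-tdb"

# pending_upgrades: read simulation output on stdin and print
# "pkg installed -> candidate" for every watched package that has an
# "Inst pkg [installed] (candidate ...)" line. Returns 1 if any were found.
pending_upgrades() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # A bracketed third field marks an upgrade; new installs have none.
        $1 == "Inst" && ($2 in want) && $3 ~ /^\[/ {
            old = substr($3, 2, length($3) - 2)   # strip [ and ]
            new = substr($4, 2)                   # strip leading (
            printf "%s %s -> %s\n", $2, old, new
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Sample input: the first two lines are taken from the comment, the
# remaining three are constructed (unwatched package, new install, Conf line).
sample_apt_output() {
    cat <<'EOF'
Inst libtalloc2 [2.1.2-3.33.201505181902] (2.1.5-1.51.201604041348 192.168.0.10 [amd64])
Inst python-tdb [1.3.6-1.50.201507161446] (1.3.8-1.66.201604041353 192.168.0.10 [amd64]) []
Inst example-tool [1.0-1] (1.1-1 192.168.0.10 [amd64])
Inst libtevent0 (0.9.26-1.43.201604041350 192.168.0.10 [amd64])
Conf libtalloc2 (2.1.5-1.51.201604041348 192.168.0.10 [amd64])
EOF
}

# Usage on a live system:
#   apt-get -s dist-upgrade | pending_upgrades || echo "libraries not up to date"
```
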
Comment 2 Arvid Requate univentionstaff 2016-04-06 22:04:57 CEST
Done:
• for p in ldb samba; do
   repo_admin.py -F -r 4.1-0-0-ucs -s errata4.1-1 -p $p
   b41-scope errata4.1-1 $p
   done

• svn cp ucs-school-4.1/univention-ldb-modules ucs-4.1-1/services/
• Dependency adjusted for Samba 3.2.7 ldb version
• build ucs_4.1-0-errata4.1-1 ucs-4.1-1/services/univention-ldb-modules

• b41-scope errata4.1-1 winexe

• univention-samba4 smb.conf options adjusted for Samba 4.3.7


Current version matrix:

talloc:
2.1.5-1.37.201604061642:        ucs_3.1-0-extsec3.1
2.1.5-1.38.201604061644:        ucs_3.2-0-errata3.2-8
2.1.5-1.39.201604061650:        ucs_3.3-0
2.1.5-1.40.201604061653:        ucs_4.0-0-errata4.0-5
2.1.5-1.41.201512111354:        ucs_4.1-0-errata4.1-0 # no update

tevent:
0.9.26-1.29.201604061703:       ucs_3.1-0-extsec3.1
0.9.26-1.30.201604061703:       ucs_3.2-0-errata3.2-8
0.9.26-1.31.201604061703:       ucs_3.3-0
0.9.26-1.32.201604061703:       ucs_4.0-0-errata4.0-5
0.9.26-1.33.201512111415:       ucs_4.1-0-errata4.1-0 # no update

tdb:
1.3.8-1.50.201604061726:        ucs_3.1-0-extsec3.1
1.3.8-1.51.201604061726:        ucs_3.2-0-errata3.2-8
1.3.8-1.52.201604061744:        ucs_3.3-0
1.3.8-1.53.201604061726:        ucs_4.0-0-errata4.0-5
1.3.8-1.54.201512111342:        ucs_4.1-0-errata4.1-0 # no update

ldb:
Version:        2:1.1.25-1.68.201604061731:     ucs_3.1-0-extsec3.1
Version:        2:1.1.25-1.69.201604061731:     ucs_3.2-0-errata3.2-8
Version:        2:1.1.25-1.70.201604061731:     ucs_3.3-0
Version:        2:1.1.25-1.71.201604061731:     ucs_4.0-0-errata4.0-5
Version:        2:1.1.25-1.72.201604061731:     ucs_4.1-0-errata4.1-1

samba:
Version:        2:4.3.7-1.826.201604061853:     ucs_3.1-0-extsec3.1
Version:        2:4.3.7-1.827.201604061853:     ucs_3.2-0-errata3.2-8
Version:        2:4.3.6-1.874.201604011331:     ucs_3.3-0     ## TODO
Version:        2:4.3.7-1.829.201604062049:     ucs_4.0-0-errata4.0-5
Version:        2:4.3.7-1.830.201604062051:     ucs_4.1-0-errata4.1-1
Comment 3 Arvid Requate univentionstaff 2016-04-12 16:03:15 CEST
Resolved for final QA and release stage.
Comment 4 Felix Botner univentionstaff 2016-04-12 17:36:27 CEST
Tests, see http://bladis.knut.univention.de/71iBVhOsGa

OK - Install
OK - Update

OK - samba.yaml
OK - ldb.yaml
OK - univention-ldb-modules.yaml
OK - univention-samba4.yaml (missing entry for 40383)
Comment 6 Arvid Requate univentionstaff 2016-04-12 19:48:51 CEST
Fixes: CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
       CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118