Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.

  • 1.  AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Thu June 06, 2019 03:17 PM

    Originally posted by: Greg Antonov


    Hi developers,

     

    I'm creating this topic for one of my customers that can't seem to be able to login to the devWorks portal or the forums.

     

    The latest available version of Samba on the AIX Toolbox for Linux applications is 4.9.3.

     

    Based on the documentation for CVE-2018-16860, the affected range for Samba 4.9 is 4.9.x < 4.9.8. A fix was shipped in Samba 4.9.8 per the following samba.org security advisory:
    Samba AD DC S4U2Self/S4U2Proxy unkeyed check
    https://www.samba.org/samba/security/CVE-2018-16860.html
     

    • Is the Toolbox Samba 4.9.3 package affected by CVE-2018-16860?
    • If it is, is there a plan to release a new version of Samba for AIX or backport a fix to the latest available version?
    • When could a new version or backported fix be expected?

     

    Thanks in advance!
    ---

    Greg Antonov

    IBM AIX Development Support
    grigor.antonov@bg.ibm.com


    #AIX-Open-Source-Software
    #AIXOpenSource


  • 2.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Mon June 10, 2019 06:56 AM

    Originally posted by: AyappanP


    The mentioned vulnerability (CVE-2018-16860) affects Samba AD DC, i.e., Active Directory Domain Controller.

    The AIX Toolbox Samba build doesn't have Domain Controller support. So it is not affected by this vulnerability.

    We will be uploading Samba 4.9.6 soon in AIX Toolbox as Samba 4.9.3 is affected by CVE-2019-3880.




  • 3.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Mon June 10, 2019 12:57 PM

    Originally posted by: Greg Antonov


    Thanks for the reply, Ayappan.
     
    My customer replied saying that their Tenable scanner will complain about the version of Samba unless they upgrade to 4.9.8 (regardless of the fact that the Toolbox Samba is not affected by CVE-2018-16860). The scanner doesn't have the capability to identify that the Samba build does not ship a KDC/AD DC; it simply looks at the version, and since the official Samba fix is in 4.9.8, it has become a requirement for the customer's environment to be at that version -- not 4.9.3 and not 4.9.6.

     

    So the following two questions come up:

     

    • Are there any plans to release a build of Samba for AIX with version number 4.9.8?
    • If there are, is there a roadmap for release dates (or a year-to-year schedule)?
    Thanks so much!
    ---
    Greg Antonov
    IBM AIX Development Support
    grigor.antonov@bg.ibm.com

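    Added example, not code from this thread or from IBM or the Samba project: a small Python model of the difference between the version-only verdict a scanner gives and a build-aware one. The rpm NVR strings and the `ad-dc` component label are constructed assumptions; the affected range (4.9.x < 4.9.8) is the one quoted in the thread.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str                 # Samba component the flaw lives in
    fixed_by_series: dict          # (major, minor) -> first fixed version tuple


# Affected range as quoted in the thread: Samba 4.9.x < 4.9.8, fixed in 4.9.8.
# Only the AD DC (S4U2Self/S4U2Proxy path in the KDC) is affected.
CVE_2018_16860 = Advisory("CVE-2018-16860", "ad-dc", {(4, 9): (4, 9, 8)})

_NVR = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)$")


def version_from_rpm(nvr):
    """Pull the upstream version out of an rpm NVR string such as 'samba-4.9.3-1'
    (constructed sample; the packager's release suffix is ignored for range checks)."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not an rpm NVR: %r" % nvr)
    return tuple(int(p) for p in m.group("ver").split("."))


def in_affected_range(version, adv):
    """True if version is below the fix for its series, False if at/after the fix,
    None if the advisory entry says nothing about that series."""
    fixed = adv.fixed_by_series.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def scanner_verdict(nvr, adv):
    """Version-only verdict, the way the thread describes the Tenable result."""
    return in_affected_range(version_from_rpm(nvr), adv) is True


def build_aware_verdict(nvr, adv, build_components):
    """Flag only when the version is in range AND the build ships the component.
    'build_components' is a constructed label set, not a real Samba build flag."""
    return scanner_verdict(nvr, adv) and adv.component in build_components
```

    A Toolbox build without the AD DC still shows as affected to the version-only check, which is exactly why the customer's scanner keeps demanding 4.9.8.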


  • 4.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Tue June 11, 2019 02:38 AM

    Originally posted by: AyappanP


    Currently we are working on releasing Samba 4.10.2 in AIX Toolbox. Since 4.10.3 came as a security release, Toolbox will have 4.10.3. We are probably targeting the end of this month.

    There is no roadmap as such. The Samba community has aggressive release schedules and we are making sure Toolbox will have supported Samba releases.

    https://wiki.samba.org/index.php/Samba_Release_Planning




  • 5.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Tue July 02, 2019 11:32 AM

    Originally posted by: Greg Antonov


    Hi Ayappan,

     

    Is there more information about the ETA of Samba 4.10.3? I know that you mentioned the end of the month tentatively, but I have a few customers that would appreciate an update about the release date.

     

    Thanks!

    ---

    Greg Antonov
    IBM AIX Development Support
    grigor.antonov@bg.ibm.com



  • 6.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Tue July 02, 2019 11:45 AM

    Originally posted by: AyappanP


    We are working on it.

    So far, Samba on AIX Toolbox is a 32-bit build with the XLC compiler. We are working on a 64-bit build using the GCC compiler (version 8) this time.

    So I would say two more weeks.




  • 7.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Wed July 24, 2019 11:48 AM

    Originally posted by: Greg Antonov


    Hi Ayappan,

     

    Just wanted to check again on the progress of the new Samba build as my customer is asking for an update again. It's been a few weeks since the last ETA was provided.

     

    Thanks!

    ---

    Greg Antonov
    IBM AIX Development Support
    grigor.antonov@bg.ibm.com



  • 8.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Thu July 25, 2019 02:20 AM

    Originally posted by: AyappanP


    There are some issues with Active Directory support in the latest version, found during testing. Working on that.



  • 9.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Wed July 31, 2019 04:45 PM

    Originally posted by: releex01


    Will there be an option for a bundle that includes all the dependencies required for an install/upgrade?




  • 10.  Re: AIX - Samba 4.9.3 vulnerability - CVE-2018-16860

    Posted Thu August 01, 2019 02:30 AM

    Originally posted by: AyappanP


    No, there won't be any bundle as such.

    Either use YUM or individually download the RPMs to install/upgrade.

