Patch the Badlock bug in the initial release of Ubuntu 16.04

Bug #1566348 reported by rpr nospam
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
samba (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

On 12 April Microsoft and the Samba Team will release patches to fix the Badlock bug (see http://badlock.org), a crucial security bug in Windows and Samba.

As the release of Ubuntu 16.04 is scheduled for 21 April, it could be possible and is highly desirable to include appropriate patches for Samba in the initial release of Ubuntu 16.04.

rpr nospam (rpr-nospam)
information type: Private Security → Public Security
Ryan Harper (raharper)
Changed in samba (Ubuntu):
importance: Undecided → High
Changed in samba (Ubuntu):
status: New → Triaged
Russell Jones (russell-jones-oxphys) wrote :
rpr nospam (rpr-nospam) wrote :

No, this is not a duplicate of #1569497, which "is for tracking regressions while the updated packages are in the security team PPA".

I reported this bug to make sure the new samba packages which patch Badlock&co will be included in the initial release of Ubuntu 16.04.

Marc Deslauriers (mdeslaur) wrote :

Fixed by:

samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
    - CVE-2015-5370: Multiple errors in DCE-RPC code
    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
    - CVE-2016-2112: The LDAP client and server don't enforce integrity
      protection
    - CVE-2016-2113: Missing TLS certificate validation allows man in the
      middle attacks
    - CVE-2016-2114: "server signing = mandatory" not enforced
    - CVE-2016-2115: SMB client connections for IPC traffic are not
      integrity protected
    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
    can talk to trusted domains DCs.

 -- Marc Deslauriers <email address hidden> Tue, 12 Apr 2016 07:26:29 -0400

Changed in samba (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
