Patch the Badlock bug in the initial release of Ubuntu 16.04

Bug #1566348 reported by rpr nospam on 2016-04-05
This bug affects 2 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)

Bug Description

On 12 April Microsoft and the Samba Team will release patches to fix the Badlock bug (see, a crucial security bug in Windows and Samba.

As the release of Ubuntu 16.04 is scheduled for 21 April, it could be possible and is highly desirable to include appropriate patches for Samba in the initial release of Ubuntu 16.04.

rpr nospam (rpr-nospam) on 2016-04-05
information type: Private Security → Public Security
Ryan Harper (raharper) on 2016-04-05
Changed in samba (Ubuntu):
importance: Undecided → High
Changed in samba (Ubuntu):
status: New → Triaged
rpr nospam (rpr-nospam) wrote :

No, this is not a duplicate of #1569497, which "is for tracking regressions while the updated packages are in the security team PPA".

I reported this bug to make sure the new samba packages which patch Badlock&co will be included in the initial release of Ubuntu 16.04.

Marc Deslauriers (mdeslaur) wrote :

Fixed by:

samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
    - CVE-2015-5370: Multiple errors in DCE-RPC code
    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
    - CVE-2016-2112: The LDAP client and server don't enforce integrity
    - CVE-2016-2113: Missing TLS certificate validation allows man in the
      middle attacks
    - CVE-2016-2114: "server signing = mandatory" not enforced
    - CVE-2016-2115: SMB client connections for IPC traffic are not
      integrity protected
    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
    can talk to trusted domains DCs.

 -- Marc Deslauriers <email address hidden> Tue, 12 Apr 2016 07:26:29 -0400

Changed in samba (Ubuntu):
status: Triaged → Fix Released