Badlock security update tracking bug

Bug #1569497 reported by Marc Deslauriers
290
This bug affects 6 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
Undecided
Unassigned

Bug Description

Today Samba released updates for the Badlock security issue:

http://badlock.org/

This bug is for tracking regressions while the updated packages are in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Steve Beattie (sbeattie)
Changed in samba (Ubuntu):
status: New → In Progress
Revision history for this message
Simon Déziel (sdeziel) wrote :

Prior to this update, the usr.sbin.smbd profile was missing those Apparmor rules:

  capability audit_write,
  /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
  /usr/lib/@{multiarch}/samba/**/ r,
  /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,

Now with 4.3.8+dfsg-0ubuntu0.14.04.2, the following additional rules are also needed:

  /{,var/}run/samba/msg.lock/ rw,
  /{,var/}run/samba/msg.lock/[0-9]* rwk,

Revision history for this message
Simon Déziel (sdeziel) wrote :

On some other configurations I've also seen the sys_admin capability to be needed. I think this capability is needed when using the "force user/group" options.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks Simon!

Could you please file a bug against the apparmor package, where that profile is located since it's not actually part of the packages in this update? Thanks!

Revision history for this message
Simon Déziel (sdeziel) wrote :

Apologies, the AA profile is not shipped with Samba. Please ignore my previous comments (#1 and #2).

The test packages work well on Trusty!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This has now been released

http://www.ubuntu.com/usn/usn-2950-1/

Changed in samba (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Related questions