Vulnerabilities in SAMBA


Recently, multiple vulnerabilities were found in the SAMBA packages.

How can I update the samba packages to version 4.15.2 or 4.14.10, according to this article, on Red Hat 8?

When I try to update through the command yum update samba*, the system does not find any updates.

I also want to update the packages on Red Hat 6:

Here I have the same problem with the update.


Hi Darya,

If you look at the links, you see that Red Hat has not created a fix yet for RHEL 7 and RHEL 8.

For RHEL 6 no fix will be created, out of scope.


Jan Gerrit

Ok, thanks. Is there any date when this issue will be fixed for RHEL7 and RHEL8?

Hi Darya,

I am a customer, not a Red Hat employee. I cannot answer that question.

If you wish to get an estimate on the release of the fixes, please open a support case.


Jan Gerrit

Hi Darya,

See previous posts of course, like Jan's above. mentions this mitigation (not an RPM fix), so this is a configuration mitigation:

Ensure the following [global] smb.conf parameters are set to their default values as shown below:

  client lanman auth = no
  client NTLMv2 auth = yes
  client plaintext auth = no
  client min protocol = SMB2_02
Or use the '-k' command line option only without the -U option, which will make use of an existing krb5 ccache.

 mentions this mitigation:

Setting "gensec:require_pac=true" in the smb.conf makes, due to a cache prime in winbind, the DOMAIN\user lookup succeed, provided nss_winbind is in use, 'winbind use default domain = no' (the default) and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password

 (repeat for e.g. all system users under 1000 in /etc/passwd or special to any other AD-connected services, e.g. perhaps "admin" for a web app)

 mentions samba and samba4 are not affected up through RHEL 8; however, the ipa package IS AFFECTED according to this link.

 shows RHEL 8 is affected; prior releases of 6 through 7 are not.

Like Jan said, open a case with Red Hat for the non-resolved items.

Some of these (for the moment) mandate fixes in the configuration (excerpts above in the text blocks).

Regarding RHEL 6, the only way to resolve the rpms is to purchase Extended Update Support. I'd recommend migrating to a current version of RHEL for anything that is RHEL 6 (and beginning an action plan to get from RHEL 7 to 8). RHEL 6 has numerous other security vulnerabilities otherwise; please see this link regarding RHEL 6.

Kind Regards,
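The two configuration mitigations quoted in the thread are easy to get subtly wrong (a parameter left unset silently falls back to whatever the installed Samba build defaults to, and a weaker `client min protocol` such as NT1 defeats the point). The script below is an added example, not part of the thread and not Samba's or Red Hat's code: it parses an smb.conf, reports which of the quoted `[global]` values are missing or weaker than required, and generates the `samba-tool` pre-create commands from /etc/passwd-style entries for local users with uid below 1000 that have no AD counterpart. The smb.conf and passwd contents are constructed samples; `$SERVER` and `$USERNAME%$PASSWORD` are carried over from the thread's own command, and the added `samba-tool user disable` step is my addition to match the "pre-create disabled users" advice (the thread's example only runs `user add`).

```python
"""Added example (not from the thread, Samba or Red Hat): check an smb.conf
against the hardening values quoted above plus gensec:require_pac, and emit
samba-tool commands to pre-create and disable AD accounts for local system
users.  All sample inputs below are constructed."""
import re


def _norm_name(name):
    # Samba matches parameter names case-insensitively and ignores whitespace
    # inside them, so "client NTLMv2 auth" == "clientntlmv2auth".
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {normalised name: value}}.
    'include =' and %-substitutions are not followed; on a real host use
    'testparm -s' to obtain the effective configuration first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][_norm_name(name)] = value.strip()
    return sections


# Samba's accepted boolean spellings, folded to yes/no for comparison.
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "on": "yes",
         "no": "no", "false": "no", "0": "no", "off": "no"}

# SMB dialects from weakest to newest; a stricter 'client min protocol' than
# SMB2_02 (e.g. SMB3) satisfies the mitigation, NT1 or CORE does not.
_PROTO = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
_PROTO_ALIAS = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def _proto_rank(value):
    v = value.strip().upper()
    v = _PROTO_ALIAS.get(v, v)
    return _PROTO.index(v) if v in _PROTO else -1   # unknown dialect: fails


# [global] values quoted in the thread's two mitigation excerpts.
REQUIRED_GLOBAL = {
    "client lanman auth": "no",
    "client NTLMv2 auth": "yes",
    "client plaintext auth": "no",
    "client min protocol": "SMB2_02",
    "gensec:require_pac": "true",
}


def check_mitigation(text):
    """Return a list of findings; an empty list means the config complies."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for name, wanted in REQUIRED_GLOBAL.items():
        actual = glob.get(_norm_name(name))
        if actual is None:
            # Unset: the compiled-in default applies, and defaults differ
            # between Samba versions, so insist on an explicit value.
            findings.append(f"{name}: not set, relies on the build default; set '{wanted}' explicitly")
        elif name == "client min protocol":
            if _proto_rank(actual) < _proto_rank(wanted):
                findings.append(f"{name}: is '{actual}', must be {wanted} or newer")
        elif _BOOL.get(actual.lower()) != _BOOL[wanted]:
            findings.append(f"{name}: is '{actual}', should be '{wanted}'")
    return findings


def precreate_commands(passwd_text, ad_users, server="$SERVER",
                       creds="$USERNAME%$PASSWORD", max_uid=1000):
    """samba-tool commands for each passwd entry with uid < max_uid that has
    no AD account (names compared case-insensitively).  The 'user disable'
    step is added here so the placeholder account cannot be used to log in."""
    have = {u.lower() for u in ad_users}
    cmds = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if uid >= max_uid or name.lower() in have:
            continue
        cmds.append(f"samba-tool user add {name} -H ldap://{server} -U{creds} --random-password")
        cmds.append(f"samba-tool user disable {name} -H ldap://{server} -U{creds}")
    return cmds


# Constructed sample inputs (not taken from any real host).
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   client lanman auth = yes
   client NTLMv2 auth = yes
   client min protocol = NT1
"""
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   client lanman auth = no
   client NTLMv2 auth = yes
   client plaintext auth = no
   client min protocol = SMB3
   gensec:require_pac = true
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ubuntu:x:999:999::/home/ubuntu:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for f in check_mitigation(WEAK_CONF):
        print("FINDING:", f)
    print("hardened findings:", check_mitigation(HARDENED_CONF))
    print("\n".join(precreate_commands(PASSWD, ad_users=["bin"])))
```

Feed it the output of `testparm -s` rather than the raw file on a host that uses `include =` or `%`-substitutions, and review the generated command list before running it: every name it emits is a local account that will gain a (disabled) AD object, which is the intended effect of the mitigation but still a change to the directory.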