Synopsis

Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for samba is now available for Red Hat Gluster Storage 3.2 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.

The following packages have been upgraded to a later upstream version: samba (4.4.6). (BZ#1382287)

Security Fix(es):

• It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)
  
• A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)
  

Enhancement(s):

• gluster vfs plugin now supports more than one volfile servers. Samba tries to connect to the next server on the list if one of the gluster server is not reachable. (BZ#1330081)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the smb service will be restarted automatically.

Affected Products

• Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64

Fixes

• BZ - 1290514 - (RHEL7) CTDB: SELinux: ctdb disablescript fails to execute because of SELinux avc's
• BZ - 1379591 - [RHEL7] Bring content into empty distgit branch
• BZ - 1382287 - [RHEL7] Rebase Samba to 4.4.6 for RHGS 3.2.0
• BZ - 1386227 - [RHEL7] Back port changes in shadow copy module for VSS support from upstream
• BZ - 1386230 - [RHEL7] [RFE] gluster vfs plugin should be able to make use of multiple volfile server feature of gfapi
• BZ - 1400948 - [RHEL7] [SAMBA-CTDB]IP failover with ctdb leads to smbd crash
• BZ - 1403114 - CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
• BZ - 1403115 - CVE-2016-2126 samba: Flaws in Kerberos PAC validation can trigger privilege elevation

CVEs

• CVE-2016-2125
• CVE-2016-2126

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

SRPM
samba-4.4.6-4.el7rhgs.src.rpm	SHA-256: 2c849c54b7c3233ba092b1282ba5f712bb9c1773821e31b52ec87d37037b8423
x86_64
ctdb-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 5388b635937174f841f5179f05334a286db8c0815007d4a3bc2e126738e4955a
ctdb-tests-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 176f033c45ae066785cb6b87ef602f571203bb7c563f7204b654bfec0a52d8e3
libsmbclient-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 394968e8af206a8e98f8f6455aacea0261a69d8dbf5705f593f3652bde06009a
libsmbclient-devel-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: a4544ea0cbf78e3128cc599c9e5c008fb1d23329aa211d89e5431a07213dfc1f
libwbclient-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 9a574f9258ca317b7b85d5c5b5ddf65339364b9933b5eb52a80d8b19f04635e6
libwbclient-devel-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 7a227c683fc16f12b88cda86983cd2fcce65e31f69553bbd952c51ad1117d35d
samba-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 7a5203a666c67484acf41c5db0b11f41af7a621360d0bc6b03710e249b72594c
samba-client-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: f2954e813a94e85c29a822dafd1a62aee50ff07d48a06a2246fac6cca513ae03
samba-client-libs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: b48c305ad786dcae7dcc83b217cdfb3be0103bda41eda66b61cddfd35b743345
samba-common-4.4.6-4.el7rhgs.noarch.rpm	SHA-256: 30dd4171ed8906357699f6cdd5494e191377720c3c48a8d663fb849daaad218a
samba-common-libs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: bb7dab3e2a3dcd294bd3c7bfa40a4ec9086413eae466f86e52a183d4203d6ed9
samba-common-tools-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: cf2ae0ed34a93a52d3fb1b0f1eec03929d1109c0e185195a520dc39d66a58110
samba-dc-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: db2f6dfa5ec375032dec8e8525110fd46403bc48ffb68a629dbf320576a90091
samba-dc-libs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 54a7c80dc56a56d6cde347b70d8b42ec47aab78ba9d44c7e842c92656da4cd81
samba-debuginfo-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: a395ca4aef23b73f1b55aa35ca9ba7968752b8b50b9159a6875f165080edc675
samba-devel-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 5d6166bd4e6f191c3fc31c57f7dd8d74e9c731a62b2689b86c9f231ccd4c08c7
samba-krb5-printing-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 87cf26f2dae6e7bf2a273e5700f87672fa186136a6f029f863141c29be4248c2
samba-libs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 4e1e538decb4e5649380ce47dfd48bb655851b84670997e624e604f5f00486cf
samba-pidl-4.4.6-4.el7rhgs.noarch.rpm	SHA-256: a6270143f05f481e85eaf43d52cb2dabc11bee4322b17f22ac405e149847031f
samba-python-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 24b1e693efd2a608ad698894b0bfe2bb7d8dc67e28143131786b797e29602917
samba-test-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: a0f3e05837d9fd3c3f62637d0c6e2e244e01c3d6559056a3957a48e852ddd757
samba-test-libs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 6df753de9e38a80e04ba5e27ce9ac22ac50503bbcc04a128e6c0f6b3c4b04c62
samba-vfs-glusterfs-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 971ac69bbb48757259402af28e873cece4047c7c32ba914dff9663d811f42481
samba-winbind-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 7238957384e0294d0cdaface01529eb670e3ef0454368736b1f4f64dc19bc281
samba-winbind-clients-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 2b41cfa50ee87c4d107e9cd9ea218fb90b727b9fe2919866334dd73838ebca6c
samba-winbind-krb5-locator-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 760b79bd1476eed7cf8775b578f63503cd1cf161ce12a2798ce40df06ea09857
samba-winbind-modules-4.4.6-4.el7rhgs.x86_64.rpm	SHA-256: 81a4a4861b058cb08ee6e0774e9947759deb30550f1ce3c324c3747b392508cb