The version of Samba in our billing server is 4.1.17-Debian.
I have been reminded by our management to implement the patch for Samba on this server.
However, I am not sure how to implement the patch. I have browsed some websites for the correct patch to implement for Samba 4.1.17, and the patch recommended is the patch to address the vulnerability "Unexpected code execution in smbd".
There is no patch specifically for Samba version 4.1.17, however there is one for 4.1.16, and the patch is the same as for 4.1.17, which is to address the "Unexpected code execution in smbd" vulnerability.
When I click on the patch link, I am redirected to a page that displays this :
Code:
From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 28 Jan 2015 14:47:31 -0800
Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
talloc_free on an uninitialized pointer.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c903ae8..cab635f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1101,6 +1101,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
struct loadparm_context *lp_ctx;
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+ }
+
if (schannel_global_required) {
status = schannel_check_required(&p->auth,
computer_name,
@@ -1258,7 +1262,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
{
NTSTATUS status = NT_STATUS_OK;
int i;
- struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds = NULL;
DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
--
2.3.0
From 57c186ee4deda5e75d3588fa0252d9817492bb1f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Feb 2015 10:59:23 +0100
Subject: [PATCH 2/2] s3-netlogon: Make sure we do not deference a NULL
pointer.
This is an additional patch for CVE-2015-0240.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index cab635f..2ba3278 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1275,9 +1275,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
+ const char *computer_name = "<unknown>";
+
+ if (creds != NULL && creds->computer_name != NULL) {
+ computer_name = creds->computer_name;
+ }
DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
- r->in.computer_name, creds->computer_name));
+ r->in.computer_name, computer_name));
TALLOC_FREE(creds);
return status;
}
--
2.3.0
Please provide some guide/steps on how to implement this patch on the server?
Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.
You apply the patch file using patch command:
The patch command takes a patch file as the input and applies the change to one or more original file(s), producing new patched versions.
I just did some research on how patches are applied in Debian, and they suggest downloading the main package; in this case it is "Samba".
Then cd into the downloaded directory, and run
Code:
# ls debian/patches
to see all available patches. This is because to install a new patch like what I want, then all the other patches have to be installed also. However, when I do the same, there is no "debian/patches" folder in the Samba directory.
Does this mean that there are no other patches for Samba, and I can just go ahead and install the patch above?
According the patch guide, the patch has to be installed, then only build samba from source. However, when I apply the patch, this is the error I receive :
Code:
root@TestVM:/home/aigini/samba-4.6.6# patch -p1 < samba-4.1.16-CVE-2015-0240.patch
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected! Assume -R? [n] y
Hunk #1 succeeded at 1113 (offset 12 lines).
Hunk #2 FAILED at 1258.
1 out of 2 hunks FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 1275.
1 out of 1 hunk FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
root@TestVM:/home/aigini/samba-4.6.6#
What does the error mean, and how do I resolve this error?
Also, If I were to re-build samba from source, what will happen to the current samba which is installed on the server? Will it cause any problems/crash?
---------- Post updated at 01:33 PM ---------- Previous update was at 11:56 AM ----------
I tried changing the option for -p to 0 instead of 1 :
Code:
patch -p0 < samba-4.1.16-CVE-2015-0240.patch
This is the output I get :
Code:
root@TestVM:/home/aigini# patch -p0 < samba-4.1.16-CVE-2015-0240.patch
can't find file to patch at input line 19
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
|From: Jeremy Allison <jra@samba.org>
|Date: Wed, 28 Jan 2015 14:47:31 -0800
|Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
| talloc_free on an uninitialized pointer.
|
|Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
|
|Signed-off-by: Jeremy Allison <jra@samba.org>
|Reviewed-by: Stefan Metzmacher <metze@samba.org>
|---
| source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
| 1 file changed, 5 insertions(+), 1 deletion(-)
|
|diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|index c903ae8..cab635f 100644
|--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
--------------------------
File to patch:
What do I do next? Is the option I use for patching correct?
I have applied a patch using this command:
patch -p1 < (file)
then I did git commit -a.
Now I want to recompile the kernel for making this patch live.
Should I use
make oldconfig
or
make localmodconfig
After that,
make -j$(grep -c "processor" /proc/cpuinfo)
sudo make... (1 Reply)
I am running HP-UX 11iv3 March 2013 release.
smbstatus -V #output
Version 3.4.3 based HP CIFS Server A.03.01.03
What exactly version i am running?
is it 3.4.3 or
A.03.01.03?
Thank you! (1 Reply)
Hi guys,
Question:
I downloaded a security update for samba:
samba-3.0.7-CAN-2004-0882.patch
The question is how can I get in installed? I cannot find instructions anywhere and it is not a tar file.
Little help? (1 Reply)
I'm trying to setup our jumpstart server to automatically apply the latest patch cluster during installs, but I'm running into an issue. Every time Jumpstart runs it has this error. Obviously it's processing the patch_order file, so I'm not sure what I'm missing.
... (0 Replies)
Hi there,
Apologies if this question has been asked and answered already but I've not been able to find the thread.
Question: Is it possible to apply the Solaris 10 Recommended Patch Cluster to a whole root (non-global) zone locally? I.E. apply the patch cluster from the non-global in... (3 Replies)
Hi,
As in the solaris material i know that the patch is added through the command "patchadd <patch no.>".
But i need to know, what are all the steps we have to follow while applying a patch in a production server. My friend says that we have to detach mirror before applying patch and not... (6 Replies)
Hi,
Is there any command to know the patch version?Suppose i installed RTlinux patch in rethat linux.How can i know the patch version installed?Any helps appreciated.
Thanks,
Sathi. (2 Replies)
Hi ,
I need to collect all information about the patches in my server , I want to know what is the required patch and how to apply it.
Regards (2 Replies)