Date: Tue, 30 May 2017 19:16:12 +0200 From: "O. Hartmann" <ohartmann@walstatt.org> To: Dimitry Andric <dim@FreeBSD.org> Cc: "O. Hartmann" <ohartmann@walstatt.org>, freebsd-security@freebsd.org Subject: Re: Samba CVE-2017-7494 and SMB implementation of FreeBSD 10 through 12 Message-ID: <20170530191612.71ab88b5@thor.intern.walstatt.dynvpn.de> In-Reply-To: <F67019CC-9B84-4D2E-B027-214216D3DCFC@FreeBSD.org> References: <CAGYSLOcqeqyYgw3BFyoRKO5RcJkmiYFMPT7qps1j-%2BobL2x==g@mail.gmail.com> <F875D26C-F8DA-438F-AE40-8E7B2F5CDC29@FreeBSD.org> <20170530185559.2b94ca1b@thor.intern.walstatt.dynvpn.de> <F67019CC-9B84-4D2E-B027-214216D3DCFC@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Am Tue, 30 May 2017 19:14:42 +0200 Dimitry Andric <dim@FreeBSD.org> schrieb: > On 30 May 2017, at 18:55, O. Hartmann <ohartmann@walstatt.org> wrote: > > > > Am Mon, 29 May 2017 23:47:46 +0200 > > Dimitry Andric <dim@FreeBSD.org> schrieb: > > > >> On 29 May 2017, at 18:53, Darko Gavrilovic <d.gavrilovic@gmail.com> wrote: > >>> > >>> Hello, does anyone know or able to confirm if Samba CVE-2017-7494 > >>> affects Samba 3.6.25 on Freebsd 9.x? > >>> > >>> https://lists.samba.org/archive/samba-announce/2017/000406.html > >> > >> The advisory very clearly says "all versions of Samba from 3.5.0 > >> onwards", so yes. In addition, the 3.x series is dead, and completely > >> unsupported. It is probably wise to upgrade, for example to 4.6.4. > >> > >> -Dimitry > >> > > > > I'm just curious and to have an answere at hand for my superiors: > > > > FreeBSD has a SMB implementation we uitlise with FreeBSD 10.3 and 11.0. Is FreeBSD's > > implementation somehow affected by the bug revealed in SAMBA >= 3.6.25? > > If you mean smbfs, then that is an SMB *client* only, not a server. > CVE-2017-7494 is specifically about an exploitable bug in Samba's SMB > server component. FreeBSD does not provide any SMB server in the base > system. > > That said, I don't know whether there are any security bugs in our smbfs > client implementation. It is really a completely different matter. The > code seems to have been largely unmaintained for years, though, so > purely on that basis it does not inspire a great deal of confidence. > > -Dimitry > Thank you very much for these clear words! Oliver -- O. Hartmann Ich widerspreche der Nutzung oder Übermittlung meiner Daten für Werbezwecke oder für die Markt- oder Meinungsforschung (§ 28 Abs. 4 BDSG). [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iLUEARMKAB0WIQQZVZMzAtwC2T/86TrS528fyFhYlAUCWS2o3AAKCRDS528fyFhY lHtrAf9JPHJXuSsIAuoyhzhtQ6ET4gcHGyQhPVO5p47gKDzquBRXRfIvtqkHlJl2 ghh3Z6AZDbIOIkzayJMdPDRQwjNIAf9sBi7hUtGhlGBnB3/q+AhMBHdkSpqPrMSp ia364KwKlDp22EKtEu7gr4vwbchRB6RwFueEUn5Xz0n6dRDi6kU2 =YBJu -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170530191612.71ab88b5>