McGraw, Robert P | 18 Apr 2012 17:06

samba patch from oracle.


Has anyone seen an Oracle patch for the recent Samba error CVE ID#:
CVE-2012-1182.

If so, what is the patch number?

Thanks

Robert

_____________________________________________________________________
Robert P. McGraw, Jr.
Manager, Computer System                    EMAIL: rmcgraw <at> purdue.edu
Purdue University                            ROOM: MATH-807
Department of Mathematics                   PHONE: (765) 494-6055
150 N. University Street
West Lafayette, IN 47907-2067

Ray Van Dolson | 18 Apr 2012 17:09

Re: samba patch from oracle.

On Wed, Apr 18, 2012 at 08:06:35AM -0700, McGraw, Robert P wrote:
> 
> Has anyone seen an Oracle patch for the recent Samba error CVE ID#:
> CVE-2012-1182.
> 
> If so, what is the patch number?

I haven't seen one released yet.  119757-21 seems to still be the
latest.

Ray

McGraw, Robert P | 18 Apr 2012 17:14

Re: samba patch from oracle.

FYI,

I submitted an SR to Oracle about this and they told me they were working
on a patch and they would let me know when it was ready.

I have not heard back from Oracle and was just checking to be sure I did
not miss something.

I will let the forum know when/if I hear back.

Robert


Paul B. Henson | 18 Apr 2012 21:13

Re: samba patch from oracle.

On 4/18/2012 8:14 AM, McGraw, Robert P wrote:

> I submitted an SR to Oracle about this and they told me they were working
> on a patch and they would let me know when it was ready.

I have an open SR as well 8-/, currently with a follow-up date of 4/30.
Not that I expect an actual solution by then, based on past performance
I anticipate it taking 6-12 weeks or even longer to get a patch.

I asked how come all of the major Linux vendors had a patch available
within hours of the announcement, whereas with Oracle it took days to
even get them to realize there was an issue and say they would look into
it. No response on that. Don :)? Most likely the script kiddies only
have Linux shell code for this, so hopefully the wide open
unauthenticated remote code execution with root privileges bug doesn't
get exploited on my production servers while I'm sitting here twiddling
my thumbs. I'd run my own local Samba rather than the Oracle bundled one
but it's such a royal pain in the ass to get Samba compiled under
Solaris <sigh>.

AFAIK there's still just one guy in Prague that works on samba.

I wish one of the Illumos distributions was production ready.

Jeff Wieland | 18 Apr 2012 21:20

Re: samba patch from oracle.

Paul B. Henson wrote:
> [...] I'd run my own local samba rather than the Oracle
> bundled one but it's such a royal pain in the ass to get samba
> compiled under Solaris <sigh>.

I've been building Samba on Solaris since the Solaris 2.3 days...  It
isn't that hard...  Not nearly as bad as Pidgin or Seamonkey :-).

Francois | 18 Apr 2012 21:27

Re: samba patch from oracle.

On Wed, 18 Apr 2012, Jeff Wieland wrote:

> Paul B. Henson wrote:
>> [...] I'd run my own local samba rather than the Oracle bundled one but it's such a royal pain in the
>> ass to get samba compiled under Solaris <sigh>.
>
> I've been building Samba on Solaris since the Solaris 2.3 days...  It
> isn't that hard...  Not nearly as bad as Pidgin or Seamonkey :-).

Dagobert Michelsen | 18 Apr 2012 22:13

Re: samba patch from oracle.

Hi Francois,

On 18.04.2012 at 21:27, Francois wrote:
> [...]
> 
> A wiki or something relating your various experiences would be greatly appreciated :)

You could also take a look at the build recipe for the OpenCSW Samba 3.6.4 package:
  http://sourceforge.net/apps/trac/gar/browser/csw/mgar/pkg/samba/trunk/Makefile

Best regards

  -- Dago

Jeff Wieland | 18 Apr 2012 22:26

Re: samba patch from oracle.

Dagobert Michelsen wrote:
> [...]

Francois | 19 Apr 2012 00:42

Re: samba patch from oracle.

On Wed, 18 Apr 2012, Dagobert Michelsen wrote:

> [...]
>
> You could also take a look at the build recipe for the OpenCSW Samba 3.6.4 package:
>  http://sourceforge.net/apps/trac/gar/browser/csw/mgar/pkg/samba/trunk/Makefile
>


Laurent Blume | 19 Apr 2012 14:16

Re: samba patch from oracle.

On 19/04/12 00:42, Francois wrote:
> Thanks Dagobert for pointing this out! Seems to be the only way to
> upgrade the DIY way without waiting for Oracle to react!...

Or use OpenCSW and prod them a little on #opencsw when needed.
I just did that for Samba, found a packaging bug for them, but in the 
end it works better than Solaris' ;-)

Laurent

francis picabia | 20 Apr 2012 17:12

Re: samba patch from oracle.

On Thu, Apr 19, 2012 at 9:16 AM, Laurent Blume <laurent <at> elanor.org> wrote:
> On 19/04/12 00:42, Francois wrote:
>
>> Thanks Dagobert for pointing this out! Seems to be the only way to
>> upgrade the DIY way without waiting for Oracle to react!...
>
>
> Or use OpenCSW and prod them a little on #opencsw when needed.
> I just did that for Samba, found a packaging bug for them, but in the end it
> works better than Solaris' ;-)

I've put in an SR with Oracle too.  They said they are going to release
3.6.4, which is bullshit because Samba stated they were backporting patches
for many versions due to the serious nature of the exploit and ease of attack.

My Red Hat and Debian machines were updated for the Samba exploit
about a week ago, but we may have to wait until May to get this fixed.
PATHETIC.

I'm not expecting much from them anymore.  Even the zero day telnet exploit
took them weeks to fix.  Your Solaris can be secured by two methods: build your
own binaries (or rely on OpenCSW, which I hope stays up to date better than
Blastwave did), or don't run any services on it.  But I think few of us want
Solaris as a desktop machine...

Wickline, Bob (N-STERLING COMPUTERS CORPORATION) | 20 Apr 2012

Re: EXTERNAL: Re: samba patch from oracle.

The problem with Samba and the Big-O is lawyers poring through the license agreement and approving its
distribution.  They do NOT like GPLv3...

-----Original Message-----
From: pca-bounces <at> lists.univie.ac.at [mailto:pca-bounces <at> lists.univie.ac.at] On Behalf Of
francis picabia
Sent: Friday, April 20, 2012 10:12 AM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL: Re: [pca] samba patch from oracle.

Paul B. Henson | 20 Apr 2012 23:52

Re: EXTERNAL: Re: samba patch from oracle.

On 4/20/2012 8:22 AM, Wickline, Bob (N-STERLING COMPUTERS CORPORATION)
wrote:
> The problem with Samba and the Big-O is lawyers poring through the
> license agreement and approving its distribution.  They do NOT like
> GPLv3...

That was the excuse for the ridiculously long delay in releasing samba 
3.5, but they've already approved distribution of samba under GPLv3, so 
it hardly seems a valid excuse for taking forever and a day to release a 
critical security patch.

Paul B. Henson | 20 Apr 2012 23:55

Re: samba patch from oracle.

On 4/20/2012 8:12 AM, francis picabia wrote:

> I've put in an SR with Oracle too.  They said they are going to
> release 3.6.4, which is bullshit because Samba stated they were
> backporting patches for many versions due to the serious nature of
> the exploit and ease of attack.

I've heard 3.6 still has some winbind issues, so I certainly hope they 
don't issue a major version upgrade rather than simply bumping to 3.5.14 
8-/.

> My Redhat and Debian machines were updated for the samba exploit
> about a week ago, but we may have to wait until May to get this
> fixed. PATHETIC.

Yup.

> Your Solaris can be secured by two methods

I'm still trying to be optimistic that Illumian or OpenIndiana will take 
off and get production ready so we can have the benefits of Solaris 
technology without the headache of dealing with Oracle.
