[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Since this was fixed in version 4.16 I added tasks for Focal and Bionic which are impacted and marked the development release as Fix Released. ** Also affects: samba (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: samba (Ubuntu) Status: Incomplete => Fix Released ** Changed in: samba (Ubuntu Bionic) Status: New => Triaged ** Changed in: samba (Ubuntu Focal) Status: New => Triaged -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Fix Released Status in samba source package in Trusty: Fix Released Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba source package in Bionic: Triaged Status in samba source package in Focal: Triaged Status in samba package in Debian: Fix Released Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case 1] Verify that the regression reported in bug 1644428 has not recurred. [Test Case 2] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
** Changed in: samba (Debian) Status: New => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Incomplete Status in samba source package in Trusty: Fix Released Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba package in Debian: Fix Released Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case 1] Verify that the regression reported in bug 1644428 has not recurred. [Test Case 2] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Revised fix-1584485.patch that includes a missing library in the static build to fix bug #1677329. Patch submitted upstream to samba-technical awaiting feedback. ** Patch added: "fix-1584485-take2.patch" https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4914111/+files/fix-1584485-take2.patch ** Changed in: samba (Ubuntu) Status: Fix Released => Triaged -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Incomplete Status in samba source package in Trusty: Fix Released Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba package in Debian: New Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case 1] Verify that the regression reported in bug 1644428 has not recurred. [Test Case 2] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.4 --- samba (2:4.3.11+dfsg-0ubuntu0.14.04.4) trusty-security; urgency=medium * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing - debian/patches/CVE-2016-2123.patch: check lengths in librpc/ndr/ndr_dnsp.c. - CVE-2016-2123 * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c, source4/auth/gensec/gensec_gssapi.c. - CVE-2016-2125 * SECURITY UPDATE: privilege elevation in Kerberos PAC validation - debian/patches/CVE-2016-2126.patch: only allow known checksum types in auth/kerberos/kerberos_pac.c. - CVE-2016-2126 -- Marc DeslauriersMon, 12 Dec 2016 08:40:01 -0500 ** Changed in: samba (Ubuntu Trusty) Status: In Progress => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2123 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2125 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2126 -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Fix Released Status in samba source package in Trusty: Fix Released Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba package in Debian: New Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case 1] Verify that the regression reported in bug 1644428 has not recurred. [Test Case 2] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list:
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Reopening for trusty as the change was reverted in bug 1644428. ** Changed in: samba (Ubuntu Trusty) Status: Fix Released => In Progress ** Tags removed: verification-done-trusty ** Tags added: verification-failed ** Tags removed: verification-needed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Fix Released Status in samba source package in Trusty: In Progress Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba package in Debian: New Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.2 --- samba (2:4.3.11+dfsg-0ubuntu0.14.04.2) trusty; urgency=medium * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind to be statically linked fixes LP: #1584485. * d/rules: Compile winbindd/winbindd statically. -- Jorge NiedbalskiWed, 09 Nov 2016 15:09:11 +0100 ** Changed in: samba (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: Fix Released Status in samba source package in Trusty: Fix Released Status in samba source package in Xenial: Fix Committed Status in samba source package in Yakkety: Fix Committed Status in samba package in Debian: New Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
** Also affects: samba (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: In Progress Status in samba source package in Trusty: In Progress Status in samba source package in Xenial: In Progress Status in samba source package in Yakkety: In Progress Status in samba package in Debian: Unknown Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
** No longer affects: samba (Ubuntu Precise) ** Changed in: samba (Ubuntu Xenial) Status: New => In Progress ** Changed in: samba (Ubuntu Xenial) Importance: Undecided => High ** Changed in: samba (Ubuntu Xenial) Assignee: (unassigned) => Jorge Niedbalski (niedbalski) ** Patch added: "Yakkety Patch for 1584485" https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763305/+files/fix-1584485-yakkety.debdiff -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: In Progress Status in samba source package in Trusty: In Progress Status in samba source package in Xenial: In Progress Status in samba source package in Yakkety: In Progress Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
** Also affects: samba (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: samba (Ubuntu Yakkety) Importance: High Assignee: Jorge Niedbalski (niedbalski) Status: In Progress -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS Status in samba package in Ubuntu: In Progress Status in samba source package in Precise: New Status in samba source package in Trusty: New Status in samba source package in Xenial: New Status in samba source package in Yakkety: In Progress Bug description: [Impact] * Upgrading samba when using winbind as NSS service can break OS. * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. * Huge impact due to big version different between winbind and libraries. [Test Case] 1) Start an ubuntu Trusty container 2) cp /etc/apt/sources.list /etc/apt/sources.list.back 3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list 4) sudo apt-get update 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind 6) Set /etc/nsswitch.conf to : passwd: winbind compat 7) Restart the services 7.1) sudo restart smbd 7.2) sudo restart nmbd 7.3) sudo restart winbind 8) cp /etc/apt/sources.list.back /etc/apt/sources.list 9) sudo apt-get update 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind While installing, you will see things similar to this : > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ... > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (- > -unpack): > subprocess dpkg-deb --control returned error exit status 2 > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped [Regression Potential] * "preinst" and "postrm" maintainer scripts are acting only in "upgrade" * uninstalling packages and reinstalling would bypass this change [Other Info] * Original Bug Description: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp