
So, the Badlock bug (www.badlock.org) that was revealed yesterday was not as terrible as feared. And yet, it seems prudent to patch samba ASAP.

However, just prior to releasing the bug, the samba developers decided to EOL the 4.1.x-branch and did not release a fix for the bug.

At the same time, the version that is available when using 'aptitude update' on a fairly recently installed Ubuntu 14 LTS is version 4.1.6-Ubuntu.

Has this version been specifically patched for Badlock? If not, what is the best course of action to get samba upgraded to a non-EOL version on Ubuntu?

In the security updates thread, https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages, I see an update coming for samba version 4.3.x. But the version I have is the one that was selected by default when I did the installation, 4.1.6-Ubuntu. I ask this question because I am unsure if that fix is going to apply -- and if so, when.

Niels2000
  • No. I have already read that question, and it does not provide an answer, just the same information that is available on badlock.org. – Niels2000 Apr 13 '16 at 09:01
  • a) Why didn't you mention that? and b) Did you see the second answer, which talks about the packages being in security update process? (Specifically, it links to a bug about the packages currently proposed for update: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages) – muru Apr 13 '16 at 09:03
  • a) My fault by omission, to be sure. b) I am no expert in the security update process, but in that branch, I only see an update coming for samba version 4.3.x. But the version I have is the one that was selected by default when I did the installation, 4.1.6-Ubuntu. I ask this question because I am unsure if that fix is going to apply. I have updated the question. – Niels2000 Apr 13 '16 at 09:09
  • Ah, but you'll note that one of those 4.3.x packages is for Trusty, aka 14.04. If you're on 14.04, then you can install that (when it becomes available, or by using the PPA). – muru Apr 13 '16 at 09:20

1 Answer


Since you are on 14.04, your packages (in main) get security upgrades for 5 years. I guess the Ubuntu team is already working on that. You'll only need the ppa if you have reason to believe it's going to be exploited at your site before the fix hits official Ubuntu packages.

Jakob Lenfers
  • The PPA in question is where the Ubuntu security team is working on the patched package. – muru Apr 13 '16 at 16:55
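
The distinction drawn in the answer, a fix arriving through the official security pocket versus through the PPA, can be checked on the machine itself. The following is an added example, not part of the original thread: a shell function that reads `apt-cache policy samba` output and reports the installed version, the candidate version, and where the candidate comes from. The sample output and its version strings are constructed for illustration, and `sample_policy` and `candidate_origin` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample of `apt-cache policy samba` output. The version strings
# are made up to mirror the 4.1.6 / 4.3.x situation in the question.
sample_policy() {
cat <<'EOF'
samba:
  Installed: 2:4.1.6+dfsg-1ubuntu2
  Candidate: 2:4.3.0+dfsg-0ubuntu0.14.04.0
  Version table:
     2:4.3.0+dfsg-0ubuntu0.14.04.0 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 2:4.1.6+dfsg-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# Reads `apt-cache policy <pkg>` output on stdin and prints one line:
#   <installed> <candidate> <origin>
# origin is "security" (a *-security pocket), "ppa" (ppa.launchpad.net),
# "archive" (any other http source) or "unknown".
candidate_origin() {
  awk '
    $1 == "Installed:" { inst = $2; next }
    $1 == "Candidate:" { cand = $2; next }
    /Version table:/   { table = 1; next }
    !table             { next }
    /^        [^ ]/ {                  # 8-space indent: source of current version
      if (cur != cand) next            # only the candidate matters here
      if ($3 ~ /-security\//)               o = "security"
      else if ($2 ~ /ppa\.launchpad\.net/)  o = "ppa"
      else if ($2 ~ /^https?:/)             o = "archive"
      else next                        # e.g. /var/lib/dpkg/status
      if (origin == "" || o == "security") origin = o
      next
    }
    { cur = ($1 == "***") ? $2 : $1 }  # version line; "***" marks the installed one
    END { print inst, cand, (origin == "" ? "unknown" : origin) }
  '
}

# Demo on the constructed sample; on a real host use:
#   apt-cache policy samba | candidate_origin
sample_policy | candidate_origin
```

If the first two fields are equal, nothing newer is on offer from the configured sources yet; if they differ and the origin is `security`, a normal upgrade pulls the fixed package without enabling the PPA.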