raistlinkell's picture

Hello Turnkey Linux Gurus

I've just received an email from ACSC (Australian Cyber Security Centre) regarding a HIGH Alert for Samba versions prior to 4.13.17. and checked my Transmission CT executing the following in the container

sudo smbstatus

The Samba version running on this is 4.9.5 and attempted to update the CT using APT. According to APT all the packages are the latest and there are no updates for the samba server currently running.

Wondering if there's a pending resolution to this on the way?

Forum: 
badco's picture

I am guessing the samba package comes from Debian, so we will be getting the fix from them.

https://security-tracker.debian.org/tracker/CVE-2021-44142

Check you have the Debian security repo enabled and have the patched samba version in link the above.

raistlinkell's picture

cat /etc/apt/sources.list.d/security.sources.list


deb [signed-by=/usr/share/keyrings/tkl-buster-security.gpg] http://archive.turnkeylinux.org/debian buster-security main

deb http://security.debian.org/ buster/updates main
deb http://security.debian.org/ buster/updates contrib
deb http://security.debian.org/ buster/updates non-free

Jeremy Davis's picture

As badco noted, Samba is installed from Debian. And as the link he provided currently shows, that for Debian "buster" (which is the basis for TurnKey v16.x), CVE-2021-44142 is patched in Samba package version: '2:4.9.5+dfsg-5+deb10u3' which is in the "security" repo.

So if you are using a TurnKey v16.x server with Samba included, it should already have the relevant patched version installed. To double check that is the version you have:

apt policy samba

The first few lines of output should look like this:

samba:
  Installed: 2:4.9.5+dfsg-5+deb10u3
  Candidate: 2:4.9.5+dfsg-5+deb10u3
[...]

If all is well, yours will look the same; with the fixed version '', listed as both "Installed" and "Candidate". Assuming so, then you're all good and the security update has already been auto-applied.

Add new comment