Important: samba3x security update

Synopsis

Important: samba3x security update

Type/Severity

Security Advisory: Important

Topic

An update for samba3x is now available for Red Hat Enterprise Linux 5 Extended
Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible machines
to share files, printers, and other information.

Security Fix(es):

• A remote code execution flaw was found in Samba. A malicious authenticated
  samba client, having write access to the samba share, could use this flaw to
  execute arbitrary code as root. (CVE-2017-7494)
  

Red Hat would like to thank the Samba project for reporting this issue. Upstream
acknowledges steelo as the original reporter.

Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the smb service will be restarted automatically.

Affected Products

• Red Hat Enterprise Linux Server - Extended Life Cycle Support 5 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 5 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 5 s390x

Fixes

• BZ - 1450347 - CVE-2017-7494 samba: Loading shared modules from any path in the system leading to RCE

CVEs

• CVE-2017-7494

References

• https://access.redhat.com/security/updates/classification/#important
• https://www.samba.org/samba/security/CVE-2017-7494.html
• https://access.redhat.com/security/vulnerabilities/3034621