[Pkg-samba-maint] Bug#820958: Upgrade of 4.1 to 4.2 in Jessie forces the samba package to be installed and the daemons started (nagios plugins install)

Christian Balzer chibi at gol.com
Thu Apr 14 03:51:29 UTC 2016


Package: samba
Version: 2:4.2.10+dfsg-0+deb8u1
Severity: Normal

Hello,

the just released security fix and thus upgrade from Samba 4.1 to 4.2
in Jessie introduces another potential security problem.

Consider this (fairly common) scenario:
Server isn't running samba at all, but nagios-plugins-standard was
installed to monitor (NRPE) other services.
nagios-plugins-standard pulls in samba-common (to get smbclient).
So far so good, until now this didn't do anything dangerous and people
most likely allowed all the dependencies/recommendations to be installed.

However this latest version of samba requires the actual samba package to
be installed as well if samba-common is present, which of course will
install the daemon binaries and start them, potentially exposing the
server in question to attacks.
 
A quick workaround is of course to uninstall samba if one didn't need
the functionality in the first place.

But a re-packaging in the previous style or at least a stern warning when
pulling in samba into a system that only had samba-common before would be
the correct way forward.

Regards,

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi at gol.com   	Global OnLine Japan/Rakuten Communications
http://www.gol.com/
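The check a practitioner would want for the scenario above, as an added example that is not part of the bug report or of the samba packaging: given the output of dpkg-query and ss, report whether the daemon package ("samba", as named in the report) and its SMB listeners ended up on a host that only wanted samba-common/smbclient, and print the uninstall workaround the report suggests. It assumes a Debian system with dpkg-query and iproute2's ss; the package listings and socket tables below are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the samba package.
# Assumptions: Debian with dpkg-query and iproute2's ss; the daemon package is
# named "samba" as in the report. All sample listings below are constructed.

# Packages that carry smbd/nmbd. Extend the list if your release splits them.
SAMBA_DAEMON_PKGS="samba"

# stdin: lines in the format of  dpkg-query -W -f='${Package} ${Status}\n'
# stdout: names of daemon packages whose status is fully installed.
# A package left in "deinstall ok config-files" state after removal is not
# reported, so a host that already applied the workaround shows as clean.
installed_samba_daemon_pkgs() {
    while read -r pkg status; do
        if [ "$status" = "install ok installed" ]; then
            for d in $SAMBA_DAEMON_PKGS; do
                if [ "$pkg" = "$d" ]; then
                    echo "$pkg"
                fi
            done
        fi
    done
}

# stdin: output of  ss -ltn  (header line plus one LISTEN socket per line)
# stdout: the SMB ports (139 NetBIOS session, 445 direct SMB) that are bound,
# whatever the local address column looks like (*:445, 0.0.0.0:445, [::]:445).
smb_ports_listening() {
    awk 'NR > 1 {
        n = split($4, a, ":"); p = a[n]
        if (p == "139" || p == "445") print p
    }' | sort -u
}

# $1: dpkg-query listing, $2: ss -ltn output (both passed as strings).
# Returns 0 when neither a daemon package nor an SMB listener is present,
# 1 otherwise, after printing what was found and the workaround from the report.
samba_audit() {
    pkgs=$(printf '%s\n' "$1" | installed_samba_daemon_pkgs)
    ports=$(printf '%s\n' "$2" | smb_ports_listening | tr '\n' ' ')
    if [ -z "$pkgs" ] && [ -z "$ports" ]; then
        echo "ok: only client-side samba packages present, nothing listening on 139/445"
        return 0
    fi
    if [ -n "$pkgs" ]; then echo "daemon package installed: $pkgs"; fi
    if [ -n "$ports" ]; then echo "SMB ports bound: $ports"; fi
    echo "workaround (per the report): apt-get remove samba  -- review apt's removal list before confirming"
    return 1
}

# Constructed sample: a monitoring host after the 4.1 -> 4.2 upgrade pulled in
# the daemon package next to the smbclient that nagios-plugins-standard wanted.
SAMPLE_AFFECTED_PKGS='nagios-plugins-standard install ok installed
samba-common install ok installed
smbclient install ok installed
samba install ok installed'
SAMPLE_AFFECTED_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     *:139               *:*
LISTEN 0      50     *:445               *:*
LISTEN 0      128    *:5666              *:*'

# Constructed sample: the same host after "apt-get remove samba"; the package
# lingers in config-files state and only NRPE (5666) is still listening.
SAMPLE_CLEAN_PKGS='nagios-plugins-standard install ok installed
samba-common install ok installed
smbclient install ok installed
samba deinstall ok config-files'
SAMPLE_CLEAN_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:5666              *:*'

# Stand-alone run on the constructed data. On a real host feed the live output:
#   samba_audit "$(dpkg-query -W -f='${Package} ${Status}\n')" "$(ss -ltn)"
echo "== affected host =="
samba_audit "$SAMPLE_AFFECTED_PKGS" "$SAMPLE_AFFECTED_SS" || true
echo "== after workaround =="
samba_audit "$SAMPLE_CLEAN_PKGS" "$SAMPLE_CLEAN_SS" || true
```

The package check keys on the dpkg status field rather than on the package name alone, so a host where samba was already removed (and only its config files remain) is not flagged again; the port check is the independent confirmation that no smbd/nmbd is actually reachable, whichever package put it there.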


