8.0.4-p1 and the samba vulnerability

Discussion in 'Archived Announcements' started by jpaetzel, Apr 11, 2012.

  1. Offline

    jpaetzel FreeNAS Core Team

    jpaetzel, Apr 11, 2012

    Samba released a new version yesterday, which addresses a critical security vulnerability that allowed pre-auth remote code execution as root. Obviously this is a huge problem and needs to be addressed ASAP.

    We are doing test builds of 8.0.4-RELEASE-p1 that contains the fixed version of samba, as well as a small handful of other fixes to 8.0.4-RELEASE now and should have an image up later today.
  2. Offline

    ProtoSD FreeNAS Guru

    ProtoSD, Apr 11, 2012

    I just noticed the updates show up in the download area. Thanks for the update!
  3. Offline

    warri FreeNAS Guru

    warri, Apr 11, 2012

    Thanks for the quick update!
    I just updated via GUI, and the auto-reboot did not seem to work (for the first time). Nothing happened after a while and the HTTP interface just returned HTTP 500 and 503. Anyway, after a manual reboot via shell everything seems to work now.

    Here are the last log entries:
    Code (text):
    Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/rm -rf /var/tmp/firmware
    Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/mkdir -p /mnt/tank1/stuff/.freenas
    Apr 12 03:10:53 freenas freenas[2020]: Executing: /usr/sbin/chown www:www /mnt/tank1/stuff/.freenas
    Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/ln -s /mnt/tank1/stuff/.freenas /var/tmp/firmware
    Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/rm -rf /var/tmp/firmware
    Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/mkdir -p /mnt/tank1/stuff/.freenas
    Apr 12 03:11:19 freenas freenas[2020]: Executing: /usr/sbin/chown www:www /mnt/tank1/stuff/.freenas
    Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/ln -s /mnt/tank1/stuff/.freenas /var/tmp/firmware
    Apr 12 03:11:19 freenas freenas[2020]: Popen()ing: /sbin/sha256 -q /var/tmp/firmware/firmware.xz
    Apr 12 03:11:22 freenas freenas[2020]: Executing: /usr/bin/xz -t /var/tmp/firmware/firmware.xz
    Apr 12 03:11:46 freenas freenas[2020]: Executing: /usr/bin/xz -cd /var/tmp/firmware/firmware.xz | sh /root/update && touch /data/need-update
    Apr 12 03:15:15 freenas kernel: pid 2020 (python), uid 0: exited on signal 10
    Apr 12 03:17:32 freenas freenas: 1930257+0 records in
    Apr 12 03:17:32 freenas freenas: 7540+1 records out
    Apr 12 03:17:32 freenas freenas: 988291584 bytes transferred in 346.141501 secs (2855166 bytes/sec)
    Apr 12 03:17:33 freenas kernel: GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).
    Apr 12 03:17:37 freenas freenas: ** /dev/da0s2a (NO WRITE)
    Apr 12 03:17:37 freenas freenas: ** Last Mounted on /build/home/jpaetzel/fn_build/8.0.4/obj.amd64/_.mnt
    Apr 12 03:17:37 freenas freenas: ** Phase 1 - Check Blocks and Sizes
    Apr 12 03:17:37 freenas freenas: ** Phase 2 - Check Pathnames
    Apr 12 03:17:37 freenas freenas: ** Phase 3 - Check Connectivity
    Apr 12 03:17:37 freenas freenas: ** Phase 4 - Check Reference Counts
    Apr 12 03:17:37 freenas freenas: ** Phase 5 - Check Cyl groups
    Apr 12 03:17:37 freenas freenas: 24349 files, 775865 used, 1121941 free (829 frags, 140139 blocks, 0.0% fragmentation)
    Apr 12 03:17:37 freenas freenas: tar: Removing leading '/' from member names
    Apr 12 03:17:37 freenas freenas: x boot/modules/
    Apr 12 03:17:39 freenas mountd[2450]: can't delete exports for /mnt/tmp.YG2VNG: Invalid argument
    Apr 12 03:17:41 freenas freenas: active set on da0s2
  4. Offline

    ProtoSD FreeNAS Guru

    ProtoSD, Apr 11, 2012

    I also just finished my upgrade using the GUI from version 8.0.4 x64 and didn't have any problems.
  5. Offline

    TECK FreeNAS Aware

    TECK, Apr 11, 2012

    Hmm, I upgraded to 8.0.4-p1 and the CIFS performance is now cut in half. I can read and write at about 50MB/sec, compared to the previous stats posted into my build thread. I re-installed Windows 7 Ultimate, just to be sure there is nothing special related to it.

    When I ran a disk test as Administrator, the results were OK for my RAID1 array:
    Code (text):
    > winsat disk -drive c
    > Disk  Sequential 64.0 Read                   96.62 MB/s         6.5
    > Disk  Random 16.0 Read                       2.47 MB/s          4.4
    > Responsiveness: Average IO Rate              2.12 ms/IO         6.9
    > Responsiveness: Grouped IOs                  8.34 units         7.4
    > Responsiveness: Long IOs                     5.59 units         7.7
    > Responsiveness: Overall                      46.64 units        7.1
    > Responsiveness: PenaltyFactor                0.0
    > Disk  Sequential 64.0 Write                  113.21 MB/s        6.8
    > Average Read Time with Sequential Writes     6.977 ms           5.3
    > Latency: 95th Percentile                     32.720 ms          3.0
    > Latency: Maximum                             112.231 ms         7.6
    > Average Read Time with Random Writes         13.346 ms          3.7
    > Total Run Time 00:01:39.50
  6. Offline

    jpaetzel FreeNAS Core Team

    jpaetzel, Apr 11, 2012

    FreeNAS-8.0.4-RELEASE-p1 is now available for immediate download from:

    https://sourceforge.net/projects/freenas/files/FreeNAS-8.0.4/

    FreeNAS-8.0.4-RELEASE-p1 contains Samba 3.6.4, which addresses the
    critical security flaw in CVE-2012-1182.

    This update is critical for anyone using CIFS.

    A small handful of other fixes since 8.0.4-RELEASE have been included
    in this release.

    Release Notes for FreeNAS 8.0.4-RELEASE-p1

    *** IMPORTANT ***

    - The image size increased in 8.0.1-BETA3. The new size requires a 2 GB
    storage device. The GUI upgrade can be used to upgrade a system from
    BETA3, BETA4, or RC1 but upgrades from earlier releases can only be
    done from the CD. The other option is to save the config, reinstall
    the new version, then restore the config.
    - FreeBSD can be really touchy with hardware. Please be sure to update
    your BIOS/BMC firmware when upgrading / installing FreeNAS if you run
    into OS hang issues. There have been cases identified where a BIOS
    upgrade has fixed driver hangs, and/or other issues with FreeNAS; one
    such example was with an Intel 82578DC motherboard, as noted in the
    FreeNAS 8 forum thread titled "8.0.3-RELEASE coming soon..":
    http://bit.ly/rq78Q3 , post # 70-88. Again, please only do this if you
    experience booting / runtime issues, as some vendors don't test
    FreeBSD interoperability as much as others between major firmware
    releases.
    - Previous builds were branded as i386/amd64 (32-bit and 64-bit
    respectively). 8.0.3-RC1+ rebranded the architectures as x86 and x64,
    respectively.
    - 8.0.1 and 8.0.2 images advertised CIFS shares to Macs by default but
    8.0.3 and later images don't advertise CIFS shares by default. If you
    want to advertise CIFS shares in 8.0.3 and later, be sure to turn on
    "Zeroconf" support in the CIFS global settings.
    - Builds prior to 8.0.3-RELEASE with 'CIFS' didn't actually have AIO
    (asynchronous I/O) enabled. So, if you experience performance
    degradation after upgrading from prior versions of FreeNAS to
    8.0.3-RELEASE or newer, turn off AIO or tune the AIO size from '1' to
    something more reasonable (the new default in 8.0.3-RELEASE-p1 is 4096
    or 4kB).

    Changes since 8.0.4-RELEASE:

    Enhancements
    ========================

    GUI
    ------------------------

    1. Selecting reboot now causes the screen to turn red during the
    confirmation dialog, adding emphasis to the fact that this operation
    will affect availability.

    Bugfixes
    ========================

    OS/Third party
    ------------------------

    1. Samba has been upgraded to 3.6.4 to address CVE-2012-1182 which is a
    critical vulnerability. All FreeNAS users who are using CIFS are
    urged to upgrade.

    2. Create the ldap and nss secret files when LDAP integration is
    enabled.

    3. Ensure the configuration database is not world readable.

    4. Remove failsafe from the PAM group file, this prevents a situation
    where the wheel group being empty allowed any user to su to root.


    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x64.GUI_Upgrade.xz
    SHA256 Hash:
    ba909e18a0f1cc64b6be0c5f089d9b89b684138f1b621024e91a47532426d662

    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x64.img.xz
    SHA256 Hash:
    8e4eec14170d8c0314e51abb0474c7447ec967189af0bcd5e41ed61bbdba51b9

    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x64.iso
    SHA256 Hash:
    130b5d021b0b67e01039cbf8adcbe02d67cf6b01040cf7a084445c674db0ea29

    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x86.GUI_Upgrade.xz
    SHA256 Hash:
    749ebde664913deeefc077efa47f30195b5e3a68ea36da3085e01832039a8ade

    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x86.img.xz
    SHA256 Hash:
    662a2de3f423ddd0f6a8a9792fc5afc0eb2ccb37ac00d1bfef3d03f163c20dcc

    Filename:
    FreeNAS-8.0.4-RELEASE-p1-x86.iso
    SHA256 Hash:
    d7a737ab61994b5a46642e77891b40b5e54815a2a4e0b27f1dc943d06fd61d2b
  7. Offline

    Gnome

    Gnome, Apr 13, 2012

    Are you sure? Have you tried downgrading and testing by doing the exact same copy operation for before/after comparison?
  8. Offline

    sumsum

    sumsum, Apr 13, 2012

    I have nearly the same setup as TECK.
    After the upgrade to 8.0.4-RELEASE-p1 I have the same performance as before.
    Write : ~76MB/s
    Read : ~110MB/s

    cheers
    tom
  9. Offline

    William Grzybowski FreeNAS Guru

    William Grzybowski, Apr 13, 2012

    I think he upgraded prior to 8.0.3...

    Turning AIO on/off might help
  10. Offline

    TECK FreeNAS Aware

    TECK, Apr 14, 2012

    Yes, from 8.0.2. :)
    I tried with both AIO On or Off, I get a slight increase in speed but we are talking KB.
    Also, I cannot login as root anymore:
    Code (text):
    $ su -
    su: Sorry
  11. Offline

    Simon00

    Simon00, Apr 15, 2012

    I've also had some trouble upgrading, possibly due to my hardware combo or a buggy upgrade process. But I simply export my ZFS volume, and swap the bootable SD card with the new version. Re-import volume and I usually just re-enter the settings manually just to be sure. I have low spec. hardware so leave AIO off.
  12. Offline

    bman

    bman, Apr 16, 2012

    FreeNAS newbie here. I successfully built a unit using an old PC. I completed the original installation with a monitor and keyboard attached. I have since removed and run the system headless. I just burned the CD with 8.04p1. My question is, do I need to re-attach a monitor and keyboard to upgrade? OR can you tell me how I would complete this with a headless system. Any help is appreciated.
  13. Offline

    warri FreeNAS Guru

    warri, Apr 16, 2012

    That depends on your current version. If you are upgrading from pre-8.0.1-BETA3 you need to upgrade via CD due to the increased image size.
    Newer versions should be upgradable via the HTTP GUI, just grab the correct image (FreeNAS-8.0.4-RELEASE-p1-x86.GUI_Upgrade.xz or x64 depending on your architecture), go to Settings - Advanced - Firmware Update and follow the instructions.
  14. Offline

    nepenthe

    nepenthe, Apr 16, 2012

    Could not su to root from SSH login after upgrade

    Apparently after this upgrade from 8.04 I was unable to su to root when logging in via SSH. After further research I found there were no members of the wheel group. I re-added my user account into the group and all was well. Just thought I should bring this up, anyone else experience anything like that? Should I submit a bug report perhaps?
  15. Offline

    William Grzybowski FreeNAS Guru

    William Grzybowski, Apr 16, 2012

    No, it is a bugfix, it is in the release notes.
    Users should not be allowed to su if not in wheel group.
  16. Offline

    nepenthe

    nepenthe, Apr 16, 2012

    My bad. I just quickly read that and figured users were previously being automatically added to the Wheel group upon creation, instead of the Wheel group not mattering.
  17. Offline

    bman

    bman, Apr 18, 2012

    Thanks warri. I updated from the GUI. Very easy.
  18. Offline

    TECK FreeNAS Aware

    TECK, Apr 19, 2012

    I never heard that before and I have used UNIX for a long time. Is this specific to FreeBSD?
    Adding a regular user to wheel group presents security risks, as this group has special permissions. I would rather have an option assigned to a specific group. For example, you tick an option that says "Members of this group are superusers", that would be more appropriate.

    I'm connecting through SSH, but I see this note:
    "Remove failsafe from the PAM group file, this prevents a situation where the wheel group being empty allowed any user to su to root."
    The normal behavior in every Unix OS I know is to allow any user to su, isn't it?
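
Added example (not part of any post in this thread and not FreeNAS project code): a shell audit for the condition described in bugfix 4 of the release notes. It assumes the "failsafe" mentioned there is the `fail_safe` option of `pam_group.so` as found in a stock FreeBSD `/etc/pam.d/su`; the sample files and the `admin` user are constructed.

```shell
#!/bin/sh
# Added example. Assumes stock FreeBSD pam_group(8) semantics: with fail_safe,
# a missing or memberless group is treated as if the caller belonged to it.

# Exit 0 if an uncommented pam_group.so line in PAM file $1 sets fail_safe.
su_has_fail_safe() {
    awk '!/^[ \t]*#/ && /pam_group\.so/ {
             for (i = 1; i <= NF; i++) if ($i == "fail_safe") found = 1
         } END { exit !found }' "$1"
}

# Print the member list (4th field) of wheel from group(5) file $1.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Exit 0 if the wheel check on su is bypassed: fail_safe set and wheel empty.
su_open_to_all() {
    su_has_fail_safe "$1" && [ -z "$(wheel_members "$2")" ]
}

# usage: audit_su PAM_FILE GROUP_FILE
audit_su() {
    if su_open_to_all "$1" "$2"; then
        echo "OPEN: wheel restriction on su is not enforced"
    elif su_has_fail_safe "$1"; then
        echo "LATENT: fail_safe set; enforced only while wheel has members"
    else
        echo "OK: su limited to wheel members"
    fi
}

# Constructed sample files (not taken from a FreeNAS image).
tmp=$(mktemp -d)
printf '%s\n' '# auth' 'auth sufficient pam_rootok.so no_warn' \
    'auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser' \
    > "$tmp/su.before"
sed 's/ fail_safe//' "$tmp/su.before" > "$tmp/su.after"
printf 'wheel:*:0:\noperator:*:5:root\n' > "$tmp/group.empty"
printf 'wheel:*:0:root,admin\n' > "$tmp/group.filled"

audit_su "$tmp/su.before" "$tmp/group.empty"    # OPEN
audit_su "$tmp/su.before" "$tmp/group.filled"   # LATENT
audit_su "$tmp/su.after"  "$tmp/group.empty"    # OK
# To audit a live system: audit_su /etc/pam.d/su /etc/group
```

With `fail_safe` removed, an account that needs `su` has to be listed in `wheel`, which matches the workaround nepenthe describes above.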
  19. Offline

    TECK FreeNAS Aware

    TECK, Apr 19, 2012

    You upgraded from 8.0.3, right? Myself and protosd both upgraded from 8.0.2 and saw an important loss of data speed transfers.
  20. Offline

    sumsum

    sumsum, Apr 19, 2012

    I upgraded from 8.0.4 Release to p1
