Rick's picture

Do the automatic security updates patch for this vulnerability?

Jeremy Davis's picture

The automated security updates come from Debian's security repo. So to check if Debian have released an update then head over to the Debian Security Tracker. Towards the bottom of that, you can search via CVE, Debian bug number or package name (which is usually, but not always just the name of the software).

Obviously in this case we have a CVE, but if we didn't and wanted to check reported security issue against Samba specifically, we could search for "samba" there.

Actually, in cases such as this where you already have a CVE, you can go directly to it. Just just append the full CVE (e.g. CVE-2017-7494) on the end of the Deb sec tracker url, e.g. https://security-tracker.debian.org/tracker/CVE-2017-7494

To read the table, you need to know what Debian version you are running. TurnKey v14.x is Debian Jessie (so you need 2:4.2.14+dfsg-0+deb8u6) and TKL v13.x is Debian Wheezy (and needs 2:3.6.6-6+deb7u13 to be secure). if you have the correct version of Samba that relates to the Debian version, then you are good. If you are using a really old version of TurnKey (i.e. v12.x or earlier) then security support has ended and you are definitely vulnerable! You need to update ASAP!

If you don't already know what package version you have installed, you can find that out pretty easy from the commandline; as well as if there are any updates. Here's how: (note AWS Marketplace users will need to prepend "sudo" to the first command).

apt-get update
apt-cache policy samba

On a v14.x server with the latest sec updates installed, should look like this (FWIW this is my local v14.1 fileserver):

  Installed: 2:4.2.14+dfsg-0+deb8u6
  Candidate: 2:4.2.14+dfsg-0+deb8u6
  Version table:
 *** 2:4.2.14+dfsg-0+deb8u6 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.2.14+dfsg-0+deb8u5 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages

Here we can clearly see that we have 2:4.2.14+dfsg-0+deb8u6 installed, and it's also the "candidate" (which means what would be installed if you ran "apt-get install samba"). As this matches the Jessie version that is "fixed" (as noted on the Deb sec tracker) we know and I am good to go.

Hopefully you are safe too. If you don't have the correct version (and are running v13.x or v14.x) then please post back as your auto sec updates aren't working properly and we should try to work out why.

Add new comment