-2

Company lockdown, I am not allowed to use apt-get so I have to get our systems team to download packages for me, they ftp them to the system and then I install them with

dpkg -i <package>.deb

Pain in the **** but I can't get this changed; I've asked, pleaded and cajoled but the auditors and security boys will not allow it, no matter that I have to send a request to them every time I want to install a new package or dependency.

SO: I need to upgrade from 16.04.3 LTS to 16.04.7 LTS (to fix a Samba vulnerability). Any idea if this is possible using package downloads, and where I can find them? Is it just a kernel, and if so where can I get it?


Ah OK, looking further into info on CVE-2017-7494 I see "Ubuntu 16.04 LTS (Xenial Xerus): released (2:4.3.11+dfsg-0ubuntu0.16.04.7)". The installed Samba version I have is 4.3.11, so I'm not sure why I'm seeing Ubuntu 16.04.7 in there? I get confused easily...

jokerdino
  • 41,320
Malc P
  • 1
  • I wasn't aware 16.04 had gone beyond the third point release. Are you certain you're after 16.04.7? – Zeiss Ikon Oct 02 '17 at 14:49
  • Hmm. This, dated May 2017: https://usn.ubuntu.com/usn/usn-3296-1/ lists the .7 release as fixing CVE-2017-7494 and points to https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.7. Looks like I'll need to download the install package and do an in-place upgrade? – Malc P Oct 02 '17 at 15:05
  • Oh, now I understand – this 7 is not part of the release code, see How does Ubuntu name packages? for an explanation. – dessert Oct 02 '17 at 15:12
  • 1
    The latest samba security-update package for 16.04 is samba (2:4.3.11+dfsg-0ubuntu0.16.04.11), so what you're looking for is outdated anyway. All samba packages in 16.04 are version 4.3.11 – doug Oct 02 '17 at 20:03

2 Answers

3

Until today Xenial didn't go beyond the third point release, so 16.04.3 is the most recent Ubuntu 16.04 you can get – see here and here.

No matter which particular vulnerability you refer to, if it can be fixed you always just need to update samba to do so. Test which version is installed using samba --version, compare it with the current version number here and if necessary download it from there and install it as usual.

dessert
  • 39,982
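An added worked example (not part of either answer, and not dpkg's own code) that splits Debian version strings the way dpkg does and compares them with a port of its verrevcmp algorithm. It shows why the "16.04.7" in the comment thread is the package revision rather than an Ubuntu point release, and why the .11 revision doug mentions is newer than the .7 one the USN quotes even though "11" sorts before "7" as text. The version strings are the ones quoted on this page; the "16.04.6" value in the usage line is a constructed, older revision.

```python
"""Parse and compare Debian package versions (epoch:upstream-revision) like dpkg."""

# From USN-3296-1 as quoted in the comments: the revision that fixes CVE-2017-7494.
USN_FIXED = "2:4.3.11+dfsg-0ubuntu0.16.04.7"


def split_version(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(c):
    """dpkg character weight: '~' before end-of-string, letters before symbols."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs (character order)
    with digit runs (numeric value); negative/zero/positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return na - nb
    return 0


def compare_versions(a, b):
    """Negative, zero or positive, the same ordering as dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_patched(installed, fixed=USN_FIXED):
    """True when the installed package version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    print(split_version(USN_FIXED))          # revision holds the 16.04.7, not the release
    print(is_patched("2:4.3.11+dfsg-0ubuntu0.16.04.11"))  # doug's newer package
    print(is_patched("2:4.3.11+dfsg-0ubuntu0.16.04.6"))   # constructed older revision
```

On a real box the installed string comes from `dpkg-query -W -f='${Version}' samba`, and `dpkg --compare-versions` gives the same verdict as compare_versions.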
1

Frankly... If they download it for you and then put it in place for you to use, the security guys aren't going to be happy either. None of the code was audited, and that's what the security guys are panicky about (and they should know better, but you know... their paycheck is guaranteed by insecure systems and insane firewall/filtering policies). Basically, your system admins should open the filters/firewall to one chosen mirror and that would be enough. It's functionally equivalent to downloading and then providing it for you.

Still, given that they still bothered to download everything, it looks like the best way for them would be to create an Ubuntu Mirror on-site. They manage the mirror (the same as downloading everything, but easier) and you point your apt-sources to the mirror.

That is actually exactly how this should be handled.

Also, it is fully documented.

jawtheshark
  • 2,522
  • While this is a correct recommendation, it doesn't really answer the question, does it? – Zeiss Ikon Oct 02 '17 at 15:58
  • 1
    No it doesn't answer the question... However sometimes, answering a question requires critical thought and you're better off suggesting what should be done. His sysadmins might react positively to this request, instead of letting him directly go to the repos. – jawtheshark Oct 02 '17 at 16:52