TrueNAS CORE 12.0-U6.1 appears to be released

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
It's available as a system update, but neither the release notes nor the direct download links are up yet. Initial buzz is that this resolves the CPU temperature reporting bug. What other bug fixes are rolled into this release are currently unknown.
anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There should be a security notice coming out soon. If you are using the AD plugin, you should plan to update ASAP:

Code:
===========================================================
== Subject:     A user in an AD Domain could become root on
==              domain members
==
== CVE ID#:     CVE-2020-25717
==
== Versions:    All Samba versions since Samba 3.0
==
== Summary:     Samba may map domain users to local users
==              in an undesired way.
===========================================================



==========
Workaround
==========

Setting "gensec:require_pac=true" in the smb.conf makes the
DOMAIN\user lookup succeed, due to a cache prime in winbind, provided
nss_winbind is in use and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory
matching on all privileged names not held in Active Directory, eg

samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
...

(repeat for eg all system users under 1000 in /etc/passwd or special
to any other AD-connected services, eg perhaps "admin" for a web-app)

Setting ms-DS-MachineAccountQuota to 0, in the Active Directory domain
is also advised, if possible.

The following settings might be additional mitigations (but they have
not been explicitly verified yet):

1. The use of the 'invalid users' option, note this needs to be
specified in the [global] section, as well as every share with an
existing 'invalid users' option, e.g.:

invalid users = root, ubuntu

2. The usage of the "obey pam restrictions = yes" together with
something like 'account required pam_succeed_if.so quiet uid >=
1000' in the pam configuration for "samba", please consult 'man 8
pam_succeed_if'.
 
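As an added example (not part of anodos's post, nor of the Samba advisory it quotes), the POSIX shell script below audits an smb.conf for two of the workarounds above and prints the pre-creation commands for the third. It checks that `gensec:require_pac = true` is set in [global], lists every section whose `invalid users` line fails to name a given account (the advisory's point that the option must be repeated in each share that already sets it, because a per-share list replaces the global one), and emits the advisory's `samba-tool user add ... --random-password` line for every local account with uid < 1000, followed by a `samba-tool user disable` so the placeholder matches the advisory's "disabled users" wording. The sample smb.conf and passwd contents are constructed; the uid < 1000 cut-off and the assumption that `invalid users` values are plain user names (no `@group` entries) are mine, and the advisory itself notes the `invalid users` mitigation is not explicitly verified.

```shell
#!/bin/sh
# Added example, not code from the page or from Samba: audit an smb.conf for the
# CVE-2020-25717 workarounds quoted above and emit the AD pre-creation commands.
# Assumptions: one "key = value" per line; "invalid users" values are plain user
# names (no @group entries); anything below uid 1000 counts as "privileged".

# --- constructed sample inputs (not from any real system) --------------------
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp); SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF" "$SAMPLE_PASSWD"' EXIT

# Weak: no require_pac, and [homes] overrides the global "invalid users" list,
# so root is no longer denied on that share.
cat > "$WEAK_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    invalid users = root

[homes]
    invalid users = nobody
    browseable = no

[public]
    path = /srv/public
EOF

# Fixed: require_pac set, and every "invalid users" line names root.
cat > "$FIXED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    gensec:require_pac = true
    invalid users = root

[homes]
    invalid users = root, nobody
    browseable = no

[public]
    path = /srv/public
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF

# check_require_pac CONF -> "yes" if [global] sets gensec:require_pac = true, else "no"
check_require_pac() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec); sec = tolower(sec); next }
        sec == "global" {
            key = tolower($1); gsub(/[ \t]/, "", key)   # Samba ignores spaces in option names
            val = tolower($2); gsub(/[ \t]/, "", val)
            if (key == "gensec:require_pac" && val == "true") found = 1
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# sections_not_denying CONF USER -> one line per section where USER is not in
# "invalid users": "global" if it is missing there, plus every share that sets its
# own "invalid users" list (which replaces the global one) without USER.
sections_not_denying() {
    awk -F= -v user="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec); sec = tolower(sec); seen[sec] = 1; next }
        sec != "" {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key != "invalidusers") next
            has_list[sec] = 1
            n = split($2, names, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (tolower(names[i]) == tolower(user)) denies[sec] = 1
        }
        END {
            if (!denies["global"]) print "global"
            for (s in seen) if (s != "global" && has_list[s] && !denies[s]) print s
        }
    ' "$1" | sort
}

# precreate_commands PASSWD_FILE [EXTRA_NAME...] -> the advisory's samba-tool line
# for each account with uid < 1000 plus any extra names (e.g. a web-app "admin"),
# each followed by a disable so the placeholder can never log in. Printed, not run.
precreate_commands() {
    pw=$1; shift
    { awk -F: '$1 != "" && $3 + 0 < 1000 { print $1 }' "$pw"; for n in "$@"; do echo "$n"; done; } |
    while read -r name; do
        printf 'samba-tool user add %s -H ldap://$SERVER -U$USERNAME%%$PASSWORD --random-password\n' "$name"
        printf 'samba-tool user disable %s -H ldap://$SERVER -U$USERNAME%%$PASSWORD\n' "$name"
    done
}

echo "require_pac (weak / fixed): $(check_require_pac "$WEAK_CONF") / $(check_require_pac "$FIXED_CONF")"
echo "sections not denying root, weak conf:  $(sections_not_denying "$WEAK_CONF" root | tr '\n' ' ')"
echo "sections not denying root, fixed conf: $(sections_not_denying "$FIXED_CONF" root | tr '\n' ' ')"
echo "pre-creation commands for privileged local names:"
precreate_commands "$SAMPLE_PASSWD" admin
```

Run it against the output of `testparm -s` rather than the raw file if your smb.conf pulls in `include =` files, since the checks only see the text they are given; and treat the `invalid users` result as advisory, for the reason the Samba notice itself gives.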

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If you use winbindd in your environment (for instance FreeBSD / Linux clients joined to AD), then you should also plan to upgrade and/or apply workarounds.