11.1-U6

August 21, 2018

The FreeNAS development team is pleased to announce the availability of the sixth update to FreeNAS 11.1.

This bug fix release addresses the following security vulnerabilities:

• FreeBSD-SA-18:08.tcp: Resource exhaustion in TCP reassembly
• FreeBSD-SA-18:10.ip: Resource exhaustion in IP fragment reassembly
• CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient
• CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server
• CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server
• CVE-2018-1139: Weak authentication protocol allowed
• CVE-2018-1140: Denial of Service Attack on DNS and LDAP server

“It also fixes the Known Issues documented in FreeNAS 11.1-U5. Users of 11.1 systems are encouraged to update to U6 using the instructions in the Guide.”

SMB1 has been disabled by default for security reasons. If legacy clients are no longer able to connect, type this command in the Shell, then restart the SMB service:

sysctl freenas.services.smb.config.server_min_protocol=NT1 If that resolves the issue, you can make that setting permanent by going to System → Tunables →Add Tunable and creating a Tunable with these settings:

Variable: freenas.services.smb.config.server_min_protocol

Value: NT1

Type: Sysctl

Due to a migration bug, it is currently not possible to upgrade from 11.1-U6 to 11.2-BETA2. Please wait til 11.2-BETA3 is available before attempting to upgrade from 11.1-U6.

• 26131 Feature Add “Auxiliary arguments” field to middleware
• 26695 Bug Use 4k jumbo cluster pool for all jumbo frames until the allocator problem is fixed for the 9k jumbo cluster pool
• 28063 Bug Write local SID to correct DB file
• 29020 Bug Encrypt cloud credentials in configuration database
• 30696 Bug Fixes for Windows AD User Base entries
• 32055 Bug Remove warning that vfs_full_audit may cause transfer problems
• 33054 Feature Automatically create bridge with default route for iocage jails
• 33453 Bug Fix unnecessary AD restarts caused by enabling service monitor
• 33645 Feature Add ability to stop winmsa from changing owner
• 34134 Bug Fix corruption of first byte in AFP_AfpInfo stream/xattr in Samba
• 34264 Feature Add support for configuring a custom S3 endpoint
• 34276 Bug NVMe SMART monitoring workaround
• 34396 Bug Use FreeNAS-specific fork of iocage
• 34459 Bug Recompile minio to allow S3 service to start
• 34522 Bug Allow reset of SED password in UI
• 34603 Bug Fix traceback when setting IPMI VLAN ID
• 34684 Bug Fix quota exceeded emails being sent every minute
• 35215 Bug Fix smart.nawk script in freenas-debug SMART section
• 35404 Bug Fix race condition in SMART
• 35973 Bug Remove faulty enabled/disabled logic from freenas-debug
• 37143 Bug Remove unnecessary pam_sss errors from /var/log/auth.log
• 37878 Bug Add sysctls to disable winbind and sssd enumeration
• 37902 Bug Remove ‘net usersidlist’ from freenas-debug
• 38898 Bug Improve text of unauthorized email alert message
• 39178 Bug Ensure that U6 installs the correct version of the Guide
• 39628 Bug Fix function for storing SIDs
• 40572 Bug Allow Samba to also listen on loopback when specifying a Bind IP
• 40636 Bug Allow /etc/find_alias_for_smtplib.sh to be used by sudoers
• 40640 Bug Monitor mdnsd and restart if necessary
• 40644 Bug Get samba_server status when checking if AD started
• 40648 Bug Load catia VFS module before zfs_space and zfsacl
• 40664 Feature Log netatalk messages to /var/log/afp.log
• 40668 Bug Regenerate /etc/resolv.conf when disabling Domain Controller service
• 40672 Bug Write out pam configuration files in /etc/pam.d/ if they don’t already exist
• 40680 Bug Kerberos authentication fixes for LDAP servers
• 40684 Feature Allow NIS to be ID provider for Active Directory
• 40688 Bug Fix typo and lack of clarity in NTLMv1 warning
• 40692 Bug At boot, have MDNS wait for /etc/resolv.conf to be available and valid
• 40696 Bug Remove leftover NT4 code
• 40704 Bug Do not grant extra privileges to users when a Directory Service is enabled
• 40708 Bug Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups
• 40716 Bug Disable SMB1 by default
• 40720 Bug Replace (nss|pam)_ldap with nss-pam-ldapd
• 40724 Bug Allow unsigned 64-bit serials for certificates which allows AFP auth against macOS LDAP/KRB5
• 40728 Feature Add experimental sysctl to enable multichannel Samba
• 40768 Bug Revert recent zilstat commit as there is no zil_lwb_write_start() function in FreeNAS 11.1
• 40968 Bug Fix traceback when trying to add a Cloud Sync task
• 41028 Bug Patch FreeBSD CVE-2018-6922 “Resource exhaustion in TCP reassembly”
• 41044 Bug Fix traceback when creating an internal certificate
• 41052 Bug Bug fix for zvol/dataset traceback
• 41244 Bug Fix check to see whether the SMB service is started
• 41272 Bug Properly encode passwords in inadyn config
• 41332 Bug Check for iocage host release being less than jail release when creating regular jail
• 41385 Bug Update Samba port to address August CVEs
• 41410 Bug Fix “AttributeError: ‘Undefined’ object has no attribute ‘call’ traceback
• 41772 Bug Add patch to address FreeBSD-SA-18:10.ip
• 41880 Bug Improve service status wording in freenas-debug

Tickets can be viewed at the iXsystems & FreeNAS Redmine page.