Platforms affected:
- OSMC for Raspberry Pi (all models)
- OSMC for Apple TV
- OSMC for Vero (all models)
A number of vulnerabilities [1] [2] [3] [4] [5] [6] [7] [8] have been discovered in Samba which is offered in the OSMC App Store and Debian APT repository. This vulnerability is considered critical.
The most critical vulnerability, named Badlock [1] allows for SAMR and LSA man in the middle attacks.
This vulnerability has been fixed in upstream Debian and OSMC has now included this fix as an update. We recommend you update your device immediately. This can be done by going to My OSMC -> Updates -> Check for Updates. After updating, your system should report OSMC 2016.04-2 as the version in My OSMC.
If you have not installed the Samba Server via the App Store or Samba via the apt-get utility, then your system is not vulnerable. After today’s update, future installations of the Samba Server from the OSMC Store or via the apt-get utility will automatically have this vulnerability patched.
Although OSMC has a monthly update cycle, OSMC makes critical bug fixes and fixes for security vulnerabilities immediately available. You can learn more about OSMC’s update cycle and about keeping your system up to date here. We also recommend updating any computers in your household. Microsoft have released patches for supported versions of Windows.
[1] CVE-2016-2118[2] CVE-2015-5370
[3] CVE-2016-2110
[4] CVE-2016-2111
[5] CVE-2016-2112
[6] CVE-2016-2113
[7] CVE-2016-2114
[8] CVE-2016-2115