iX Information Library
- /
- /
- /
FreeNAS 11.1-U6
The FreeNAS development team is pleased to announce the availability of the sixth update to FreeNAS 11.1.
This bug fix release addresses the following security vulnerabilities:
- FreeBSD-SA-18:08.tcp: Resource exhaustion in TCP reassembly
- FreeBSD-SA-18:10.ip: Resource exhaustion in IP fragment reassembly
- CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient
- CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server
- CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server
- CVE-2018-1139: Weak authentication protocol allowed
- CVE-2018-1140: Denial of Service Attack on DNS and LDAP server
It also fixes the Known Issues documented in https://www.ixsystems.com/blog/library/freenas-11-1-u5/. Users of 11.1 systems are encouraged to update to U6 using the instructions in the Guide.
Known Impacts
SMB1 has been disabled by default for security reasons. If legacy clients are no longer able to connect, type this command in the Shell, then restart the SMB service:
sysctl freenas.services.smb.config.server_min_protocol=NT1
If that resolves the issue, you can make that setting permanent by going to System → Tunables →Add Tunable and creating a Tunable with these settings:
Variable: freenas.services.smb.config.server_min_protocol
Value: NT1
Type: Sysctl
Known Issues
Due to a migration bug, it is currently not possible to upgrade from 11.1-U6 to 11.2-BETA2. Please wait til 11.2-BETA3 is available before attempting to upgrade from 11.1-U6.
Changelog
| 26131 | Feature | Add “Auxiliary arguments” field to middleware |
| 26695 | Bug | Use 4k jumbo cluster pool for all jumbo frames until the allocator problem is fixed for the 9k jumbo cluster pool |
| 28063 | Bug | Write local SID to correct DB file |
| 29020 | Bug | Encrypt cloud credentials in configuration database |
| 30696 | Bug | Fixes for Windows AD User Base entries |
| 32055 | Bug | Remove warning that vfs_full_audit may cause transfer problems |
| 33054 | Feature | Automatically create bridge with default route for iocage jails |
| 33453 | Bug | Fix unnecessary AD restarts caused by enabling service monitor |
| 33645 | Feature | Add ability to stop winmsa from changing owner |
| 34134 | Bug | Fix corruption of first byte in AFP_AfpInfo stream/xattr in Samba |
| 34264 | Feature | Add support for configuring a custom S3 endpoint |
| 34276 | Bug | NVMe SMART monitoring workaround |
| 34396 | Bug | Use FreeNAS-specific fork of iocage |
| 34459 | Bug | Recompile minio to allow S3 service to start |
| 34522 | Bug | Allow reset of SED password in UI |
| 34603 | Bug | Fix traceback when setting IPMI VLAN ID |
| 34684 | Bug | Fix quota exceeded emails being sent every minute |
| 35215 | Bug | Fix smart.nawk script in freenas-debug SMART section |
| 35404 | Bug | Fix race condition in SMART |
| 35973 | Bug | Remove faulty enabled/disabled logic from freenas-debug |
| 37143 | Bug | Remove unnecessary pam_sss errors from /var/log/auth.log |
| 37878 | Bug | Add sysctls to disable winbind and sssd enumeration |
| 37902 | Bug | Remove ‘net usersidlist’ from freenas-debug |
| 38898 | Bug | Improve text of unauthorized email alert message |
| 39178 | Bug | Ensure that U6 installs the correct version of the Guide |
| 39628 | Bug | Fix function for storing SIDs |
| 40572 | Bug | Allow Samba to also listen on loopback when specifying a Bind IP |
| 40636 | Bug | Allow /etc/find_alias_for_smtplib.sh to be used by sudoers |
| 40640 | Bug | Monitor mdnsd and restart if necessary |
| 40644 | Bug | Get samba_server status when checking if AD started |
| 40648 | Bug | Load catia VFS module before zfs_space and zfsacl |
| 40664 | Feature | Log netatalk messages to /var/log/afp.log |
| 40668 | Bug | Regenerate /etc/resolv.conf when disabling Domain Controller service |
| 40672 | Bug | Write out pam configuration files in /etc/pam.d/ if they don’t already exist |
| 40680 | Bug | Kerberos authentication fixes for LDAP servers |
| 40684 | Feature | Allow NIS to be ID provider for Active Directory |
| 40688 | Bug | Fix typo and lack of clarity in NTLMv1 warning |
| 40692 | Bug | At boot, have MDNS wait for /etc/resolv.conf to be available and valid |
| 40696 | Bug | Remove leftover NT4 code |
| 40704 | Bug | Do not grant extra privileges to users when a Directory Service is enabled |
| 40708 | Bug | Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups |
| 40716 | Bug | Disable SMB1 by default |
| 40720 | Bug | Replace (nss|pam)_ldap with nss-pam-ldapd |
| 40724 | Bug | Allow unsigned 64-bit serials for certificates which allows AFP auth against macOS LDAP/KRB5 |
| 40728 | Feature | Add experimental sysctl to enable multichannel Samba |
| 40768 | Bug | Revert recent zilstat commit as there is no zil_lwb_write_start() function in FreeNAS 11.1 |
| 40968 | Bug | Fix traceback when trying to add a Cloud Sync task |
| 41028 | Bug | Patch FreeBSD CVE-2018-6922 “Resource exhaustion in TCP reassembly” |
| 41044 | Bug | Fix traceback when creating an internal certificate |
| 41052 | Bug | Bug fix for zvol/dataset traceback |
| 41244 | Bug | Fix check to see whether the SMB service is started |
| 41272 | Bug | Properly encode passwords in inadyn config |
| 41332 | Bug | Check for iocage host release being less than jail release when creating regular jail |
| 41385 | Bug | Update Samba port to address August CVEs |
| 41410 | Bug | Fix “AttributeError: ‘Undefined’ object has no attribute ‘call’` traceback |
| 41772 | Bug | Add patch to address FreeBSD-SA-18:10.ip |
| 41880 | Bug | Improve service status wording in freenas-debug |
