[Pkg-samba-maint] bookworm-security: package samba/2:4.17.10+dfsg-0+deb12u1

Michael Tokarev mjt at tls.msk.ru
Wed Jul 19 18:38:38 BST 2023


19.07.2023 20:14, Moritz Muehlenhoff wrote:
> On Wed, Jul 19, 2023 at 06:27:45PM +0300, Michael Tokarev wrote:
>> Hi!  Here's the updated samba package for bookworm-security, released by
>> the samba team today.
>>
>> It fixes several security issues, some of them might be serious enough.
>> From the WHATSNEW.txt file (also available on samba.org):
> 
> Most of them look harmless, but I guess we can do a DSA based on CVE-2022-2127.

There was a previous discussion about this started by Salvatore on Jul-15,
titled "Upcoming samba issues". I posted a reply to it to team at security too
but got no further references.  Not that there's more info in there, but
still.

> I'll have a closer look later.
> 
> What about oldstable/Bullseye? Apart from the new round of issues, there are also
> various issues open. It also misses the bugfix which was fixed in
> https://lists.debian.org/debian-stable-announce/2023/07/msg00000.html, right?

Yes. I didn't fix bullseye.  It is like trying to apply a band-aid
to a dead horse.

It has numerous issues which aren't fixed, and its packaging is in
quite bad shape; we applied lots of effort to fix that.

The fix for the recent Windows updates is trivial to apply to 4.13;
it's a simple patch which applies to 4.10 and even 4.7.  But this is
like pretending we're doing something with that one - nope, we're
not.  Maybe this should be made official really, I just don't know how
to do that properly.

> 4.13 is long EOL, can we still backport these reliably?
> 
> Given that 4.13 is long EOL and a supported 4.18 release is out, we could e.g. tell
> people using Active Directory/domain controller functionality to upgrade to
> Bookworm and selectively only backport fixes which support the file/print server
> as domain member use case?

Any use of Debian 4.13 packages should be avoided, I'd say.  I keep
bookworm-backports up to date (it already contains the same version
as bookworm, with the recent win update issue fixed too) and plan to
update it with this version being discussed now.  This might be an
easier route than upgrading the whole system to bookworm.  I also keep
compatibility with previous releases (bullseye), but this is not 100%
verified - there might be some rough edges still with sssd (the most
common problem case with it has been fixed in bookworm samba packages).

I can push something to bullseye samba 4.13.  But that would be a false
sense of security and support, so to speak.

Thanks,

/mjt
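The thread turns on which suites actually carry the fixed package version, and a host either has 2:4.17.10+dfsg-0+deb12u1 (or newer) or it does not. The script below is an added example, not code from the Debian samba packaging or from anyone in this thread: it checks the output of `dpkg-query -W -f='${Package} ${Version}\n' 'samba*'` against that version using a reimplementation of the dpkg version ordering (epoch, upstream, Debian revision, and the `~` rule), so it also runs on a host where python3-apt is missing. The dpkg-query output embedded in it is constructed for illustration, and the old 4.13 version string in it is a made-up placeholder, not a real bullseye upload.

```python
"""Check whether installed samba packages are at or above a fixed version.

Added example, not from the Debian samba packaging or the thread above.
Reimplements the dpkg version ordering so the check works without
python3-apt. The dpkg-query output below is constructed for illustration.
"""

# Version this thread discusses as the bookworm-security upload.
FIXED_BOOKWORM = "2:4.17.10+dfsg-0+deb12u1"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'samba*'`
# on a host with one stale package; the 4.13 string is a placeholder.
SAMPLE_DPKG_QUERY = """\
samba 2:4.17.10+dfsg-0+deb12u1
samba-common 2:4.17.10+dfsg-0+deb12u1
libwbclient0 2:4.13.0+dfsg-1
"""


def _order(c):
    """Character weight used by dpkg inside the non-digit runs."""
    if c == "~":
        return -1          # '~' sorts before anything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare weights; end of string counts as 0.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison, leading zeros ignored.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1       # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(x, y):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ex, ux, rx = parse_version(x)
    ey, uy, ry = parse_version(y)
    if ex != ey:
        return ex - ey
    r = _verrevcmp(ux, uy)
    return r if r else _verrevcmp(rx, ry)


def installed_versions(dpkg_query_output):
    """Parse 'package version' lines into a {package: version} dict."""
    out = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            pkg, ver = line.split()
            out[pkg] = ver
    return out


def unfixed_packages(dpkg_query_output, fixed=FIXED_BOOKWORM):
    """Names of packages whose installed version is older than `fixed`."""
    return sorted(p for p, v in installed_versions(dpkg_query_output).items()
                  if compare_versions(v, fixed) < 0)


if __name__ == "__main__":
    stale = unfixed_packages(SAMPLE_DPKG_QUERY)
    print("packages below %s: %s" % (FIXED_BOOKWORM, stale or "none"))
```

On a real host replace `SAMPLE_DPKG_QUERY` with the actual dpkg-query output; the version string to compare against should be taken from the DSA for the suite the host runs, since a bullseye host, as the thread notes, has no fixed 4.13 upload to compare to at all.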