[Pkg-samba-maint] bookworm-security: package samba/2:4.17.10+dfsg-0+deb12u1

Moritz Muehlenhoff jmm at inutil.org
Thu Jul 20 20:07:35 BST 2023


On Wed, Jul 19, 2023 at 08:38:38PM +0300, Michael Tokarev wrote:
> 19.07.2023 20:14, Moritz Muehlenhoff wrote:
> > On Wed, Jul 19, 2023 at 06:27:45PM +0300, Michael Tokarev wrote:
> > > Hi!  Here's the updated samba package for bookworm-security, released by
> > > the samba team today.
> > > 
> > > It fixes several security issues, some of them might be serious enough.
> > >  From the WHATSNEW.txt file (also available on samba.org):
> > 
> > Most of them look harmless, but I guess we can do a DSA based on CVE-2022-2127.
> 
> There was a previous discussion about this started by Salvatore on Jul-15,
> titled "Upcoming samba issues". I posted a reply to it to team at security too
> but got no further references.  Not that there's more info in there, but
> still.

debdiff looks good, please upload to security-master.

> > I'll have a closer look later.
> > 
> > What about oldstable/Bullseye? Apart from the new round of issues, there are also
> > various issues open. It also misses the bugfix which was fixed in
> > https://lists.debian.org/debian-stable-announce/2023/07/msg00000.html, right?
> 
> Yes. I didn't fix bullseye.  It is like trying to apply a band-aid
> to a dead horse.
> 
> It has numerous issues which aren't fixed, and its packaging is in
> quite bad shape; we applied a lot of effort to fix that.
> 
> The fix for the recent windows updates is trivial to apply to 4.13,
> it's a simple patch which applies to 4.10 and even 4.7.  But this is
> like pretending we're doing something with that one, - nope, we're
> not. Maybe this should be made official really, I just don't know how
> to do that properly.

We can add a note to the advisory text. And in addition mark it as unsupported
in debian-security-support.

> > 4.13 is long EOL, can we still backport these reliably?
> > 
> > Given that 4.13 is long EOL and a supported 4.18 release is out, we could e.g. tell
> > people using Active Directory/domain controller functionality to upgrade to
> > Bookworm and selectively only backport fixes which support the file/print server
> > as domain member use case?
> 
> Any use of Debian 4.13 packages should be avoided, I'd say.  I keep
> bookworm-backports up to date (it already contains the same version

bullseye-backports

> as bookworm, with the recent win update issue fixed too) and plan to
> update it with this version being discussed now.  This might be an
> easier route than to upgrade whole system to bookworm.  I also keep
> compatibility with previous releases (bullseye), but this is not 100%
> verified - there might be some rough edges still with sssd (the most
> common problem case with it has been fixed in bookworm samba packages).
> 
> I can push something to bullseye samba 4.13. But that would be a false
> sense of security and support, so to say.

Nah, let's avoid solutions which provide a false sense of security. We can
tell people to upgrade to Bookworm and in the interim move to
bullseye-backports. I'll draft some text for the advisory.

Cheers,
        Moritz
