[Pkg-samba-maint] Partial mitigations for the Nov Samba CVEs
Andrew Bartlett
abartlet at samba.org
Mon Nov 22 17:43:50 GMT 2021

On Mon, 2021-11-22 at 15:01 +0100, Salvatore Bonaccorso wrote:
> Thank you for helping identify the bare minimum to pick. I'm working
> on this for Debian (for buster) and based on the above I have test
> packages at:
>
> https://people.debian.org/~carnil/tmp/samba/2021-11-09/
>
Great, thanks for picking this up.
> (they are not signed! So anyone reading this, they should not be
> considered production ready)
>
> What is missing from here with that: The above referenced update would
> still require admins of the setups described in
> https://www.samba.org/samba/security/CVE-2020-25717.html to apply the
> 'username map' and 'username map script'. So a followup in the form of
> https://bugzilla.samba.org/show_bug.cgi?id=14901 as well for 4.9 would
> be good to have (help on that part as well much appreciated if
> possible).
>
> I see there are patches for 4.10, so I will try to take your patches
> for 4.9.
The trick there would be to take the C parts, as the new testsuite is
Python 3.6 only anyway.  The C code hasn't changed much, I hope it will
drop in OK.

The same would apply for almost all the patches really, I'm not
expecting big dramas to take the tested C patches from 4.10 to 4.9 but
the more that is changed the riskier it becomes, and I don't 'do'
untested patches :-)

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions