[Pkg-samba-maint] Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

Michael Tokarev mjt at tls.msk.ru
Wed Nov 2 07:39:29 GMT 2022


24.10.2022 15:47, Samuel Wolf wrote:
>> Yes it is possible, more, it is trivial to _patch_ it. But it is not that easy
>> to make the resulting binaries into the archive.

Samuel, care to test a bullseye 4.13 samba patched with this 22H2 kerberos thing?
I don't have a test environment here, and setting it up is quite a bit of work - I'll
need several virtual machines with different OSes, including win 22H2.

I prepared a bullseye samba build; if you (or anyone else) have a way to test it,
please do.

http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/ , in particular,
http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/samba-4.13/samba_4.13.13+dfsg-1~deb11u5a/
In an apt/sources.list form, it is:

deb http://www.corpit.ru/mjt/packages/samba debian-11-bullseye-test/samba-4.13/

(the trailing slash is important!). This is a temporary repository signed with
the GPG key I use for Debian packaging.

There are 2 changes in this release compared with current 4.13.13+dfsg-1~deb11u5:

  samba (2:4.13.13+dfsg-1~deb11u5a) bullseye-test; urgency=medium

    * CVE-2022-3437-des3-overflow-v4a-4.13.patch
      Closes: CVE-2022-3437 (Heimdal unwrap_des/unwrap_des3 buffer overflow)
    * windows11-22h2-kerrberos-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
      Closes: #1022574, incorrect AD DC behavior with Windows11 22H2

If everything goes well, I'll try to push this one to bullseye-security.

Thanks!

/mjt


