Fix for CVE-2013-4475 missing in Samba-3.5 series

Andrew Bartlett abartlet at
Mon Jan 27 13:24:55 MST 2014

On Mon, 2014-01-20 at 15:23 -0800, Jeremy Allison wrote:
> On Fri, Jan 17, 2014 at 07:44:48AM +0000, V S, Nagendra (Nonstop Filesystems Team) wrote:
> > Hi,
> > I was porting the recent Samba CVE (CVE-2013-4408) to NonStop, and while at it observed that the fix for CVE-2013-4475 was not present in the Samba-3.5.22 version. Can you please let me know if this is intentional? (i.e. CVE-2013-4475 is not applicable to the 3.5 series)
> 3.5.22 was released before CVE-2013-4408 was discovered.
> 3.5.x is out of maintenance, so we won't be releasing
> a 3.5.23 for this. The patch against 3.5.22 is available
> on the bug report, if you need to create a product using
> 3.5.x.

The bug report isn't public, but the patches are published to

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
