Now that the badlock bug and fixes are available, it is too much for some companies

Richard Sharpe realrichardsharpe at gmail.com
Wed Apr 13 02:45:22 UTC 2016


Hi folks,

Great work on getting the badlock bug under control and releasing
patches and new versions.

However, I notice that there is several hundred kilobytes of
compressed patches to get us from 4.3.6 to 4.3.8, for example.

Now, for many companies shipping Samba the actual jump from what they
are currently shipping to the version that is available is large and
will require a significant QA effort. Those same organizations, if
they are shipping Samba as a member server might not have been aware
that they were making the netlogon, samr, etc RPC servers available.
This is because such a large change invalidates a large amount of the
QA that has already been done.

If there was a simple way to disable these services that they could
push through QA on their next release while they work on getting the
larger set of changes through their engineering process it might help
get rid of vulnerable versions out there.

For example, I have some up with a change in make_server_pipes_struct
that disables samr, lsarpc, lsass, ncalrpc and netlogon.

Is this a reasonable way to mitigate the risk for a member-server only
product while we work on getting 4.3.8 into the product and through
QA?

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)



More information about the samba-technical mailing list