Now that the badlock bug and fixes are available, it is too much for some companies

Jeremy Allison jra at samba.org
Wed Apr 13 16:55:30 UTC 2016


On Tue, Apr 12, 2016 at 07:45:22PM -0700, Richard Sharpe wrote:
> Hi folks,
> 
> Great work on getting the badlock bug under control and releasing
> patches and new versions.
> 
> However, I notice that there are several hundred kilobytes of
> compressed patches to get us from 4.3.6 to 4.3.8, for example.
> 
> Now, for many companies shipping Samba the actual jump from what they
> are currently shipping to the version that is available is large and
> will require a significant QA effort. Those same organizations, if
> they are shipping Samba as a member server might not have been aware
> that they were making the netlogon, samr, etc. RPC servers available.
> This is because such a large change invalidates a large amount of the
> QA that has already been done.
> 
> If there was a simple way to disable these services that they could
> push through QA on their next release while they work on getting the
> larger set of changes through their engineering process it might help
> get rid of vulnerable versions out there.
> 
> For example, I have come up with a change in make_server_pipes_struct
> that disables samr, lsarpc, lsass, ncalrpc and netlogon.
> 
> Is this a reasonable way to mitigate the risk for a member-server only
> product while we work on getting 4.3.8 into the product and through
> QA?

Yes, you can try that and it may work as a mitigation strategy.

However, I must warn you that this was my initial reaction to
learning of the problems, but Metze convinced me that they were
bad enough that the full fix was required. He was *very*
convincing :-).
