Now that the badlock bug and fixes are available, it is too much for some companies

Richard Sharpe realrichardsharpe at
Thu Apr 14 09:36:39 UTC 2016

On Wed, Apr 13, 2016 at 11:58 PM, Andrew Bartlett <abartlet at> wrote:
> On Wed, 2016-04-13 at 11:52 -0700, Richard Sharpe wrote:
>> I am suggesting it as an interim solution that mitigates the risk
>> while we get the complete solution through the organization because
>> QA
>> is going to require a long testing cycle because of the amount of
>> code
>> change that it involves.
> Do you enforce SMB signing in your product?  If not, MITM attacks
> against SMB (and so ncacn_np) are much easier to do than exploiting
> this issue.  The reason the release came with so many other fixes is
> that only with them all fixed and signing required on all protocols doe
> s it make sense.

I don't understand how what you said addresses the issue I raised. We
are working on getting all the changes in and have raised tickets to
do so,

What I am referring to is a way that something can be done quickly
while the rest of it is integrated into the product and tested.

Also, as I have raised elsewhere, any competent QA organization is
going to require reproducers to demonstrate that the claimed problem
exists in the code before it was fixed and is gone after the fix.

> The rest is a pile of correctness stuff that is worthwhile, but put
> another way, if the front door is unlocked, checking the deadbolt on
> the patio isn't much help.
> Andrew Bartlett
> --
> Andrew Bartlett             
> Authentication Developer, Samba Team
> Samba Developer, Catalyst IT

Richard Sharpe

More information about the samba-technical mailing list