Samba 4.12.4, 4.11.11 and 4.10.17: File server not impacted (was: Re: Heads-up: Security Releases ahead!)

Andrew Bartlett abartlet at
Thu Jul 2 20:40:37 UTC 2020

On Fri, 2020-06-26 at 07:58 +1200, Andrew Bartlett via samba-technical
> Hi,
> This is a heads-up that there will be Samba security updates on
> Thursday, July 2 2020. Please make sure that your Samba
> servers will be updated soon after the release!
> Impacted components:
>  - AD DC (CVSS 7.5, Medium)
>  - File server (CVSS 7.5, Medium)

I wish to apologise to any file server users who got a scare from this.

Subsequent analysis showed that nmbd, as used in the file server, is
not impacted by these issues.  

The incorrectly assessed issue was:

CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU 

Thanks to all Samba users for your understanding.

AD DC users should of course patch with urgency, even if only for
reliability.  While CVE-2020-10745 came from fuzzing, all the other
issues came via user reports of real-world network traffic. 

We thank those users and encourage all Samba users who can crash Samba 
to report those issues confidentially, see

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT 
