Samba 4.12.4, 4.11.11 and 4.10.17: File server not impacted (was: Re: Heads-up: Security Releases ahead!)
abartlet at samba.org
Thu Jul 2 20:40:37 UTC 2020
On Fri, 2020-06-26 at 07:58 +1200, Andrew Bartlett via samba-technical
> This is a heads-up that there will be Samba security updates on
> Thursday, July 2 2020. Please make sure that your Samba
> servers will be updated soon after the release!
> Impacted components:
> - AD DC (CVSS 7.5, Medium)
> - File server (CVSS 7.5, Medium)

I wish to apologise to any file server users who got a scare from this.
Subsequent analysis showed that nmbd, as used in the file server, is
not impacted by these issues.

The incorrectly assessed issue was:
CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume

Thanks to all Samba users for your understanding.

AD DC users should of course patch with urgency, even if only for
reliability. While CVE-2020-10745 came from fuzzing, all the other
issues came via user reports of real-world network traffic.

We thank those users and encourage all Samba users who can crash Samba
to report those issues confidentially, see

Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT