Samba 4.12.4, 4.11.11 and 4.10.17: File server not impacted (was: Re: Heads-up: Security Releases ahead!)

Andrew Bartlett abartlet at samba.org
Thu Jul 2 20:40:37 UTC 2020


On Fri, 2020-06-26 at 07:58 +1200, Andrew Bartlett via samba-technical
wrote:
> Hi,
> 
> This is a heads-up that there will be Samba security updates on
> Thursday, July 2 2020. Please make sure that your Samba
> servers will be updated soon after the release!
> 
> Impacted components:
>  - AD DC (CVSS 7.5, Medium)
>  - File server (CVSS 7.5, Medium)

I wish to apologise to any file server users who got a scare from this.

Subsequent analysis showed that nmbd, as used in the file server, is
not impacted by these issues.  

The incorrectly assessed issue was:

CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU 

Thanks to all Samba users for your understanding.

AD DC users should of course patch with urgency, even if only for
reliability.  While CVE-2020-10745 came from fuzzing, all the other
issues came via user reports of real-world network traffic. 

We thank those users and encourage all Samba users who can crash Samba 
to report those issues confidentially, see
https://wiki.samba.org/index.php/Samba_Security_Process#Reporting_Security_Defects_in_Samba

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba





