[FEEDBACK WANTED] Proposal to not do security releases for recoverable DoS issues

Andrew Bartlett abartlet at samba.org
Mon Aug 16 04:54:48 UTC 2021


I just wanted to give folks here a heads up that I'm asking the Samba
Team to change the Samba security process to avoid issuing a Samba
security release for a Denial of Service where that issue is not
persistent.

There are, sadly, many ways to overwhelm a Samba Server, and
occasionally we find some ways that are not just flooding, where
particular packets can crash the server.  

Where the issue is just a crash - say a NULL pointer is de-referenced -
and where that part of Samba does auto-restart, for example in the AD
DC for the LDAP, KDC and RPC servers, we would just fix the issue
without a full security release, and prepare a backport to the
supported releases (but not the security-only branch).

What my proposal would avoid is allocating a CVE and issuing a security
release, patch and advisory in this case.  We find security releases
take around 10x-20x the effort of a normal bug, once everything is
considered, and by their nature need to avoid our public CI and review
process.

The reason for this mail is to ask for feedback, in case I've missed
something about this change that would significantly impact you or your
installations.  

Do be aware that, as I mentioned in my SambaXP talk [1], it is already
a struggle to address all the issues raised - some lower priority
issues don't get the full attention they deserve - so part of the
motivation is to allow a better focus on the most important issues by
avoiding large costs dealing with a 'simple' Denial of Service.

Please let me know your thoughts,

Andrew Bartlett

[1] https://sambaxp.org/fileadmin/user_upload/sambaxp2021-slides/Bartlett_Inside_Your_Samba_Security_Release.pdf

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
