[Samba] [FEEDBACK WANTED] Proposal to not do security releases for recoverable DoS issues

Andrew Bartlett abartlet at samba.org
Tue Aug 31 04:55:26 UTC 2021


On Mon, 2021-08-16 at 16:54 +1200, Andrew Bartlett via samba wrote:
> I just wanted to give folks here a heads up that I'm asking the Samba
> Team to change the Samba security process to avoid issuing a Samba
> security release for a Denial of Service where that issue is not
> persistent.
> 
> There are, sadly, many ways to overwhelm a Samba Server, and
> occasionally we find some ways that are not just flooding, where
> particular packets can crash the server.  

I've made that change, you can see that here:

https://wiki.samba.org/index.php?title=Samba_Security_Process&type=revision&diff=17607&oldid=17181

I've had feedback from Red Hat that they would still see value in a
CVE- number being assigned for such issues, but without the rest of the
process.

As Red Hat assigns those numbers for us, that seems reasonable, but
I'll put any further changes to the Samba Team, as the team as a whole
owns the policy.

As this means some CVE- marked things might be referenced in Samba
without a security release, and because it is useful anyway, I've added
links to all the CVEs in bugzilla to our security pages. 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
