[Samba] Badlock CVE-2016-2118 in samba release 3.0.35

Sketch smblist at rednsx.org
Tue Apr 26 19:29:51 UTC 2016


On Tue, 26 Apr 2016, Madhu A G wrote:

> Samba has released patch for CVE-2016-2118 from 3.6.x release onwards.   We
> use samba 3.0.35 in our product.   Is there any patch available for
> 3.0.35?

Not exactly true.  Samba only releases patches for supported versions, 
meaning 4.2 is the oldest version they released patches for.

Some vendors who provide products based on earlier versions have 
backported the patches to older versions they support like 3.6.
For more details, see:

http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/

This post mentions that Redhat did backport some of the fixes to 3.0 
(3.0.33 according to their advisory for RHEL4), but some are likely 
unfixable.  It also mentions that the particular CVE you mentioned doesn't 
even apply to Samba 3.0.
