[Samba] Samba 4.12.4, 4.11.11 and 4.10.17: File server not impacted (was: Re: Heads-up: Security Releases ahead!)
Andrew Bartlett
abartlet at samba.org
Thu Jul 2 20:40:37 UTC 2020
On Fri, 2020-06-26 at 07:58 +1200, Andrew Bartlett via samba-technical
wrote:
> Hi,
>
> This is a heads-up that there will be Samba security updates on
> Thursday, July 2 2020. Please make sure that your Samba
> servers will be updated soon after the release!
>
> Impacted components:
> - AD DC (CVSS 7.5, Medium)
> - File server (CVSS 7.5, Medium)

I wish to apologise to any file server users who got a scare from this.
Subsequent analysis showed that nmbd, as used in the file server, is
not impacted by these issues.

The incorrectly assessed issue was:

CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU

Thanks to all Samba users for your understanding.

AD DC users should of course patch with urgency, even if only for
reliability. While CVE-2020-10745 came from fuzzing, all the other
issues came via user reports of real-world network traffic.

We thank those users and encourage all Samba users who can crash Samba
to report those issues confidentially, see
https://wiki.samba.org/index.php/Samba_Security_Process#Reporting_Security_Defects_in_Samba

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba