[Samba] [FEEDBACK WANTED] Proposal to not do security releases for recoverable DoS issues
Andrew Bartlett
abartlet at samba.org
Tue Aug 31 04:55:26 UTC 2021
On Mon, 2021-08-16 at 16:54 +1200, Andrew Bartlett via samba wrote:
> I just wanted to give folks here a heads up that I'm asking the Samba
> Team to change the Samba security process to avoid issuing a Samba
> security release for a Denial of Service where that issue is not
> persistent.
>
> There are, sadly, many ways to overwhelm a Samba Server, and
> occasionally we find some ways that are not just flooding, where
> particular packets can crash the server.
I've made that change; you can see it here:
https://wiki.samba.org/index.php?title=Samba_Security_Process&type=revision&diff=17607&oldid=17181
I've had feedback from Red Hat that they would still see value in a
CVE- number being assigned for such issues, but without the rest of the
process.
As Red Hat assigns those numbers for us, that seems reasonable, but
I'll put any further changes to the Samba Team, as the team as a whole
owns the policy.
As this means some CVE- marked things might be referenced in Samba
without a security release, and because it is useful anyway, I've added
links to all the CVEs in bugzilla to our security pages.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions