[Samba] Partial mitigations for the Nov Samba CVEs
Andrew Bartlett
abartlet at samba.org
Mon Nov 22 17:43:50 UTC 2021
On Mon, 2021-11-22 at 15:01 +0100, Salvatore Bonaccorso wrote:
> Thank you for helping identify the bare minimum to pick. I'm working on
> this for Debian (for buster) and based on the above I have test
> packages at:
>
> https://people.debian.org/~carnil/tmp/samba/2021-11-09/
>
Great, thanks for picking this up.
> (they are not signed! So anyone reading this, they should not be
> considered production ready)
>
> What is missing from here with that: The above referenced update would
> still require admins of the setups described in
> https://www.samba.org/samba/security/CVE-2020-25717.html to apply the
> 'username map' and 'username map script'. So a followup in the form of
> https://bugzilla.samba.org/show_bug.cgi?id=14901 as well for 4.9 would
> be good to have (help on that part as well much appreciated if
> possible).
>
> I see there are patches for 4.10, so I will try to take your patches
> for 4.9.
The trick there would be to take the C parts, as the new testsuite is
Python 3.6 only anyway. The C code hasn't changed much, I hope it will
drop in OK.
The same would apply for almost all the patches really, I'm not
expecting big dramas to take the tested C patches from 4.10 to 4.9 but
the more that is changed the riskier it becomes, and I don't 'do'
untested patches :-)
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions