[Samba] Need to know Samba version addressing "CVE-2018-14628" fix

Andrew Bartlett abartlet at samba.org
Mon Jan 30 07:51:15 UTC 2023


On Mon, 2023-01-30 at 07:27 +0000, Vivek Anand -X (vivekan - Altran ACT
S.A.S at Cisco) via samba wrote:
> Hi Team,
> We are looking for Security Release Version / patch for
> "CVE-2018-14628" <https://attachments.samba.org/attachment.cgi?id=14477>.
> The above CVE says:
> All versions of Samba from 4.0.0 onwards are vulnerable to an
> information leak (compared with the established behaviour of
> Microsoft's Active Directory) when Samba is an Active Directory
> Domain Controller.
> A patch addressing this defect has been posted to
>   http://www.samba.org/samba/security/
> 
> Additionally, Samba 4.7.x 4.8.x and 4.9.x have been issued as
> a security release to correct the defect.

These words are from a draft advisory that was never published.

> But on samba security page, we are unable to find patch/release
> version addressing "CVE-2018-14628"
> We are using "samba-4.17.3" and have queries as below:
>   1.  Is "samba-4.17.3" affected by vulnerability "CVE-2018-14628"?

The issue remains unfixed and is being tracked at 
https://bugzilla.samba.org/show_bug.cgi?id=CVE-2018-14628

Sorry,

Also, if the AD DC is not being used, then this is not important at
all.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions


