On Tue, 26 Apr 2016, Madhu A G wrote:
> Samba has released patch for CVE-2016-2118 from 3.6.x release onwards. We
> use samba 3.0.35 in our product. Is there any patch available for
> 3.0.35?
Not exactly true. Samba only releases patches for supported versions,
meaning 4.2 is the oldest version they released patches for.
Some vendors who provide products based on earlier versions have
backported the patches to older versions they support like 3.6.
For more details, see:
http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/
This post mentions that Red Hat did backport some of the fixes to 3.0
(3.0.33 according to their advisory for RHEL4), but some are likely
unfixable. It also mentions that the particular CVE you mentioned doesn't
even apply to Samba 3.0.