Andrew Bartlett
2021-Aug-16 04:54 UTC
[Samba] [FEEDBACK WANTED] Proposal to not do security releases for recoverable DoS issues
I just wanted to give folks here a heads up that I'm asking the Samba Team to change the Samba security process to avoid issuing a Samba security release for a Denial of Service where that issue is not persistent.

There are, sadly, many ways to overwhelm a Samba Server, and occasionally we find some ways that are not just flooding, where particular packets can crash the server.

Where the issue is just a crash - say a NULL pointer is de-referenced - and where that part of Samba does auto-restart, for example in the AD DC for the LDAP, KDC and RPC servers, we would just fix the issue without a full security release, and prepare a backport to the supported releases (but not the security-only branch).

What my proposal would avoid is allocating a CVE and issuing a security release, patch and advisory in this case. We find security releases take around 10x-20x the effort of a normal bug, once everything is considered, and by their nature need to avoid our public CI and review process.

The reason for this mail is to ask for feedback, in case I've missed something about this change that would significantly impact you or your installations.

Do be aware that, as I mentioned in my SambaXP talk [1], it is already a struggle to address all the issues raised - some lower priority issues don't get the full attention they deserve - so part of the motivation is to allow a better focus on the most important issues by avoiding large costs dealing with a 'simple' Denial of Service.

Please let me know your thoughts,

Andrew Bartlett

[1] https://sambaxp.org/fileadmin/user_upload/sambaxp2021-slides/Bartlett_Inside_Your_Samba_Security_Release.pdf

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Andrew Bartlett
2021-Aug-31 04:55 UTC
[Samba] [FEEDBACK WANTED] Proposal to not do security releases for recoverable DoS issues
On Mon, 2021-08-16 at 16:54 +1200, Andrew Bartlett via samba wrote:
> I just wanted to give folks here a heads up that I'm asking the Samba
> Team to change the Samba security process to avoid issuing a Samba
> security release for a Denial of Service where that issue is not
> persistent.
>
> There are, sadly, many ways to overwhelm a Samba Server, and
> occasionally we find some ways that are not just flooding, where
> particular packets can crash the server.

I've made that change; you can see it here:
https://wiki.samba.org/index.php?title=Samba_Security_Process&type=revision&diff=17607&oldid=17181

I've had feedback from Red Hat that they would still see value in a CVE number being assigned for such issues, but without the rest of the process. As Red Hat assigns those numbers for us, that seems reasonable, but I'll put any further changes to the Samba Team, as the team as a whole owns the policy.

As this means some CVE-marked things might be referenced in Samba without a security release, and because it is useful anyway, I've added links to all the CVEs in bugzilla to our security pages.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions