G'Day Debian Developers and potentially other folks packaging Samba.

A number of distributions have rightly been reluctant, particularly given my warnings, to backport the patches for our recent issues to older versions. While a monster patch was generated for Samba 4.10, Samba 4.9 and earlier only support Python 2, and the modern testsuite validating these changes is written targeting Python 3.6.

Regardless, I've put some thought into what would be the barest of minimal steps to mitigate the worst of the Samba CVEs issued recently:

https://bugzilla.samba.org/show_bug.cgi?id=14564#c16
https://bugzilla.samba.org/show_bug.cgi?id=14561#c31

In short, for the cases where a full backport is not possible, it would be good to at least take these patches from https://bugzilla.samba.org/show_bug.cgi?id=14725:

CVE-2020-25722 Ensure the structural objectclass cannot be changed
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify

The "CVE-2020-25722 Ensure the structural objectclass cannot be changed" patch is, for the AD DC, the bit that changes this from "any user can become domain admin" (really horrible) to "semi-privileged users become domain admin" (bad, but not horrible), and is quite isolated in terms of backport conflicts.

I would note that for CVE-2020-25717 [SECURITY] A user on the domain can become root on domain members (https://bugzilla.samba.org/show_bug.cgi?id=14556), backports have been made to many, many versions. This also includes the patch:

CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

That is very helpful on the AD DC for CVE-2020-25719, but there is still much more to fix that issue if unprivileged users can create other users.
I hope this helps,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions