Hi,

This is a heads-up that there will be Samba security updates on
Thursday, July 2 2020. Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:
- AD DC (CVSS 7.5, Medium)
- File server (CVSS 7.5, Medium)

Andrew Bartlett
--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

Andrew Bartlett
2020-Jul-02 20:40 UTC
[Samba] Samba 4.12.4, 4.11.11 and 4.10.17: File server not impacted (was: Re: Heads-up: Security Releases ahead!)
On Fri, 2020-06-26 at 07:58 +1200, Andrew Bartlett via samba-technical wrote:
> Hi,
>
> This is a heads-up that there will be Samba security updates on
> Thursday, July 2 2020. Please make sure that your Samba
> servers will be updated soon after the release!
>
> Impacted components:
> - AD DC (CVSS 7.5, Medium)
> - File server (CVSS 7.5, Medium)

I wish to apologise to any file server users who got a scare from this.

Subsequent analysis showed that nmbd, as used in the file server, is not impacted by these issues.

The incorrectly assessed issue was:

CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU

Thanks to all Samba users for your understanding.

AD DC users should of course patch with urgency, even if only for reliability.

While CVE-2020-10745 came from fuzzing, all the other issues came via user reports of real-world network traffic. We thank those users and encourage all Samba users who can crash Samba to report those issues confidentially, see https://wiki.samba.org/index.php/Samba_Security_Process#Reporting_Security_Defects_in_Samba

Andrew Bartlett
--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba