Vivek Anand -X (vivekan - Altran ACT S.A.S at Cisco)
2023-Jan-30 07:27 UTC
[Samba] Need to know Samba version addressing "CVE-2018-14628" fix
Hi Team,

We are looking for Security Release Version / patch for "CVE-2018-14628" <https://attachments.samba.org/attachment.cgi?id=14477>.

The above CVE says:

All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.7.x, 4.8.x and 4.9.x have been issued as a security release to correct the defect.

But on the samba security page, we are unable to find a patch/release version addressing "CVE-2018-14628".

We are using "samba-4.17.3" and have queries as below:

1. Is "samba-4.17.3" affected by vulnerability "CVE-2018-14628"?
2. If yes, which samba version/patch contains the fix for the above CVE?

Thanks,
Vivek Anand
Andrew Bartlett
2023-Jan-30 07:51 UTC
[Samba] Need to know Samba version addressing "CVE-2018-14628" fix
On Mon, 2023-01-30 at 07:27 +0000, Vivek Anand -X (vivekan - Altran ACT S.A.S at Cisco) via samba wrote:

> Hi Team,
> We are looking for Security Release Version / patch for "CVE-2018-14628" <https://attachments.samba.org/attachment.cgi?id=14477>.
> The above CVE says:
> All versions of Samba from 4.0.0 onwards are vulnerable to an
> information leak (compared with the established behaviour of
> Microsoft's Active Directory) when Samba is an Active Directory Domain
> Controller.
> A patch addressing this defect has been posted to
> http://www.samba.org/samba/security/
>
> Additionally, Samba 4.7.x 4.8.x and 4.9.x have been issued as
> a security release to correct the defect.

These words are from a draft advisory that was never published.

> But on samba security page, we are unable to find patch/release
> version addressing "CVE-2018-14628"
> We are using "samba-4.17.3" and have queries as below:
> 1. Is "samba-4.17.3" affected by vulnerability "CVE-2018-14628"?

The issue remains unfixed and is being tracked at https://bugzilla.samba.org/show_bug.cgi?id=CVE-2018-14628

Sorry,

Also, if the AD DC is not being used, then this is not important at all.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions