Re: [Pkg-samba-maint] fixing CVE-2018-1050 in samba 3.3.6

On Wed, 2018-03-21 at 22:01 +0000, Holger Levsen wrote:
> Dear samba maintainers,
> 
> the fix for CVE-2018-1050 (e.g. from 4.5.12+dfsg-2+deb9u) applies cleanly
> on 3.6.6-6+deb7u15, however CVE-2018-1050 says that only versions >4.0.0
> are affected.
> 
> Since (afaics) there is no known exploit I cannot really test this, but
> I believe 3.6.6-6+deb7u15 is also vulnerable and the ">4.0.0" is only
> claimed to be non-affected because the samba developers don't support
> < 4.0.0 anymore. Is that the case?

No, that isn't how we write our advisories.  The code does appear to be
in 3.6 so hopefully you get a researched answer to your query on the
bug.

> What's your recommendation for what should be done here? To me it seems we
> should fix 3.6.6 in oldoldstable and then also notify others that <4.0.0
> is vulnerable, but I have no idea how to best communicate the latter.

This was always a very minor concern, a DoS in a non-default
configuration.

The patch still applies but the DoS becomes a self-DoS (kill your own
connection) unless those options are set (which is rare, in my view).

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba