Univention Bugzilla – Bug 52066
(ES 4.3) samba
Last modified: 2021-06-14 09:42:16 CEST
Provide samba version 2:4.10.1-1A~4.4.0.202006301635 for UCS 4.3

First imported at bug #51532

This update addresses the following issues:

* A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer de-reference, and further combinations with the LDAP paged_results feature can give a use-after-free in Samba's AD DC LDAP server. (CVE-2020-10730)
* Compression of replies to NetBIOS over TCP/IP name resolution and DNS packets (which can be supplied as UDP requests) can be abused to consume excessive amounts of CPU on the Samba AD DC (only). (CVE-2020-10745)
* The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free. (CVE-2020-10760)
* The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet to port 137. (CVE-2020-14303)
See bug 51210 for information about a removal of the package version in UCS 4.3-5. This has to be fixed before providing the package as ES 4.3. I will remove the samba and ldb package from the ES 4.3 scope for now.
should be still relevant for UCS 4.4
(In reply to Ingo Steuwer from comment #3)
> should be still relevant for UCS 4.4

no, wrong bug -> still UCS 4.3
Extended security maintenance for UCS 4.3 ended on 31 May 2021. Customers with access to 4.3 extended security maintenance did not run samba on their UCS 4.3 systems, so there was no requirement to fix this in 4.3. Bug closed.