Univention Bugzilla – Bug 54015
samba: Multiple issues (5.0)
Last modified: 2022-01-24 10:52:27 CET
Security update scheduled for January 10th 2022.
* https://bugzilla.samba.org/show_bug.cgi?id=13979
* https://bugzilla.samba.org/show_bug.cgi?id=14842
We should check https://gitlab.com/samba-team/samba/-/merge_requests/2251 which suggests https://gitlab.com/samba-team/samba/-/merge_requests/2253 as a better approach, to see if we should replace 98_CVE-2020-25717-add-local-nt-token-from-nss.quilt to be closer to upstream.
See https://bugzilla.samba.org/show_bug.cgi?id=14901 for Comment 1
Created attachment 10899
0001-s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch

The general mitigation is
* UCS 5.0 Samba already defaults to SMB2 as minimum, but maybe updated systems or custom settings didn't follow that. So we should recommend checking
    testparm -sv --parameter-name="server min protocol"
  and if that returns LANMAN1, then recommend adjusting with
    ucr set samba/min/protocol=SMB2_02; /etc/init.d/samba restart
* Don't export a samba share also via smb
* Don't allow user access to share directories on server side

The latter is already standard of UCS/Samba AD DCs.

For CVE-2021-20316 the upstream (4.15) changes are too invasive to backport.
For CVE-2021-43566 there is a patch that applies to 4.13, see attachment.
(In reply to Arvid Requate from comment #3)
> * Don't export a samba share also via smb

The typo is rather significant, it should be
Don't export a samba share also via _NFS_
Yes, right, silly annoying typo, sorry.

I've cherry-picked samba from errata5.0-0 to errata5.0-1 and rebuilt it with that patch. Also I added the additional recommendations https://help.univention.com/t/19188 to the advisory.

New patch: 98_CVE-2021-43566.quilt
5667a77da9 | Advisory
6e8b3e9dff | Advisory update
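Added example (not part of the bug report or of Univention's tooling): a shell helper for the two configuration checks in the mitigation list above, reading the second item as NFS per the correction in the reply. Function names and the `--live` switch are hypothetical; flagging every pre-SMB2 value (not only LANMAN1) and nested paths goes beyond what the comments state.

```shell
#!/bin/sh
# Added example: audit helper for the mitigations discussed in this bug.
# Function names and the --live switch are hypothetical, not UCS tooling.

# True (0) if a "server min protocol" value still permits SMB1-class dialects.
min_protocol_allows_smb1() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every "path = ..." value from saved testparm -s output (file $1).
share_paths() {
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$1" | sed 's:/*$::'
}

# Print the exported directory of each entry in an exports(5) file ($1).
# Simplification: quoted paths containing spaces are not handled.
nfs_export_paths() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }' | sed 's:/*$::'
}

# Print each Samba share path that equals, contains, or lies inside an
# NFS export. Comparing with a trailing "/" keeps /var/scans from
# matching /var/scans-old.
shares_also_on_nfs() {
    share_paths "$1" | while IFS= read -r s; do
        nfs_export_paths "$2" | while IFS= read -r e; do
            case "$s/" in "$e/"*) echo "${s:-/}"; break ;; esac
            case "$e/" in "$s/"*) echo "${s:-/}"; break ;; esac
        done
    done | sort -u
}

# Live check on a server; the fix for a weak value is the one given above:
#   ucr set samba/min/protocol=SMB2_02; /etc/init.d/samba restart
if [ "${1:-}" = "--live" ]; then
    v=$(testparm -sv --parameter-name="server min protocol" 2>/dev/null)
    min_protocol_allows_smb1 "$v" && echo "WEAK: server min protocol = $v"
    t=$(mktemp) && testparm -s 2>/dev/null >"$t"
    shares_also_on_nfs "$t" /etc/exports | sed 's/^/ALSO ON NFS: /'
    rm -f "$t"
fi
```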
OK: 98_CVE-2021-43566.quilt applied for CVE-2021-43566
OK: CVE-2021-20316 cannot be backported, we will have to update to Samba 4.15 at some point
OK: Help article
OK: yaml
Verified
<https://errata.software-univention.de/#/?erratum=5.0x187>