Samba in UCS 4.4 is affected by

 * https://www.samba.org/samba/security/CVE-2022-37966.html
 * https://www.samba.org/samba/security/CVE-2022-37967.html
 * https://www.samba.org/samba/security/CVE-2022-38023.html

which are fixed in the regular release Samba 4.16.8, and additionally by

 * https://www.samba.org/samba/security/CVE-2022-45141.html

+++ This bug was initially created as a clone of Bug #55511 +++

Samba 4.16.8 has been released: https://www.samba.org/samba/history/samba-4.16.8.html

It addresses security issues:

 * https://www.samba.org/samba/security/CVE-2022-37966.html
 * https://www.samba.org/samba/security/CVE-2022-37967.html
 * https://www.samba.org/samba/security/CVE-2022-38023.html
Backporting the changes to Samba 4.10.18 may not be possible, and updating Samba to anything higher than 4.13.7 (the version contained in the original UCS 5.0-0 major release) would break the package update chain. The upstream advisory for the first CVE explains how to fix this. I've adapted the upstream advice for UCS and published it as a help article: https://help.univention.com/t/20961 or https://help.univention.com/t/samba-deprecates-rc4-hmac-cipher-for-kerberos-session-keys
Since we still use UCS 4.4 and AD Member Mode, is this bug relevant for us?
The first two vulnerabilities are related to Samba/AD KDC behavior. In AD-Member configuration, the UCS server will use the Microsoft AD KDC instead, for which Microsoft has issued updates addressing the issues. The vulnerability https://www.samba.org/samba/security/CVE-2022-38023.html also affects fileservers as far as I understand, and as described in that advisory, the Samba patch just changes the default for two configuration options. This can also be done manually by running

  ucr set samba/global/options/"reject md5 servers"=yes \
          samba/global/options/"reject md5 clients"=yes
  /etc/init.d/samba restart

on all UCS servers running Samba.
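As an added example (not part of this bug report or of the UCS/Samba code), the following POSIX shell script checks whether an smb.conf actually carries the two hardened settings named above, "reject md5 servers" and "reject md5 clients", in its [global] section. It is meant as a post-change verification on a fileserver after the ucr set / samba restart: it reads the configuration file path you pass in (the path and the sample configurations embedded below are constructed for the demonstration) and exits non-zero when either option is missing or not enabled.

```shell
#!/bin/sh
# Added example: verify that both "reject md5 servers" and "reject md5 clients"
# are enabled in the [global] section of an smb.conf. Not UCS or Samba code.

# Print the lowercase value of a [global] option from an smb.conf, or "unset".
# Tolerates arbitrary spacing and case; ignores ';'/'#' comment lines and
# options that only appear in share sections such as [homes].
smb_global_option() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*[;#]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                 # section header
            insection = (tolower($0) ~ /^[[:space:]]*\[global]/)
            next
        }
        insection && /=/ {
            split($0, kv, "=")
            k = tolower(kv[1]); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = tolower(kv[2]); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == tolower(key)) val = v                  # last one wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$conf"
}

# Return 0 only if both reject-md5 options are enabled (Samba accepts
# yes/true/1 as boolean true); print one status line per option.
check_reject_md5() {
    conf="$1"; rc=0
    for opt in "reject md5 servers" "reject md5 clients"; do
        v=$(smb_global_option "$conf" "$opt")
        case "$v" in
            yes|true|1) printf '%-20s = %-5s ok\n' "$opt" "$v" ;;
            *) printf '%-20s = %-5s NOT hardened (pre-fix default)\n' "$opt" "$v"
               rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on two constructed configurations: one hardened as described
# in the comment above, one left at the old defaults.
demo() {
    tmp=$(mktemp -d) || exit 1
    cat > "$tmp/hardened.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   reject md5 servers = yes
   reject md5 clients = Yes
[homes]
   ; share-level setting must not count as a global one
   reject md5 clients = no
EOF
    cat > "$tmp/default.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
EOF
    echo "== hardened.conf"; check_reject_md5 "$tmp/hardened.conf" || true
    echo "== default.conf";  check_reject_md5 "$tmp/default.conf"  || true
    rm -rf "$tmp"
}

demo
```

On a live UCS system the settings written by ucr end up in the generated smb.conf; running the check against the output of `testparm -s` instead of the raw file shows the values Samba actually loaded after the restart.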