enterprise-support team mailing list archive

Thread
Date

[Bug 1956635] Re: samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Kellen Renshaw <1956635@xxxxxxxxxxxxxxxxxx>
Date: Tue, 11 Jan 2022 22:33:43 -0000
Reply-to: Bug 1956635 <1956635@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Received this explanation:
CVE-2020-25717 is about samba performing a fallback from "DOMAIN\account" to
simply "account" and ignoring the domain part. This would allow users to take
advantage of the fallback to escalate privileges.

The only way to fix the issue is to remove the fallback, hence winbind is now
required after the security update is applied. While this was a soft requirement
in 4.8 and later versions, fixing the security issue changed it to a hard
requirement as the fallback is no longer available. While the soft requirement
was introduced in 4.8, if we want to fix the security issue in 4.7 in Bionic, we
unfortunately had to require winbind also.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25717

** Changed in: samba (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1956635

Title:
  samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using
  winbind

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1956635/+subscriptions

References

[Bug 1956635] [NEW] samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind
From: Kellen Renshaw, 2022-01-07