
Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?


Samuel Wolf
Oct 24, 2022, 5:30:04 AM
Package: samba
Version: 2:4.13.13+dfsg-1~deb11u5
Severity: normal

Hello,

is it possible to patch the Samba version in Debian stable with the Kerberos patch?
Or should we move forward to the Samba backports version until the next Debian stable release?

https://bugzilla.samba.org/show_bug.cgi?id=15197

-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/6 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.12
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u5
ii libgnutls30 3.7.1-5+deb11u2
ii libldb2 2:2.2.3-2~deb11u2
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpopt0 1.18-2
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.1-2+b1
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.3-1+b1
ii libtevent0 0.10.2-1
ii libwbclient0 2:4.13.13+dfsg-1~deb11u5
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
ii python3-samba 2:4.13.13+dfsg-1~deb11u5
ii samba-common 2:4.13.13+dfsg-1~deb11u5
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u5
ii samba-libs 2:4.13.13+dfsg-1~deb11u5
ii tdb-tools 1.4.3-1+b1

Versions of packages samba recommends:
ii attr 1:2.4.48-6
ii logrotate 3.18.0-2+deb11u1
ii python3-markdown 3.3.4-1
ii samba-dsdb-modules 2:4.13.13+dfsg-1~deb11u5
ii samba-vfs-modules 2:4.13.13+dfsg-1~deb11u5

Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
pn ldb-tools <none>
pn ntp | chrony <none>
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.13.13+dfsg-1~deb11u5

-- no debconf information

Michael Tokarev
Oct 24, 2022, 5:50:04 AM
Control: tag -1 confirmed upstream patch
Control: forwarded -1 https://bugzilla.samba.org/show_bug.cgi?id=15197
Control: severity -1 important

24.10.2022 12:22, Samuel Wolf wrote:
> Package: samba
> Version: 2:4.13.13+dfsg-1~deb11u5
> Severity: normal
>
> Hello,
>
> is it possible to patch the Samba version in Debian stable with the Kerberos patch?

Yes, it is possible; more than that, it is trivial to _patch_ it. But it is not that easy
to get the resulting binaries into the archive.

Another security update for samba is expected tomorrow; if that affects bullseye
too, I hope to get all the fixes together for the next update.

> Or should we move forward to the Samba backports version until the next Debian stable release?

This is the preferred way regardless. 4.13 is not supported upstream anymore,
and our support of 4.13 in Debian is even more limited than that. Moreover,
4.16 in bpo is much more accurate.
>
> https://bugzilla.samba.org/show_bug.cgi?id=15197

Yeah, I know about this issue.

Thanks,

/mjt

Samuel Wolf
Oct 24, 2022, 9:00:04 AM
> Yes, it is possible; more than that, it is trivial to _patch_ it. But it is not that easy
> to get the resulting binaries into the archive.
>
> Another security update for samba is expected tomorrow; if that affects bullseye
> too, I hope to get all the fixes together for the next update.

Thank you Michael.

> This is the preferred way regardless. 4.13 is not supported upstream anymore,
> and our support of 4.13 in Debian is even more limited than that. Moreover,
> 4.16 in bpo is much more accurate.

Is the backports Samba package also monitored for security issues?

Thanks.

Michael Tokarev
Oct 24, 2022, 9:10:03 AM
24.10.2022 15:47, Samuel Wolf wrote:

> Is the backports Samba package also monitored for security issues?

It is not, just like the bullseye samba package.

For security and general bugfix support, we basically rely on the upstream
samba team. Once a security update is out, I tend to make it available
to Debian in unstable/testing and backports.
The Debian bullseye/stable version only receives "easily backportable"
fixes.

/mjt

Michael Tokarev
Nov 2, 2022, 3:50:04 AM
24.10.2022 15:47, Samuel Wolf wrote:
>> Yes, it is possible; more than that, it is trivial to _patch_ it. But it is not that easy
>> to get the resulting binaries into the archive.

Samuel, care to test a bullseye 4.13 samba patched with this 22H2 Kerberos thing?
I don't have a test environment here; setting it up is quite a bit of work, as I'll
need several virtual machines with different OSes, including Win 22H2.

I prepared bullseye samba builds; if you (or anyone else) have a way to test them,
please do.

http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/ , in particular,
http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/samba-4.13/samba_4.13.13+dfsg-1~deb11u5a/
In apt sources.list form, it is:

deb http://www.corpit.ru/mjt/packages/samba debian-11-bullseye-test/samba-4.13/

(the trailing slash is important!). This is a temporary repository signed with
the GPG key I use for Debian packaging.

There are 2 changes in this release compared with the current 4.13.13+dfsg-1~deb11u5:

samba (2:4.13.13+dfsg-1~deb11u5a) bullseye-test; urgency=medium

  * CVE-2022-3437-des3-overflow-v4a-4.13.patch
    Closes: CVE-2022-3437 (Heimdal unwrap_des/unwrap_des3 buffer overflow)
  * windows11-22h2-kerrberos-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
    Closes: #1022574, incorrect AD DC behavior with Windows11 22H2

If everything goes well, I'll try to push this one to bullseye-security.

Thanks!

/mjt
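
As an added example (not part of this thread, and not Michael's repository configuration), here is how a defender would scope a temporary, single-purpose third-party repository like the bullseye-test one above so that its signing key and its packages stay contained, plus a check that the whole samba package family moved to the same version after the upgrade. The repository URI and flat-repository path are the ones from the message; the sources/preferences file names, the keyring path, the pin priorities, the `samba*` glob and the `mixed_versions` helper are assumptions for illustration. The public key file itself is a placeholder that must be filled in from a trusted copy of the maintainer's key.

```shell
#!/bin/sh
# Added example, not the thread's or the maintainer's code.
# Scope a temporary third-party apt repository (deb822 source with Signed-By,
# plus pins) and verify that all samba packages ended up on one version.
set -eu

REPO_URI="http://www.corpit.ru/mjt/packages/samba"
# Flat repository path from the thread: the trailing slash is required.
REPO_SUITE="debian-11-bullseye-test/samba-4.13/"
# Placeholder path (assumption): store the maintainer's public key here, in
# ASCII-armored or binary OpenPGP form, obtained out of band from a trusted source.
KEYRING="/etc/apt/keyrings/samba-bullseye-test.asc"

# A flat (dist-less) repository path must end with "/", as the thread warns;
# without it apt would look for dists/<suite>/Release and fail.
flat_suite_ok() {
    case "$1" in
        */) return 0 ;;
        *)  return 1 ;;
    esac
}

# Write the deb822 source and a pin file below ROOT ("" means the live system).
# Signed-By ties the key to this one repository instead of trusting it for
# every archive; the first pin lets only the samba family (package names as
# listed in the bug report, glob is an assumption) come from this origin, and
# the second keeps every other package from that origin from becoming a candidate.
write_temp_repo_files() {
    root="$1"
    flat_suite_ok "$REPO_SUITE" || { echo "suite must end with /" >&2; return 1; }
    mkdir -p "$root/etc/apt/sources.list.d" "$root/etc/apt/preferences.d"
    cat > "$root/etc/apt/sources.list.d/samba-bullseye-test.sources" <<EOF
Types: deb
URIs: $REPO_URI
Suites: $REPO_SUITE
Signed-By: $KEYRING
EOF
    cat > "$root/etc/apt/preferences.d/samba-bullseye-test" <<EOF
# Only the samba packages from the bug report may come from the test repo.
Package: samba* libwbclient0 python3-samba winbind
Pin: origin www.corpit.ru
Pin-Priority: 990

# Nothing else from that origin is ever installed.
Package: *
Pin: origin www.corpit.ru
Pin-Priority: -10
EOF
}

# Read "<package> <version>" lines (dpkg-query -W output) on stdin and print
# every package whose version is not the expected one, so a half-applied
# upgrade (samba on the test build, samba-libs still on the old one) is visible.
mixed_versions() {
    awk -v want="$1" '$2 != want { print $1 " " $2 }'
}

# Stand-alone demo: render the files into a scratch directory and show them,
# without touching /etc.
demo_dir=$(mktemp -d)
write_temp_repo_files "$demo_dir"
cat "$demo_dir/etc/apt/sources.list.d/samba-bullseye-test.sources" \
    "$demo_dir/etc/apt/preferences.d/samba-bullseye-test"
rm -rf "$demo_dir"
```

On a real system, run `write_temp_repo_files ""` as root after placing the key file, then `apt update` and `apt policy samba` to confirm that the test build is the candidate only for the pinned packages. After upgrading, `dpkg-query -W -f '${Package} ${Version}\n' samba samba-libs samba-common-bin libwbclient0 winbind | mixed_versions '2:4.13.13+dfsg-1~deb11u5a'` should print nothing; any line it prints is a package left on a different version. Removing the two files and the key file retires the repository once the fix lands in bullseye-security.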

Samuel Wolf
Nov 6, 2022, 4:00:04 AM
> Samuel, care to test a bullseye 4.13 samba patched with this 22H2 Kerberos thing?
> I don't have a test environment here; setting it up is quite a bit of work, as I'll
> need several virtual machines with different OSes, including Win 22H2.

Michael, I already upgraded to the backports version; downgrading again
is not a good idea, I guess.
"Works with backports" doesn't help you, does it?

Samuel

Tom Weber
Dec 7, 2022, 4:10:03 PM
On 02.11.22 at 08:39, Michael Tokarev wrote:
Hitting the problem with 22H2, I upgraded samba today to your provided packages on bullseye.

So far all seems to work; quick tests with 7/10/11/2016.

Thanks for your work!
Tom

Michael Tokarev
Dec 8, 2022, 2:00:04 AM
07.12.2022 23:56, Tom Weber wrote:
..
> Hitting the problem with 22H2, I upgraded samba today to your provided packages on bullseye.

Tom, I strongly suggest you upgrade to bullseye-backports (4.17), it
is in *significantly* better shape and is actually supported (upstream
and by me). 4.13 in bullseye lacks many bugfixes, is not supported
upstream and is only supported by me in a "lazy" manner.

Thanks!

/mjt