24.10.2022 15:47, Samuel Wolf wrote:
Yes, it is possible; more, it is trivial to _patch_ it. But it is not that easy to get the resulting binaries into the archive.

Samuel, care to test a bullseye 4.13 samba patched with this 22H2 kerberos thing? I don't have a test environment here, and setting it up is quite a bit of work - I'll need several virtual machines with different OSes, including win 22H2..

I prepared a bullseye samba build; if you (or anyone else) have a way to test it, please do.

http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/ ,
in particular,
http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/samba-4.13/samba_4.13.13+dfsg-1~deb11u5a/

In an apt/sources.list form, it is:

    deb http://www.corpit.ru/mjt/packages/samba debian-11-bullseye-test/samba-4.13/

(the trailing slash is important!).

This is a temporary repository signed with my GPG key I use for Debian packaging.

There are 2 changes in this release compared with current 4.13.13+dfsg-1~deb11u5:

    samba (2:4.13.13+dfsg-1~deb11u5a) bullseye-test; urgency=medium

      * CVE-2022-3437-des3-overflow-v4a-4.13.patch
        Closes: CVE-2022-3437 (Heimdal unwrap_des/unwrap_des3 buffer overflow)
      * windows11-22h2-kerrberos-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
        Closes: #1022574, incorrect AD DC behavior with Windows11 22H2

If everything goes well, I'll try to push this one to bullseye-security.

Thanks!

/mjt

