While this is no doubt a big headache and a ton of work for Tim, and I
empathize, this is also a very good discussion to help others avoid this.
I think this would make for a great page on the Wiki to have some of these
suggested measures available for everyone to have ready access to.

I am only wondering if it should be its own subject/parent page or a child
page to something like planning an installation.


73.
--Rich



On Wed, Dec 15, 2021 at 11:52 PM Brian <theturtl...@gmail.com> wrote:

> One more thought... Samba is Open Source, and I think you could make a
> case that mature, established, widely-used open source software is
> generally less exploitable than widely-used proprietary software of any
> age. The reason for this being the fact that the source code is public.
>
> With public source code in a mature codebase, all the low-hanging fruit
> has been plucked years ago. The first place a would-be exploit creator is
> going to look for vulnerabilities is the source code. Same with security
> researchers. The whole world can clearly see the implementation of the
> software, and so with something as widely deployed as Samba, errors will be
> caught swiftly by anyone from a random software engineer perusing the
> codebase out of curiosity to a security researcher being paid to find
> vulnerabilities in open source software. It follows from the sheer number
> of eyeballs looking at the code.
>
> Brian
>
>
> On Wed, Dec 15, 2021 at 8:43 PM Brian <theturtl...@gmail.com> wrote:
>
>> On Wed, Dec 15, 2021 at 9:02 AM Alejandro olivan Alvarez <
>> alejandro.olivan.alva...@gmail.com> wrote:
>>
>>> Being a Linux-only user, I would add that, IMHO (and at the risk of being
>>> polemic), nothing is more secure regarding security fixes/updates on the SMB
>>> protocol than MS itself (Windows Server environment, with AD)... MS will be
>>> the first to detect AND DEPLOY any security fix for MS machines via Windows
>>> Update. A Linux machine, on the other hand, can live happily with
>>> older/vulnerable Samba packages for ages.
>>>
>> I'm not sure this conclusion follows from the premises. Samba on *nix is
>> a totally independent implementation of the SMB/CIFS protocols that shares
>> nothing in common with the MS implementations. 99.9% of the time,
>> vulnerabilities like the one described aren't caused by an inherent flaw in
>> the protocol itself, but by a flaw in one of the implementations of the protocol. If
>> the vulnerability were in the protocol itself, that would generally require
>> disabling the related feature of the protocol or rolling out a new version
>> of the protocol itself, not just patching a bug. The actual coding bugs
>> that could be exploited are nearly always going to be totally different –
>> and in totally different places – from one implementation to the next.
>>
>> An exploit that works against Samba is *extremely* unlikely to work
>> against Windows, and an exploit that works against Windows is *extremely*
>> unlikely to work against Samba.
>>
>> Therefore, how fast Microsoft patches a vulnerability has no bearing on
>> the relative security in practice of choosing Samba.
>>
>> On the other hand, Microsoft has the disadvantage of being considerably
>> more widely deployed as an enterprise file server than Samba on *nix – and
>> therefore a much juicier target for malicious attackers to spend their time
>> developing exploits for.
>> (Though I admit, one might reasonably make the case that the
>> proliferation of Samba on Linux-based NAS appliances might actually make it
>> an equally tempting target.)
>>
>> I think it's likely that exploitable vulnerabilities are less commonly
>> discovered in Samba than in Windows, so even if they take longer to patch,
>> it may still end up being the case that there are fewer days per year that
>> a vulnerability could be actively exploited on Samba than on Windows. (I
>> would need to compare the frequency/severity of CVEs on both platforms,
>> taking the number of days unpatched into account, to say with certainty.)
>>
>> To summarize:
>> * MS is going to have a lot more exploits to patch to keep up with and on
>> top of.
>> * The exploits that work against MS will almost never work against Samba
>> and vice versa.
>> * Logically, the swiftness of Microsoft patching vulnerabilities in
>> Windows has nothing to say one way or the other about the relative security
>> of a Samba deployment.
>>
>> Brian
>>
>>
> _______________________________________________
> Rivendell-dev mailing list
> Rivendell-dev@lists.rivendellaudio.org
> http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
>


-- 
-=:{ Rich Gattie, KB2MOB }:=-
Email: mob...@gmail.com
Web: http://x1radio.net