Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-12-07 Thread Michael Tokarev

07.12.2022 23:56, Tom Weber wrote:
..
> Hitting the problem with 22H2, I upgraded samba today to your provided packages
> on bullseye.


Tom, I strongly suggest you upgrade to bullseye-backports (4.17); it
is in *significantly* better shape and is actually supported (upstream
and by me). 4.13 in bullseye lacks many bugfixes, is not supported
upstream and is only supported by me in a "lazy" manner.

Thanks!

/mjt



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-12-07 Thread Tom Weber

On 02.11.22 at 08:39, Michael Tokarev wrote:

> 24.10.2022 15:47, Samuel Wolf wrote:
>
>> Yes it is possible, more, it is trivial to _patch_ it. But it is not that easy
>> to make the resulting binaries into the archive.


> Samuel, care to test a bullseye 4.13 samba patched with this 22H2 kerberos
> thing?
> I don't have a test environment here, setting it up is quite a bit of work, - I'll
> need several virtual machines with different OSes, including win 22H2..
>
> I prepared a bullseye samba build, if you (or anyone else) have a way to test them,
> please do.
>
> http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/ , in particular,
> http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/samba-4.13/samba_4.13.13+dfsg-1~deb11u5a/
> In an apt/sources.list form, it is:
>
> deb http://www.corpit.ru/mjt/packages/samba debian-11-bullseye-test/samba-4.13/
>
> (the trailing slash is important!).  This is a temporary repository signed with
> my GPG key I use for Debian packaging.
>
> There are 2 changes in this release compared with current 4.13.13+dfsg-1~deb11u5:
>
>   samba (2:4.13.13+dfsg-1~deb11u5a) bullseye-test; urgency=medium
>
>     * CVE-2022-3437-des3-overflow-v4a-4.13.patch
>       Closes: CVE-2022-3437 (Heimdal unwrap_des/unwrap_des3 buffer overflow)
>     * windows11-22h2-kerrberos-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
>       Closes: #1022574, incorrect AD DC behavior with Windows11 22H2
>
> If everything goes well, I'll try to push this one to bullseye-security.


Hitting the problem with 22H2, I upgraded samba today to your provided packages
on bullseye.

So far all seems to work - quick tests with 7/10/11/2016

thanks for your work!
  Tom



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-11-06 Thread Samuel Wolf
> Samuel, care to test a bullseye 4.13 samba patched with this 22H2 kerberos
> thing?
> I don't have a test environment here, setting it up is quite a bit of work, - I'll
> need several virtual machines with different OSes, including win 22H2..

Michael, I already upgraded to the backports version; downgrading again
is not a good idea, I guess.
"Works with backports" doesn't help you, does it?

Samuel



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-11-02 Thread Michael Tokarev

24.10.2022 15:47, Samuel Wolf wrote:

> Yes it is possible, more, it is trivial to _patch_ it. But it is not that easy
> to make the resulting binaries into the archive.


Samuel, care to test a bullseye 4.13 samba patched with this 22H2 kerberos
thing?
I don't have a test environment here, setting it up is quite a bit of work, - I'll
need several virtual machines with different OSes, including win 22H2..

I prepared a bullseye samba build, if you (or anyone else) have a way to test them,
please do.

http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/ , in particular,
http://www.corpit.ru/mjt/packages/samba/debian-11-bullseye-test/samba-4.13/samba_4.13.13+dfsg-1~deb11u5a/
In an apt/sources.list form, it is:

deb http://www.corpit.ru/mjt/packages/samba debian-11-bullseye-test/samba-4.13/

(the trailing slash is important!).  This is a temporary repository signed with
my GPG key I use for Debian packaging.

There are 2 changes in this release compared with current 4.13.13+dfsg-1~deb11u5:

  samba (2:4.13.13+dfsg-1~deb11u5a) bullseye-test; urgency=medium

    * CVE-2022-3437-des3-overflow-v4a-4.13.patch
      Closes: CVE-2022-3437 (Heimdal unwrap_des/unwrap_des3 buffer overflow)
    * windows11-22h2-kerrberos-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
      Closes: #1022574, incorrect AD DC behavior with Windows11 22H2

If everything goes well, I'll try to push this one to bullseye-security.

Thanks!

/mjt



Bug#1022574: [Pkg-samba-maint] Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-10-24 Thread Michael Tokarev

24.10.2022 15:47, Samuel Wolf wrote:

> Is the backports Samba package also monitored for security issues?


It is not. Just like the bullseye samba package.

For security and general bugfix support, we basically rely on the upstream
samba team. Once a security update is out, I tend to make it available
to Debian almost immediately, in terms of unstable/testing and backports.
The Debian bullseye/stable version only receives "easily backportable"
fixes.

/mjt



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-10-24 Thread Samuel Wolf
> Yes it is possible, more, it is trivial to _patch_ it. But it is not that easy
> to make the resulting binaries into the archive.
>
> Tomorrow another security update for samba is expected, - if that affects
> bullseye too, I hope to get all fixes together for the next update.

Thank you Michael.

> This is the preferred way regardless.  4.13 is not supported upstream anymore,
> and all our support of 4.13 in Debian is even more limited than that.  More:
> 4.16 in bpo is much more accurate.

Is the backports Samba package also monitored for security issues?

Thanks.



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-10-24 Thread Michael Tokarev

Control: tag -1 confirmed upstream patch
Control: forwarded -1 https://bugzilla.samba.org/show_bug.cgi?id=15197
Control: severity -1 important

24.10.2022 12:22, Samuel Wolf wrote:

> Package: samba
> Version: 2:4.13.13+dfsg-1~deb11u5
> Severity: normal
>
> Hello,
>
> is it possible to patch the Samba version in Debian stable with the Kerberos
> patch?


Yes it is possible, more, it is trivial to _patch_ it. But it is not that easy
to make the resulting binaries into the archive.

Tomorrow another security update for samba is expected, - if that affects bullseye
too, I hope to get all fixes together for the next update.


> Or should we move forward to the Samba Backports version until the next
> Debian stable release?


This is the preferred way regardless.  4.13 is not supported upstream anymore,
and all our support of 4.13 in Debian is even more limited than that.  More:
4.16 in bpo is much more accurate.


> https://bugzilla.samba.org/show_bug.cgi?id=15197


Yeah, I know about this issue.

Thanks,

/mjt



Bug#1022574: samba: Kerberos 22H2 Samba problem in Debian stable | Backports Version or Stable Update?

2022-10-24 Thread Samuel Wolf
Package: samba
Version: 2:4.13.13+dfsg-1~deb11u5
Severity: normal

Hello,

is it possible to patch the Samba version in Debian stable with the Kerberos
patch?
Or should we move forward to the Samba Backports version until the next
Debian stable release?

https://bugzilla.samba.org/show_bug.cgi?id=15197

-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/6 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages samba depends on:
ii  adduser              3.118
ii  dpkg                 1.20.12
ii  init-system-helpers  1.60
ii  libbsd0              0.11.3-1
ii  libc6                2.31-13+deb11u5
ii  libgnutls30          3.7.1-5+deb11u2
ii  libldb2              2:2.2.3-2~deb11u2
ii  libpam-modules       1.4.0-9+deb11u1
ii  libpam-runtime       1.4.0-9+deb11u1
ii  libpopt0             1.18-2
ii  libpython3.9         3.9.2-1
ii  libtalloc2           2.3.1-2+b1
ii  libtasn1-6           4.16.0-2
ii  libtdb1              1.4.3-1+b1
ii  libtevent0           0.10.2-1
ii  libwbclient0         2:4.13.13+dfsg-1~deb11u5
ii  lsb-base             11.1.0
ii  procps               2:3.3.17-5
ii  python3              3.9.2-3
ii  python3-dnspython    2.0.0-1
ii  python3-samba        2:4.13.13+dfsg-1~deb11u5
ii  samba-common         2:4.13.13+dfsg-1~deb11u5
ii  samba-common-bin     2:4.13.13+dfsg-1~deb11u5
ii  samba-libs           2:4.13.13+dfsg-1~deb11u5
ii  tdb-tools            1.4.3-1+b1

Versions of packages samba recommends:
ii  attr                1:2.4.48-6
ii  logrotate           3.18.0-2+deb11u1
ii  python3-markdown    3.3.4-1
ii  samba-dsdb-modules  2:4.13.13+dfsg-1~deb11u5
ii  samba-vfs-modules   2:4.13.13+dfsg-1~deb11u5

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
pn  ntp | chrony   <none>
pn  smbldap-tools  <none>
pn  ufw            <none>
ii  winbind        2:4.13.13+dfsg-1~deb11u5

-- no debconf information