Status of Samba Security update November 2021
Updated on 2021-11-15
Fixes for the vulnerabilities have been released. UCS servers should be updated to UCS 5.0 errata 157, or UCS 4.4 errata 1095.
This addresses these vulnerabilities:
CVE-2016-2124
CVE-2020-17049
CVE-2020-25717
CVE-2020-25718
CVE-2020-25719
CVE-2020-25721
CVE-2020-25722
CVE-2021-3738
CVE-2021-23192
For details see Samba - Security Updates and Information.
General advice regarding security hardening for Active Directory:
- Consider setting `ms-DS-MachineAccountQuota` to 0 if you don't actually need that feature. The current value can be checked with `univention-s4search -s base ms-DS-MachineAccountQuota`.
- UCS systems installed before UCS 5.0 may still have the parameter `acl:search` set to `no` in `/etc/samba/smb.conf`. You should consider changing that by running `ucr set samba/acl_search=yes` on each UCS Samba/AD server (i.e. Primary/Master, Backup and Replica/Slave Nodes). The current value can be checked e.g. with `samba-tool testparm --suppress-prompt | grep acl:search`.
- Section on Samba/AD in UCS Security Hardening - A Collection.
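As an added example that is not part of the Univention post, a small POSIX shell audit helper that parses the output of the two check commands above and reports whether both recommendations are in place. The sample outputs are constructed to resemble the real commands' format, and the assumption that an absent `acl:search` line means Samba's default of `yes` is mine.

```shell
#!/bin/sh
# Added audit helper, not part of the Univention post. It parses the output of the
# two check commands above; sample outputs are constructed, feed in live output on a server.

# Constructed sample of: univention-s4search -s base ms-DS-MachineAccountQuota
S4SEARCH_SAMPLE='# record 1
dn: DC=example,DC=intranet
ms-DS-MachineAccountQuota: 10'

# Constructed sample of: samba-tool testparm --suppress-prompt
TESTPARM_SAMPLE='# Global parameters
[global]
        realm = EXAMPLE.INTRANET
        server role = active directory domain controller
        acl:search = no
        workgroup = EXAMPLE'

# Print the quota value found in univention-s4search output (empty if absent).
machine_account_quota() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "ms-DS-MachineAccountQuota" { print $2; exit }'
}

# Print the acl:search value from testparm output. testparm only lists parameters
# that are set explicitly, so no line means Samba's default, which is yes (assumption).
acl_search_value() {
    v=$(printf '%s\n' "$1" | awk -F'=' '{ k = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (k == "acl:search") { print val; exit } }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# Report each recommendation that is not met; return 0 only when both are met.
audit() {
    rc=0
    q=$(machine_account_quota "$1")
    if [ "${q:-0}" -ne 0 ]; then
        echo "ms-DS-MachineAccountQuota is $q; consider setting it to 0"
        rc=1
    fi
    a=$(acl_search_value "$2")
    if [ "$a" != "yes" ]; then
        echo "acl:search is $a; run: ucr set samba/acl_search=yes"
        rc=1
    fi
    return $rc
}

if audit "$S4SEARCH_SAMPLE" "$TESTPARM_SAMPLE"; then
    echo "both hardening recommendations are in place"
fi
```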
Previous versions of this page contained the following information:
We have been involved in the adoption of the upstream patches since about a week before the public disclosure, which was shorter this time than usual. We primarily invested in a backport of the patches for Samba 4.10, which is used in UCS 4.4. During QA for that, a regression was identified for Samba file servers (i.e. UCS Managed Nodes, formerly known as UCS Memberservers), which made us put the release on hold on Tuesday. The regression would have affected UCS 5 and UCS 4.4 and, while we are not happy about the situation, we are glad that our QA processes were able to identify the issue before release. We are currently in the process of identifying the source of the issue and finding a solution for that.
See also: