Status of Samba Security update November 2021

Updated on 2021-11-15

Fixes for the vulnerabilities have been released. UCS servers should be updated to UCS 5.0 errata 157 or UCS 4.4 errata 1095.

This addresses these vulnerabilities:

CVE-2016-2124
CVE-2020-17049
CVE-2020-25717
CVE-2020-25718
CVE-2020-25719
CVE-2020-25721
CVE-2020-25722
CVE-2021-3738
CVE-2021-23192

For details see Samba - Security Updates and Information.

General advice regarding security hardening for Active Directory:

  • Consider setting ms-DS-MachineAccountQuota to 0 if you don’t actually need that feature. The current value can be checked with univention-s4search -s base ms-DS-MachineAccountQuota.
  • UCS systems installed before UCS 5.0 may still have the parameter acl:search set to no in /etc/samba/smb.conf. You should consider changing that by running ucr set samba/acl_search=yes on each UCS Samba/AD server (i.e. Primary/Master, Backup and Replica/Slave Nodes). The current value can be checked e.g. with samba-tool testparm --suppress-prompt | grep acl:search.
  • Section on Samba/AD in UCS Security Hardening - A Collection.
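The two checks in the list above can be scripted so that every Samba/AD node is audited the same way. The following is an added example, not Univention's or Samba's own code: it parses a constructed copy of what `univention-s4search -s base ms-DS-MachineAccountQuota` prints (assumed to be the LDIF-style `attribute: value` layout of ldbsearch) and a constructed `/etc/samba/smb.conf` fragment, and reports which of the two settings still needs hardening. On a real node you would feed it the actual command output and configuration file instead of the samples.

```python
"""Audit two Samba/AD hardening settings on a UCS node.

Added example, not Univention's code. Assumptions:
  * the quota query prints LDIF-style `attribute: value` lines (modelled on
    ldbsearch output; the sample below is constructed);
  * smb.conf uses the usual `key = value` layout with [section] headers.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: quota query output on a domain still at the default of 10.
SAMPLE_S4SEARCH_OUTPUT = """\
# record 1
dn: DC=example,DC=intranet
ms-DS-MachineAccountQuota: 10

# returned 1 records
"""

# Constructed sample smb.conf fragment from a system installed before UCS 5.0.
SAMPLE_SMB_CONF_OLD = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTRANET
    server role = active directory domain controller
    acl:search = no

[sysvol]
    path = /var/lib/samba/sysvol
"""

# The same fragment after `ucr set samba/acl_search=yes` has been applied.
SAMPLE_SMB_CONF_NEW = SAMPLE_SMB_CONF_OLD.replace("acl:search = no", "acl:search = yes")


def parse_machine_account_quota(ldif_text: str) -> Optional[int]:
    """Return ms-DS-MachineAccountQuota from LDIF-style output, or None if absent."""
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "ms-ds-machineaccountquota":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def parse_smb_conf_global(conf_text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [global] section of an smb.conf.

    Keys are lower-cased with whitespace removed, because Samba treats
    'acl : search' and 'acl:search' as the same parameter.
    """
    settings: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or blank line
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[re.sub(r"\s+", "", key).lower()] = value.strip()
    return settings


def samba_bool(value: str) -> Optional[bool]:
    """Interpret Samba's boolean spellings (yes/true/1 and no/false/0)."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def audit(ldif_text: str, conf_text: str) -> List[str]:
    """Return findings for the two hardening settings; an empty list means both are fine."""
    findings: List[str] = []
    quota = parse_machine_account_quota(ldif_text)
    if quota is None:
        findings.append("ms-DS-MachineAccountQuota not found in query output; check manually")
    elif quota != 0:
        findings.append(f"ms-DS-MachineAccountQuota is {quota}; set it to 0 unless the feature is needed")
    # If acl:search is absent, Samba's built-in default (yes) applies.
    acl_search = samba_bool(parse_smb_conf_global(conf_text).get("acl:search", "yes"))
    if acl_search is False:
        findings.append("acl:search = no in [global]; run 'ucr set samba/acl_search=yes' on this node")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_S4SEARCH_OUTPUT, SAMPLE_SMB_CONF_OLD) or ["no findings"]:
        print(finding)
```

Run against the constructed samples the script reports both findings; with the quota set to 0 and `acl:search = yes` it reports none. Note that the smb.conf on a UCS node is generated from UCR, so the `ucr set` command from the list above, not a manual edit of the file, is the right way to change the value.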

Previous versions of this page contained the following information:

We have been involved in adopting the upstream patches since about a week before the public disclosure, which gave us less lead time than usual. We primarily invested in a backport of the patches for Samba 4.10, which is used in UCS 4.4. During QA for that backport, a regression was identified for Samba file servers (i.e. UCS Managed Nodes, formerly known as UCS Memberservers), which made us put the release on hold on Tuesday. The regression would have affected both UCS 5 and UCS 4.4 and, while we are not happy about the situation, we are glad that our QA processes were able to identify the issue before release. We are currently in the process of identifying the source of the issue and finding a solution for it.
