LWN: Comments on "Samba 4.15.2, 4.14.10, 4.13.14 security releases available"
https://lwn.net/Articles/875565/
This is a special feed containing comments posted to the individual LWN article titled "Samba 4.15.2, 4.14.10, 4.13.14 security releases available".
Feed last updated: Sun, 12 Oct 2025 11:06:32 +0000

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only
https://lwn.net/Articles/876069/
abartlet, Mon, 15 Nov 2021 07:31:34 +0000

Firstly, sorry for missing the CVSS score on CVE-2016-2124. My stab at this is:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3)

(CVSS scores are meant to assume the worst case)

It isn't ideal that it is possible to disclose the NTLMv2 response, due to 'pass the hash' attacks, but by default the plaintext password isn't shown unless other configuration options were set (client plaintext auth). That would make it a 3.1 if you consider an NTLMv2 response a 'limited breach of confidentiality'.

More broadly, there are a few concerns for Samba clients in Windows domains. It depends on what kind of client and what level of trust there is in the DC, but we issued CVE-2020-25717 because the controls around msDS-MachineAccountQuota were way too weak (and Samba was not strict enough about sandboxing AD accounts to an AD-specific namespace).

My personal view is that CVE-2021-23192 was important to fix, but it is a server-side issue and assumes a MITM already and a request with multiple fragments (which is rare, and quite unlikely outside the context of being the DC).

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only
https://lwn.net/Articles/876036/
docontra, Sun, 14 Nov 2021 12:38:41 +0000

From reading the security advisories, Samba clients joined to AD may be vulnerable to CVE-2016-2124 (IIUC, it's the protocol vulnerability that caused Microsoft to disable SMB1 by default in later Windows 10 releases; requires specific client configuration to trigger), CVE-2020-25717 (second highest CVSSv3 rating, but some vulnerabilities were not rated) and CVE-2021-23192 (lowest CVSSv3 rated vulnerability).

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only
https://lwn.net/Articles/876030/
pabs, Sun, 14 Nov 2021 07:03:52 +0000

What about Samba based clients of a Windows based AD domain and DC?

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only
https://lwn.net/Articles/875960/
abartlet, Fri, 12 Nov 2021 20:21:19 +0000

To be clear, the situations that are a worry here are those servers in an AD domain or which are an AD DC. A standalone fileserver in particular is not the concern here.

Samba 4.15.2, 4.14.10, 4.13.14 security releases available
https://lwn.net/Articles/875832/
ccchips, Thu, 11 Nov 2021 22:56:06 +0000

Updated to 4.13.14.

Thank you!

Samba 4.15.2, 4.14.10, 4.13.14 security releases available
https://lwn.net/Articles/875718/
ccchips, Wed, 10 Nov 2021 18:25:28 +0000

Linux Mint 20.2 is showing 4.11.6. Can anyone advise me how I can request this be upgraded, or is it even possible?