Bug 13678 - [SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.9.1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Blocks: 13663
Reported: 2018-11-06 21:23 UTC by Andrew Bartlett
Modified: 2018-11-29 07:49 UTC
Attachments
security advisory text (1.78 KB, text/plain), 2018-11-06 21:23 UTC, Andrew Bartlett
patch for master to disable the build by default (3.36 KB, patch), 2018-11-06 21:26 UTC, Andrew Bartlett
patch for master to disable the build by default (v2) (3.48 KB, patch), 2018-11-07 20:42 UTC, Andrew Bartlett, flags: dbagnall: review+
patch for v4-7, v4-8, v4-9 to disable the build by default (v2) (2.31 KB, patch), 2018-11-07 20:43 UTC, Andrew Bartlett, flags: dbagnall: review+
advisory text v2 (1.82 KB, text/plain), 2018-11-08 01:01 UTC, Douglas Bagnall
updated advisory with CVE number (1.83 KB, text/plain), 2018-11-21 11:53 UTC, Karolin Seeger, flags: abartlet: review+

Description Andrew Bartlett 2018-11-06 21:23:31 UTC
Created attachment 14606
security advisory text

Samba 4.7 and later versions have shipped with code to support building
the Samba AD DC using MIT Kerberos.  Since the time of the release, a
number of issues, including security issues, have been found by real-world
use.  However, sadly, the Samba Team has not been able to resource
the resolution of these issues to a standard that we are happy with,
and so this release marks this mode more clearly as experimental.

As an experimental feature, we will not be issuing security patches for
this feature, including for:

 S4U2Self crash with MIT KDC build
 https://bugzilla.samba.org/show_bug.cgi?id=13571

For further information, please see
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

While not removed, the MIT Kerberos build of the Samba AD DC is
considered experimental.  Because Samba will not issue security
patches for this configuration, such builds now require the explicit
configure option: --with-experimental-mit-ad-dc
Comment 1 Andrew Bartlett 2018-11-06 21:26:10 UTC
Created attachment 14607
patch for master to disable the build by default
Comment 2 Andrew Bartlett 2018-11-07 20:42:28 UTC
Created attachment 14624
patch for master to disable the build by default (v2)
Comment 3 Andrew Bartlett 2018-11-07 20:43:07 UTC
Created attachment 14625
patch for v4-7, v4-8, v4-9 to disable the build by default (v2)
Comment 4 Douglas Bagnall 2018-11-08 01:01:59 UTC
Created attachment 14633
advisory text v2
Comment 5 Karolin Seeger 2018-11-16 10:36:54 UTC
Opening bug report for vendors.
Planned release date is Tuesday, November 27 2018.
Comment 6 Karolin Seeger 2018-11-21 11:53:53 UTC
Created attachment 14675
updated advisory with CVE number
Comment 7 Andrew Bartlett 2018-11-21 17:49:59 UTC
Comment on attachment 14675
updated advisory with CVE number

Thanks, this is clearer.
Comment 8 Karolin Seeger 2018-11-27 09:45:57 UTC
Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address this defect.
Comment 9 Karolin Seeger 2018-11-27 10:28:27 UTC
Pushed to autobuild-master.
Comment 10 Karolin Seeger 2018-11-29 07:49:27 UTC
(In reply to Karolin Seeger from comment #9)
Pushed to master.
Closing out bug report.

Thanks!