Comment from Jim @ SuSE.
We're going to do like RH and mark earlier versions as unsafe with SMB1
(or in our oldest case, unix extensions/NFS), and update our latest two
releases (SLES12SP5 and SLES15SP3) to 4.15.
OK, as agreed upon, I'm now opening this bug up to Samba vendors.
(In reply to Jeremy Allison from comment #12)
Please make sure that https://bugzilla.samba.org/show_bug.cgi?id=14846
(and also possible other regressions) gets fixed before telling the world to upgrade to 4.15.
Release date for this has been set as January 10th 2022.
(In reply to Jeremy Allison from comment #14)
Is January 10th, 2022 the same date the vulnerability will be publicly announced?
Yes, the plan is to announce on January 10th 2022. Let me know if this works for everyone please.
Any news for samba-vendor?
January 10th will be the announcement date. What more for samba-vendor do you need ?
Usually there are patches available about two weeks ahead of the public release. But maybe I'm misunderstanding the term "announcement".
The "patch" for this is 4.15.0 and above. It was a 2-3 year rewrite to fix the VFS layer to make everything handle based and remove any possibility of symlink escape.
There are only mitigations possible for releases below 4.15.
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.