15263 – [SECURITY] Samba should enforce CVE-2020-25720 CreateChild restrictions by default

Bug 15263 - [SECURITY] Samba should enforce CVE-2020-25720 CreateChild restrictions by default

Summary: [SECURITY] Samba should enforce CVE-2020-25720 CreateChild restrictions by de...

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.17.3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	15244
	Show dependency tree / graph

Reported:	2022-12-13 08:57 UTC by Andrew Bartlett
Modified:	2022-12-22 07:00 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2022-12-13 08:57:10 UTC

As reminded by https://twitter.com/brdpoker/status/1590066974104879110?cxt=HHwWjIDQiaHfhpEsAAAA 

https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

Microsoft intends to enforce the changes in CVE-2021-42291 (which Samba fixed with bug 14810 and called CVE-2020-25720) sometime after April 2023.  

Currently the fixes for bug 14810 are only in master, so will be released with Samba 4.18, we might choose to backport to 4.17 and enforce with 4.18.