Bug 15263 - [SECURITY] Samba should enforce CVE-2020-25720 CreateChild restrictions by default
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Blocks: 15244
Reported: 2022-12-13 08:57 UTC by Andrew Bartlett
Modified: 2022-12-22 07:00 UTC

Description Andrew Bartlett 2022-12-13 08:57:10 UTC
As reminded by https://twitter.com/brdpoker/status/1590066974104879110?cxt=HHwWjIDQiaHfhpEsAAAA 

https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

Microsoft intends to enforce the changes in CVE-2021-42291 (which Samba fixed with bug 14810 and called CVE-2020-25720) sometime after April 2023.  

Currently the fixes for bug 14810 are only in master, so will be released with Samba 4.18. We might choose to backport to 4.17 and enforce with 4.18.