Bug 16018 - May 2026 security meta-bug
Summary: May 2026 security meta-bug
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: CVE-2026-1933 CVE-2026-2340 CVE-2026-3012 CVE-2026-3238 CVE-2026-4480 CVE-2026-4408
Blocks:
 
Reported: 2026-03-07 22:35 UTC by Douglas Bagnall
Modified: 2026-05-29 01:10 UTC (History)
CC: 5 users

See Also:


Attachments (title, size, date, submitter, flags):

Combined patch for 4.21 (32.85 KB, patch), 2026-03-11 02:24 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.22 (32.78 KB, patch), 2026-03-11 02:24 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.23 (32.78 KB, patch), 2026-03-11 02:24 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.24 (32.38 KB, patch), 2026-03-11 02:25 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.24 v2 (32.62 KB, patch), 2026-03-11 23:52 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.21 v2 (33.10 KB, patch), 2026-03-11 23:53 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.23 v2 (33.02 KB, patch), 2026-03-11 23:55 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.22 v2 (33.02 KB, patch), 2026-03-11 23:56 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.22 v3 (33.08 KB, patch), 2026-03-12 02:58 UTC, Douglas Bagnall, no flags
Combined patch for 4.24 v3 (32.69 KB, patch), 2026-03-12 02:58 UTC, Douglas Bagnall, no flags
Combined patch for 4.23 v3 (33.08 KB, patch), 2026-03-12 02:59 UTC, Douglas Bagnall, no flags
Combined patch for 4.24 v4 (32.67 KB, patch), 2026-03-12 03:09 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.23 v4 (33.06 KB, patch), 2026-03-12 03:10 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.22 v4 (33.06 KB, patch), 2026-03-12 03:10 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.24 v5 (35.42 KB, patch), 2026-03-25 20:16 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.23 v5 (35.81 KB, patch), 2026-03-25 20:17 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.22 v5 (35.81 KB, patch), 2026-03-25 20:18 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.21 v5 (35.85 KB, patch), 2026-03-25 20:20 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.17 (excludes CVE-2026-1933) (54.87 KB, patch), 2026-04-03 02:16 UTC, Douglas Bagnall, no flags
patch for 4.16 (excludes CVE-2026-1933 and CVE-2026-2340) (15.10 KB, patch), 2026-04-03 03:34 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.17 v3 (excludes CVE-2026-1933) (54.48 KB, patch), 2026-04-07 20:01 UTC, Samuel Cabrero, jsutton: review+
Combined patch for 4.22 v6 (116.54 KB, patch), 2026-05-14 22:59 UTC, Douglas Bagnall, metze: review+, metze: ci-passed+
Combined patch for master v6 (116.08 KB, patch), 2026-05-15 00:56 UTC, Douglas Bagnall, metze: review+, metze: ci-passed+
Combined patch for 4.24 v6 (116.08 KB, patch), 2026-05-15 00:57 UTC, Douglas Bagnall, metze: review+, metze: ci-passed+
Combined patch for 4.23 v6 (116.47 KB, patch), 2026-05-15 00:58 UTC, Douglas Bagnall, metze: review+, metze: ci-passed+
Combined patch for 4.21 v6 (116.57 KB, patch), 2026-05-15 01:03 UTC, Douglas Bagnall, no flags
Combined patch for 4.17 lts (excludes CVE-2026-1933) (135.18 KB, patch), 2026-05-15 02:15 UTC, Douglas Bagnall, no flags
Combined patch for 4.17 lts (excludes CVE-2026-1933) v5 (135.24 KB, patch), 2026-05-15 02:33 UTC, Douglas Bagnall, jsutton: review+, dbagnall: ci-passed+
Combined patch for 4.16 v2 (96.13 KB, patch), 2026-05-15 02:34 UTC, Douglas Bagnall, jsutton: review+
Combined patch for 4.16 v3 (97.60 KB, patch), 2026-05-20 04:08 UTC, Douglas Bagnall, dbagnall: ci-passed+
Combined patch for 4.17 lts (excludes CVE-2026-1933) v6 (136.71 KB, patch), 2026-05-20 04:10 UTC, Douglas Bagnall, no flags
Combined patch for 4.17 lts (excludes CVE-2026-1933) v8 (135.40 KB, patch), 2026-05-21 02:05 UTC, Douglas Bagnall, dbagnall: ci-passed+

Description Douglas Bagnall 2026-03-07 22:35:06 UTC
I suggest we collect up the patches from the various bugs here and run the private autobuilds once per release rather than n times for each release.
Comment 2 Douglas Bagnall 2026-03-11 02:24:06 UTC
Created attachment 18885 [details]
Combined patch for 4.21
Comment 3 Douglas Bagnall 2026-03-11 02:24:35 UTC
Created attachment 18886 [details]
Combined patch for 4.22
Comment 4 Douglas Bagnall 2026-03-11 02:24:56 UTC
Created attachment 18887 [details]
Combined patch for 4.23
Comment 5 Douglas Bagnall 2026-03-11 02:25:17 UTC
Created attachment 18888 [details]
Combined patch for 4.24
Comment 6 Douglas Bagnall 2026-03-11 06:10:18 UTC
Comment on attachment 18888 [details]
Combined patch for 4.24

Current status is:

* CI passed for all branches, all patches
* bug 16003 patches need review
* some advisories have the wrong 4.23 version number
Comment 7 Douglas Bagnall 2026-03-11 23:52:29 UTC
Created attachment 18889 [details]
Combined patch for 4.24 v2
Comment 8 Douglas Bagnall 2026-03-11 23:53:06 UTC
Created attachment 18890 [details]
Combined patch for 4.21 v2
Comment 9 Douglas Bagnall 2026-03-11 23:55:45 UTC
Created attachment 18891 [details]
Combined patch for 4.23 v2
Comment 10 Douglas Bagnall 2026-03-11 23:56:41 UTC
Created attachment 18892 [details]
Combined patch for 4.22 v2
Comment 11 Douglas Bagnall 2026-03-12 00:03:30 UTC
I have added new versions of the patches with Reviewed-by tags for bug 16003, but I am not running new autobuilds for those.
Comment 12 Jennifer Sutton 2026-03-12 02:49:05 UTC
Comment on attachment 18890 [details]
Combined patch for 4.21 v2

I noticed that commit ‘CVE-2026-2340: test whether vfs_worm allows overwrite’ is Reviewed-by only in the 4.21 patch, and not in the other three patches.
Comment 13 Douglas Bagnall 2026-03-12 02:58:07 UTC
Created attachment 18893 [details]
Combined patch for 4.22 v3
Comment 14 Douglas Bagnall 2026-03-12 02:58:41 UTC
Created attachment 18894 [details]
Combined patch for 4.24 v3
Comment 15 Douglas Bagnall 2026-03-12 02:59:39 UTC
Created attachment 18895 [details]
Combined patch for 4.23 v3
Comment 16 Jennifer Sutton 2026-03-12 03:02:40 UTC
One more little request: can you change ‘Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>’ to ‘Reviewed-by: Volker Lendecke <vl@samba.org>’, as in the 4.21 patch?
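The consistency check Jennifer Sutton did by hand in comments 12 and 16 (the same commit carrying a Reviewed-by trailer in one branch's combined patch but not in the others, or naming a different reviewer) can be automated. The script below is an added example, not code from the Samba project or from this bug. The two patch series it parses are constructed stand-ins for the 4.21 and 4.22 combined patches with placeholder reviewer names; the only layout it assumes is the standard git format-patch mbox form ("From <sha1>" commit separators, a Subject header with a [PATCH n/m] prefix, trailers in the message body).

```python
"""Check that each commit carries the same Reviewed-by trailers in every
backport branch of a combined security patch series.

Added example; not part of the Samba bug or its patches. The sample series
below are constructed for illustration and are not the real patches.
"""
import re
from typing import Dict, List, Set

# git format-patch separates commits with a pseudo-mbox "From <sha1> <date>" line.
_COMMIT_SEP = re.compile(r"^From [0-9a-f]{40} ", re.MULTILINE)
_PATCH_PREFIX = re.compile(r"^\[PATCH[^\]]*\]\s*")

# Constructed sample series (placeholder names): the 4.21 series has both
# commits reviewed; the 4.22 series lacks the tag on the first commit and
# names a different reviewer on the second, mirroring comments 12 and 16.
SERIES_4_21 = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: A Developer <dev@example.org>
Date: Wed, 11 Mar 2026 10:00:00 +1300
Subject: [PATCH 1/2] CVE-2026-2340: test whether vfs_worm allows overwrite

Signed-off-by: A Developer <dev@example.org>
Reviewed-by: Reviewer One <one@example.org>

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: A Developer <dev@example.org>
Date: Wed, 11 Mar 2026 10:05:00 +1300
Subject: [PATCH 2/2] CVE-2026-2340: vfs_worm: refuse to overwrite a
 read-only file

Signed-off-by: A Developer <dev@example.org>
Reviewed-by: Reviewer One <one@example.org>
"""

SERIES_4_22 = """\
From 3333333333333333333333333333333333333333 Mon Sep 17 00:00:00 2001
From: A Developer <dev@example.org>
Date: Wed, 11 Mar 2026 10:00:00 +1300
Subject: [PATCH 1/2] CVE-2026-2340: test whether vfs_worm allows overwrite

Signed-off-by: A Developer <dev@example.org>

From 4444444444444444444444444444444444444444 Mon Sep 17 00:00:00 2001
From: A Developer <dev@example.org>
Date: Wed, 11 Mar 2026 10:05:00 +1300
Subject: [PATCH 2/2] CVE-2026-2340: vfs_worm: refuse to overwrite a
 read-only file

Signed-off-by: A Developer <dev@example.org>
Reviewed-by: Reviewer Two <two@example.org>
"""


def _unfold(headers: str) -> List[str]:
    """Join RFC 822 style continuation lines (leading whitespace) onto the previous header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_series(text: str) -> Dict[str, Set[str]]:
    """Map each commit subject (minus the [PATCH n/m] prefix) to its set of Reviewed-by values."""
    commits: Dict[str, Set[str]] = {}
    for chunk in _COMMIT_SEP.split(text):
        if not chunk.strip():
            continue
        head, _, body = chunk.partition("\n\n")  # headers end at the first blank line
        subject = None
        for line in _unfold(head):
            if line.lower().startswith("subject:"):
                subject = _PATCH_PREFIX.sub("", line[len("subject:"):].strip())
        if subject is None:
            continue
        commits[subject] = {
            line[len("Reviewed-by:"):].strip()
            for line in body.splitlines()
            if line.startswith("Reviewed-by:")
        }
    return commits


def find_trailer_mismatches(series_by_branch: Dict[str, str], reference: str) -> List[str]:
    """Compare every branch's series against the reference branch.

    Returns human-readable findings: commits missing from a branch, and commits
    whose Reviewed-by set differs from the reference.
    """
    ref = parse_series(series_by_branch[reference])
    findings: List[str] = []
    for branch, text in series_by_branch.items():
        if branch == reference:
            continue
        other = parse_series(text)
        for subject, ref_reviewers in ref.items():
            if subject not in other:
                findings.append(f"{branch}: missing commit '{subject}'")
            elif other[subject] != ref_reviewers:
                findings.append(
                    f"{branch}: '{subject}' Reviewed-by {sorted(other[subject])} "
                    f"!= {reference} {sorted(ref_reviewers)}"
                )
    return findings


if __name__ == "__main__":
    for finding in find_trailer_mismatches({"4.21": SERIES_4_21, "4.22": SERIES_4_22}, "4.21"):
        print(finding)
```

Run against real combined patches, feed each branch's patch file contents as the dictionary values and pick the branch whose tags are known to be correct as the reference; an empty result means every commit carries the same reviewers everywhere.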
Comment 17 Douglas Bagnall 2026-03-12 03:09:33 UTC
Created attachment 18896 [details]
Combined patch for 4.24 v4
Comment 18 Douglas Bagnall 2026-03-12 03:10:09 UTC
Created attachment 18897 [details]
Combined patch for 4.23 v4
Comment 19 Douglas Bagnall 2026-03-12 03:10:52 UTC
Created attachment 18898 [details]
Combined patch for 4.22 v4
Comment 20 Douglas Bagnall 2026-03-12 03:21:37 UTC
Final patch versions are v2 for 4.21, v4 for the others.

Some of the CVE advisory texts still have the wrong version number for 4.23, but are otherwise reviewed and ready.
Comment 21 Volker Lendecke 2026-03-18 14:10:20 UTC
16033 and 16034 should also be included. Waiting for CVE numbers.
Comment 23 Douglas Bagnall 2026-03-25 20:16:22 UTC
Created attachment 18920 [details]
Combined patch for 4.24 v5
Comment 24 Douglas Bagnall 2026-03-25 20:17:21 UTC
Created attachment 18921 [details]
Combined patch for 4.23 v5
Comment 25 Douglas Bagnall 2026-03-25 20:18:22 UTC
Created attachment 18922 [details]
Combined patch for 4.22 v5
Comment 26 Douglas Bagnall 2026-03-25 20:20:04 UTC
Created attachment 18923 [details]
Combined patch for 4.21 v5

Latest patches (v5) include bug #16033 and bug #16034.
Comment 27 Douglas Bagnall 2026-03-25 20:30:35 UTC
(In reply to Douglas Bagnall from comment #26)
Note, I haven't completely reviewed the 16033 and 16034 patches.

For 16033 I used the older version of the patch which is identical to the master patch without the CVE number in the subject (these patches passed each other in the night).
Comment 28 Björn Jacke 2026-03-30 15:56:56 UTC
adding vendors to cc of this security release meta bug.

Scheduled release date is 2026-04-09.
Comment 29 Douglas Bagnall 2026-04-03 02:16:23 UTC
Created attachment 18935 [details]
Combined patch for 4.17 (excludes CVE-2026-1933)

The v4-17 patch excludes CVE-2026-1933 (the reparse points one, which affects 4.21+), and includes backports of quite a few vfs_worm patches, rescuing that module out of the bug 10430 quagmire. There are also a few changes to help the build with newer tools.

Versions 4.18, 4.19, and 4.20 should work with some combination of the 4.17 or the 4.21 patches.

Only 4.22, 4.23, and 4.24 are officially supported.
Comment 30 Douglas Bagnall 2026-04-03 03:34:10 UTC
Created attachment 18936 [details]
patch for 4.16 (excludes CVE-2026-1933 and CVE-2026-2340)

v4-16 patch drops the vfs_worm patches, as 4.16 is getting too close to the vfs rewrite.
Comment 31 Douglas Bagnall 2026-04-04 20:15:41 UTC
(In reply to Douglas Bagnall from comment #30)
The 4.16 patch also lacks CVE-2026-3012 (the gpo http one, bug 16003), because it predates the issue.
Comment 32 Jennifer Sutton 2026-04-07 00:10:52 UTC
Comment on attachment 18935 [details]
Combined patch for 4.17 (excludes CVE-2026-1933)

‘CVE-2026-3012: do not fetch certificate over http’ contains some code that shouldn’t be there (r.headers['Content-Type']).
Comment 33 Samuel Cabrero 2026-04-07 20:01:49 UTC
Created attachment 18937 [details]
Combined patch for 4.17 v3 (excludes CVE-2026-1933)

(In reply to Jennifer Sutton from comment #32)

Patch 09/19 updated to remove the unwanted code.
Comment 34 Björn Jacke 2026-04-08 16:28:10 UTC
The security release that was scheduled for tomorrow will be postponed due to
new problems that have been identified with one of the fixes.

We will announce a new release date as soon as possible after the remaining
issues have been ruled out.

Sorry for any inconvenience.
Comment 35 Douglas Bagnall 2026-05-14 22:59:13 UTC
Created attachment 18978 [details]
Combined patch for 4.22 v6
Comment 36 Douglas Bagnall 2026-05-15 00:56:05 UTC
Created attachment 18979 [details]
Combined patch for master v6
Comment 37 Douglas Bagnall 2026-05-15 00:57:33 UTC
Created attachment 18980 [details]
Combined patch for 4.24 v6
Comment 38 Douglas Bagnall 2026-05-15 00:58:37 UTC
Created attachment 18981 [details]
Combined patch for 4.23 v6
Comment 39 Douglas Bagnall 2026-05-15 01:03:44 UTC
Created attachment 18982 [details]
Combined patch for 4.21 v6
Comment 40 Douglas Bagnall 2026-05-15 02:15:00 UTC
Created attachment 18983 [details]
Combined patch for 4.17 lts (excludes CVE-2026-1933)

4.17 patch goes on top of https://gitlab.com/samba-team/lts-community/samba/-/tree/v4-17-lts
Comment 41 Douglas Bagnall 2026-05-15 02:33:42 UTC
Created attachment 18984 [details]
Combined patch for 4.17 lts (excludes CVE-2026-1933) v5
Comment 42 Douglas Bagnall 2026-05-15 02:34:31 UTC
Created attachment 18985 [details]
Combined patch for 4.16 v2
Comment 43 Björn Jacke 2026-05-15 13:00:04 UTC
Scheduled release date is 2026-05-26.
Comment 44 Douglas Bagnall 2026-05-20 04:08:46 UTC
Created attachment 18987 [details]
Combined patch for 4.16 v3
Comment 45 Douglas Bagnall 2026-05-20 04:10:02 UTC
Created attachment 18988 [details]
Combined patch for 4.17 lts (excludes CVE-2026-1933) v6
Comment 46 Douglas Bagnall 2026-05-21 02:05:37 UTC
Created attachment 18989 [details]
Combined patch for 4.17 lts (excludes CVE-2026-1933) v8
Comment 47 Stefan Metzmacher 2026-05-26 09:15:00 UTC
I plan to upload the releases in about 3 hours from now...
Comment 48 Stefan Metzmacher 2026-05-26 12:51:49 UTC
Pushed to master autobuild