packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0005-CVE-2022-37966.patch

45 lines
2.0 KiB
Diff
Raw Blame History

From 9e486cdac679dc5121db33e198e48f364ea28ff8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:31:37 +0100
Subject: [PATCH 05/54] CVE-2022-37966 docs-xml/smbdotconf: "kerberos
encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../smbdotconf/security/kerberosencryptiontypes.xml | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
index 2c3c6c5d5fc6..a245af55f5f3 100644
--- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -37,15 +37,9 @@
</para>
<para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
- is allowed. Avoiding AES this way has one a very specific use.
- Normally, the encryption type is negotiated between the peers.
- However, there is one scenario in which a Windows read-only domain
- controller (RODC) advertises AES encryption, but then proxies the
- request to a writeable DC which may not support AES encryption,
- leading to failure of the handshake. Setting this parameter to
- <constant>legacy</constant> would cause samba not to negotiate AES
- encryption. It is assumed of course that the weaker legacy
- encryption types are acceptable for the setup.
+ is allowed. AVOID using this option, because of
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>.
</para>
</description>
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink