no-dsa for Samba CVEs in Debian.



On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
> Hello Andrew,
> 
> I read your message as well as
> https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
> and I believe I can add a few more pointers, as part of the
> (separate)
> Debian Long Term Support (LTS) team.
> 
> (I'm a bit confused because you're listed as a Debian package
> maintainer at https://packages.debian.org/sid/samba but I assume
> you're asking from upstream / Samba maintainers' point of view.)

Yeah, I helped build the current monster, and try to help out when I
can, mostly in terms of advice, but I've increasingly stepped back.  My
various Debian privileges, such as I had them, have expired and I
should probably be retired to 'lurker' status.

> First "no-dsa" (and its sub-states ignored/postponed) is described
> at:
> https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
> Note that no-dsa usually means fixing the issue is not
> urgent/critical,
> needs not high-priority tracking/action from the Security Team, but
> the package maintainer(s) may track and prepare a fix nonetheless,
> e.g. through Debian's quarterly point releases (10.x).
> Likewise, I read "Minor issue" as "non-critical".
> 
> By contrast, "unimportant" is a lesser severity state, and matching
> CVEs will likely never be fixed due to inapplicability in Debian or
> questionable security relevance.

Can you clarify the mapping between "Minor issue"/"non-critical" and
the Severity levels table?  Samba generally only issues a CVE for
things that are "medium" or above.

> Looking at the open CVEs and samba package history, it seems the
> immediate limiting factor for fixing CVEs is whether the samba
> branches shipped in Debian (4.5.x and 4.9.x) were maintained upstream
> at CVE time, and probably packager man-power to ship a minor upgrade
> and/or backport fixes.

Yes, due to the various cycles, freeze windows and support lifetimes,
Debian almost always ships unsupported Samba versions, and even if the
series is supported, the point release is not, because those are not
followed, so manual back-porting is always required.

I certainly don't envy the responsibility of back-porting patches into
previously un-tested combinations without the backing of the full Samba
CI stack. 

> If you're interested in the handling of samba in Debian LTS
> (stretch/oldstable) specifically, which is extended support and is
> usually performed by the LTS team without involving the package
> maintainers, you may want to reach debian-lts@lists.debian.org.

Thanks.  My view is that Debian should probably strip much of Samba out
before it moves to LTS, in particular the AD DC.  

That said, the LTS team has patched a number of issues that are
unpatched in Debian Stable, and I congratulate them on that, but I warn
that future security issues may not be so easy to backport.

Finally, thanks so much for the extra context, I appreciate it.

Andrew Bartlett

> Cheers!
> Sylvain Beucler
> Debian LTS Team
> 
> 
> On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett wrote:
> > On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
> > > On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
> > > 
> > > > I'm keen to discuss the thought process behind a number of the
> > > > no-dsa
> > > > flags on Samba security releases.  Does this list reach those
> > > > involved
> > > > in that, or is this more a general 'interest in security' list?
> > > 
> > > It tends to be more of a general security list. Probably
> > > contacting
> > > the security team directly on security@debian.org or
> > > team@security.debian.org is more appropriate, or if you want to
> > > discuss the issues in public, the debian-security-tracker list.
> > > 
> > > https://security-tracker.debian.org/tracker/data/report
> > > https://lists.debian.org/debian-security-tracker/
> > 
> > Thanks, I've mailed the security team, CCing the Debian Samba Team.
> > 
> > Hopefully they can help me out.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   
> > https://catalyst.net.nz/services/samba
> > 
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
