
Re: no-dsa for Samba CVEs in Debian.



Hello Andrew,

On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
> Yes, due to the various cycles, freeze windows and support lifetimes,
> Debian almost always ships unsupported Samba versions, and even if the
> series is supported, the point release is not, because those are not
> followed, so manual back-porting is always required.

The default release policy is to only ship security fixes in Debian
stable, but for selected quality packages the release team is inclined
to accept following an upstream stable branch, which apparently
happened to some extent in stretch (before LTS), 4.5.8->4.5.16:

samba (2:4.5.8+dfsg-2)         Thu, 18 May 2017
samba (2:4.5.8+dfsg-2+deb9u1)  Thu, 13 Jul 2017
samba (2:4.5.12+dfsg-1)        Sat, 26 Aug 2017
samba (2:4.5.12+dfsg-2)        Mon, 25 Sep 2017
samba (2:4.5.12+dfsg-2+deb9u1) Mon, 20 Nov 2017
samba (2:4.5.12+dfsg-2+deb9u2) Mon, 05 Mar 2018
samba (2:4.5.12+dfsg-2+deb9u3) Mon, 13 Aug 2018
samba (2:4.5.12+dfsg-2+deb9u4) Thu, 22 Nov 2018
samba (2:4.5.16+dfsg-1)        Thu, 31 Jan 2019
samba (2:4.5.16+dfsg-1+deb9u1) Fri, 05 Apr 2019
samba (2:4.5.16+dfsg-1+deb9u2) Wed, 08 May 2019

(of course I can't speak for the debian samba or release teams, just
pointing out that a few packages are maintained with no/fewer backports.)


> I certainly don't envy the responsibility of back-porting patches into
> previously un-tested combinations without the backing of the full Samba
> CI stack. 

In LTS there is focus on developing automated testing, e.g.
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/1
so I believe we can contribute some man-power on improving Debian
Samba testing, not just in LTS but generally, if there's interest.

Cheers!
Sylvain
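An added example, not part of Sylvain's message and not Debian tooling: the version list above encodes the distinction the message draws, since a stable upload that bumps the upstream point release (4.5.8 -> 4.5.12 -> 4.5.16) ships upstream code, while a "+deb9uN" upload is a Debian-side backport. The script parses each version per the Debian scheme [epoch:]upstream_version[-debian_revision], strips the "+dfsg" repack marker, and labels each upload. The input list is the one quoted in the message; the numeric sort key is a simplification (real ordering is `dpkg --compare-versions`), and the label names are this example's own.

```python
"""Classify Debian stable uploads of one source package as upstream point
releases vs. Debian-side +debNuM updates.  Added example, not Debian tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# samba uploads to stretch as listed in the message: (version, changelog date)
STRETCH_SAMBA = [
    ("2:4.5.8+dfsg-2", "Thu, 18 May 2017"),
    ("2:4.5.8+dfsg-2+deb9u1", "Thu, 13 Jul 2017"),
    ("2:4.5.12+dfsg-1", "Sat, 26 Aug 2017"),
    ("2:4.5.12+dfsg-2", "Mon, 25 Sep 2017"),
    ("2:4.5.12+dfsg-2+deb9u1", "Mon, 20 Nov 2017"),
    ("2:4.5.12+dfsg-2+deb9u2", "Mon, 05 Mar 2018"),
    ("2:4.5.12+dfsg-2+deb9u3", "Mon, 13 Aug 2018"),
    ("2:4.5.12+dfsg-2+deb9u4", "Thu, 22 Nov 2018"),
    ("2:4.5.16+dfsg-1", "Thu, 31 Jan 2019"),
    ("2:4.5.16+dfsg-1+deb9u1", "Fri, 05 Apr 2019"),
    ("2:4.5.16+dfsg-1+deb9u2", "Wed, 08 May 2019"),
]

# stable/security updates append "+deb<suite>u<n>" to the Debian revision
STABLE_UPDATE_RE = re.compile(r"\+deb(?P<dist>\d+)u(?P<n>\d+)$")


@dataclass(frozen=True)
class DebVersion:
    epoch: int
    upstream: str   # e.g. "4.5.12+dfsg"
    revision: str   # e.g. "2+deb9u1"; "" for native packages

    @property
    def upstream_release(self) -> str:
        """Upstream point release without the +dfsg repack suffix."""
        return self.upstream.split("+", 1)[0]

    @property
    def stable_update(self) -> Optional[int]:
        """N from a trailing +debXuN, or None if this is not a stable update."""
        m = STABLE_UPDATE_RE.search(self.revision)
        return int(m.group("n")) if m else None


def parse_version(s: str) -> DebVersion:
    """Split [epoch:]upstream[-revision].  Per Debian Policy the revision is
    everything after the LAST hyphen, so rpartition is used, not split."""
    rest = s.strip()
    epoch = 0
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:          # no hyphen: native package, no Debian revision
        upstream, revision = rest, ""
    return DebVersion(epoch, upstream, revision)


def release_key(release: str):
    """Sort key for dotted numeric releases (4.5.12).  Simplification of
    dpkg --compare-versions, which also handles '~' and letters."""
    return tuple(int(p) for p in release.split("."))


def classify(entries):
    """Label each upload relative to the previous one:
    'new-upstream'  : upstream point release changed (upstream code shipped)
    'stable-update' : +debNuM upload, i.e. Debian-side backported fixes
    'revision'      : new Debian revision on the same upstream release"""
    out, prev = [], None
    for version_str, _date in entries:
        v = parse_version(version_str)
        if prev is None or v.upstream_release != prev.upstream_release:
            kind = "new-upstream"
        elif v.stable_update is not None:
            kind = "stable-update"
        else:
            kind = "revision"
        out.append((version_str, v.upstream_release, kind))
        prev = v
    return out


def upstream_releases(entries):
    """Distinct upstream point releases shipped, in version order."""
    return sorted({parse_version(v).upstream_release for v, _ in entries},
                  key=release_key)


def summarize(entries):
    """Count uploads per kind; a suite following an upstream stable branch
    shows more than one 'new-upstream' entry after the initial release."""
    counts = {"new-upstream": 0, "stable-update": 0, "revision": 0}
    for _, _, kind in classify(entries):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    for version, release, kind in classify(STRETCH_SAMBA):
        print(f"{version:32} {release:8} {kind}")
    print(upstream_releases(STRETCH_SAMBA), summarize(STRETCH_SAMBA))
```

Run against the quoted list this gives three upstream point releases and seven +deb9uN uploads, which is the "followed an upstream stable branch to some extent" pattern the message describes; a package kept strictly on security-only backports would show a single new-upstream entry followed only by stable-update entries.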

