Received this explanation: CVE-2020-25717 is about Samba performing a fallback from "DOMAIN\account" to simply "account" and ignoring the domain part. This would allow users to take advantage of the fallback to escalate privileges.

The only way to fix the issue is to remove the fallback, hence winbind is now required after the security update is applied. While this was a soft requirement in 4.8 and later versions, fixing the security issue changed it to a hard requirement, as the fallback is no longer available. Since the soft requirement was only introduced in 4.8, fixing the security issue in 4.7 in Bionic unfortunately meant we had to require winbind there as well.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25717

** Changed in: samba (Ubuntu)
   Status: New => Won't Fix

https://bugs.launchpad.net/bugs/1956635

Title: samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind
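The fallback described in the comment above, modelled as an added illustration. This is not Samba's code and is not part of the bug report: the account tables, the `winbind_up` flag and the function names are constructed assumptions chosen to show why "DOMAIN\account" falling back to "account" is a privilege escalation, and why dropping the fallback makes winbind mandatory for resolving domain users.

```python
# Added illustration of the "DOMAIN\account" -> "account" fallback (CVE-2020-25717 style).
# Not Samba's code. All tables below are constructed sample data.

# Local (Unix) accounts on the file server / DC host.
LOCAL_ACCOUNTS = {"root": 0, "backup": 34, "alice": 1000}

# Accounts known to the domain(s). Only reachable when winbind is running.
DOMAIN_ACCOUNTS = {
    "EXAMPLE": {"alice": 10001, "bob": 10002},
}


class UnknownAccount(LookupError):
    """Raised when a name cannot be mapped to a uid."""


def split_name(name):
    """Split 'DOMAIN\\account' into (DOMAIN, account); bare names get domain None."""
    if "\\" in name:
        dom, acct = name.split("\\", 1)
        return dom.upper(), acct
    return None, name


def domain_lookup(dom, acct, winbind_up):
    """Ask winbind for the uid of dom\\acct. Without winbind no domain lookup is possible."""
    if not winbind_up:
        return None
    return DOMAIN_ACCOUNTS.get(dom, {}).get(acct)


def resolve_with_fallback(name, winbind_up):
    """Pre-fix behaviour: if the qualified lookup fails, retry with the bare account name.

    The domain part is silently discarded, so any domain user whose account
    name matches a local account (root, backup, ...) is mapped to that local uid.
    """
    dom, acct = split_name(name)
    if dom is not None:
        uid = domain_lookup(dom, acct, winbind_up)
        if uid is not None:
            return uid
    # The dangerous fallback: ignore the domain and look up the bare name locally.
    if acct in LOCAL_ACCOUNTS:
        return LOCAL_ACCOUNTS[acct]
    raise UnknownAccount(name)


def resolve_strict(name, winbind_up):
    """Post-fix behaviour: a qualified name is resolved only in its own domain.

    Without winbind, domain users cannot be mapped at all, which is the
    regression the bug report describes; bare local names still work.
    """
    dom, acct = split_name(name)
    if dom is None:
        if acct in LOCAL_ACCOUNTS:
            return LOCAL_ACCOUNTS[acct]
        raise UnknownAccount(name)
    uid = domain_lookup(dom, acct, winbind_up)
    if uid is None:
        raise UnknownAccount(name)
    return uid


def lookup_fails(resolver, name, winbind_up):
    """True if resolver refuses to map name (used to check the hardened path)."""
    try:
        resolver(name, winbind_up)
    except UnknownAccount:
        return True
    return False


if __name__ == "__main__":
    # Attacker-chosen domain account "root" from a domain the host cannot resolve.
    print(resolve_with_fallback("ATTACKER\\root", winbind_up=True))   # 0: mapped to local root
    print(lookup_fails(resolve_strict, "ATTACKER\\root", True))       # True: refused
    # Without winbind, even a legitimate domain user is mis-mapped by the fallback
    # and refused by the strict path, hence winbind became a hard requirement.
    print(resolve_with_fallback("EXAMPLE\\alice", winbind_up=False))  # 1000: local alice, not domain alice
    print(lookup_fails(resolve_strict, "EXAMPLE\\alice", False))      # True
    print(resolve_strict("EXAMPLE\\alice", winbind_up=True))          # 10001
```

The two `print` pairs are the whole story of the bug: the fallback turns an unresolvable `ATTACKER\root` into uid 0, while the strict resolver refuses it but also refuses every domain user once winbind is not running, which is exactly the behaviour change the update introduced on 4.7 in Bionic.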