Samba CVE-2021-44142 release for Jammy

Asked by Siejka, Olaf

I've been trying to understand the samba release status for CVE-2021-44142 on Jammy, as referenced in: https://ubuntu.com/security/CVE-2021-44142

It is currently listed as "Released (4.13.17~dfsg-0ubuntu1)", but this version just doesn't seem to be correct, as the current version of this package on Jammy is 2:4.15.13+dfsg-0ubuntu1.5

Looking at other versions, it would make sense for it to be "Released (2:4.13.17~dfsg-0ubuntu1)", as presented in the changelog for this version: https://git.launchpad.net/ubuntu/+source/samba/commit/?h=ubuntu/jammy&id=c6433bc7d8a81e3b825b0dd8f4c1321edb056021

Could it be a typo? I tried to look it up in other CVE aggregators, but the status for Jammy is either copied from the Ubuntu Security listing for this CVE, or missing, for example https://nvd.nist.gov/vuln/detail/CVE-2021-44142

Question information

Language: English
Status: Solved
For: Ubuntu samba
Assignee: No assignee
Solved by: Manfred Hampl

Best Manfred Hampl (m-hampl) said :
#1

That CVE was already tackled during development and before publishing of Ubuntu jammy.
It seems to me that version 4.13.17~dfsg-0ubuntu1 was the first one that solved the problem, and already at publishing date of Ubuntu jammy, samba was provided in a higher version (2:4.15.5~dfsg-0ubuntu5) which is not vulnerable to CVE-2021-44142.

My understanding of the CVE listings in Ubuntu is that the first version that is not vulnerable to the CVE is shown on that page, and later updates done on the software are not shown any more.

In any case, I conclude from combining the information in https://ubuntu.com/security/CVE-2021-44142 and in https://launchpad.net/ubuntu/+source/samba that any version of samba in Ubuntu jammy from the official repositories does not exhibit the problem in that CVE.

Remark: It may be a bit confusing that sometimes the epoch number "2:" is shown as part of the version numbers, and sometimes it is missing.

Siejka, Olaf (iaukzlink) said :
#2

Thanks Manfred Hampl, that solved my question.