On Dec 15, 2021, at 12:02, Alejandro olivan Alvarez 
<alejandro.olivan.alva...@gmail.com> wrote:
> If you look at Debian security repo packages notes, and you look for samba, 
> you will find that, for the last vulnerability, found this 2021, only the 
> packaged sources for Debian Stable, testing and Sid have been patched with 
> the fix uploaded in samba.org <http://samba.org/>. Older packaged versions, 
> including buster (which was stable until well within 2021) have not (probably 
> they can't due to aging code) been patched and are marked as 'vulnerable'.
> 
The situation is a bit different under RHEL-based distros (including CentOS). 
There, Red Hat typically backports security fixes into the version of the 
affected package being used on the distro, thus preserving ABI compatibility 
(which is, after all, one of the major reasons for having an 'Enterprise' 
distro at all). This is why the base version of the kernel on an RHEL system 
usually looks ancient, yet still has all known vulnerabilities patched; Red Hat 
backports the kernel fixes.

> Samba/Windows/SMB/etc has its vulnerabilities, like many other software, but 
> the difference here is that, the attack surface is far greater, since, out of 
> the dark, Windows computers become potential backdoors for our Linux 
> ecosystem.
> 
> Being a Linux-only user, I would add that, IMHO (and risking to be polemic) 
> nothing is more secure regarding security fixes/updates on the SMB protocol 
> than MS itself (Windows server environment, with AD)... MS will be the first 
> to detect AND DEPLOY any security fix for MS machines via Windows Updates. A 
> Linux machine, on the other hand, can live happily with older/vulnerable 
> samba packages for ages.
> 
Totally agree.

> If I had to think of an ideal mixed Win-Linux environment for ease of Dropbox 
> upload/ingestion, my recommendation would be to have Rivendell machines 
> connecting as clients to a Windows Server, under AD (which is possible at OS 
> level, but I recall maybe it is not for rdimport/export/etc ), and mount the 
> remote share to read/ingest dropboxes, while the rest of the Win machines 
> mounting the same share to do the uploads. This way, all the Win files would 
> stay contained within the windows environment, subject to AD handshake all 
> the time and possibly under antivirus scrutiny... as we say here 'Juntos, 
> pero no revueltos' (together, but not mixed)
> 
I’ve seen sites do this. It works quite well. The downside is extra complexity 
with the concomitant reduction of overall reliability (two machines instead of 
one to break down, etc).

Cheers!


|---------------------------------------------------------------------|
| Frederick F. Gleason, Jr. |             Chief Developer             |
|                           |             Paravel Systems             |
|---------------------------------------------------------------------|
|         A room without books is like a body without a soul.         |
|                                                                     |
|                                                         -- Cicero   |
|---------------------------------------------------------------------|
_______________________________________________
Rivendell-dev mailing list
Rivendell-dev@lists.rivendellaudio.org
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
