Message-ID: <35b4b85c-f411-421a-a29f-d25bd7797a33@catalyst.net.nz>
Date: Fri, 17 Oct 2025 10:09:51 +1300
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
To: Demi Marie Obenour <demiobenour@...il.com>,
 oss-security@...ts.openwall.com
Subject: Re: Samba security releases for CVE-2025-10230 and
 CVE-2025-9640

On 17/10/25 07:37, Demi Marie Obenour wrote:
> On 10/15/25 22:18, Douglas Bagnall wrote:
>> Anyway, the summary is the Samba 3/4 history has left us with
>> unmaintained pockets within our codebase that we ignore because we
>> assume nobody is using them, but which we don't delete because maybe
>> somebody is using them. There may not be very many more.
> 
> Would it make sense to announce that they are deprecated, and then
> remove them in the next release?

Yes. That is vaguely the plan in this case:

[ excerpt from https://bugzilla.samba.org/show_bug.cgi?id=15903#c8 ]
>> We should do things in this order:
>> 
>> 1. backport the fix.
>> 2. remove source4 wins hook from master/4.next.

though I did not put deprecated markers in the security patch, and now 
there is no urgency...

We will probably deprecate in the next release, and remove after that, 
depending on whether users show up.

As for other bits, we are slowly deduplicating where we can, for example:

https://gitlab.com/samba-team/samba/-/merge_requests/4219

Douglas
