CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not...

author Stefan Metzmacher <metze@samba.org>

Mon, 5 Dec 2022 20:31:37 +0000 (21:31 +0100)

committer Stefan Metzmacher <metze@samba.org>

Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)
author Stefan Metzmacher <metze@samba.org>
Mon, 5 Dec 2022 20:31:37 +0000 (21:31 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml

index 2c3c6c5d5fc617f9ce4893ae75a1a0be12fbb0fd..a245af55f5f3632ca1a1baf71421aa797df8ca03 100644 (file)
--- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -37,15 +37,9 @@
      </para>
  
      <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
-    is allowed. Avoiding AES this way has one a very specific use.
-    Normally, the encryption type is negotiated between the peers.
-    However, there is one scenario in which a Windows read-only domain
-    controller (RODC) advertises AES encryption, but then proxies the
-    request to a writeable DC which may not support AES encryption,
-    leading to failure of the handshake. Setting this parameter to
-    <constant>legacy</constant> would cause samba not to negotiate AES
-    encryption. It is assumed of course that the weaker legacy
-    encryption types are acceptable for the setup.
+    is allowed. AVOID using this option, because of
+    <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see
+    <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>.
      </para>
  </description>
author	Stefan Metzmacher <metze@samba.org>
	Mon, 5 Dec 2022 20:31:37 +0000 (21:31 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)