# Samba 3.6.25 status?

## MageSlayer

Hi all

According to https://packages.gentoo.org/packages/net-fs/samba , v3.6.25 is still supported in portage.

However, what worries me is lack of any security patches released after official v3.6.25 release.

I mean those which can be found here - https://www.samba.org/samba/history/security.html

Specifically https://www.samba.org/samba/ftp/patches/security/samba-3.6.25-security-2015-12-16.patch and

https://www.samba.org/samba/ftp/patches/security/samba-v3-6-security-2016-04-12.tar.xz

Are those applied aside of common practice (patches in ebuild) or v3.6.25 is really out-of-date and no longer supported?

/I mean I am quite happy with old and working 3.x Samba and as long it does not pose any security thread, I am fine with it.

Can anybody give some status?

----------

## eccerr0r

You'll probably need to contact the Gentoo samba maintainer:  File a security bug on bugs.gentoo.org against 3.6.25 with the links you found...  Hopefully they have the time to add a -r1 or other patch, otherwise they may need to deprecate 3.6.x...

I don't know what the outcome will be, but seems like there is an upstream solution to this, just takes some effort to make an ebuild.  As I don't have a working/needed samba system, I just upgraded to 4.x and left the config as it is.  I don't know if it even works or introduces security holes...

/slaps self on wrist

----------

## Princess Nell

I'd move on to 4.x. Made the jump at work and no problems. Just make sure to check whether default options have changed and update config accordingly. testparm is your friend.

----------

## eccerr0r

I did have to hack my smb.conf a bit to swap to 4.x before it would start up cleanly again --- so it wasn't completely painless.  For the record, the Apache 2.2 to 2.4 was more painful, and the Apache 1.2.13 to 2.0 was absolutely mega-downtime.

I can see the reason why one would not want to version bump, but it all depends on the dev if you don't want to get down and dirty with ebuilds.

----------

## MageSlayer

Ok.

I filed https://bugs.gentoo.org/show_bug.cgi?id=596418

Let's see maintainer's view on that.

----------

## eccerr0r

Interesting, there had been some discussion about stabilization of even newer sambas.  I guess they had been planning deprecating 3.6.* for a while except the newer sambas were not fully stable yet (due to a dependency!)

Doesn't look good, might have to go make your own ebuild or do the dirty and upgrade...

----------

## Princess Nell

For newer 4.x releases, there's also the annoying https://bugzilla.samba.org/show_bug.cgi?id=10604. Still marked new.

----------

## MageSlayer

Call somebody ask Alex Legler or any other Samba maintainer if it's possible to include those patches in -r1 in case I provide new ebuild for 3.6.25 with patches?

He does not respond in https://bugs.gentoo.org/show_bug.cgi?id=596418

----------

## eccerr0r

Since he marked it as a "duplicate" of bugid 539486 I think you may be on your own for now as this implies the devs want to stabilize a new version instead of keeping the old one around. :(

----------

## Princess Nell

This can be a workaround: https://wiki.gentoo.org/wiki//etc/portage/patches.

----------

## MageSlayer

 *Princess Nell wrote:*   

> This can be a workaround: https://wiki.gentoo.org/wiki//etc/portage/patches.

 

Thanks. But I think I'll just create a new ebuild in overlay repo and be done with it.

That said, it's kind of strange situation.

----------

