Message-ID: <62fb7c9a-179a-f3f0-93b6-5e74f88dad63@leemhuis.info>
Date:   Mon, 30 Jan 2023 12:04:23 +0100
From:   "Linux kernel regression tracking (Thorsten Leemhuis)" 
        <regressions@...mhuis.info>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Linux regressions mailing list <regressions@...ts.linux.dev>,
        Ronnie Sahlberg <lsahlber@...hat.com>,
        Steve French <stfrench@...rosoft.com>
Subject: CIFS NTLM regression still annoying people (was: Re: Linux
 regressions report for mainline [2023-01-29])

On 29.01.23 20:32, Linus Torvalds wrote:
> On Sun, Jan 29, 2023 at 9:42 AM Regzbot (on behalf of Thorsten
> Leemhuis) <regressions@...mhuis.info> wrote:
>>
>> * Andrew afaics didn’t send a revert[1] from Vlastimir your way
> Ok, I applied this one as tiny and clear and hitting actual user loads.

Great, many thx!

>> * A fix[1] for a stack_depot/kmemleak issue is in next for a while already too[2]
> This one I left alone, since it's a bit more involved and the use-case
> is more esoteric too.

Totally fine with me and yeah, a bit esoteric. But when somebody bisects
and reports a problem (in this case: Boris) that has already been fixed in
next for a few days, my mind yells "what a waste of energy, this could have
been prevented by mainlining the fix a bit more quickly" -- that's why I
brought it up.

> And in other news, the input regression revert you mentioned earlier
> got pulled this morning.

Ahh, great.

BTW, there is one thing that still bugs me: every few weeks there is yet
somebody new[1] complaining about the removal of support for NTLM and
weaker authentication algorithms from cifs some time ago in
76a3c92ec9e0. The situation[2] was improved slightly in 2f6f19c7aaad
("cifs: fix regression in very old smb1 mounts"), but it seems some
users of Apple Time Capsules or some Epson printer/scanner still can't
access their devices which apparently still work fine in Windows and
macOS[1].

Yes, the issue is tricky, as there are security implications here and we
have nobody that tests this, as you pointed out [3]. Is there
nevertheless something somebody committed could do? Would we even be
willing to add that support back in, in case someone commits to maintain
and regularly test that codepath?

Ciao, Thorsten

[1] https://bugzilla.kernel.org/show_bug.cgi?id=216682
[2] https://bugzilla.kernel.org/show_bug.cgi?id=215375
[3] https://lore.kernel.org/all/CAHk-=wjSBvRk-ksUBOiQzJd=e19UZKvOSZs1UHahK5U0QVh6RQ@mail.gmail.com/
