authorStefan Metzmacher <metze@samba.org>2022-11-24 18:22:23 +0100
committerStefan Metzmacher <metze@samba.org>2022-12-13 13:07:29 +0000
commit1c6c1129905d0c7a60018e7bf0f17a0fd198a584 (patch)
tree2bf2b1dff2f4de50c984b1080639998b93728c7e /libcli
parentd60828f6391307a59abaa02b72b6a8acf66b2fef (diff)
downloadsamba-1c6c1129905d0c7a60018e7bf0f17a0fd198a584.tar.gz
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default. Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code. Check with: git show -U35 libcli/auth/netlogon_creds_cli.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/auth/netlogon_creds_cli.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 2e7c06332f0..0f4f7ad761e 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
const char *client_computer;
uint32_t proposed_flags;
uint32_t required_flags = 0;
- bool reject_md5_servers = false;
- bool require_strong_key = false;
+ bool reject_md5_servers = true;
+ bool require_strong_key = true;
int require_sign_or_seal = true;
bool seal_secure_channel = true;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
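Review bot: The new initializers `bool reject_md5_servers = true;` and `bool require_strong_key = true;` have no comment saying they are fail-closed fallbacks rather than the effective policy. The commit message calls the change cosmetic, so presumably both are overwritten from `lp_ctx` later in netlogon_creds_cli_context_global(), whose body continues outside this hunk. A one-line comment above them, such as `/* secure defaults; effective values are read from lp_ctx below */`, would make that explicit and show that a path skipping the lookup would still refuse MD5-only servers. The subject line names only 'reject md5 servers' while `require_strong_key` flips as well, so the comment should also say why the two move together.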