Some of the information in the other thread are referring to configuration setting instead of the version of the services. There were some out of date services for Apache that has been adressed in 6.10.0.
Commenting for the 4.8.0 samba version sounds very similar to this other thread:
The 4.8.0 is newer than what is available in the current stable release of Debian. We lean on the side of stablity and security with these updates/fixes, so we would not be running the latest versions that are available on the upstream development or experimental releases of base OS images.
samba: Insufficient input validation in libsmbclient (CVE-2018-10858)
samba: NULL pointer dereference in printer server process (CVE-2018-1050)
Nohting to do with "experimental" or whatever. And yalla yalla I know Netgear is backpoting things - why ever without leaving a trace of it in the version information. This makes it hard when you have Netgear ReadyNAS in IT security audits with customers - leading to non-nessecary loops and effort.
What was discovered by the Tenable scanner: That's for once not a SAMBA version detection as we know e.g. from dnsmasq fingerprints.
As the RN OS6 is in the service binaries a very basic Debian, I can't see many reasons for applying ReadyNAS specific mods to smbd or nmbd and the related Kernel module. I'm not complaining about a certain vulnerability (for once). Can't see why they should backport certain code and keep the 4.8.0. And hey, I am the last who would not understand that changing away from 4.8.0 isn'at an opton in the RC2 state (unless urgent security items arise) of course.
Don't have the full picture (a little bit short in reading the full specs and the SAMBA sources) for now. My understanding is that the "server signing = mandatory" (or any of the other option) only apply to SMB 1.0 and to some extent SMB 2.0/2.1.
root@RN516:~# cat /etc/frontview/samba/smb.conf.overrides oplocks = no server min protocol = SMB2_02 server signing = mandatory
SMB 3.x has a different logic - and to my knowledge some behaviour of it can be forced on Windows but not on SAMBA. That's the difference I'm digging for right now.
Thanks provide more details for what you are looking for in the updates.
I will need to look into the reasoning behind out current versioning, but we do pull updates from Samba today and the versioning is read-able when you know know the current versioning.
The (NETGEAR) Samba version "4.8.0-8.netgear2" is based on the Samba version "4.8.8". Instead of updating the standard ".0", we append the "-8" vesrioning.
I will need to look into the reasoning behind out current versioning, but we do pull updates from Samba today and the versioning is read-able when you know know the current versioning.
Not sure what the security auditor must know here.
The (NETGEAR) Samba version "4.8.0-8.netgear2" is based on the Samba version "4.8.8". Instead of updating the standard ".0", we append the "-8" vesrioning.
When we're checking the smbd and nmbd versions operating, we get 4.8.0. From the audit prospcetive, this is an original 4.8.0.
Further on, there are no rolling updates with the complete thread of relese notes - as such I can't find any proof the CVEs listed in my original post were addressed or not. Netgear must understand this is not acceptable, and does not allow to deploy ReadyNAS to many potential business customers.
