Performing verification for oracular. This will cover both the kernel and the cifs-utils package. both in -proposed.
This is going to be long, as we need to test: * patched kernel, patched cifs-utils * patched kernel, existing cifs-utils * existing kernel, patched cifs-utils I started a fresh Oracular VM, with: kernel 6.11.0-26-generic from -updates cifs-utils 2:7.0-2.1 from -release I then followed the instructions to about step 34. root@oracular-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 17 days on Wed Jun 11 05:01:22 2025 root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 05/25/25 03:03:03 05/25/25 13:03:03 krbtgt/[email protected] renew until 05/26/25 03:03:00 root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 05/25/25 03:03:03 05/25/25 13:03:03 krbtgt/[email protected] renew until 05/26/25 03:03:00 05/25/25 03:03:22 05/25/25 13:03:03 cifs/samba-dc.example.com@ renew until 05/26/25 03:03:00 Ticket server: cifs/[email protected] # journalctl -b0 kernel: Key type cifs.spnego registered kernel: Key type cifs.idmap registered kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1)> kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2342]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=> cifs.upcall[2343]: ver=2 cifs.upcall[2343]: host=samba-dc.example.com cifs.upcall[2343]: ip=192.168.122.191 cifs.upcall[2343]: sec=1 cifs.upcall[2343]: uid=0 cifs.upcall[2343]: creduid=0 cifs.upcall[2343]: user=root cifs.upcall[2343]: pid=2312 cifs.upcall[2342]: get_cachename_from_process_env: pid == 0 cifs.upcall[2342]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2342]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2342]: handle_krb5_mech: using native krb5 cifs.upcall[2342]: handle_krb5_mech: obtained service ticket cifs.upcall[2342]: Exit status 0 # stat /mnt/testshare1 File: /mnt/testshare1 Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,50 Inode: 289426 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-05-12 11:59:53.829982200 +0000 Modify: 2025-04-30 05:04:07.154000000 +0000 Change: 2025-04-30 05:04:07.154000000 +0000 Birth: 2025-04-30 05:04:07.154000000 +0000 # docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash root@fcec5b069772:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,50 Inode: 289426 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-05-12 23:59:53.829982200 +1200 Modify: 2025-04-30 17:04:07.154000000 +1200 Change: 2025-04-30 17:04:07.154000000 +1200 Birth: 2025-04-30 17:04:07.154000000 +1200 root@fcec5b069772:/# vim /etc/krb5.conf default_ccache_name = /tmp/krb5cc_00%{uid} Now back on the host: root@oracular-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@oracular-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp ESTAB 0 0 192.168.122.191:55542 192.168.122.191:microsoft-ds On the docker container: root@fcec5b069772:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available cifs.upcall[2564]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=> cifs.upcall[2565]: ver=2 cifs.upcall[2565]: host=samba-dc.example.com cifs.upcall[2565]: ip=192.168.122.191 cifs.upcall[2565]: sec=1 cifs.upcall[2565]: uid=0 cifs.upcall[2565]: creduid=0 cifs.upcall[2565]: user=root cifs.upcall[2565]: pid=2563 cifs.upcall[2564]: get_cachename_from_process_env: pid == 0 cifs.upcall[2564]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 cifs.upcall[2564]: get_tgt_time: unable to get principal cifs.upcall[2564]: krb5_get_init_creds_keytab: -1765328228 cifs.upcall[2564]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2564]: handle_krb5_mech: using GSS-API cifs.upcall[2564]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[2564]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) cifs.upcall[2564]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[2564]: Unable to obtain service ticket cifs.upcall[2564]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 Note the line: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 and GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) In this case, cifs.upcall tried to use the kerberos credential cache from the container namespace, instead of the host namespace where the mount was actually first mounted in. So we can reproduce the issue. Next we will test: * patched kernel, patched cifs-utils ==================================== kernel: 6.11.0-28-generic from -proposed cifs-utils: 2:7.0-2.1ubuntu0.1 from -security-proposed First, we make sure existing behaviour is maintained with the default option: root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# stat /mnt/testshare1 File: /mnt/testshare1 Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,53 Inode: 289426 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-05-12 11:59:53.829982200 +0000 Modify: 2025-04-30 05:04:07.154000000 +0000 Change: 2025-04-30 05:04:07.154000000 +0000 Birth: 2025-04-30 05:04:07.154000000 +0000 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1877]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=> cifs.upcall[1878]: ver=2 cifs.upcall[1878]: host=samba-dc.example.com cifs.upcall[1878]: ip=192.168.122.191 cifs.upcall[1878]: sec=1 cifs.upcall[1878]: uid=0 cifs.upcall[1878]: creduid=0 cifs.upcall[1878]: user=root cifs.upcall[1878]: pid=1873 cifs.upcall[1878]: upcall_target=app cifs.upcall[1877]: upcall_target=app, switching namespaces to application thread cifs.upcall[1877]: get_cachename_from_process_env: pid == 0 cifs.upcall[1877]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1877]: main: valid service ticket exists in credential cache cifs.upcall[1877]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1877]: handle_krb5_mech: using native krb5 cifs.upcall[1877]: handle_krb5_mech: obtained service ticket cifs.upcall[1877]: Exit status 0 Note, upcall_target=app is enabled by default. In the docker container: root@oracular-dc:/home/ubuntu# docker start fcec5b069772 fcec5b069772 root@oracular-dc:/home/ubuntu# docker exec -it fcec5b069772 bash root@fcec5b069772:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,53 Inode: 289426 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-05-12 23:59:53.829982200 +1200 Modify: 2025-04-30 17:04:07.154000000 +1200 Change: 2025-04-30 17:04:07.154000000 +1200 Birth: 2025-04-30 17:04:07.154000000 +1200 On the host: root@oracular-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@oracular-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp ESTAB 0 0 192.168.122.191:60902 192.168.122.191:microsoft-ds On the container: root@fcec5b069772:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available On the host: # journalctl -f cifs.upcall[2144]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x85f;upcall_target=app cifs.upcall[2145]: ver=2 cifs.upcall[2145]: host=samba-dc.example.com cifs.upcall[2145]: ip=192.168.122.191 cifs.upcall[2145]: sec=1 cifs.upcall[2145]: uid=0 cifs.upcall[2145]: creduid=0 cifs.upcall[2145]: user=root cifs.upcall[2145]: pid=2143 cifs.upcall[2145]: upcall_target=app cifs.upcall[2144]: upcall_target=app, switching namespaces to application thread cifs.upcall[2144]: get_cachename_from_process_env: pid == 0 cifs.upcall[2144]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 cifs.upcall[2144]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000) cifs.upcall[2144]: get_tgt_time: unable to get principal cifs.upcall[2144]: main: valid TGT is not present in credential cache cifs.upcall[2144]: krb5_get_init_creds_keytab: -1765328228 cifs.upcall[2144]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2144]: handle_krb5_mech: using GSS-API cifs.upcall[2144]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[2144]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) cifs.upcall[2144]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[2144]: Unable to obtain service ticket cifs.upcall[2144]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 We still have existing behaviour by default: cifs.upcall[2144]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 which means we will not cause any regressions. Next, we will use the new mount option, "upcall_target=mount": # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2241]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=> cifs.upcall[2242]: ver=2 cifs.upcall[2242]: host=samba-dc.example.com cifs.upcall[2242]: ip=192.168.122.191 cifs.upcall[2242]: sec=1 cifs.upcall[2242]: uid=0 cifs.upcall[2242]: creduid=0 cifs.upcall[2242]: user=root cifs.upcall[2242]: pid=2237 cifs.upcall[2242]: upcall_target=mount cifs.upcall[2241]: upcall_target=mount, not switching namespaces to application thread cifs.upcall[2241]: get_cachename_from_process_env: pid == 0 cifs.upcall[2241]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2241]: main: valid service ticket exists in credential cache cifs.upcall[2241]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2241]: handle_krb5_mech: using native krb5 cifs.upcall[2241]: handle_krb5_mech: obtained service ticket cifs.upcall[2241]: Exit status 0 Now we have upcall_target=mount set. In the container: root@oracular-dc:/home/ubuntu# docker start fcec5b069772 fcec5b069772 root@oracular-dc:/home/ubuntu# docker exec -it fcec5b069772 bash root@fcec5b069772:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,53 Inode: 289426 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-05-12 23:59:53.829982200 +1200 Modify: 2025-04-30 17:04:07.154000000 +1200 Change: 2025-04-30 17:04:07.154000000 +1200 Birth: 2025-04-30 17:04:07.154000000 +1200 On the host: root@oracular-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@oracular-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp ESTAB 0 0 192.168.122.191:60122 192.168.122.191:microsoft-ds On the container: root@fcec5b069772:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available On the host: # journalctl -f cifs.upcall[2383]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x94e;upcall_target=mount cifs.upcall[2384]: ver=2 cifs.upcall[2384]: host=samba-dc.example.com cifs.upcall[2384]: ip=192.168.122.191 cifs.upcall[2384]: sec=1 cifs.upcall[2384]: uid=0 cifs.upcall[2384]: creduid=0 cifs.upcall[2384]: user=root cifs.upcall[2384]: pid=2382 cifs.upcall[2384]: upcall_target=mount cifs.upcall[2383]: upcall_target=mount, not switching namespaces to application thread cifs.upcall[2383]: get_cachename_from_process_env: pid == 0 cifs.upcall[2383]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2383]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0) cifs.upcall[2383]: get_tgt_time: unable to get principal cifs.upcall[2383]: main: valid TGT is not present in credential cache cifs.upcall[2383]: krb5_get_init_creds_keytab: -1765328378 cifs.upcall[2383]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2383]: handle_krb5_mech: using GSS-API cifs.upcall[2383]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[2383]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0) cifs.upcall[2383]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[2383]: Unable to obtain service ticket cifs.upcall[2383]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 Now that "mount" is used, we correctly only use the credential cache from the host namespace, which is FILE:/tmp/krb5cc_0, and we don't leak any data between the container or the host, fixing the security issue. Next we will test: * patched kernel, existing cifs-utils ===================================== kernel: 6.11.0-28-generic from -proposed cifs-utils: 2:7.0-2.1 from -release If we were to manually specify upcall_target=app on the mount command line: root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1 kernel: Key type cifs.spnego registered kernel: Key type cifs.idmap registered kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1)> kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1681]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x675;upcall_target=app cifs.upcall[1682]: ver=2 cifs.upcall[1682]: host=samba-dc.example.com cifs.upcall[1682]: ip=192.168.122.191 cifs.upcall[1682]: sec=1 cifs.upcall[1682]: uid=0 cifs.upcall[1682]: creduid=0 cifs.upcall[1682]: user=root cifs.upcall[1682]: pid=1653 cifs.upcall[1681]: get_cachename_from_process_env: pid == 0 cifs.upcall[1681]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1681]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1681]: handle_krb5_mech: using native krb5 cifs.upcall[1681]: handle_krb5_mech: obtained service ticket cifs.upcall[1681]: Exit status 0 The mount continues successfully. The existing cifs-utils does not complain about it. Test with no "upcall_target". e.g.: # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1697]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x69d;upcall_target=app cifs.upcall[1698]: ver=2 cifs.upcall[1698]: host=samba-dc.example.com cifs.upcall[1698]: ip=192.168.122.191 cifs.upcall[1698]: sec=1 cifs.upcall[1698]: uid=0 cifs.upcall[1698]: creduid=0 cifs.upcall[1698]: user=root cifs.upcall[1698]: pid=1693 cifs.upcall[1697]: get_cachename_from_process_env: pid == 0 cifs.upcall[1697]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1697]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1697]: handle_krb5_mech: using native krb5 cifs.upcall[1697]: handle_krb5_mech: obtained service ticket cifs.upcall[1697]: Exit status 0 Note, that we still see "upcall_target=app" appended to key description even though this is with existing cifs-utils. The mount still succeeds as normal. Next we will test: * existing kernel, patched cifs-utils ===================================== Kernel: 6.11.0-26-generic cifs-utils: 2:7.0-2.1ubuntu0.1 from -security-proposed If we were to manually specify upcall_target=app on the mount command line: # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1 mount error(22): Invalid argument Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) # journalctl -b0 May 25 03:25:19 oracular-dc kernel: cifs: Unknown parameter 'upcall_target' cifs-utils accepts it, but the kernel does not, and fails with an unknown parameter. This is okay, because the existing kernel does not have support for the new parameter, and users would be manually be adding it to their mount parameters anyway. If they went to this effort, they would notice their kernel is out of date and would upgrade their kernel to get support. Testing with no "upcall_target": # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 # mount -l //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.191,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) oracular-dc kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified oracular-dc kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified oracular-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo oracular-dc cifs.upcall[2873]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=> oracular-dc cifs.upcall[2874]: ver=2 oracular-dc cifs.upcall[2874]: host=samba-dc.example.com oracular-dc cifs.upcall[2874]: ip=192.168.122.191 oracular-dc cifs.upcall[2874]: sec=1 oracular-dc cifs.upcall[2874]: uid=0 oracular-dc cifs.upcall[2874]: creduid=0 oracular-dc cifs.upcall[2874]: user=root oracular-dc cifs.upcall[2874]: pid=2867 oracular-dc cifs.upcall[2873]: upcall_target=app, switching namespaces to application thread oracular-dc cifs.upcall[2873]: get_cachename_from_process_env: pid == 0 oracular-dc cifs.upcall[2873]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 oracular-dc cifs.upcall[2873]: main: valid service ticket exists in credential cache oracular-dc cifs.upcall[2873]: handle_krb5_mech: getting service ticket for samba-dc.example.com oracular-dc cifs.upcall[2873]: handle_krb5_mech: using native krb5 oracular-dc cifs.upcall[2873]: handle_krb5_mech: obtained service ticket oracular-dc cifs.upcall[2873]: Exit status 0 Mounting shares without any additional mount parameters still works correctly. cifs-utils does not append upcall_target=app to the mount command line, so existing kernel continues to work correctly. Note, it does now mention: oracular-dc cifs.upcall[2873]: upcall_target=app, switching namespaces to application thread to say that it uses the current process namespace, which is the same as existing behaviour. We have covered all situations of the testing matrix. Both the kernel in -proposed and cifs-utils in -security-proposed fix the issue, and don't cause any issues being installed independently with or without each other. Happy to mark verified for oracular. ** Tags removed: verification-needed-oracular-linux ** Tags added: verification-done-oracular verification-done-oracular-linux -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2099914 Title: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
