Performing verification for noble. This will cover both the kernel and the cifs-utils package. both in -proposed.
This is going to be long, as we need to test: * patched kernel, patched cifs-utils * patched kernel, existing cifs-utils * existing kernel, patched cifs-utils I started a fresh noble VM, with: kernel 6.8.0-60-generic from -updates cifs-utils 2:7.0-2build1 from -release I then followed the instructions to about step 34. root@samba-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 39 days on Fri Jul 4 02:00:18 2025 root@samba-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 05/25/25 04:46:37 05/25/25 14:46:37 krbtgt/[email protected] renew until 05/26/25 04:46:33 root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@samba-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 05/25/25 04:46:37 05/25/25 14:46:37 krbtgt/[email protected] renew until 05/26/25 04:46:33 05/25/25 04:46:54 05/25/25 14:46:37 cifs/samba-dc.example.com@ renew until 05/26/25 04:46:33 Ticket server: cifs/[email protected] # journalctl -b0 kernel: Key type cifs.spnego registered kernel: Key type cifs.idmap registered kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T> kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1860]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0> cifs.upcall[1861]: ver=2 cifs.upcall[1861]: host=samba-dc.example.com cifs.upcall[1861]: ip=192.168.122.124 cifs.upcall[1861]: sec=1 cifs.upcall[1861]: uid=0 cifs.upcall[1861]: creduid=0 cifs.upcall[1861]: user=root cifs.upcall[1861]: pid=1829 cifs.upcall[1860]: get_cachename_from_process_env: pid == 0 cifs.upcall[1860]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1860]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1860]: handle_krb5_mech: using native krb5 cifs.upcall[1860]: handle_krb5_mech: obtained service ticket cifs.upcall[1860]: Exit status 0 # stat /mnt/testshare1 File: /mnt/testshare1 Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,41 Inode: 297860 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-04-09 04:29:15.755959600 +0000 Modify: 2025-04-09 02:54:45.264000000 +0000 Change: 2025-04-09 02:54:45.264000000 +0000 Birth: 2025-04-09 02:54:45.264000000 +0000 # docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash root@685c7e420afc:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,41 Inode: 297860 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-04-09 13:59:15.755959600 +0930 Modify: 2025-04-09 12:24:45.264000000 +0930 Change: 2025-04-09 12:24:45.264000000 +0930 Birth: 2025-04-09 12:24:45.264000000 +0930 root@fcec5b069772:/# vim /etc/krb5.conf default_ccache_name = /tmp/krb5cc_00%{uid} Now back on the host: root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@samba-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp ESTAB 0 0 192.168.122.124:58156 192.168.122.124:microsoft-ds On the docker container: root@fcec5b069772:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available cifs.upcall[2003]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7d2 cifs.upcall[2004]: ver=2 cifs.upcall[2004]: host=samba-dc.example.com cifs.upcall[2004]: ip=192.168.122.124 cifs.upcall[2004]: sec=1 cifs.upcall[2004]: uid=0 cifs.upcall[2004]: creduid=0 cifs.upcall[2004]: user=root cifs.upcall[2004]: pid=2002 cifs.upcall[2003]: get_cachename_from_process_env: pid == 0 cifs.upcall[2003]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 cifs.upcall[2003]: get_tgt_time: unable to get principal cifs.upcall[2003]: krb5_get_init_creds_keytab: -1765328228 cifs.upcall[2003]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2003]: handle_krb5_mech: using GSS-API cifs.upcall[2003]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[2003]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) cifs.upcall[2003]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[2003]: Unable to obtain service ticket cifs.upcall[2003]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 Note the line: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 and GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) In this case, cifs.upcall tried to use the kerberos credential cache from the container namespace, instead of the host namespace where the mount was actually first mounted in. So we can reproduce the issue. Next we will test: * patched kernel, patched cifs-utils ==================================== kernel: 6.8.0-62-generic from -proposed cifs-utils: 2:7.0-2ubuntu0.1 from -security-proposed First, we make sure existing behaviour is maintained with the default option: root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@samba-dc:/home/ubuntu# stat /mnt/testshare1 File: /mnt/testshare1 Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,43 Inode: 297860 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-04-09 04:29:15.755959600 +0000 Modify: 2025-04-09 02:54:45.264000000 +0000 Change: 2025-04-09 02:54:45.264000000 +0000 Birth: 2025-04-09 02:54:45.264000000 +0000 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1695]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0> cifs.upcall[1696]: ver=2 cifs.upcall[1696]: host=samba-dc.example.com cifs.upcall[1696]: ip=192.168.122.124 cifs.upcall[1696]: sec=1 cifs.upcall[1696]: uid=0 cifs.upcall[1696]: creduid=0 cifs.upcall[1696]: user=root cifs.upcall[1696]: pid=1691 cifs.upcall[1696]: upcall_target=app cifs.upcall[1695]: upcall_target=app, switching namespaces to application thread cifs.upcall[1695]: get_cachename_from_process_env: pid == 0 cifs.upcall[1695]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1695]: main: valid service ticket exists in credential cache cifs.upcall[1695]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1695]: handle_krb5_mech: using native krb5 cifs.upcall[1695]: handle_krb5_mech: obtained service ticket cifs.upcall[1695]: Exit status 0 Note, upcall_target=app is enabled by default. In the docker container: root@samba-dc:/home/ubuntu# docker start 685c7e420afc 685c7e420afc root@samba-dc:/home/ubuntu# docker exec -it 685c7e420afc bash root@685c7e420afc:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,43 Inode: 297860 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-04-09 13:59:15.755959600 +0930 Modify: 2025-04-09 12:24:45.264000000 +0930 Change: 2025-04-09 12:24:45.264000000 +0930 Birth: 2025-04-09 12:24:45.264000000 +0930 On the host: root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@samba-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp ESTAB 0 0 192.168.122.124:35920 192.168.122.124:microsoft-ds On the container: root@fcec5b069772:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available On the host: # journalctl -f cifs.upcall[1847]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x736;upcall_target=app cifs.upcall[1848]: ver=2 cifs.upcall[1848]: host=samba-dc.example.com cifs.upcall[1848]: ip=192.168.122.124 cifs.upcall[1848]: sec=1 cifs.upcall[1848]: uid=0 cifs.upcall[1848]: creduid=0 cifs.upcall[1848]: user=root cifs.upcall[1848]: pid=1846 cifs.upcall[1848]: upcall_target=app cifs.upcall[1847]: upcall_target=app, switching namespaces to application thread cifs.upcall[1847]: get_cachename_from_process_env: pid == 0 cifs.upcall[1847]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 cifs.upcall[1847]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000) cifs.upcall[1847]: get_tgt_time: unable to get principal cifs.upcall[1847]: main: valid TGT is not present in credential cache cifs.upcall[1847]: krb5_get_init_creds_keytab: -1765328228 cifs.upcall[1847]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1847]: handle_krb5_mech: using GSS-API cifs.upcall[1847]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[1847]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000) cifs.upcall[1847]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[1847]: Unable to obtain service ticket cifs.upcall[1847]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 We still have existing behaviour by default: cifs.upcall[1847]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000 which means we will not cause any regressions. Next, we will use the new mount option, "upcall_target=mount": # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1930]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x786;upcall_target=mount cifs.upcall[1931]: ver=2 cifs.upcall[1931]: host=samba-dc.example.com cifs.upcall[1931]: ip=192.168.122.124 cifs.upcall[1931]: sec=1 cifs.upcall[1931]: uid=0 cifs.upcall[1931]: creduid=0 cifs.upcall[1931]: user=root cifs.upcall[1931]: pid=1926 cifs.upcall[1931]: upcall_target=mount cifs.upcall[1930]: upcall_target=mount, not switching namespaces to application thread cifs.upcall[1930]: get_cachename_from_process_env: pid == 0 cifs.upcall[1930]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1930]: main: valid service ticket exists in credential cache cifs.upcall[1930]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1930]: handle_krb5_mech: using native krb5 cifs.upcall[1930]: handle_krb5_mech: obtained service ticket cifs.upcall[1930]: Exit status 0 Now we have upcall_target=mount set. In the container: root@samba-dc:/home/ubuntu# docker start 685c7e420afc 685c7e420afc root@samba-dc:/home/ubuntu# docker exec -it 685c7e420afc bash root@685c7e420afc:/# stat /mnt/shared File: /mnt/shared Size: 0 Blocks: 0 IO Block: 1048576 directory Device: 0,43 Inode: 297860 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2025-04-09 13:59:15.755959600 +0930 Modify: 2025-04-09 12:24:45.264000000 +0930 Change: 2025-04-09 12:24:45.264000000 +0930 Birth: 2025-04-09 12:24:45.264000000 +0930 On the host: root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0 root@samba-dc:/home/ubuntu# ss -K dport 445 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp ESTAB 0 0 192.168.122.124:37264 192.168.122.124:microsoft-ds On the container: root@685c7e420afc:/# stat /mnt/shared stat: cannot statx '/mnt/shared': Required key not available On the host: # journalctl -f cifs.upcall[2065]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x810;upcall_target=mount cifs.upcall[2066]: ver=2 cifs.upcall[2066]: host=samba-dc.example.com cifs.upcall[2066]: ip=192.168.122.124 cifs.upcall[2066]: sec=1 cifs.upcall[2066]: uid=0 cifs.upcall[2066]: creduid=0 cifs.upcall[2066]: user=root cifs.upcall[2066]: pid=2064 cifs.upcall[2066]: upcall_target=mount cifs.upcall[2065]: upcall_target=mount, not switching namespaces to application thread cifs.upcall[2065]: get_cachename_from_process_env: pid == 0 cifs.upcall[2065]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2065]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0) cifs.upcall[2065]: get_tgt_time: unable to get principal cifs.upcall[2065]: main: valid TGT is not present in credential cache cifs.upcall[2065]: krb5_get_init_creds_keytab: -1765328378 cifs.upcall[2065]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2065]: handle_krb5_mech: using GSS-API cifs.upcall[2065]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[2065]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0) cifs.upcall[2065]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[2065]: Unable to obtain service ticket cifs.upcall[2065]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 Now that "mount" is used, we correctly only use the credential cache from the host namespace, which is FILE:/tmp/krb5cc_0, and we don't leak any data between the container or the host, fixing the security issue. Next we will test: * patched kernel, existing cifs-utils ===================================== kernel: 6.8.0-62-generic from -proposed cifs-utils: 2:7.0-2.1 from -release If we were to manually specify upcall_target=app on the mount command line: root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1 # journalctl -f kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T> kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1531]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x5df;upcall_target=app cifs.upcall[1532]: ver=2 cifs.upcall[1532]: host=samba-dc.example.com cifs.upcall[1532]: ip=192.168.122.124 cifs.upcall[1532]: sec=1 cifs.upcall[1532]: uid=0 cifs.upcall[1532]: creduid=0 cifs.upcall[1532]: user=root cifs.upcall[1532]: pid=1503 cifs.upcall[1531]: get_cachename_from_process_env: pid == 0 cifs.upcall[1531]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1531]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1531]: handle_krb5_mech: using native krb5 cifs.upcall[1531]: handle_krb5_mech: obtained service ticket cifs.upcall[1531]: Exit status 0 The mount continues successfully. The existing cifs-utils does not complain about it. Test with no "upcall_target". e.g.: # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 # journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1542]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x602;upcall_target=app cifs.upcall[1543]: ver=2 cifs.upcall[1543]: host=samba-dc.example.com cifs.upcall[1543]: ip=192.168.122.124 cifs.upcall[1543]: sec=1 cifs.upcall[1543]: uid=0 cifs.upcall[1543]: creduid=0 cifs.upcall[1543]: user=root cifs.upcall[1543]: pid=1538 cifs.upcall[1542]: get_cachename_from_process_env: pid == 0 cifs.upcall[1542]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1542]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1542]: handle_krb5_mech: using native krb5 cifs.upcall[1542]: handle_krb5_mech: obtained service ticket cifs.upcall[1542]: Exit status 0 Note, that we still see "upcall_target=app" appended to key description even though this is with existing cifs-utils. The mount still succeeds as normal. Next we will test: * existing kernel, patched cifs-utils ===================================== Kernel: 6.8.0-60-generic cifs-utils: 2:7.0-2ubuntu0.1 from -security-proposed If we were to manually specify upcall_target=app on the mount command line: # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1 mount error(22): Invalid argument Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) # journalctl -b0 May 25 04:52:25 samba-dc kernel: cifs: Unknown parameter 'upcall_target' cifs-utils accepts it, but the kernel does not, and fails with an unknown parameter. This is okay, because the existing kernel does not have support for the new parameter, and users would be manually be adding it to their mount parameters anyway. If they went to this effort, they would notice their kernel is out of date and would upgrade their kernel to get support. Testing with no "upcall_target": # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 # mount -l //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.124,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) # journalctl -f kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2275]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x8dd cifs.upcall[2276]: ver=2 cifs.upcall[2276]: host=samba-dc.example.com cifs.upcall[2276]: ip=192.168.122.124 cifs.upcall[2276]: sec=1 cifs.upcall[2276]: uid=0 cifs.upcall[2276]: creduid=0 cifs.upcall[2276]: user=root cifs.upcall[2276]: pid=2269 cifs.upcall[2275]: upcall_target=app, switching namespaces to application thread cifs.upcall[2275]: get_cachename_from_process_env: pid == 0 cifs.upcall[2275]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2275]: main: valid service ticket exists in credential cache cifs.upcall[2275]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2275]: handle_krb5_mech: using native krb5 cifs.upcall[2275]: handle_krb5_mech: obtained service ticket cifs.upcall[2275]: Exit status 0 Mounting shares without any additional mount parameters still works correctly. cifs-utils does not append upcall_target=app to the mount command line, so existing kernel continues to work correctly. Note, it does now mention: cifs.upcall[2275]: upcall_target=app, switching namespaces to application thread to say that it uses the current process namespace, which is the same as existing behaviour. We have covered all situations of the testing matrix. Both the kernel in -proposed and cifs-utils in -security-proposed fix the issue, and don't cause any issues being installed independently with or without each other. Happy to mark verified for noble. ** Tags removed: verification-needed-noble-linux ** Tags added: verification-done-noble verification-done-noble-linux -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2099914 Title: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
