[$] The long road to a fix for CVE-2021-20316

Post Syndicated from original https://lwn.net/Articles/884052/

Well-maintained free-software projects usually make a point of quickly
fixing known security problems, and the Samba project, which provides
interoperability between Windows and Unix systems, is no exception. So it
is natural to wonder why the fix for CVE-2021-20316, a symbolic-link
vulnerability, was well over two years in coming.
Sometimes, a security bug can be fixed with a simple tweak to the code.
Other times, the fix requires a massive rewrite of much of a project's
internal code. This particular vulnerability fell firmly into the latter
category, necessitating a public rewrite of Samba's virtual filesystem
(VFS) layer to address a non-disclosed vulnerability.