How Badlock was discovered and fixed

by corbet from LWN.net (#1AXEK)
This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed additional hundred patches. To oldest supported Samba version - about four hundred patches. What started as an individual snowflake became an avalanche but it wasn't finished yet."