SUSE-SU-2021:0185-1: moderate: Security update for samba

sle-security-updates at lists.suse.com
Thu Jan 21 07:15:31 MST 2021


   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0185-1
Rating:             moderate
References:         #1173902 #1173994 #1177355 #1177613 #1178469 
                    
Cross-References:   CVE-2020-14318 CVE-2020-14323 CVE-2020-14383
                   
Affected Products:
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves three vulnerabilities and has two
   fixes is now available.

Description:

   This update for samba fixes the following issues:

   - Update to 4.13.3
     + libcli: smb2: Never print length if smb2_signing_key_valid() fails for
       crypto blob; (bso#14210);
     + s3: modules: gluster. Fix the error I made in preventing talloc leaks
       from a function; (bso#14486);
     + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL
       via TALLOC_FREE(); (bso#14515);
     + s3: spoolss: Make parameters in call to user_ok_token() match all
       other uses; (bso#14568);
     + s3: smbd: Quiet log messages from usershares for an unknown share;
       (bso#14590);
     + samba process does not honor max log size; (bso#14248);
     + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@
       ACE; (bso#14587);
     + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
     + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
     + smbclient: Fix recursive mget; (bso#14517);
     + clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
     + manpages/vfs_glusterfs: Mention silent skipping of write-behind
       translator; (bso#14486);
     + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
     + interface: Fix if_index is not parsed correctly; (bso#14514);

   - Update to 4.13.2
     + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on
       return; (bso#14486);
     + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
       (bso#14471);
     + smb.conf.5: Add clarification how configuration changes reflected by
       Samba; (bso#14538);
     + daemons: Report status to systemd even when running in foreground;
       (bso#14552);
     + DNS Resolver: Support both dnspython before and after 2.0.0;
       (bso#14553);
     + s3-vfs_glusterfs: Refuse connection when write-behind xlator is
       present; (bso#14486);
     + provision: Add support for BIND 9.16.x; (bso#14487);
     + ctdb-common: Avoid aliasing errors during code optimization;
       (bso#14537);
     + libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
     + docs: Fix default value of spoolss:architecture; (bso#14522);
     + winbind: Fix a memleak; (bso#14388);
     + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
     + docs-xml/manpages: Add warning about write-behind translator for
       vfs_glusterfs; (bso#14486);
     + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
     + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
     + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
     + examples:auth: Do not install example plugin; (bso#14550);
     + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);

   - Adjust smbcacls '--propagate-inheritance' feature to align with
     upstream; (bsc#1178469).

   - Update to samba 4.13.1
     + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
       easily crafted records; (bsc#1177613); (bso#14472);
     + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994);
       (bso#14436);
     + CVE-2020-14318: Missing handle permissions check in SMB1/2/3
       ChangeNotify; (bsc#1173902); (bso#14434);
   - Adjust systemd tmpfiles.d configuration, use /run/samba instead of
     /var/run/samba; (bsc#1177355);


Patch Instructions:

   To install this SUSE Security Update, use one of the SUSE recommended
   installation methods, such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2021-185=1



Package List:

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      ctdb-4.13.3+git.181.fc4672a5b81-3.3.1
      ctdb-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libdcerpc-binding0-4.13.3+git.181.fc4672a5b81-3.3.1
      libdcerpc-binding0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libdcerpc0-4.13.3+git.181.fc4672a5b81-3.3.1
      libdcerpc0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-krb5pac0-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-krb5pac0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-nbt0-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-nbt0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-standard0-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr-standard0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr1-4.13.3+git.181.fc4672a5b81-3.3.1
      libndr1-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libnetapi0-4.13.3+git.181.fc4672a5b81-3.3.1
      libnetapi0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-credentials0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-credentials0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-errors0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-errors0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-hostconfig0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-hostconfig0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-passdb0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-passdb0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-util0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamba-util0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamdb0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsamdb0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbclient0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbclient0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbconf0-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbconf0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbldap2-4.13.3+git.181.fc4672a5b81-3.3.1
      libsmbldap2-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libtevent-util0-4.13.3+git.181.fc4672a5b81-3.3.1
      libtevent-util0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      libwbclient0-4.13.3+git.181.fc4672a5b81-3.3.1
      libwbclient0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-ceph-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-ceph-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-client-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-client-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-debugsource-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-libs-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-libs-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-libs-python3-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-libs-python3-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-winbind-4.13.3+git.181.fc4672a5b81-3.3.1
      samba-winbind-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1
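
   A post-patch check for the package list above, as an added example that is not part of the SUSE advisory: it reports any listed package still installed at a build older than the fixed one. The function names, the use of GNU `sort -V` as a stand-in for rpm's version comparison, and the sample inventory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag advisory packages that are
# still installed at a build older than the fixed one.
# Fixed version-release, taken from the advisory's package list.
FIXED='4.13.3+git.181.fc4672a5b81-3.3.1'

# Non-debug package names from the advisory's package list.
PKGS='ctdb libdcerpc-binding0 libdcerpc0 libndr-krb5pac0 libndr-nbt0
libndr-standard0 libndr1 libnetapi0 libsamba-credentials0 libsamba-errors0
libsamba-hostconfig0 libsamba-passdb0 libsamba-util0 libsamdb0 libsmbclient0
libsmbconf0 libsmbldap2 libtevent-util0 libwbclient0 samba samba-ceph
samba-client samba-libs samba-libs-python3 samba-winbind'

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering stands in for rpm's own comparison; the
# two agree for dotted numeric versions like these, not for every string.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_packages: reads "name version-release" lines on stdin and prints
# those advisory packages whose installed build is older than FIXED.
outdated_packages() {
    while read -r name vr; do
        case " $(echo $PKGS) " in
            *" $name "*)
                if ver_lt "$vr" "$FIXED"; then echo "$name $vr"; fi ;;
        esac
    done
    return 0
}

# Constructed sample inventory (illustrative values, not real host output).
SAMPLE='samba 4.13.3+git.181.fc4672a5b81-3.3.1
samba-winbind 4.12.7+git.1.00000000000-1.1
libwbclient0 4.13.1+git.1.00000000000-1.1
bash 5.0.17-1.1'

# On a real host, feed it the rpm database instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | outdated_packages
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | outdated_packages
fi
```

   Empty output means every listed package that is installed is at or above the fixed build; long-running daemons such as smbd and winbindd still need a restart to load the updated libraries.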


References:

   https://www.suse.com/security/cve/CVE-2020-14318.html
   https://www.suse.com/security/cve/CVE-2020-14323.html
   https://www.suse.com/security/cve/CVE-2020-14383.html
   https://bugzilla.suse.com/1173902
   https://bugzilla.suse.com/1173994
   https://bugzilla.suse.com/1177355
   https://bugzilla.suse.com/1177613
   https://bugzilla.suse.com/1178469


