SUSE-CU-2025:7542-1: Security update of suse/samba-client

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Oct 24 08:11:42 UTC 2025 

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7542-1
Container Tags        : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-68.3 , suse/samba-client:latest
Container Release     : 68.3
Severity              : critical
Type                  : security
References            : 1241219 1251279 1251280 CVE-2025-10230 CVE-2025-3576 CVE-2025-9640
-----------------------------------------------------------------

The container suse/samba-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3676-1
Released:    Mon Oct 20 10:19:57 2025
Summary:     Security update for samba
Type:        security
Severity:    critical
References:  1251279,1251280,CVE-2025-10230,CVE-2025-9640
This update for samba fixes the following issues:

- CVE-2025-9640: Fixed uninitialized memory disclosure via vfs_streams_xattr (bsc#1251279).
- CVE-2025-10230: Fixed command Injection in WINS server hook script (bsc#1251280).

Update to 4.21.8:

  * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
    SysvolReady=0; (bso#14981).
  * getpwuid does not shift to new DC when current DC is down;
    (bso#15844).
  * Windows security hardening locks out schannel'ed netlogon dc
    calls like netr_DsRGetDCName; (bso#15876).
  * kinit command is failing with Missing cache Error;
    (bso#15840).
  * Figuring out the DC name from IP address fails and breaks
    fork_domain_child(); (bso#15891).
  * Delayed leader broadcast can block ctdb forever; (bso#15892).
  * 'net ads group' failed to list domain groups; (bso#15900).
  * Apparently there is a conflict between shadow_copy2 module
    and virusfilter (action quarantine); (bso#15663).
  * Fix handling of empty GPO link; (bso#15877).
  * SMB ACL inheritance doesn't work for files created;
    (bso#15880).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5 as very old protocol supported quite a number of ciphers
that are not longer up to current cryptographic standards.

To avoid problems with those, SUSE has by default now disabled
those alorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true

to reenable them.


The following package changes have been done:

- libldb2-4.21.8+git.418.e80c9b2a88c-150700.3.11.2 updated
- krb5-1.20.1-150600.11.14.1 updated
- samba-client-libs-4.21.8+git.418.e80c9b2a88c-150700.3.11.2 updated
- samba-client-4.21.8+git.418.e80c9b2a88c-150700.3.11.2 updated
- container:registry.suse.com-bci-bci-micro-15.7-40dd8129e29c9984d8a5a4cfdc038201897e5d0c571d7659f58488fc21676a3d-0 updated

More information about the sle-container-updates mailing list