SUSE-SU-2016:1022-1: important: Security update for samba
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Apr 12 16:08:02 MDT 2016
SUSE Security Update: Security update for samba
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:1022-1
Rating: important
References: #320709 #913547 #919309 #924519 #936862 #942716
#946051 #949022 #964023 #966271 #968973 #971965
#972197 #973031 #973032 #973033 #973034 #973036
#973832 #974629
Cross-References: CVE-2015-5370 CVE-2016-2110 CVE-2016-2111
CVE-2016-2112 CVE-2016-2113 CVE-2016-2115
CVE-2016-2118
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise High Availability 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that solves 7 vulnerabilities and has 13 fixes is
now available.
Description:
Samba was updated to the 4.2.x codestream, bringing some new features and
security fixes (bsc#973832, FATE#320709).
These security issues were fixed:
- CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM
attacks (bsc#936862).
- CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP
authentication (bsc#973031).
- CVE-2016-2111: Domain controller netlogon member computer could have
been spoofed (bsc#973032).
- CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM
attack (bsc#973033).
- CVE-2016-2113: TLS certificate validation were missing (bsc#973034).
- CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks
(bsc#973036).
- CVE-2016-2118: "Badlock" DCERPC impersonation of authenticated account
were possible (bsc#971965).
Also the following fixes were done:
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Fix samba.tests.messaging test and prevent potential tdb corruption by
removing obsolete now invalid tdb_close call; (bsc#974629).
- Align fsrvp feature sources with upstream version.
- Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel
from samba-core-devel; (bsc#973832).
- s3:utils/smbget: Fix recursive download; (bso#6482).
- s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem
with no ACL support; (bso#10489).
- docs: Add example for domain logins to smbspool man page; (bso#11643).
- s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
- loadparm: Fix memory leak issue; (bso#11708).
- lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
- ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...";
(bso#11719).
- s3:smbd:open: Skip redundant call to file_set_dosmode when creating a
new file; (bso#11727).
- param: Fix str_list_v3 to accept ";" again; (bso#11732).
- Real memeory leak(buildup) issue in loadparm; (bso#11740).
- Obsolete libsmbclient from libsmbclient0 and libpdb-devel from
libsamba-passdb-devel while not providing it; (bsc#972197).
- Getting and setting Windows ACLs on symlinks can change permissions on
link
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
- Enable clustering (CTDB) support; (bsc#966271).
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703);
(bsc#964023).
- vfs_fruit: Fix renaming directories with open files; (bso#11065).
- Fix MacOS finder error 36 when copying folder to Samba; (bso#11347).
- s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks;
(bso#11400).
- Fix copying files with vfs_fruit when using vfs_streams_xattr without
stream prefix and type suffix; (bso#11466).
- s3:libsmb: Correctly initialize the list head when keeping a list of
primary followed by DFS connections; (bso#11624).
- Reduce the memory footprint of empty string options; (bso#11625).
- lib/async_req: Do not install async_connect_send_test; (bso#11639).
- docs: Fix typos in man vfs_gpfs; (bso#11641).
- smbd: make "hide dot files" option work with "store dos attributes =
yes"; (bso#11645).
- smbcacls: Fix uninitialized variable; (bso#11682).
- s3:smbd: Ignore initial allocation size for directory creation;
(bso#11684).
- Changing log level of two entries to from 1 to 3; (bso#9912).
- vfs_gpfs: Re-enable share modes; (bso#11243).
- wafsamba: Also build libraries with RELRO protection; (bso#11346).
- ctdb: Strip trailing spaces from nodes file; (bso#11365).
- s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute
type of zero; (bso#11452).
- nss_wins: Do not run into use after free issues when we access memory
allocated on the globals and the global being reinitialized; (bso#11563).
- async_req: Fix non-blocking connect(); (bso#11564).
- auth: gensec: Fix a memory leak; (bso#11565).
- lib: util: Make non-critical message a warning; (bso#11566).
- Fix winbindd crashes with samlogon for trusted domain user; (bso#11569);
(bsc#949022).
- smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
- ctdb: Open the RO tracking db with perms 0600 instead of 0000;
(bso#11577).
- manpage: Correct small typo error; (bso#11584).
- s3: smbd: If EA's are turned off on a share don't allow an SMB2 create
containing them; (bso#11589).
- Backport some valgrind fixes from upstream master; (bso#11597).
- s3: smbd: have_file_open_below() fails to enumerate open files below an
open directory handle; (bso#11615).
- docs: Fix some typos in the idmap config section of man 5 smb.conf;
(bso#11619).
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2016-605=1
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2016-605=1
- SUSE Linux Enterprise High Availability 12:
zypper in -t patch SUSE-SLE-HA-12-2016-605=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2016-605=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
ctdb-debuginfo-4.2.4-18.17.1
ctdb-devel-4.2.4-18.17.1
libdcerpc-atsvc-devel-4.2.4-18.17.1
libdcerpc-atsvc0-4.2.4-18.17.1
libdcerpc-atsvc0-debuginfo-4.2.4-18.17.1
libdcerpc-devel-4.2.4-18.17.1
libdcerpc-samr-devel-4.2.4-18.17.1
libdcerpc-samr0-4.2.4-18.17.1
libdcerpc-samr0-debuginfo-4.2.4-18.17.1
libgensec-devel-4.2.4-18.17.1
libndr-devel-4.2.4-18.17.1
libndr-krb5pac-devel-4.2.4-18.17.1
libndr-nbt-devel-4.2.4-18.17.1
libndr-standard-devel-4.2.4-18.17.1
libnetapi-devel-4.2.4-18.17.1
libregistry-devel-4.2.4-18.17.1
libsamba-credentials-devel-4.2.4-18.17.1
libsamba-hostconfig-devel-4.2.4-18.17.1
libsamba-passdb-devel-4.2.4-18.17.1
libsamba-policy-devel-4.2.4-18.17.1
libsamba-policy0-4.2.4-18.17.1
libsamba-policy0-debuginfo-4.2.4-18.17.1
libsamba-util-devel-4.2.4-18.17.1
libsamdb-devel-4.2.4-18.17.1
libsmbclient-devel-4.2.4-18.17.1
libsmbclient-raw-devel-4.2.4-18.17.1
libsmbconf-devel-4.2.4-18.17.1
libsmbldap-devel-4.2.4-18.17.1
libtevent-util-devel-4.2.4-18.17.1
libwbclient-devel-4.2.4-18.17.1
samba-core-devel-4.2.4-18.17.1
samba-debuginfo-4.2.4-18.17.1
samba-debugsource-4.2.4-18.17.1
samba-test-devel-4.2.4-18.17.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
libdcerpc-binding0-4.2.4-18.17.1
libdcerpc-binding0-debuginfo-4.2.4-18.17.1
libdcerpc0-4.2.4-18.17.1
libdcerpc0-debuginfo-4.2.4-18.17.1
libgensec0-4.2.4-18.17.1
libgensec0-debuginfo-4.2.4-18.17.1
libndr-krb5pac0-4.2.4-18.17.1
libndr-krb5pac0-debuginfo-4.2.4-18.17.1
libndr-nbt0-4.2.4-18.17.1
libndr-nbt0-debuginfo-4.2.4-18.17.1
libndr-standard0-4.2.4-18.17.1
libndr-standard0-debuginfo-4.2.4-18.17.1
libndr0-4.2.4-18.17.1
libndr0-debuginfo-4.2.4-18.17.1
libnetapi0-4.2.4-18.17.1
libnetapi0-debuginfo-4.2.4-18.17.1
libregistry0-4.2.4-18.17.1
libregistry0-debuginfo-4.2.4-18.17.1
libsamba-credentials0-4.2.4-18.17.1
libsamba-credentials0-debuginfo-4.2.4-18.17.1
libsamba-hostconfig0-4.2.4-18.17.1
libsamba-hostconfig0-debuginfo-4.2.4-18.17.1
libsamba-passdb0-4.2.4-18.17.1
libsamba-passdb0-debuginfo-4.2.4-18.17.1
libsamba-util0-4.2.4-18.17.1
libsamba-util0-debuginfo-4.2.4-18.17.1
libsamdb0-4.2.4-18.17.1
libsamdb0-debuginfo-4.2.4-18.17.1
libsmbclient-raw0-4.2.4-18.17.1
libsmbclient-raw0-debuginfo-4.2.4-18.17.1
libsmbclient0-4.2.4-18.17.1
libsmbclient0-debuginfo-4.2.4-18.17.1
libsmbconf0-4.2.4-18.17.1
libsmbconf0-debuginfo-4.2.4-18.17.1
libsmbldap0-4.2.4-18.17.1
libsmbldap0-debuginfo-4.2.4-18.17.1
libtevent-util0-4.2.4-18.17.1
libtevent-util0-debuginfo-4.2.4-18.17.1
libwbclient0-4.2.4-18.17.1
libwbclient0-debuginfo-4.2.4-18.17.1
samba-4.2.4-18.17.1
samba-client-4.2.4-18.17.1
samba-client-debuginfo-4.2.4-18.17.1
samba-debuginfo-4.2.4-18.17.1
samba-debugsource-4.2.4-18.17.1
samba-libs-4.2.4-18.17.1
samba-libs-debuginfo-4.2.4-18.17.1
samba-winbind-4.2.4-18.17.1
samba-winbind-debuginfo-4.2.4-18.17.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
libdcerpc-binding0-32bit-4.2.4-18.17.1
libdcerpc-binding0-debuginfo-32bit-4.2.4-18.17.1
libdcerpc0-32bit-4.2.4-18.17.1
libdcerpc0-debuginfo-32bit-4.2.4-18.17.1
libgensec0-32bit-4.2.4-18.17.1
libgensec0-debuginfo-32bit-4.2.4-18.17.1
libndr-krb5pac0-32bit-4.2.4-18.17.1
libndr-krb5pac0-debuginfo-32bit-4.2.4-18.17.1
libndr-nbt0-32bit-4.2.4-18.17.1
libndr-nbt0-debuginfo-32bit-4.2.4-18.17.1
libndr-standard0-32bit-4.2.4-18.17.1
libndr-standard0-debuginfo-32bit-4.2.4-18.17.1
libndr0-32bit-4.2.4-18.17.1
libndr0-debuginfo-32bit-4.2.4-18.17.1
libnetapi0-32bit-4.2.4-18.17.1
libnetapi0-debuginfo-32bit-4.2.4-18.17.1
libsamba-credentials0-32bit-4.2.4-18.17.1
libsamba-credentials0-debuginfo-32bit-4.2.4-18.17.1
libsamba-hostconfig0-32bit-4.2.4-18.17.1
libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.17.1
libsamba-passdb0-32bit-4.2.4-18.17.1
libsamba-passdb0-debuginfo-32bit-4.2.4-18.17.1
libsamba-util0-32bit-4.2.4-18.17.1
libsamba-util0-debuginfo-32bit-4.2.4-18.17.1
libsamdb0-32bit-4.2.4-18.17.1
libsamdb0-debuginfo-32bit-4.2.4-18.17.1
libsmbclient-raw0-32bit-4.2.4-18.17.1
libsmbclient-raw0-debuginfo-32bit-4.2.4-18.17.1
libsmbclient0-32bit-4.2.4-18.17.1
libsmbclient0-debuginfo-32bit-4.2.4-18.17.1
libsmbconf0-32bit-4.2.4-18.17.1
libsmbconf0-debuginfo-32bit-4.2.4-18.17.1
libsmbldap0-32bit-4.2.4-18.17.1
libsmbldap0-debuginfo-32bit-4.2.4-18.17.1
libtevent-util0-32bit-4.2.4-18.17.1
libtevent-util0-debuginfo-32bit-4.2.4-18.17.1
libwbclient0-32bit-4.2.4-18.17.1
libwbclient0-debuginfo-32bit-4.2.4-18.17.1
samba-32bit-4.2.4-18.17.1
samba-client-32bit-4.2.4-18.17.1
samba-client-debuginfo-32bit-4.2.4-18.17.1
samba-debuginfo-32bit-4.2.4-18.17.1
samba-libs-32bit-4.2.4-18.17.1
samba-libs-debuginfo-32bit-4.2.4-18.17.1
samba-winbind-32bit-4.2.4-18.17.1
samba-winbind-debuginfo-32bit-4.2.4-18.17.1
- SUSE Linux Enterprise Server 12 (noarch):
samba-doc-4.2.4-18.17.1
- SUSE Linux Enterprise High Availability 12 (s390x x86_64):
ctdb-4.2.4-18.17.1
ctdb-debuginfo-4.2.4-18.17.1
- SUSE Linux Enterprise Desktop 12 (noarch):
samba-doc-4.2.4-18.17.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
libdcerpc-binding0-32bit-4.2.4-18.17.1
libdcerpc-binding0-4.2.4-18.17.1
libdcerpc-binding0-debuginfo-32bit-4.2.4-18.17.1
libdcerpc-binding0-debuginfo-4.2.4-18.17.1
libdcerpc0-32bit-4.2.4-18.17.1
libdcerpc0-4.2.4-18.17.1
libdcerpc0-debuginfo-32bit-4.2.4-18.17.1
libdcerpc0-debuginfo-4.2.4-18.17.1
libgensec0-32bit-4.2.4-18.17.1
libgensec0-4.2.4-18.17.1
libgensec0-debuginfo-32bit-4.2.4-18.17.1
libgensec0-debuginfo-4.2.4-18.17.1
libndr-krb5pac0-32bit-4.2.4-18.17.1
libndr-krb5pac0-4.2.4-18.17.1
libndr-krb5pac0-debuginfo-32bit-4.2.4-18.17.1
libndr-krb5pac0-debuginfo-4.2.4-18.17.1
libndr-nbt0-32bit-4.2.4-18.17.1
libndr-nbt0-4.2.4-18.17.1
libndr-nbt0-debuginfo-32bit-4.2.4-18.17.1
libndr-nbt0-debuginfo-4.2.4-18.17.1
libndr-standard0-32bit-4.2.4-18.17.1
libndr-standard0-4.2.4-18.17.1
libndr-standard0-debuginfo-32bit-4.2.4-18.17.1
libndr-standard0-debuginfo-4.2.4-18.17.1
libndr0-32bit-4.2.4-18.17.1
libndr0-4.2.4-18.17.1
libndr0-debuginfo-32bit-4.2.4-18.17.1
libndr0-debuginfo-4.2.4-18.17.1
libnetapi0-32bit-4.2.4-18.17.1
libnetapi0-4.2.4-18.17.1
libnetapi0-debuginfo-32bit-4.2.4-18.17.1
libnetapi0-debuginfo-4.2.4-18.17.1
libregistry0-4.2.4-18.17.1
libregistry0-debuginfo-4.2.4-18.17.1
libsamba-credentials0-32bit-4.2.4-18.17.1
libsamba-credentials0-4.2.4-18.17.1
libsamba-credentials0-debuginfo-32bit-4.2.4-18.17.1
libsamba-credentials0-debuginfo-4.2.4-18.17.1
libsamba-hostconfig0-32bit-4.2.4-18.17.1
libsamba-hostconfig0-4.2.4-18.17.1
libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.17.1
libsamba-hostconfig0-debuginfo-4.2.4-18.17.1
libsamba-passdb0-32bit-4.2.4-18.17.1
libsamba-passdb0-4.2.4-18.17.1
libsamba-passdb0-debuginfo-32bit-4.2.4-18.17.1
libsamba-passdb0-debuginfo-4.2.4-18.17.1
libsamba-util0-32bit-4.2.4-18.17.1
libsamba-util0-4.2.4-18.17.1
libsamba-util0-debuginfo-32bit-4.2.4-18.17.1
libsamba-util0-debuginfo-4.2.4-18.17.1
libsamdb0-32bit-4.2.4-18.17.1
libsamdb0-4.2.4-18.17.1
libsamdb0-debuginfo-32bit-4.2.4-18.17.1
libsamdb0-debuginfo-4.2.4-18.17.1
libsmbclient-raw0-32bit-4.2.4-18.17.1
libsmbclient-raw0-4.2.4-18.17.1
libsmbclient-raw0-debuginfo-32bit-4.2.4-18.17.1
libsmbclient-raw0-debuginfo-4.2.4-18.17.1
libsmbclient0-32bit-4.2.4-18.17.1
libsmbclient0-4.2.4-18.17.1
libsmbclient0-debuginfo-32bit-4.2.4-18.17.1
libsmbclient0-debuginfo-4.2.4-18.17.1
libsmbconf0-32bit-4.2.4-18.17.1
libsmbconf0-4.2.4-18.17.1
libsmbconf0-debuginfo-32bit-4.2.4-18.17.1
libsmbconf0-debuginfo-4.2.4-18.17.1
libsmbldap0-32bit-4.2.4-18.17.1
libsmbldap0-4.2.4-18.17.1
libsmbldap0-debuginfo-32bit-4.2.4-18.17.1
libsmbldap0-debuginfo-4.2.4-18.17.1
libtevent-util0-32bit-4.2.4-18.17.1
libtevent-util0-4.2.4-18.17.1
libtevent-util0-debuginfo-32bit-4.2.4-18.17.1
libtevent-util0-debuginfo-4.2.4-18.17.1
libwbclient0-32bit-4.2.4-18.17.1
libwbclient0-4.2.4-18.17.1
libwbclient0-debuginfo-32bit-4.2.4-18.17.1
libwbclient0-debuginfo-4.2.4-18.17.1
samba-32bit-4.2.4-18.17.1
samba-4.2.4-18.17.1
samba-client-32bit-4.2.4-18.17.1
samba-client-4.2.4-18.17.1
samba-client-debuginfo-32bit-4.2.4-18.17.1
samba-client-debuginfo-4.2.4-18.17.1
samba-debuginfo-32bit-4.2.4-18.17.1
samba-debuginfo-4.2.4-18.17.1
samba-debugsource-4.2.4-18.17.1
samba-libs-32bit-4.2.4-18.17.1
samba-libs-4.2.4-18.17.1
samba-libs-debuginfo-32bit-4.2.4-18.17.1
samba-libs-debuginfo-4.2.4-18.17.1
samba-winbind-32bit-4.2.4-18.17.1
samba-winbind-4.2.4-18.17.1
samba-winbind-debuginfo-32bit-4.2.4-18.17.1
samba-winbind-debuginfo-4.2.4-18.17.1
References:
https://www.suse.com/security/cve/CVE-2015-5370.html
https://www.suse.com/security/cve/CVE-2016-2110.html
https://www.suse.com/security/cve/CVE-2016-2111.html
https://www.suse.com/security/cve/CVE-2016-2112.html
https://www.suse.com/security/cve/CVE-2016-2113.html
https://www.suse.com/security/cve/CVE-2016-2115.html
https://www.suse.com/security/cve/CVE-2016-2118.html
https://bugzilla.suse.com/320709
https://bugzilla.suse.com/913547
https://bugzilla.suse.com/919309
https://bugzilla.suse.com/924519
https://bugzilla.suse.com/936862
https://bugzilla.suse.com/942716
https://bugzilla.suse.com/946051
https://bugzilla.suse.com/949022
https://bugzilla.suse.com/964023
https://bugzilla.suse.com/966271
https://bugzilla.suse.com/968973
https://bugzilla.suse.com/971965
https://bugzilla.suse.com/972197
https://bugzilla.suse.com/973031
https://bugzilla.suse.com/973032
https://bugzilla.suse.com/973033
https://bugzilla.suse.com/973034
https://bugzilla.suse.com/973036
https://bugzilla.suse.com/973832
https://bugzilla.suse.com/974629
More information about the sle-security-updates
mailing list