SUSE-CU-2022:116-1: Security update of suse/sles12sp5

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Feb 8 07:57:51 UTC 2022 

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:116-1
Container Tags        : suse/sles12sp5:6.5.290 , suse/sles12sp5:latest
Container Release     : 6.5.290
Severity              : critical
Type                  : security
References            : 1089938 1139519 1158916 1180064 1182058 1191227 1192684 1193533
                        1193690 1194859 1195048 CVE-2020-29361 CVE-2021-20316 CVE-2021-43566
                        CVE-2021-44141 CVE-2021-44142 CVE-2022-0336 
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:323-1
Released:    Thu Feb  3 16:53:34 2022
Summary:     Security update for samba
Type:        security
Severity:    critical
References:  1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048,CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336

This update contains a major security update for Samba.


samba has received security fixes:

- CVE-2021-44141: Information leak via symlinks of existance of
  files or directories outside of the exported share (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
  in VFS module vfs_fruit allows code execution (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
  account can impersonate arbitrary services (bsc#1195048);

samba was updated to version 4.15.4; (jsc#SLE-23330);

+ CVE-2021-43566: Symlink race error can allow directory creation
  outside of the exported share; (bso#13979); (bsc#1139519);
+ CVE-2021-20316: Symlink race error can allow metadata read and
  modify outside of the exported share; (bso#14842); (bsc#1191227);

- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb,
  pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries.
  The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and
  their manpages in /usr/lib[64]/samba/man

  This avoids removing old functionality.

samba was updated to 4.15.4:

* Duplicate SMB file_ids leading to Windows client cache
  poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
  NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
  using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set 'client max protocol' to NT1 before
  calling the 'Reconnecting with SMB1 for workgroup listing'
  path; (bso#14939);
* Cross device copy of the crossrename module always fails;
  (bso#14940);
* symlinkat function from VFS cap module always fails with an
  error; (bso#14941);
* Fix possible fsp pointer deference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
  (bso#14944);
* 'smbd --build-options' no longer works without an smb.conf file;
  (bso#14945);

- Reorganize libs packages. Split samba-libs into samba-client-libs,
  samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
  public libraries depending on internal samba libraries into these
  packages as there were dependency problems everytime one of these
  public libraries changed its version (bsc#1192684). The devel
  packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink create by samba-dsdb-modules to private samba
  ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
  /usr/lib64/ldb2/modules/ldb/samba

sssd was updated:

- Build with the newer samba versions; (jsc#SLE-23330);
- Fix a dependency loop by moving internal libraries to sssd-common
  package; (bsc#1182058);

p11-kit was updated:

Update to 0.23.2; (jsc#SLE-23330);

* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes

- Fix multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361):
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993)

ca-certificates was updated:

- p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330)

This update also ships:

- libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requires of the newer samba.

apparmor was updated:

- Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330);

yast2-samba-client was updated:

- With latest versions of samba (>=4.15.0) calling 'net ads lookup'
  with '-U%' fails; (boo#1193533).
- yast-samba-client fails to join if /etc/samba/smb.conf or
  /etc/krb5.conf don't exist; (bsc#1089938)
- Do not stop nmbd while nmbstatus is running, it is not necessary
  anymore; (bsc#1158916);



The following package changes have been done:

- ca-certificates-1_201403302107-15.3.3 updated
- libp11-kit0-0.23.2-8.3.2 updated
- p11-kit-tools-0.23.2-8.3.2 updated
- p11-kit-0.23.2-8.3.2 updated

More information about the sle-security-updates mailing list