SUSE-CU-2022:116-1: Security update of suse/sles12sp5
sle-security-updates at lists.suse.com
Tue Feb 8 07:57:51 UTC 2022
SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:116-1
Container Tags : suse/sles12sp5:6.5.290 , suse/sles12sp5:latest
Container Release : 6.5.290
Severity : critical
Type : security
References : 1089938 1139519 1158916 1180064 1182058 1191227 1192684 1193533
1193690 1194859 1195048 CVE-2020-29361 CVE-2021-20316 CVE-2021-43566
CVE-2021-44141 CVE-2021-44142 CVE-2022-0336
-----------------------------------------------------------------
The container suse/sles12sp5 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:323-1
Released: Thu Feb 3 16:53:34 2022
Summary: Security update for samba
Type: security
Severity: critical
References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048,CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
This update contains a major security update for Samba.
samba has received security fixes:
- CVE-2021-44141: Information leak via symlinks of existence of
files or directories outside of the exported share (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
account can impersonate arbitrary services (bsc#1195048);
samba was updated to version 4.15.4; (jsc#SLE-23330);
+ CVE-2021-43566: Symlink race error can allow directory creation
outside of the exported share; (bso#13979); (bsc#1139519);
+ CVE-2021-20316: Symlink race error can allow metadata read and
modify outside of the exported share; (bso#14842); (bsc#1191227);
- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb,
pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries.
The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and
their manpages in /usr/lib[64]/samba/man
This avoids removing old functionality.
samba was updated to 4.15.4:
* Duplicate SMB file_ids leading to Windows client cache
poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set 'client max protocol' to NT1 before
calling the 'Reconnecting with SMB1 for workgroup listing'
path; (bso#14939);
* Cross device copy of the crossrename module always fails;
(bso#14940);
* symlinkat function from VFS cap module always fails with an
error; (bso#14941);
* Fix possible fsp pointer dereference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
(bso#14944);
* 'smbd --build-options' no longer works without an smb.conf file;
(bso#14945);
- Reorganize libs packages. Split samba-libs into samba-client-libs,
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
public libraries depending on internal samba libraries into these
packages as there were dependency problems every time one of these
public libraries changed its version (bsc#1192684). The devel
packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink created by samba-dsdb-modules to private samba
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
/usr/lib64/ldb2/modules/ldb/samba
sssd was updated:
- Build with the newer samba versions; (jsc#SLE-23330);
- Fix a dependency loop by moving internal libraries to sssd-common
package; (bsc#1182058);
p11-kit was updated:
Update to 0.23.2; (jsc#SLE-23330);
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Fix multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361):
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993)
ca-certificates was updated:
- p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330)
This update also ships:
- libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requires of the newer samba.
apparmor was updated:
- Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330);
yast2-samba-client was updated:
- With latest versions of samba (>=4.15.0) calling 'net ads lookup'
with '-U%' fails; (boo#1193533).
- yast-samba-client fails to join if /etc/samba/smb.conf or
/etc/krb5.conf don't exist; (bsc#1089938)
- Do not stop nmbd while nmbstatus is running, it is not necessary
anymore; (bsc#1158916);
The following package changes have been done:
- ca-certificates-1_201403302107-15.3.3 updated
- libp11-kit0-0.23.2-8.3.2 updated
- p11-kit-tools-0.23.2-8.3.2 updated
- p11-kit-0.23.2-8.3.2 updated