SUSE-SU-2022:2307-1: moderate: Security update for ldb, samba

sle-security-updates at lists.suse.com
Wed Jul 6 16:27:40 UTC 2022


   SUSE Security Update: Security update for ldb, samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2307-1
Rating:             moderate
References:         #1080338 #1118508 #1173429 #1195896 #1196224 
                    #1196308 #1196788 #1197995 #1198255 #1199247 
                    #1199362 
Cross-References:   CVE-2021-3670
CVSS scores:
                    CVE-2021-3670 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Availability 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Basesystem 15-SP4
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that solves one vulnerability and has 10 fixes is
   now available.

Description:

   This update for ldb, samba fixes the following issues:

   ldb was updated to version 2.4.2 to fix:

   + Fix for CVE-2021-3670, ensure that the LDB request has not timed out
     during filter processing as the LDAP server MaxQueryDuration is
     otherwise not honoured.

   samba was updated to fix:

   - Revert NIS support removal; (bsc#1199247);

   - Use requires_eq macro to require the libldb2 version available at
     samba-dsdb-modules build time; (bsc#1199362);

   - Add missing samba-client requirement to samba-winbind package;
     (bsc#1198255);

   Update to 4.15.7

   * Share and server swapped in smbget password prompt; (bso#14831);
   * Durable handles won't reconnect if the leased file is written to;
     (bso#15022);
   * rmdir silently fails if directory contains unreadable files and hide
     unreadable is yes; (bso#15023);
   * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
     on renamed file handle; (bso#15038);
   * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957);
   * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
     (bso#15035);
   * PAM Kerberos authentication incorrectly fails with a clock skew error;
     (bso#15046);
   * username map - samba erroneously applies unix group memberships to user
     account entries; (bso#15041);
   * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
     SMBC_server_internal; (bso#14983);
   * Simple bind doesn't work against an RODC (with non-preloaded users);
     (bso#13879);
   * Crash of winbind on RODC; (bso#14641);
   * uncached logon on RODC always fails once; (bso#14865);
   * KVNO off by 100000; (bso#14951);
   * LDAP simple binds should honour "old password allowed period";
     (bso#15001);
   * wbinfo -a doesn't work reliably with UPN names; (bso#15003);
   * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
   * Regression: create krb5 conf = yes doesn't work with a single KDC;
     (bso#15016);

   - Add provides to samba-client-libs package to fix upgrades from previous
     versions; (bsc#1197995);

   - Add missing samba-libs requirement to samba-winbind package;
     (bsc#1198255);

   Update to 4.15.6

   * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND;
     (bso#14169);
   * Samba does not respond with STATUS_INVALID_PARAMETER when opening 2
     objects with same lease key; (bso#14737);
   * NT error code is not set when overwriting a file during rename in
     libsmbclient; (bso#14938);
   * Fix ldap simple bind with TLS auditing; (bso#14996);
   * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server;
     (bso#14674);
   * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224);
   * pam_winbind will not allow gdm login if password about to expire;
     (bso#8691);
   * virusfilter_vfs_openat: Not scanned: Directory or special file;
     (bso#14971);
   * DFS fix for AIX broken; (bso#13631);
   * Solaris and AIX acl modules: wrong function arguments; (bso#14974);
   * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239);
   * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy
     in tdbsam_getsampwnam; (bso#14900);
   * Fix a use-after-free in SMB1 server; (bso#14989);
   * smb2_signing_decrypt_pdu() may not decrypt with
     gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968);
   * Changing the machine password against an RODC likely destroys the domain
     join; (bso#14984);
   * authsam_make_user_info_dc() steals memory from its struct ldb_message
     *msg argument; (bso#14993);
   * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995);
   * Samba autorid fails to map AD users if id rangesize fits in the id range
     only once; (bso#14967);

   Other SUSE fixes:

   - Fix mismatched version of libldb2; (bsc#1196788).
   - Drop obsolete SuSEfirewall2 service files.
   - Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
     (bsc#1080338).
   - Fix ntlm authentications with "winbind use default domain = yes";
     (bso#13126); (bsc#1173429); (bsc#1196308).
   - Fix samba-ad-dc status warning notification message by disabling systemd
     notifications in bgqd; (bsc#1195896); (bso#14947).
   - libldb version mismatch in Samba dsdb component; (bsc#1118508);


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-2307=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2307=1

   - SUSE Linux Enterprise High Availability 15-SP4:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2022-2307=1
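
   To confirm that a host has actually picked up the fixed builds after patching, the following added example (not part of the SUSE announcement) compares installed package versions against the fixed versions in this advisory's package list. The rpm query format, the sample input and the simplified version comparison are assumptions of the example; the comparison ignores rpm's '~' and '^' modifiers.

```python
import re

# Fixed version-release per package, copied from this advisory's package list.
FIXED = {
    "libldb2": "2.4.2-150400.4.3.11",
    "python3-ldb": "2.4.2-150400.4.3.11",
    "samba": "4.15.7+git.376.dd43aca9ab2-150400.3.5.3",
    "samba-client": "4.15.7+git.376.dd43aca9ab2-150400.3.5.3",
    "samba-winbind": "4.15.7+git.376.dd43aca9ab2-150400.3.5.3",
}

def vercmp(a, b):
    """Simplified rpm-style compare of one version or release string.
    Returns -1, 0 or 1. Does not handle the '~' and '^' modifiers."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment outranks letters
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)           # compare numbers as numbers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def unpatched(rpm_output):
    """Return (name, installed, fixed) for packages older than the fix."""
    findings = []
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in FIXED:
            name, installed = fields
            if evr_cmp(installed, FIXED[name]) < 0:
                findings.append((name, installed, FIXED[name]))
    return findings

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
libldb2 2.4.1-150400.2.7
samba 4.15.7+git.376.dd43aca9ab2-150400.3.5.3
samba-winbind 4.15.4+git.324.8332acf1a63-150400.1.21
bash 4.4-150400.25.22
"""

if __name__ == "__main__":
    for name, installed, fixed in unpatched(SAMPLE):
        print(f"{name}: {installed} is older than {fixed}")
```

   A later maintenance update with a higher release number compares as newer and is not reported.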



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      ctdb-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      ctdb-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      ctdb-pcp-pmda-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      ctdb-pcp-pmda-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      ldb-debugsource-2.4.2-150400.4.3.11
      ldb-tools-2.4.2-150400.4.3.11
      ldb-tools-debuginfo-2.4.2-150400.4.3.11
      libldb-devel-2.4.2-150400.4.3.11
      libldb2-2.4.2-150400.4.3.11
      libldb2-debuginfo-2.4.2-150400.4.3.11
      libsamba-policy-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy-python3-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy0-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy0-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      python3-ldb-2.4.2-150400.4.3.11
      python3-ldb-debuginfo-2.4.2-150400.4.3.11
      python3-ldb-devel-2.4.2-150400.4.3.11
      samba-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debugsource-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-dsdb-modules-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-dsdb-modules-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-gpupdate-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ldb-ldap-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ldb-ldap-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-test-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-test-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-tool-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - openSUSE Leap 15.4 (aarch64 x86_64):

      samba-ceph-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ceph-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - openSUSE Leap 15.4 (noarch):

      samba-doc-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - openSUSE Leap 15.4 (x86_64):

      libldb2-32bit-2.4.2-150400.4.3.11
      libldb2-32bit-debuginfo-2.4.2-150400.4.3.11
      libsamba-policy0-python3-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy0-python3-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      python3-ldb-32bit-2.4.2-150400.4.3.11
      python3-ldb-32bit-debuginfo-2.4.2-150400.4.3.11
      samba-ad-dc-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-devel-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-2.4.2-150400.4.3.11
      ldb-tools-2.4.2-150400.4.3.11
      ldb-tools-debuginfo-2.4.2-150400.4.3.11
      libldb-devel-2.4.2-150400.4.3.11
      libldb2-2.4.2-150400.4.3.11
      libldb2-debuginfo-2.4.2-150400.4.3.11
      libsamba-policy-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy-python3-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy0-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      libsamba-policy0-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      python3-ldb-2.4.2-150400.4.3.11
      python3-ldb-debuginfo-2.4.2-150400.4.3.11
      python3-ldb-devel-2.4.2-150400.4.3.11
      samba-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ad-dc-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debugsource-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-devel-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-dsdb-modules-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-dsdb-modules-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-gpupdate-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ldb-ldap-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ldb-ldap-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-python3-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-python3-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-winbind-libs-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 x86_64):

      samba-ceph-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-ceph-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (x86_64):

      libldb2-32bit-2.4.2-150400.4.3.11
      libldb2-32bit-debuginfo-2.4.2-150400.4.3.11
      samba-client-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-client-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-32bit-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-libs-32bit-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3

   - SUSE Linux Enterprise High Availability 15-SP4 (aarch64 ppc64le s390x x86_64):

      ctdb-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      ctdb-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debuginfo-4.15.7+git.376.dd43aca9ab2-150400.3.5.3
      samba-debugsource-4.15.7+git.376.dd43aca9ab2-150400.3.5.3


References:

   https://www.suse.com/security/cve/CVE-2021-3670.html
   https://bugzilla.suse.com/1080338
   https://bugzilla.suse.com/1118508
   https://bugzilla.suse.com/1173429
   https://bugzilla.suse.com/1195896
   https://bugzilla.suse.com/1196224
   https://bugzilla.suse.com/1196308
   https://bugzilla.suse.com/1196788
   https://bugzilla.suse.com/1197995
   https://bugzilla.suse.com/1198255
   https://bugzilla.suse.com/1199247
   https://bugzilla.suse.com/1199362


