SUSE-SU-2021:3647-1: important: Security update for samba and ldb

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Nov 10 20:32:01 UTC 2021


   SUSE Security Update: Security update for samba and ldb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3647-1
Rating:             important
References:         #1014440 #1192214 #1192215 #1192246 #1192247 
                    #1192283 #1192284 #1192505 
Cross-References:   CVE-2016-2124 CVE-2020-25717 CVE-2020-25718
                    CVE-2020-25719 CVE-2020-25721 CVE-2020-25722
                    CVE-2021-23192 CVE-2021-3738
CVSS scores:
                    CVE-2020-25717 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-25718 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-25719 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-25722 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-23192 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-3738 (SUSE): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE MicroOS 5.1
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise High Availability 15-SP3
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for samba and ldb fixes the following issues:

   - CVE-2020-25718: Fixed that an RODC can issue (forge) administrator
     tickets to other servers (bsc#1192246).
   - CVE-2021-3738: Fixed crash in dsdb stack (bsc#1192215).
   - CVE-2016-2124: Fixed not to fallback to non spnego authentication if we
     require kerberos (bsc#1014440).
   - CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a
     user could become root on domain members (bsc#1192284).
   - CVE-2020-25719: Fixed AD DC Username based races when no PAC is given
     (bsc#1192247).
   - CVE-2020-25722: Fixed AD DC UPN vs samAccountName not checked (top-level
     bug for AD DC validation issues) (bsc#1192283).
   - CVE-2021-23192: Fixed dcerpc requests to don't check all fragments
     against the first auth_state (bsc#1192214).
   - CVE-2020-25721: Fixed fill in the new HAS_SAM_NAME_AND_SID values
     (bsc#1192505).

   Samba was updated to 4.13.13

   * rodc_rwdc test flaps;(bso#14868).
   * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).
   * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit'
     S4U2Proxy Constrained Delegation bypass in Samba with embedded
     Heimdal;(bso#14642).
   * Python ldb.msg_diff() memory handling failure;(bso#14836).
   * "in" operator on ldb.Message is case sensitive;(bso#14845).
   * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871).
   * Allow special chars like "@" in samAccountName when generating the
     salt;(bso#14874).
   * Fix transit path validation;(bso#12998).
   * Prepare to operate with MIT krb5 >= 1.20;(bso#14870).
   * rpcclient NetFileEnum and net rpc file both cause lock order violation:
     brlock.tdb, share_entries.tdb;(bso#14645).
   * Python ldb.msg_diff() memory handling failure;(bso#14836).
   * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848).

   Samba was updated to 4.13.12:

   * Address a signifcant performance regression in database access in the AD
     DC since Samba 4.12;(bso#14806).
   * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba
     4.9 by using an explicit database handle cache; (bso#14807).
   * An unuthenticated user can crash the AD DC KDC by omitting the server
     name in a TGS-REQ;(bso#14817).
   * Address flapping samba_tool_drs_showrepl test;(bso#14818).
   * Address flapping dsdb_schema_attributes test;(bso#14819).
   * An unuthenticated user can crash the AD DC KDC by omitting the server
     name in a TGS-REQ;(bso#14817).
   * Fix CTDB flag/status update race conditions(bso#14784).

   Samba was updated to 4.13.11:

   * smbd: panic on force-close share during offload write; (bso#14769).
   * Fix returned attributes on fake quota file handle and avoid hitting the
     VFS;(bso#14731).
   * smbd: "deadtime" parameter doesn't work anymore;(bso#14783).
   * net conf list crashes when run as normal user;(bso#14787).
   * Work around special SMB2 READ response behavior of NetApp Ontap
     7.3.7;(bso#14607).
   * Start the SMB encryption as soon as possible;(bso#14793).
   * Winbind should not start if the socket path for the privileged pipe is
     too long;(bso#14792).

   ldb was updated to 2.2.2:

   + CVE-2020-25718: samba: An RODC can issue (forge) administrator tickets
     to other servers; (bsc#1192246); (bso#14558)
   + CVE-2021-3738: samba: crash in dsdb stack; (bsc#1192215);(bso#14848)

   Release ldb 2.2.2

   + Corrected python behaviour for 'in' for LDAP attributes contained as
     part of ldb.Message;(bso#14845).
   + Fix memory handling in ldb.msg_diff Corrected python
     docstrings;(bso#14836)
   + Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3647=1

   - SUSE Linux Enterprise Module for Python2 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3647=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3647=1

   - SUSE Linux Enterprise High Availability 15-SP3:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-3647=1



Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      ldb-debugsource-2.2.2-3.3.1
      libldb2-2.2.2-3.3.1
      libldb2-debuginfo-2.2.2-3.3.1

   - SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):

      samba-ad-dc-4.13.13+git.528.140935f8d6a-3.12.1
      samba-ad-dc-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-2.2.2-3.3.1
      ldb-tools-2.2.2-3.3.1
      ldb-tools-debuginfo-2.2.2-3.3.1
      libdcerpc-binding0-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-binding0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-samr-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-samr0-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-samr0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc0-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libldb-devel-2.2.2-3.3.1
      libldb2-2.2.2-3.3.1
      libldb2-debuginfo-2.2.2-3.3.1
      libndr-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-krb5pac-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-krb5pac0-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-krb5pac0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-nbt-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-nbt0-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-nbt0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-standard-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-standard0-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-standard0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr1-4.13.13+git.528.140935f8d6a-3.12.1
      libndr1-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libnetapi-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libnetapi0-4.13.13+git.528.140935f8d6a-3.12.1
      libnetapi0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-credentials-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-credentials0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-credentials0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-errors-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-errors0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-errors0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-hostconfig-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-hostconfig0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-hostconfig0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-passdb-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-passdb0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-passdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-policy-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-policy-python3-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-policy0-python3-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-policy0-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-util-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-util0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamdb-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsamdb0-4.13.13+git.528.140935f8d6a-3.12.1
      libsamdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbclient0-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbconf-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbconf0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbldap-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbldap2-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbldap2-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libtevent-util-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libtevent-util0-4.13.13+git.528.140935f8d6a-3.12.1
      libtevent-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libwbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1
      libwbclient0-4.13.13+git.528.140935f8d6a-3.12.1
      libwbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      python3-ldb-2.2.2-3.3.1
      python3-ldb-debuginfo-2.2.2-3.3.1
      python3-ldb-devel-2.2.2-3.3.1
      samba-4.13.13+git.528.140935f8d6a-3.12.1
      samba-client-4.13.13+git.528.140935f8d6a-3.12.1
      samba-client-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-core-devel-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1
      samba-dsdb-modules-4.13.13+git.528.140935f8d6a-3.12.1
      samba-dsdb-modules-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-gpupdate-4.13.13+git.528.140935f8d6a-3.12.1
      samba-ldb-ldap-4.13.13+git.528.140935f8d6a-3.12.1
      samba-ldb-ldap-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-python3-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-python3-4.13.13+git.528.140935f8d6a-3.12.1
      samba-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-winbind-4.13.13+git.528.140935f8d6a-3.12.1
      samba-winbind-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64):

      samba-ceph-4.13.13+git.528.140935f8d6a-3.12.1
      samba-ceph-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libdcerpc-binding0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc-binding0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libdcerpc0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libldb2-32bit-2.2.2-3.3.1
      libldb2-32bit-debuginfo-2.2.2-3.3.1
      libndr-krb5pac0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-krb5pac0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-nbt0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-nbt0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-standard0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libndr-standard0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libndr1-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libndr1-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libnetapi0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libnetapi0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-credentials0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-credentials0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-errors0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-errors0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-hostconfig0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-hostconfig0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-passdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-passdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamba-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsamdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsamdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbconf0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbconf0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbldap2-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libsmbldap2-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libtevent-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libtevent-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      libwbclient0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      libwbclient0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      samba-libs-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-winbind-32bit-4.13.13+git.528.140935f8d6a-3.12.1
      samba-winbind-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1

   - SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x x86_64):

      ctdb-4.13.13+git.528.140935f8d6a-3.12.1
      ctdb-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
      samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1


References:

   https://www.suse.com/security/cve/CVE-2016-2124.html
   https://www.suse.com/security/cve/CVE-2020-25717.html
   https://www.suse.com/security/cve/CVE-2020-25718.html
   https://www.suse.com/security/cve/CVE-2020-25719.html
   https://www.suse.com/security/cve/CVE-2020-25721.html
   https://www.suse.com/security/cve/CVE-2020-25722.html
   https://www.suse.com/security/cve/CVE-2021-23192.html
   https://www.suse.com/security/cve/CVE-2021-3738.html
   https://bugzilla.suse.com/1014440
   https://bugzilla.suse.com/1192214
   https://bugzilla.suse.com/1192215
   https://bugzilla.suse.com/1192246
   https://bugzilla.suse.com/1192247
   https://bugzilla.suse.com/1192283
   https://bugzilla.suse.com/1192284
   https://bugzilla.suse.com/1192505



More information about the sle-updates mailing list