
openSUSE: 2023:0048-1 Moderate: Multiple gssntlmssp Issues Fixed

February 18, 2023
This update brings gssntlmssp, the GSSAPI NTLMSSP mechanism, on openSUSE Backports SLE-15-SP4 to version 1.2.0 and fixes five memory-safety bugs in its NTLM message decoding: out-of-bounds reads, memory corruption, an incorrect free and a memory leak.
An update that fixes 5 vulnerabilities is now available

Description

This update for gssntlmssp fixes the following issues:

Update to version 1.2.0

* Implement gss_set_cred_option.

* Allow gss_wrap even if NEGOTIATE_SEAL is not negotiated.

* Move HMAC code to OpenSSL EVP API.

* Fix crash bug when acceptor credentials are NULL.

* Translations update from Fedora Weblate.

Fix security issues:

* CVE-2023-25563 (boo#1208278): multiple out-of-bounds reads when decoding NTLM fields.

* CVE-2023-25564 (boo#1208279): memory corruption when decoding UTF16 strings.

* CVE-2023-25565 (boo#1208280): incorrect free when decoding target information.

* CVE-2023-25566 (boo#1208281): memory leak when parsing usernames.

* CVE-2023-25567 (boo#1208282): out-of-bounds read when decoding target information.

Update to version 1.1

* various build fixes and better compatibility when a MIC is requested.

Update to version 1.0

* Fix test_gssapi_rfc5587.

* Actually run tests with make check.

* Add...


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-48=1

Package List

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

gssntlmssp-1.2.0-bp154.2.3.1

gssntlmssp-devel-1.2.0-bp154.2.3.1
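The following script is an added example for verifying that a host has actually picked up this update; it is not part of the advisory and not SUSE tooling. It reads the installed version-release of gssntlmssp with a standard rpm query, compares it against the fixed version taken from the package list above (1.2.0-bp154.2.3.1), and with --apply runs the zypper command from the patch instructions when the host is still behind. The version comparison is a deliberately simplified reimplementation of rpm's rpmvercmp rules (numeric segments compare numerically, alphabetic segments as strings, numeric beats alphabetic, leftover segments win); it ignores epochs, tildes and carets, which is fine for this package but not a general replacement for rpmdev-vercmp. The sample versions used for checking are constructed.

```shell
#!/bin/sh
# Added example: check whether the gssntlmssp fix from openSUSE-SU-2023:0048-1
# is installed, and optionally apply the patch. Not SUSE's own tooling.

# Fixed version-release, taken from the advisory's package list.
FIXED_VERSION="1.2.0-bp154.2.3.1"

# tokenize: split an RPM version string into segments at separators and at
# digit/letter boundaries, e.g. "1.2.0-bp154.2.3.1" -> "1 2 0 bp 154 2 3 1".
tokenize() {
    printf '%s' "$1" | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
                           -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
                           -e 's/[^A-Za-z0-9]\{1,\}/ /g'
}

# vercmp A B: print -1, 0 or 1 as A is older than, equal to, or newer than B.
# Simplified rpmvercmp: no epoch, tilde or caret handling (assumption: none of
# the packages in this advisory use them).
vercmp() {
    awk -v a="$(tokenize "$1")" -v b="$(tokenize "$2")" '
    BEGIN {
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            da = (A[i] ~ /^[0-9]+$/); db = (B[i] ~ /^[0-9]+$/)
            if (da && db) {              # both numeric: compare as integers
                if (A[i] + 0 != B[i] + 0) {
                    r = (A[i] + 0 < B[i] + 0) ? -1 : 1; print r; exit
                }
            } else if (da != db) {       # a numeric segment is newer than an alphabetic one
                r = da ? 1 : -1; print r; exit
            } else if (A[i] != B[i]) {   # both alphabetic: plain string order
                r = (A[i] < B[i]) ? -1 : 1; print r; exit
            }
        }
        # all common segments equal: the version with segments left over is newer
        r = (na == nb) ? 0 : ((na < nb) ? -1 : 1); print r
    }'
}

# version_ge A B: succeed if A is at least B.
version_ge() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# gssntlmssp_fixed: succeed if gssntlmssp is installed at or above FIXED_VERSION.
# "rpm -q --qf" prints VERSION-RELEASE without needing any network access.
gssntlmssp_fixed() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' gssntlmssp 2>/dev/null) || return 1
    version_ge "$installed" "$FIXED_VERSION"
}

# Usage: ./check-gssntlmssp.sh --check   (exit 1 if missing or unpatched)
#        ./check-gssntlmssp.sh --apply   (install the patch if still behind)
case "${1:-}" in
    --check)
        if gssntlmssp_fixed; then echo "gssntlmssp >= $FIXED_VERSION: fixed"
        else echo "gssntlmssp missing or older than $FIXED_VERSION"; exit 1; fi ;;
    --apply)
        gssntlmssp_fixed || zypper in -t patch openSUSE-2023-48=1 ;;
esac
```

Run it with --check on each host in a fleet (for example through your existing configuration-management tooling) to get a pass/fail exit status rather than eyeballing rpm -qa output; the --apply path only invokes zypper when the installed version is actually older than the one in the package list.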

References

https://www.suse.com/security/cve/CVE-2023-25563.html

https://www.suse.com/security/cve/CVE-2023-25564.html

https://www.suse.com/security/cve/CVE-2023-25565.html

https://www.suse.com/security/cve/CVE-2023-25566.html

https://www.suse.com/security/cve/CVE-2023-25567.html

https://bugzilla.suse.com/1208278

https://bugzilla.suse.com/1208279

https://bugzilla.suse.com/1208280

https://bugzilla.suse.com/1208281

https://bugzilla.suse.com/1208282

Announcement ID: openSUSE-SU-2023:0048-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP4.
