SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0323-1
Rating:             critical
References:         #1089938 #1139519 #1158916 #1180064 #1182058 
                    #1191227 #1192684 #1193533 #1193690 #1194859 
                    #1195048 SLE-23330 
Cross-References:   CVE-2020-29361 CVE-2021-20316 CVE-2021-43566
                    CVE-2021-44141 CVE-2021-44142 CVE-2022-0336
                   
CVSS scores:
                    CVE-2020-29361 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-29361 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20316 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
                    CVE-2021-43566 (SUSE): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-44141 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-44142 (SUSE): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2022-0336 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Desktop 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise High Performance Computing 12-SP5
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server for SAP Applications 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
______________________________________________________________________________

   An update that solves 6 vulnerabilities, contains one
   feature and has 5 fixes is now available.

Description:


   This update contains a major security update for Samba.


   samba has received security fixes:

   - CVE-2021-44141: Information leak via symlinks of existance of files or
     directories outside of the exported share (bsc#1193690);
   - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS
     module vfs_fruit allows code execution (bsc#1194859);
   - CVE-2022-0336: Samba AD users with permission to write to an account can
     impersonate arbitrary services (bsc#1195048);

   samba was updated to version 4.15.4; (jsc#SLE-23330);

   + CVE-2021-43566: Symlink race error can allow directory creation
     outside of the exported share; (bso#13979); (bsc#1139519);
   + CVE-2021-20316: Symlink race error can allow metadata read and modify
     outside of the exported share; (bso#14842); (bsc#1191227);

   - Build samba with embedded talloc, pytalloc, pytalloc-util, tdb, pytdb,
     tevent, pytevent, ldb, pyldb and pyldb-util libraries. The tdb and ldb
     tools are installed in /usr/lib[64]/samba/bin and their manpages in
     /usr/lib[64]/samba/man

     This avoids removing old functionality.

   samba was updated to 4.15.4:

   * Duplicate SMB file_ids leading to Windows client cache poisoning;
     (bso#14928);
   * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
     NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
   * kill_tcp_connections does not work; (bso#14934);
   * Can't connect to Windows shares not requiring authentication using
     KDE/Gnome; (bso#14935);
   * smbclient -L doesn't set "client max protocol" to NT1 before calling the
     "Reconnecting with SMB1 for workgroup listing" path; (bso#14939);
   * Cross device copy of the crossrename module always fails; (bso#14940);
   * symlinkat function from VFS cap module always fails with an error;
     (bso#14941);
   * Fix possible fsp pointer deference; (bso#14942);
   * Missing pop_sec_ctx() in error path inside close_directory();
     (bso#14944);
   * "smbd --build-options" no longer works without an smb.conf file;
     (bso#14945);

   - Reorganize libs packages. Split samba-libs into samba-client-libs,
     samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
     public libraries depending on internal samba libraries into these
     packages as there were dependency problems everytime one of these public
     libraries changed its version (bsc#1192684). The devel packages are
     merged into samba-devel.
   - Rename package samba-core-devel to samba-devel
   - Update the symlink create by samba-dsdb-modules to private samba ldb
     modules following libldb2 changes from /usr/lib64/ldb/samba to
     /usr/lib64/ldb2/modules/ldb/samba

   sssd was updated:

   - Build with the newer samba versions; (jsc#SLE-23330);
   - Fix a dependency loop by moving internal libraries to sssd-common
     package; (bsc#1182058);

   p11-kit was updated:

   Update to 0.23.2; (jsc#SLE-23330);

   * Fix forking issues with libffi
   * Fix various crashes in corner cases
   * Updated translations
   * Build fixes

   - Fix multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361):
   - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993)

   ca-certificates was updated:

   - p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330)

   This update also ships:

   - libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the
     requires of the newer samba.

   apparmor was updated:

   - Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330);

   yast2-samba-client was updated:

   - With latest versions of samba (>=4.15.0) calling 'net ads lookup' with
     '-U%' fails; (boo#1193533).
   - yast-samba-client fails to join if /etc/samba/smb.conf or /etc/krb5.conf
     don't exist; (bsc#1089938)
   - Do not stop nmbd while nmbstatus is running, it is not necessary
     anymore; (bsc#1158916);


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-323=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-323=1

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2022-323=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      apparmor-debugsource-2.8.2-56.6.3
      libapparmor-devel-2.8.2-56.6.3
      libipa_hbac-devel-1.16.1-7.28.9
      libsamba-policy-devel-4.15.4+git.324.8332acf1a63-3.54.1
      libsamba-policy-python3-devel-4.15.4+git.324.8332acf1a63-3.54.1
      libsss_idmap-devel-1.16.1-7.28.9
      libsss_nss_idmap-devel-1.16.1-7.28.9
      p11-kit-debuginfo-0.23.2-8.3.2
      p11-kit-debugsource-0.23.2-8.3.2
      p11-kit-devel-0.23.2-8.3.2
      samba-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-debugsource-4.15.4+git.324.8332acf1a63-3.54.1
      samba-devel-4.15.4+git.324.8332acf1a63-3.54.1
      sssd-debugsource-1.16.1-7.28.9

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):

      samba-devel-32bit-4.15.4+git.324.8332acf1a63-3.54.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-mod_apparmor-2.8.2-56.6.3
      apache2-mod_apparmor-debuginfo-2.8.2-56.6.3
      apparmor-debugsource-2.8.2-56.6.3
      apparmor-parser-2.8.2-56.6.3
      apparmor-parser-debuginfo-2.8.2-56.6.3
      libapparmor1-2.8.2-56.6.3
      libapparmor1-debuginfo-2.8.2-56.6.3
      libgnutls30-3.4.17-8.4.1
      libgnutls30-debuginfo-3.4.17-8.4.1
      libhogweed4-3.1-21.3.2
      libhogweed4-debuginfo-3.1-21.3.2
      libipa_hbac0-1.16.1-7.28.9
      libipa_hbac0-debuginfo-1.16.1-7.28.9
      libnettle6-3.1-21.3.2
      libnettle6-debuginfo-3.1-21.3.2
      libp11-kit0-0.23.2-8.3.2
      libp11-kit0-debuginfo-0.23.2-8.3.2
      libsamba-policy0-python3-4.15.4+git.324.8332acf1a63-3.54.1
      libsamba-policy0-python3-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      libsss_certmap0-1.16.1-7.28.9
      libsss_certmap0-debuginfo-1.16.1-7.28.9
      libsss_idmap0-1.16.1-7.28.9
      libsss_idmap0-debuginfo-1.16.1-7.28.9
      libsss_nss_idmap0-1.16.1-7.28.9
      libsss_nss_idmap0-debuginfo-1.16.1-7.28.9
      libsss_simpleifp0-1.16.1-7.28.9
      libsss_simpleifp0-debuginfo-1.16.1-7.28.9
      p11-kit-0.23.2-8.3.2
      p11-kit-debuginfo-0.23.2-8.3.2
      p11-kit-debugsource-0.23.2-8.3.2
      p11-kit-nss-trust-0.23.2-8.3.2
      p11-kit-tools-0.23.2-8.3.2
      p11-kit-tools-debuginfo-0.23.2-8.3.2
      pam_apparmor-2.8.2-56.6.3
      perl-apparmor-2.8.2-56.6.3
      perl-apparmor-debuginfo-2.8.2-56.6.3
      python-sssd-config-1.16.1-7.28.9
      python-sssd-config-debuginfo-1.16.1-7.28.9
      samba-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-libs-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-libs-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-debugsource-4.15.4+git.324.8332acf1a63-3.54.1
      samba-ldb-ldap-4.15.4+git.324.8332acf1a63-3.54.1
      samba-ldb-ldap-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-python3-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-python3-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-python3-4.15.4+git.324.8332acf1a63-3.54.1
      samba-python3-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-tool-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-libs-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-libs-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      sssd-1.16.1-7.28.9
      sssd-ad-1.16.1-7.28.9
      sssd-ad-debuginfo-1.16.1-7.28.9
      sssd-common-1.16.1-7.28.9
      sssd-common-debuginfo-1.16.1-7.28.9
      sssd-dbus-1.16.1-7.28.9
      sssd-dbus-debuginfo-1.16.1-7.28.9
      sssd-debugsource-1.16.1-7.28.9
      sssd-ipa-1.16.1-7.28.9
      sssd-ipa-debuginfo-1.16.1-7.28.9
      sssd-krb5-1.16.1-7.28.9
      sssd-krb5-common-1.16.1-7.28.9
      sssd-krb5-common-debuginfo-1.16.1-7.28.9
      sssd-krb5-debuginfo-1.16.1-7.28.9
      sssd-ldap-1.16.1-7.28.9
      sssd-ldap-debuginfo-1.16.1-7.28.9
      sssd-proxy-1.16.1-7.28.9
      sssd-proxy-debuginfo-1.16.1-7.28.9
      sssd-tools-1.16.1-7.28.9
      sssd-tools-debuginfo-1.16.1-7.28.9

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):

      gnutls-debugsource-3.4.17-8.4.1
      libnettle-debugsource-3.1-21.3.2
      pam_apparmor-debuginfo-2.8.2-56.6.3

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libapparmor1-32bit-2.8.2-56.6.3
      libapparmor1-debuginfo-32bit-2.8.2-56.6.3
      libgnutls30-32bit-3.4.17-8.4.1
      libgnutls30-debuginfo-32bit-3.4.17-8.4.1
      libhogweed4-32bit-3.1-21.3.2
      libhogweed4-debuginfo-32bit-3.1-21.3.2
      libnettle6-32bit-3.1-21.3.2
      libnettle6-debuginfo-32bit-3.1-21.3.2
      libp11-kit0-32bit-0.23.2-8.3.2
      libp11-kit0-debuginfo-32bit-0.23.2-8.3.2
      libsamba-policy0-python3-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      libsamba-policy0-python3-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      p11-kit-32bit-0.23.2-8.3.2
      p11-kit-debuginfo-32bit-0.23.2-8.3.2
      pam_apparmor-32bit-2.8.2-56.6.3
      pam_apparmor-debuginfo-32bit-2.8.2-56.6.3
      samba-client-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-libs-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-client-libs-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-python3-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-libs-python3-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-libs-32bit-4.15.4+git.324.8332acf1a63-3.54.1
      samba-winbind-libs-debuginfo-32bit-4.15.4+git.324.8332acf1a63-3.54.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64):

      libsss_nss_idmap-devel-1.16.1-7.28.9
      samba-devel-4.15.4+git.324.8332acf1a63-3.54.1

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le):

      libsamba-policy-python3-devel-4.15.4+git.324.8332acf1a63-3.54.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      apparmor-docs-2.8.2-56.6.3
      apparmor-profiles-2.8.2-56.6.3
      apparmor-utils-2.8.2-56.6.3
      ca-certificates-1_201403302107-15.3.3
      samba-doc-4.15.4+git.324.8332acf1a63-3.54.1
      yast2-samba-client-3.1.23-3.3.1

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      ctdb-4.15.4+git.324.8332acf1a63-3.54.1
      ctdb-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-debuginfo-4.15.4+git.324.8332acf1a63-3.54.1
      samba-debugsource-4.15.4+git.324.8332acf1a63-3.54.1


References:

   https://www.suse.com/security/cve/CVE-2020-29361.html
   https://www.suse.com/security/cve/CVE-2021-20316.html
   https://www.suse.com/security/cve/CVE-2021-43566.html
   https://www.suse.com/security/cve/CVE-2021-44141.html
   https://www.suse.com/security/cve/CVE-2021-44142.html
   https://www.suse.com/security/cve/CVE-2022-0336.html
   https://bugzilla.suse.com/1089938
   https://bugzilla.suse.com/1139519
   https://bugzilla.suse.com/1158916
   https://bugzilla.suse.com/1180064
   https://bugzilla.suse.com/1182058
   https://bugzilla.suse.com/1191227
   https://bugzilla.suse.com/1192684
   https://bugzilla.suse.com/1193533
   https://bugzilla.suse.com/1193690
   https://bugzilla.suse.com/1194859
   https://bugzilla.suse.com/1195048