SUSE Security Update: Security update for ldb, samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0361-1
Rating:             critical
References:         #1014440 #1188727 #1189017 #1189875 #1192214 
                    #1192215 #1192246 #1192247 #1192283 #1192284 
                    #1192505 #1192849 #1194859 SLE-18456 
Cross-References:   CVE-2016-2124 CVE-2020-17049 CVE-2020-25717
                    CVE-2020-25718 CVE-2020-25719 CVE-2020-25721
                    CVE-2020-25722 CVE-2021-20254 CVE-2021-23192
                    CVE-2021-3738 CVE-2021-44142
CVSS scores:
                    CVE-2020-17049 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-25717 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-25718 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-25719 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-25721 (SUSE): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
                    CVE-2020-25722 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20254 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-23192 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-3738 (SUSE): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
                    CVE-2021-44142 (SUSE): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves 11 vulnerabilities, contains one
   feature and has two fixes is now available.

Description:

   This update for ldb, samba fixes the following issues:

   Changes in ldb:

   + CVE-2020-25718: An RODC can issue (forge) administrator tickets to other
     servers; (bsc#1192246)
   + CVE-2021-3738: Fixed a crash in dsdb stack (bsc#1192215)

   Release ldb 2.2.2

   + Corrected python behaviour for 'in' for LDAP attributes contained as
     part of ldb.Message
   + Fix memory handling in ldb.msg_diff
   + Backport bronze bit fixes, tests, and selftest improvements.

   Changes in samba:

   - CVE-2021-44142: Fixed an Out-of-Bound Read/Write on Samba vfs_fruit
     module; (bsc#1194859)

   - The username map [script] advice from CVE-2020-25717 advisory note has
     undesired side effects for the local nt token. Fallback to a SID/UID
     based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).

   - Fix regression introduced by CVE-2020-25717 patches, winbindd does not
     start when 'allow trusted domains' is off; (bso#14899);

   - CVE-2020-25717: Fixed that a user on the domain can become root on
     domain members; (bsc#1192284); (bso#14556).
   - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values;
     (bsc#1192505); (bso#14564).
   - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other
     servers; (bsc#1192246);(bso#14558).
   - CVE-2020-25719: Fixed AD DC Username based races when no PAC is
     given;(bsc#1192247);(bso#14561).
   - CVE-2020-25722: Fixed that AD DC UPN vs samAccountName not checked
     (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564).
   - CVE-2021-3738: Fixed a crash in dsdb stack;(bsc#1192215); (bso#14468).
   - CVE-2021-23192: Fixed that dcerpc requests don't check all fragments
     against the first auth_state;(bsc#1192214);(bso#14875).

   - CVE-2016-2124: don't fallback to non spnego authentication if we require
     kerberos; (bsc#1014440); (bso#12444).

   Update to 4.13.13

      * rodc_rwdc test flaps;(bso#14868).
      * Backport bronze bit fixes, tests, and selftest improvements;
        (bso#14881).
      * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit'
        S4U2Proxy Constrained Delegation bypass in Samba with embedded
        Heimdal;(bso#14642).
      * Python ldb.msg_diff() memory handling failure;(bso#14836).
      * "in" operator on ldb.Message is case sensitive;(bso#14845).
      * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871).
      * Allow special chars like "@" in samAccountName when generating the
        salt;(bso#14874).
      * Fix transit path validation;(bso#12998).
      * Prepare to operate with MIT krb5 >= 1.20;(bso#14870).
      * rpcclient NetFileEnum and net rpc file both cause lock order
        violation: brlock.tdb, share_entries.tdb;(bso#14645).
      * Python ldb.msg_diff() memory handling failure;(bso#14836).
      * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848).

   - Update to 4.13.12

      * Address a signifcant performance regression in database access in the
        AD DC since Samba 4.12;(bso#14806).
      * Fix performance regression in lsa_LookupSids3/LookupNames4 since
        Samba 4.9 by using an explicit database handle cache; (bso#14807).
      * An unuthenticated user can crash the AD DC KDC by omitting the server
        name in a TGS-REQ;(bso#14817).
      * Address flapping samba_tool_drs_showrepl test;(bso#14818).
      * Address flapping dsdb_schema_attributes test;(bso#14819).
      * An unuthenticated user can crash the AD DC KDC by omitting the server
        name in a TGS-REQ;(bso#14817).
      * Fix CTDB flag/status update race conditions(bso#14784).

   - Update to 4.13.11

      * smbd: panic on force-close share during offload write; (bso#14769).
      * Fix returned attributes on fake quota file handle and avoid hitting
        the VFS;(bso#14731).
      * smbd: "deadtime" parameter doesn't work anymore;(bso#14783).
      * net conf list crashes when run as normal user;(bso#14787).
      * Work around special SMB2 READ response behavior of NetApp Ontap
        7.3.7;(bso#14607).
      * Start the SMB encryption as soon as possible;(bso#14793).
      * Winbind should not start if the socket path for the privileged pipe
        is too long;(bso#14792).

   - Fix 'net rpc' authentication when using the machine account;
     (bsc#1189017); (bso#14796);

   - Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875);
   - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2;
     (bsc#1189875);
   - Fix wrong kvno exported to keytab after net ads changetrustpw due to
     replication delay; (bsc#1188727);
   - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456).

   - Update to 4.13.10

     * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL
       for directory handles; (bso#14708);
     * Take a copy to make sure we don't reference free'd memory; (bso#14721);
     * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722);
     * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
       change_file_owner_to_parent() error path; (bso#14736);
     * samba-tool: Give better error information when the 'domain backup
       restore' fails with a duplicate SID; (bso#14575);
     * smbd: Correctly initialize close timestamp fields; (bso#14714);
     * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740);
     * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
     * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750);
     * smbXsrv_{open,session,tcon}: Protect
       smbXsrv_{open,session,tcon}_global_traverse_fn against invalid
       records; (bso#14752);
     * samba-tool domain backup offline doesn't work against bind DLZ
       backend; (bso#14027);
     * netcmd: Use next_free_rid() function to calculate a SID for restoring
       a backup; (bso#14669);

   - Update to 4.13.9

     * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success;
       (bso#14696);
     * Add documentation for dsdb_group_audit and dsdb_group_json_audit to
       "log level", synchronise "log level" in smb.conf with the code;
       (bso#14689);
     * Fix smbd panic when two clients open same file; (bso#14672);
     * Fix memory leak in the RPC server; (bso#14675);
     * s3: smbd: Fix deferred renames; (bso#14679);
     * s3-iremotewinspool: Set the per-request memory context; (bso#14675);
     * rpc_server3: Fix a memleak for internal pipes; (bso#14675);
     * third_party: Update socket_wrapper to version 1.3.2; (bso#11899);
     * third_party: Update socket_wrapper to version 1.3.3; (bso#14639);
     * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict;
       (bso#14663);
     * Fix the build on OmniOS; (bso#14288);

   - Update to 4.13.8

     * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571

   - Update to 4.13.7

     * Release with dependency on ldb version 2.2.1.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2022-361=1



Package List:

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      ctdb-4.13.13+git.545.5897c2d94f3-3.12.1
      ctdb-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      ldb-debugsource-2.2.2-4.6.1
      libdcerpc-binding0-4.13.13+git.545.5897c2d94f3-3.12.1
      libdcerpc-binding0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libdcerpc0-4.13.13+git.545.5897c2d94f3-3.12.1
      libdcerpc0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libldb2-2.2.2-4.6.1
      libldb2-debuginfo-2.2.2-4.6.1
      libndr-krb5pac0-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr-krb5pac0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr-nbt0-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr-nbt0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr-standard0-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr-standard0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr1-4.13.13+git.545.5897c2d94f3-3.12.1
      libndr1-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libnetapi0-4.13.13+git.545.5897c2d94f3-3.12.1
      libnetapi0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-credentials0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-credentials0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-errors0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-errors0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-hostconfig0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-hostconfig0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-passdb0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-passdb0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-util0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamba-util0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamdb0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsamdb0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbclient0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbclient0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbconf0-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbconf0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbldap2-4.13.13+git.545.5897c2d94f3-3.12.1
      libsmbldap2-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libtevent-util0-4.13.13+git.545.5897c2d94f3-3.12.1
      libtevent-util0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      libwbclient0-4.13.13+git.545.5897c2d94f3-3.12.1
      libwbclient0-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      python3-ldb-2.2.2-4.6.1
      python3-ldb-debuginfo-2.2.2-4.6.1
      samba-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-ceph-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-ceph-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-client-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-client-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-debugsource-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-libs-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-libs-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-libs-python3-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-libs-python3-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-winbind-4.13.13+git.545.5897c2d94f3-3.12.1
      samba-winbind-debuginfo-4.13.13+git.545.5897c2d94f3-3.12.1


References:

   https://www.suse.com/security/cve/CVE-2016-2124.html
   https://www.suse.com/security/cve/CVE-2020-17049.html
   https://www.suse.com/security/cve/CVE-2020-25717.html
   https://www.suse.com/security/cve/CVE-2020-25718.html
   https://www.suse.com/security/cve/CVE-2020-25719.html
   https://www.suse.com/security/cve/CVE-2020-25721.html
   https://www.suse.com/security/cve/CVE-2020-25722.html
   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://www.suse.com/security/cve/CVE-2021-23192.html
   https://www.suse.com/security/cve/CVE-2021-3738.html
   https://www.suse.com/security/cve/CVE-2021-44142.html
   https://bugzilla.suse.com/1014440
   https://bugzilla.suse.com/1188727
   https://bugzilla.suse.com/1189017
   https://bugzilla.suse.com/1189875
   https://bugzilla.suse.com/1192214
   https://bugzilla.suse.com/1192215
   https://bugzilla.suse.com/1192246
   https://bugzilla.suse.com/1192247
   https://bugzilla.suse.com/1192283
   https://bugzilla.suse.com/1192284
   https://bugzilla.suse.com/1192505
   https://bugzilla.suse.com/1192849
   https://bugzilla.suse.com/1194859