CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C

An update that solves 8 vulnerabilities, contains one
feature and has two fixes is now available.
Description:
Samba was updated to 4.15.4 (jsc#SLE-23329);
Samba was updated to version 4.15.3
krb5 was updated from 1.16.3 to 1.19.2
Changes from 1.19.1:
Changes from 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the “password” and “verify”
options, allowing credentials to be acquired via password and verified
using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set in
issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft’s Resource-Based
Constrained Delegation, which allows cross-realm S4U2Proxy requests. A
third-party database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft’s KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
used in the reply. This encryption type will be deprecated and removed
in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only (inspired
by Heimdal’s kgetcred).
Changes from 1.18.3
Changes from 1.18.2
Changes from 1.18.1
Changes from 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay
cache filenames using the new format end with “.rcache2” by default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an “enforce_ok_as_delegate” krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC sets
the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for
default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name
from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified by
X.509 certificate. (Requires support for certificate lookup from a
third-party KDB module.)
* Remove support for an old (“draft 9”) variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for “dns_canonicalize_hostname=fallback”, causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system’s first DNS search
path as a suffix. Add a “qualify_shortname” krb5.conf relation to
override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
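
The enctype and delegation changes listed above for krb5 1.18 and 1.19 can be checked against an existing krb5.conf before the update is rolled out. The following audit script is an added example, not part of the advisory or of krb5; the sample configuration is constructed, the function names are hypothetical, and the enctype alias sets and accepted boolean spellings are simplifying assumptions.

```python
import re

# Enctype names as spelled in krb5.conf. Single-DES support is removed in
# krb5 1.18; kinit warns about des3-cbc-sha1 from 1.19 on.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRIPLE_DES = {"des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, -des3
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def libdefaults(text):
    """Return the key/value relations of the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """List settings affected by the krb5 1.18 and 1.19 changes."""
    conf, findings = libdefaults(text), []
    for key in ENCTYPE_KEYS:
        for tok in re.split(r"[\s,]+", conf.get(key, "")):
            if not tok or tok.startswith("-"):  # "-name" removes an enctype
                continue
            name = tok.lstrip("+").lower()
            if name in SINGLE_DES:
                findings.append(f"{key}: {name} is single-DES, removed in krb5 1.18")
            elif name in TRIPLE_DES:
                findings.append(f"{key}: {name} is slated for deprecation, kinit warns in 1.19")
    if conf.get("enforce_ok_as_delegate", "false").lower() not in ("true", "yes", "on", "1"):
        findings.append("enforce_ok_as_delegate is off: forwarding ignores ok-as-delegate")
    return findings
```

Calling `audit()` on the text of `/etc/krb5.conf` returns one line per affected relation; an empty list means none of the checked settings are affected.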
Changes from 1.17.1
Changes from 1.17:
Administrator experience:
Build with full Cyrus SASL support. Negotiating SASL credentials with an
EXTERNAL bind mechanism requires interaction. Kerberos provides its
own interaction function that skips all interaction, thus preventing the
mechanism from working.
ldb was updated to version 2.4.1 (jsc#SLE-23329);
Release 2.4.1
Release 2.4.0
talloc was updated to 2.3.3:
tdb was updated to version 1.4.4:
tevent was updated to version 0.11.0:
sssd was updated to:
apparmor was updated to:
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-283=1