An update that solves one vulnerability and has 10 fixes is
now available.
Description:
This update for ldb, samba fixes the following issues:
ldb was updated to version 2.4.2 to fix:
- Fix for CVE-2021-3670, ensure that the LDB request has not timed out
during filter processing as the LDAP server MaxQueryDuration is
otherwise not honoured.
samba was updated to fix:
- Revert NIS support removal; (bsc#1199247);
- Use requires_eq macro to require the libldb2 version available at
samba-dsdb-modules build time; (bsc#1199362);
- Add missing samba-client requirement to samba-winbind package;
(bsc#1198255);
Update to 4.15.7
- Share and server swapped in smbget password prompt; (bso#14831);
- Durable handles won’t reconnect if the leased file is written to;
(bso#15022);
- rmdir silently fails if directory contains unreadable files and hide
unreadable is yes; (bso#15023);
- SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
on renamed file handle; (bso#15038);
- vfs_shadow_copy2 breaks “smbd async dosmode” sync fallback; (bso#14957);
- shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
(bso#15035);
- PAM Kerberos authentication incorrectly fails with a clock skew error;
(bso#15046);
- username map - samba erroneously applies unix group memberships to user
account entries; (bso#15041);
- NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
SMBC_server_internal; (bso#14983);
- Simple bind doesn’t work against an RODC (with non-preloaded users);
(bso#13879);
- Crash of winbind on RODC; (bso#14641);
- uncached logon on RODC always fails once; (bso#14865);
- KVNO off by 100000; (bso#14951);
- LDAP simple binds should honour “old password allowed period”;
(bso#15001);
- wbinfo -a doesn’t work reliably with upn names; (bso#15003);
- Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
- Regression: create krb5 conf = yes doesn’t work with a single KDC;
(bso#15016);
Update to 4.15.6
- Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND;
(bso#14169);
- Samba does not respond with STATUS_INVALID_PARAMETER when opening 2
objects with the same lease key; (bso#14737);
- NT error code is not set when overwriting a file during rename in
libsmbclient; (bso#14938);
- Fix ldap simple bind with TLS auditing; (bso#14996);
- net ads info shows LDAP Server: 0.0.0.0 depending on contacted server;
(bso#14674);
- Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224);
- pam_winbind will not allow gdm login if password about to expire;
(bso#8691);
- virusfilter_vfs_openat: Not scanned: Directory or special file;
(bso#14971);
- DFS fix for AIX broken; (bso#13631);
- Solaris and AIX acl modules: wrong function arguments; (bso#14974);
- Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239);
- Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy
in tdbsam_getsampwnam; (bso#14900);
- Fix a use-after-free in SMB1 server; (bso#14989);
- smb2_signing_decrypt_pdu() may not decrypt with
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968);
- Changing the machine password against an RODC likely destroys the domain
join; (bso#14984);
- authsam_make_user_info_dc() steals memory from its struct ldb_message
*msg argument; (bso#14993);
- Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995);
- Samba autorid fails to map AD users if id rangesize fits in the id range
only once; (bso#14967);
Other SUSE fixes:
- Fix mismatched version of libldb2; (bsc#1196788).
- Drop obsolete SuSEfirewall2 service files.
- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
(bsc#1080338).
- Fix ntlm authentications with “winbind use default domain = yes”;
(bso#13126); (bsc#1173429); (bsc#1196308).
- Fix samba-ad-dc status warning notification message by disabling systemd
notifications in bgqd; (bsc#1195896); (bso#14947).
- libldb version mismatch in Samba dsdb component; (bsc#1118508).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
  zypper in -t patch openSUSE-SLE-15.4-2022-2307=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2307=1
- SUSE Linux Enterprise High Availability 15-SP4:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2022-2307=1
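As an added example (not part of the SUSE advisory), a POSIX shell check that reports whether the installed libldb2 and samba packages are at or above the versions this update ships (ldb 2.4.2, samba 4.15.7). It assumes rpm is available on the host and that the package names are libldb2 and samba; an explicit version can be passed instead to exercise the comparison without rpm.

```shell
#!/bin/sh
# Added example, not from the advisory: verify that ldb and samba are at or
# above the fixed versions stated in this update.
# Assumption: rpm is present and the packages are named libldb2 and samba.

LDB_FIXED="2.4.2"      # ldb version that carries the CVE-2021-3670 fix
SAMBA_FIXED="4.15.7"   # samba version this update brings

# version_ge A B: succeed when dotted version A >= B, comparing numeric
# fields left to right; missing fields count as 0 (so 4.15 < 4.15.7).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# installed_version PKG: print the installed rpm version, or nothing when
# the package (or rpm itself) is absent.
installed_version() {
    rpm -q "$1" >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null | head -n1
}

# check_pkg PKG FIXED [INSTALLED]: print ok / needs-update / not-installed.
# When INSTALLED is given, rpm is not queried (useful for testing).
check_pkg() {
    pkg="$1"; fixed="$2"; inst="${3:-$(installed_version "$1")}"
    if [ -z "$inst" ]; then
        echo "not-installed"
    elif version_ge "$inst" "$fixed"; then
        echo "ok"
    else
        echo "needs-update"
    fi
}

# Report on the two packages this advisory covers.
for spec in "libldb2:$LDB_FIXED" "samba:$SAMBA_FIXED"; do
    pkg="${spec%%:*}"; fixed="${spec##*:}"
    printf '%-10s %s\n' "$pkg" "$(check_pkg "$pkg" "$fixed")"
done
```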