SUSE-SU-2022:2307-1
July 06, 2022

Security update for ldb, samba (moderate)

Source: lists.opensuse.org

CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.003 Low (percentile 68.0%)

An update that solves one vulnerability and has 10 fixes is
now available.

Description:

This update for ldb, samba fixes the following issues:

ldb was updated to version 2.4.2 to fix:

  • Fix for CVE-2021-3670, ensure that the LDB request has not timed out
    during filter processing as the LDAP server MaxQueryDuration is
    otherwise not honoured.

samba was updated to fix:

  • Revert NIS support removal; (bsc#1199247);

  • Use requires_eq macro to require the libldb2 version available at
    samba-dsdb-modules build time; (bsc#1199362);

  • Add missing samba-client requirement to samba-winbind package;
    (bsc#1198255);

Update to 4.15.7

  • Share and server swapped in smbget password prompt; (bso#14831);
  • Durable handles won’t reconnect if the leased file is written to;
    (bso#15022);
  • rmdir silently fails if directory contains unreadable files and hide
    unreadable is yes; (bso#15023);
  • SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
    on renamed file handle; (bso#15038);
  • vfs_shadow_copy2 breaks “smbd async dosmode” sync fallback; (bso#14957);
  • shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
    (bso#15035);
  • PAM Kerberos authentication incorrectly fails with a clock skew error;
    (bso#15046);
  • username map - samba erroneously applies unix group memberships to user
    account entries; (bso#15041);
  • NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
    SMBC_server_internal; (bso#14983);
  • Simple bind doesn’t work against an RODC (with non-preloaded users);
    (bso#13879);
  • Crash of winbind on RODC; (bso#14641);
  • uncached logon on RODC always fails once; (bso#14865);
  • KVNO off by 100000; (bso#14951);
  • LDAP simple binds should honour “old password allowed period”;
    (bso#15001);
  • wbinfo -a doesn’t work reliably with upn names; (bso#15003);
  • Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
  • Regression: create krb5 conf = yes doesn’t work with a single KDC;
    (bso#15016);
  • Add provides to samba-client-libs package to fix upgrades from previous
    versions; (bsc#1197995);

  • Add missing samba-libs requirement to samba-winbind package;
    (bsc#1198255);

Update to 4.15.6

  • Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND;
    (bso#14169);
  • Samba does not respond with STATUS_INVALID_PARAMETER when opening 2
    objects with the same lease key; (bso#14737);
  • NT error code is not set when overwriting a file during rename in
    libsmbclient; (bso#14938);
  • Fix ldap simple bind with TLS auditing; (bso#14996);
  • net ads info shows LDAP Server: 0.0.0.0 depending on contacted server;
    (bso#14674);
  • Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224);
  • pam_winbind will not allow gdm login if password about to expire;
    (bso#8691);
  • virusfilter_vfs_openat: Not scanned: Directory or special file;
    (bso#14971);
  • DFS fix for AIX broken; (bso#13631);
  • Solaris and AIX acl modules: wrong function arguments; (bso#14974);
  • Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239);
  • Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy
    in tdbsam_getsampwnam; (bso#14900);
  • Fix a use-after-free in SMB1 server; (bso#14989);
  • smb2_signing_decrypt_pdu() may not decrypt with
    gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968);
  • Changing the machine password against an RODC likely destroys the domain
    join; (bso#14984);
  • authsam_make_user_info_dc() steals memory from its struct ldb_message
    *msg argument; (bso#14993);
  • Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995);
  • Samba autorid fails to map AD users if id rangesize fits in the id range
    only once; (bso#14967);

Other SUSE fixes:

  • Fix mismatched version of libldb2; (bsc#1196788).
  • Drop obsolete SuSEfirewall2 service files.
  • Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
    (bsc#1080338).
  • Fix ntlm authentications with “winbind use default domain = yes”;
    (bso#13126); (bsc#1173429); (bsc#1196308).
  • Fix samba-ad-dc status warning notification message by disabling systemd
    notifications in bgqd; (bsc#1195896); (bso#14947).
  • libldb version mismatch in Samba dsdb component; (bsc#1118508);

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-2307=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2307=1

  • SUSE Linux Enterprise High Availability 15-SP4:

    zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2022-2307=1
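Once the patch has been applied, the check a practitioner wants is whether the installed ldb and samba packages are at or above the versions this update ships (ldb 2.4.2 and samba 4.15.7, as stated above). The following is an added example, not part of the SUSE advisory: a POSIX sh script that compares dotted version strings field by field and queries rpm for the installed versions. The package names libldb2 and samba are assumptions for the check; on a system where rpm is not available it reports that and exits with status 2 rather than guessing.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify that installed package
# versions meet the fixed versions named in the update text.

# version_at_least INSTALLED REQUIRED
# Returns 0 if INSTALLED >= REQUIRED, 1 otherwise. Versions are compared
# numerically field by field; a non-numeric suffix on a field (e.g. "7+git")
# is ignored, and missing trailing fields count as 0. No GNU sort -V needed.
version_at_least() {
    v1="$1." v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; v1=${v1#*.}
        b=${v2%%.*}; v2=${v2#*.}
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}   # keep only the leading digits
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0   # every field equal
}

# check_package NAME REQUIRED
# Exit status: 0 = installed and new enough, 1 = installed but too old,
# 2 = cannot determine (no rpm, or package not installed).
check_package() {
    pkg=$1 required=$2
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$pkg: rpm not available, cannot check"
        return 2
    fi
    # First installed instance only; multiarch installs would print several lines.
    installed=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null | head -n1)
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"
        return 2
    fi
    if version_at_least "$installed" "$required"; then
        echo "$pkg $installed: OK (>= $required)"
    else
        echo "$pkg $installed: UPDATE NEEDED (< $required)"
        return 1
    fi
}

# Package names are assumed; the required versions come from the update text.
status=0
check_package libldb2 2.4.2 || status=$?
check_package samba 4.15.7 || status=$?
# $status is non-zero if any package is missing, unverifiable, or below the fixed version.
```

The version comparison is kept separate from the rpm query so it can be reused for other advisories; note that it compares upstream versions only and does not look at the distribution release suffix, so a backported fix in an older-numbered package would still show as needing an update.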

Package table (191 rows; package names and filenames not recoverable from this page): openSUSE Leap 15.4 (aarch64, ppc64le, s390x, x86_64, noarch) and SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64, ppc64le, s390x, x86_64).
