Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3868
Security update for samba and ldb
12 November 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: samba
ldb
Publisher: SUSE
Operating System: SUSE
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Existing Account
Provide Misleading Information -- Existing Account
Reduced Security -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-23192 CVE-2021-3738 CVE-2020-25722
CVE-2020-25721 CVE-2020-25719 CVE-2020-25718
CVE-2020-25717 CVE-2020-17049 CVE-2016-2124
Reference: ESB-2021.3861
ESB-2021.3774
Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20213647-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for samba and ldb
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:3647-1
Rating: important
References: #1014440 #1192214 #1192215 #1192246 #1192247 #1192283
#1192284 #1192505
Cross-References: CVE-2016-2124 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719
CVE-2020-25721 CVE-2020-25722 CVE-2021-23192 CVE-2021-3738
Affected Products:
SUSE MicroOS 5.1
SUSE Linux Enterprise Module for Python2 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise High Availability 15-SP3
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for samba and ldb fixes the following issues:
o CVE-2020-25718: Fixed that an RODC can issue (forge) administrator tickets
to other servers (bsc#1192246).
o CVE-2021-3738: Fixed crash in dsdb stack (bsc#1192215).
o CVE-2016-2124: Fixed not to fallback to non spnego authentication if we
require kerberos (bsc#1014440).
o CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user
could become root on domain members (bsc#1192284).
o CVE-2020-25719: Fixed AD DC Username based races when no PAC is given (bsc#
1192247).
o CVE-2020-25722: Fixed AD DC UPN vs samAccountName not checked (top-level
bug for AD DC validation issues) (bsc#1192283).
o CVE-2021-23192: Fixed dcerpc requests to don't check all fragments against
the first auth_state (bsc#1192214).
o CVE-2020-25721: Fixed fill in the new HAS_SAM_NAME_AND_SID values (bsc#
1192505).
Samba was updated to 4.13.13
o rodc_rwdc test flaps;(bso#14868).
o Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).
o Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit'
S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso
#14642).
o Python ldb.msg_diff() memory handling failure;(bso#14836).
o "in" operator on ldb.Message is case sensitive;(bso#14845).
o Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871).
o Allow special chars like "@" in samAccountName when generating the salt;
(bso#14874).
o Fix transit path validation;(bso#12998).
o Prepare to operate with MIT krb5 >= 1.20;(bso#14870).
o rpcclient NetFileEnum and net rpc file both cause lock order violation:
brlock.tdb, share_entries.tdb;(bso#14645).
o Python ldb.msg_diff() memory handling failure;(bso#14836).
o Release LDB 2.3.1 for Samba 4.14.9;(bso#14848).
Samba was updated to 4.13.12:
o Address a signifcant performance regression in database access in the AD DC
since Samba 4.12;(bso#14806).
o Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9
by using an explicit database handle cache; (bso#14807).
o An unuthenticated user can crash the AD DC KDC by omitting the server name
in a TGS-REQ;(bso#14817).
o Address flapping samba_tool_drs_showrepl test;(bso#14818).
o Address flapping dsdb_schema_attributes test;(bso#14819).
o An unuthenticated user can crash the AD DC KDC by omitting the server name
in a TGS-REQ;(bso#14817).
o Fix CTDB flag/status update race conditions(bso#14784).
Samba was updated to 4.13.11:
o smbd: panic on force-close share during offload write; (bso#14769).
o Fix returned attributes on fake quota file handle and avoid hitting the
VFS;(bso#14731).
o smbd: "deadtime" parameter doesn't work anymore;(bso#14783).
o net conf list crashes when run as normal user;(bso#14787).
o Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#
14607).
o Start the SMB encryption as soon as possible;(bso#14793).
o Winbind should not start if the socket path for the privileged pipe is too
long;(bso#14792).
ldb was updated to 2.2.2:
o CVE-2020-25718: samba: An RODC can issue (forge) administrator tickets to
other servers; (bsc#1192246); (bso#14558)
o CVE-2021-3738: samba: crash in dsdb stack; (bsc#1192215);(bso#14848)
Release ldb 2.2.2
o Corrected python behaviour for 'in' for LDAP attributes contained as part
of ldb.Message;(bso#14845).
o Fix memory handling in ldb.msg_diff Corrected python docstrings;(bso#14836)
o Backport bronze bit fixes, tests, and selftest improvements; (bso#14881).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE MicroOS 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3647=1
o SUSE Linux Enterprise Module for Python2 15-SP3:
zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3647=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3647=1
o SUSE Linux Enterprise High Availability 15-SP3:
zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-3647=1
Package List:
o SUSE MicroOS 5.1 (aarch64 s390x x86_64):
ldb-debugsource-2.2.2-3.3.1
libldb2-2.2.2-3.3.1
libldb2-debuginfo-2.2.2-3.3.1
o SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x
x86_64):
samba-ad-dc-4.13.13+git.528.140935f8d6a-3.12.1
samba-ad-dc-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
ldb-debugsource-2.2.2-3.3.1
ldb-tools-2.2.2-3.3.1
ldb-tools-debuginfo-2.2.2-3.3.1
libdcerpc-binding0-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-binding0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-devel-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-samr-devel-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-samr0-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-samr0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc0-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libldb-devel-2.2.2-3.3.1
libldb2-2.2.2-3.3.1
libldb2-debuginfo-2.2.2-3.3.1
libndr-devel-4.13.13+git.528.140935f8d6a-3.12.1
libndr-krb5pac-devel-4.13.13+git.528.140935f8d6a-3.12.1
libndr-krb5pac0-4.13.13+git.528.140935f8d6a-3.12.1
libndr-krb5pac0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr-nbt-devel-4.13.13+git.528.140935f8d6a-3.12.1
libndr-nbt0-4.13.13+git.528.140935f8d6a-3.12.1
libndr-nbt0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr-standard-devel-4.13.13+git.528.140935f8d6a-3.12.1
libndr-standard0-4.13.13+git.528.140935f8d6a-3.12.1
libndr-standard0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr1-4.13.13+git.528.140935f8d6a-3.12.1
libndr1-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libnetapi-devel-4.13.13+git.528.140935f8d6a-3.12.1
libnetapi0-4.13.13+git.528.140935f8d6a-3.12.1
libnetapi0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-credentials-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-credentials0-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-credentials0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-errors-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-errors0-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-errors0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-hostconfig-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-hostconfig0-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-hostconfig0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-passdb-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-passdb0-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-passdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-policy-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-policy-python3-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-policy0-python3-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-policy0-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-util-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-util0-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamdb-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsamdb0-4.13.13+git.528.140935f8d6a-3.12.1
libsamdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsmbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsmbclient0-4.13.13+git.528.140935f8d6a-3.12.1
libsmbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsmbconf-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1
libsmbconf0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsmbldap-devel-4.13.13+git.528.140935f8d6a-3.12.1
libsmbldap2-4.13.13+git.528.140935f8d6a-3.12.1
libsmbldap2-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libtevent-util-devel-4.13.13+git.528.140935f8d6a-3.12.1
libtevent-util0-4.13.13+git.528.140935f8d6a-3.12.1
libtevent-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libwbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1
libwbclient0-4.13.13+git.528.140935f8d6a-3.12.1
libwbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
python3-ldb-2.2.2-3.3.1
python3-ldb-debuginfo-2.2.2-3.3.1
python3-ldb-devel-2.2.2-3.3.1
samba-4.13.13+git.528.140935f8d6a-3.12.1
samba-client-4.13.13+git.528.140935f8d6a-3.12.1
samba-client-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-core-devel-4.13.13+git.528.140935f8d6a-3.12.1
samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1
samba-dsdb-modules-4.13.13+git.528.140935f8d6a-3.12.1
samba-dsdb-modules-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-gpupdate-4.13.13+git.528.140935f8d6a-3.12.1
samba-ldb-ldap-4.13.13+git.528.140935f8d6a-3.12.1
samba-ldb-ldap-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-python3-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-python3-4.13.13+git.528.140935f8d6a-3.12.1
samba-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-winbind-4.13.13+git.528.140935f8d6a-3.12.1
samba-winbind-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64):
samba-ceph-4.13.13+git.528.140935f8d6a-3.12.1
samba-ceph-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
libdcerpc-binding0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc-binding0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libdcerpc0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libldb2-32bit-2.2.2-3.3.1
libldb2-32bit-debuginfo-2.2.2-3.3.1
libndr-krb5pac0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libndr-krb5pac0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr-nbt0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libndr-nbt0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr-standard0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libndr-standard0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libndr1-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libndr1-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libnetapi0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libnetapi0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-credentials0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-credentials0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-errors0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-errors0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-hostconfig0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-hostconfig0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-passdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-passdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamba-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsamdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsamdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsmbconf0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsmbconf0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libsmbldap2-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libsmbldap2-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libtevent-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libtevent-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
libwbclient0-32bit-4.13.13+git.528.140935f8d6a-3.12.1
libwbclient0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-32bit-4.13.13+git.528.140935f8d6a-3.12.1
samba-libs-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-winbind-32bit-4.13.13+git.528.140935f8d6a-3.12.1
samba-winbind-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
o SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x
x86_64):
ctdb-4.13.13+git.528.140935f8d6a-3.12.1
ctdb-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1
samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1
References:
o https://www.suse.com/security/cve/CVE-2016-2124.html
o https://www.suse.com/security/cve/CVE-2020-25717.html
o https://www.suse.com/security/cve/CVE-2020-25718.html
o https://www.suse.com/security/cve/CVE-2020-25719.html
o https://www.suse.com/security/cve/CVE-2020-25721.html
o https://www.suse.com/security/cve/CVE-2020-25722.html
o https://www.suse.com/security/cve/CVE-2021-23192.html
o https://www.suse.com/security/cve/CVE-2021-3738.html
o https://bugzilla.suse.com/1014440
o https://bugzilla.suse.com/1192214
o https://bugzilla.suse.com/1192215
o https://bugzilla.suse.com/1192246
o https://bugzilla.suse.com/1192247
o https://bugzilla.suse.com/1192283
o https://bugzilla.suse.com/1192284
o https://bugzilla.suse.com/1192505
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYY3O7+NLKJtyKPYoAQjbVw//XD6Np4o8F3XfS7KTcHYcDvDgVb6PArgH
hr5CJpoxBIq+jPzucHxIfvfa48/LDBJSdc3V6iXSgSQgx9Uw7MU9a40xLWLiO0Vc
hf57TljAlw6T9KVl8W1s41KXRVQua1Clw8Q4+15ltcxZD+lFz6ZQSCDEqHyXILKm
gQB0x7lgmDLIyXbib9e3dA4HMHG5N8KDaFq4ZNVzp5ds2xyl8Qiog5j3cDLiB8pF
jRlT91/0dhWStMk+QTmdkj0IlLm7WhCiSZWaj7XM/7yWdGVjlmbxsSKlmo8D+c+R
OXdW5A5fGbAxmn4yuBIHaZ4MjGbq1MahQ8zOq0B+MVt0xtORCKiv/VLB9up4JNae
agArtUFlmNMLZXO1N3oO0uZGWKfVSuKibA9/wazi6CA+FUCyAOe9MxY3zk+nmNBQ
H/2EQ1O9vJ85L/mI7GqIu6unUYZHqCVYPK6erj3NgMnUIinzVVlbz8HuYXNMVYNG
iaB68xwD2fU5+iLyNuGEZyrQOTsYHpr7OmiKYrYEf9hBBJSa35sK7BL3+FvTetA7
T8CTOdH71hmECe4Mhu9WO7NGi9v0RrzLhjQJqLrJixRp18VY6eHUK5D8PmPLKfxI
tiRrZAGrtYbgofvyBQ8wMJWn9+XZR2xqMaOS6a6C3oryDcvvn9iQMoS9sYjX8fEA
70YSPBnYRpE=
=uayC
-----END PGP SIGNATURE-----