Security update for samba

Announcement ID:	SUSE-SU-2022:4395-1
Rating:	important
References:	bsc#1200102 bsc#1201490 bsc#1201492 bsc#1201493 bsc#1201495 bsc#1201496 bsc#1201689 bsc#1204254 bsc#1205126
Cross-References:	CVE-2022-2031 CVE-2022-32742 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746 CVE-2022-3437 CVE-2022-42898
CVSS scores:	CVE-2022-2031 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-2031 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32742 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-32742 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-32744 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32744 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32745 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2022-32745 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2022-32746 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-32746 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-3437 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L CVE-2022-3437 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-42898 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L CVE-2022-42898 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15-SP3 openSUSE Leap 15.3 Python 2 Module 15-SP3 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Availability Extension 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2

An update that solves seven vulnerabilities and has two security fixes can now be installed.

Description:

This update for samba fixes the following issues:

Version update to 4.15.12.

Security issues fixed:

• CVE-2022-2031: Fixed AD users that could have bypassed certain restrictions associated with changing passwords (bsc#1201495).
• CVE-2022-32742: Fixed SMB1 code that does not correctly verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths (bsc#1201496).
• CVE-2022-32744: Fixed AD users that could have forged password change requests for any user (bsc#1201493).
• CVE-2022-32745: Fixed AD users that could have crashed the server process with an LDAP add or modify request (bsc#1201492).
• CVE-2022-32746: Fixed a use-after-free occurring in database audit logging (bsc#1201490).
• CVE-2022-3437: Fixed buffer overflow in Heimdal unwrap_des3() (bsc#1204254).
• CVE-2022-42898: Fixed Samba buffer overflow vulnerabilities on 32-bit systems (bsc#1205126).

Bug fixes:

• Install a systemd drop-in file for named service to allow read/write access to the DLZ directory (bsc#1201689).
• Possible use after free of connection_struct when iterating smbd_server_connection->connections (bsc#1200102).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.3
  zypper in -t patch SUSE-2022-4395=1
• Basesystem Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-4395=1
• Python 2 Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2022-4395=1
• SUSE Linux Enterprise High Availability Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2022-4395=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2022-4395=1
• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-4395=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-4395=1

Package List:

• openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
  • samba-ad-dc-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-pcp-pmda-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-gpupdate-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy-python3-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-pcp-pmda-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-dsdb-modules-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-dsdb-modules-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ldb-ldap-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-test-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-test-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ldb-ldap-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-tool-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• openSUSE Leap 15.3 (x86_64)
  • samba-winbind-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-devel-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• openSUSE Leap 15.3 (noarch)
  • samba-doc-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• openSUSE Leap 15.3 (aarch64 x86_64)
  • samba-ceph-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ceph-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• openSUSE Leap 15.3 (aarch64_ilp32)
  • samba-libs-python3-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-devel-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-64bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-64bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• Basesystem Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • samba-winbind-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-gpupdate-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy-python3-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-dsdb-modules-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-dsdb-modules-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ldb-ldap-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ldb-ldap-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-tool-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-devel-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • libsamba-policy0-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• Basesystem Module 15-SP3 (aarch64 x86_64)
  • samba-ceph-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ceph-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• Basesystem Module 15-SP3 (x86_64)
  • samba-winbind-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-devel-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-32bit-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-32bit-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• Python 2 Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ad-dc-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• SUSE Linux Enterprise High Availability Extension 15 SP3 (aarch64 ppc64le s390x x86_64)
  • ctdb-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • samba-client-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • ctdb-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ceph-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-python3-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-ceph-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-winbind-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  • samba-client-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  • samba-client-libs-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-client-libs-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debugsource-4.15.12+git.535.7750e5c95ef-150300.3.43.1
  • samba-debuginfo-4.15.12+git.535.7750e5c95ef-150300.3.43.1

References:

• https://www.suse.com/security/cve/CVE-2022-2031.html
• https://www.suse.com/security/cve/CVE-2022-32742.html
• https://www.suse.com/security/cve/CVE-2022-32744.html
• https://www.suse.com/security/cve/CVE-2022-32745.html
• https://www.suse.com/security/cve/CVE-2022-32746.html
• https://www.suse.com/security/cve/CVE-2022-3437.html
• https://www.suse.com/security/cve/CVE-2022-42898.html
• https://bugzilla.suse.com/show_bug.cgi?id=1200102
• https://bugzilla.suse.com/show_bug.cgi?id=1201490
• https://bugzilla.suse.com/show_bug.cgi?id=1201492
• https://bugzilla.suse.com/show_bug.cgi?id=1201493
• https://bugzilla.suse.com/show_bug.cgi?id=1201495
• https://bugzilla.suse.com/show_bug.cgi?id=1201496
• https://bugzilla.suse.com/show_bug.cgi?id=1201689
• https://bugzilla.suse.com/show_bug.cgi?id=1204254
• https://bugzilla.suse.com/show_bug.cgi?id=1205126