Security update for samba

Announcement ID:	SUSE-SU-2023:0160-1
Rating:	important
References:	bsc#1200102 bsc#1201490 bsc#1201492 bsc#1201493 bsc#1201495 bsc#1201496 bsc#1201689 bsc#1204254 bsc#1205126 bsc#1205385 bsc#1205386 bsc#1206504 bsc#1206546
Cross-References:	CVE-2021-20251 CVE-2022-2031 CVE-2022-32742 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746 CVE-2022-3437 CVE-2022-37966 CVE-2022-37967 CVE-2022-38023 CVE-2022-42898
CVSS scores:	CVE-2021-20251 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-20251 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2022-2031 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-2031 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32742 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-32742 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-32744 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32744 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-32745 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2022-32745 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2022-32746 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-32746 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-3437 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L CVE-2022-3437 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-37966 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-37966 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-37967 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-37967 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-38023 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-38023 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-42898 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L CVE-2022-42898 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 openSUSE Leap Micro 5.3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Availability Extension 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro for Rancher 5.3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves 11 vulnerabilities and has two security fixes can now be installed.

Description:

This update for samba fixes the following issues:

• CVE-2021-20251: Fixed an issue where the bad password count would not be properly incremented, which could allow attackers to brute force a user's password (bsc#1206546).

• Updated to version 4.15.13:

• CVE-2022-37966: Fixed an issue where a weak cipher would be selected to encrypt session keys, which could lead to privilege escalation (bsc#1205385).
• CVE-2022-37967: Fixed a potential privilege escalation issue via constrained delegation due to weak a cryptographic algorithm being selected (bsc#1205386).

• CVE-2022-38023: Disabled weak ciphers by default in the Netlogon Secure channel (bsc#1206504).

• Updated to version 4.15.12:

• CVE-2022-42898: Fixed several buffer overflow vulnerabilities on 32-bit systems (bsc#1205126).

• Updated to version 4.15.11:

• CVE-2022-3437: Fixed a buffer overflow in Heimdal unwrap_des3() (bsc#1204254).

• Updated to version 4.15.10:

• Fixed a potential crash due to a concurrency issue (bsc#1200102).

• Updated to version 4.15.9:

• CVE-2022-32742: Fixed an information leak that could be triggered via SMB1 (bsc#1201496).
• CVE-2022-32746: Fixed a memory corruption issue in database audit logging (bsc#1201490).
• CVE-2022-2031: Fixed AD restrictions bypass associated with changing passwords (bsc#1201495).
• CVE-2022-32745: Fixed a remote server crash that could be triggered with certain LDAP requests (bsc#1201492).
• CVE-2022-32744: Fixed an issue where AD users could have forged password change requests on behalf of other users (bsc#1201493).

Other fixes:

• Fixed a problem when using bind as samba-ad-dc backend related to the named service (bsc#1201689).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap Micro 5.3
  zypper in -t patch openSUSE-Leap-Micro-5.3-2023-160=1
• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-160=1
• SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-160=1
• SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-160=1
• Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-160=1
• SUSE Linux Enterprise High Availability Extension 15 SP4
  zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2023-160=1

Package List:

• openSUSE Leap Micro 5.3 (aarch64 x86_64)
  • samba-client-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • samba-dsdb-modules-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ldb-ldap-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-dsdb-modules-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ldb-ldap-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-test-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-test-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy0-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-pcp-pmda-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-gpupdate-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy-python3-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-pcp-pmda-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-tool-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy0-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
• openSUSE Leap 15.4 (x86_64)
  • libsamba-policy0-python3-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-devel-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy0-python3-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
• openSUSE Leap 15.4 (aarch64 x86_64)
  • samba-ceph-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ceph-4.15.13+git.591.ab36624310c-150400.3.19.1
• openSUSE Leap 15.4 (noarch)
  • samba-doc-4.15.13+git.591.ab36624310c-150400.3.19.1
• SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
  • samba-client-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
• SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
  • samba-client-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
• Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • samba-dsdb-modules-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ldb-ldap-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-dsdb-modules-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ldb-ldap-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-winbind-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy0-python3-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ad-dc-libs-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-gpupdate-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy-python3-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy-devel-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-tool-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-4.15.13+git.591.ab36624310c-150400.3.19.1
  • libsamba-policy0-python3-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
• Basesystem Module 15-SP4 (aarch64 x86_64)
  • samba-ceph-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-ceph-4.15.13+git.591.ab36624310c-150400.3.19.1
• Basesystem Module 15-SP4 (x86_64)
  • samba-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-32bit-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-client-libs-32bit-4.15.13+git.591.ab36624310c-150400.3.19.1
• SUSE Linux Enterprise High Availability Extension 15 SP4 (aarch64 ppc64le s390x x86_64)
  • samba-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-debuginfo-4.15.13+git.591.ab36624310c-150400.3.19.1
  • samba-debugsource-4.15.13+git.591.ab36624310c-150400.3.19.1
  • ctdb-4.15.13+git.591.ab36624310c-150400.3.19.1

References:

• https://www.suse.com/security/cve/CVE-2021-20251.html
• https://www.suse.com/security/cve/CVE-2022-2031.html
• https://www.suse.com/security/cve/CVE-2022-32742.html
• https://www.suse.com/security/cve/CVE-2022-32744.html
• https://www.suse.com/security/cve/CVE-2022-32745.html
• https://www.suse.com/security/cve/CVE-2022-32746.html
• https://www.suse.com/security/cve/CVE-2022-3437.html
• https://www.suse.com/security/cve/CVE-2022-37966.html
• https://www.suse.com/security/cve/CVE-2022-37967.html
• https://www.suse.com/security/cve/CVE-2022-38023.html
• https://www.suse.com/security/cve/CVE-2022-42898.html
• https://bugzilla.suse.com/show_bug.cgi?id=1200102
• https://bugzilla.suse.com/show_bug.cgi?id=1201490
• https://bugzilla.suse.com/show_bug.cgi?id=1201492
• https://bugzilla.suse.com/show_bug.cgi?id=1201493
• https://bugzilla.suse.com/show_bug.cgi?id=1201495
• https://bugzilla.suse.com/show_bug.cgi?id=1201496
• https://bugzilla.suse.com/show_bug.cgi?id=1201689
• https://bugzilla.suse.com/show_bug.cgi?id=1204254
• https://bugzilla.suse.com/show_bug.cgi?id=1205126
• https://bugzilla.suse.com/show_bug.cgi?id=1205385
• https://bugzilla.suse.com/show_bug.cgi?id=1205386
• https://bugzilla.suse.com/show_bug.cgi?id=1206504
• https://bugzilla.suse.com/show_bug.cgi?id=1206546