Security update for samba, ldb, talloc, tdb, tevent SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:2356-1 Final 1 1 2015-12-24T11:14:41Z current 2015-12-24T11:14:41Z 2015-12-24T11:14:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for samba, ldb, talloc, tdb, tevent This update for ldb, samba, talloc, tdb, tevent fixes the following issues: ldb was updated to 1.1.24. + Fix ldap \00 search expression attack dos; cve-2015-3223; (bso#11325) + Fix remote read memory exploit in ldb; cve-2015-5330; (bso#11599) + Move ldb_(un)pack_data into ldb_module.h for testing + Fix installation of _ldb_text.py + Fix propagation of ldb errors through tdb + Fix bug triggered by having an empty message in database during search + Test improvements + Improved python bindings + Validate_ldb of string(generalized-time) does not accept millisecond format '.000Z'; (bso#9810) + Fix logic in ldb_val_to_time() + Allow to register extended match rules + Fixes for segfaults in pyldb + Documentation fixes + Build system improvements + Fix a typo in the comment, ldb_flags_mod_xxx -> ldb_flag_mod_xxx + Fix check for third_party + Make the successful ldb_transaction_start() message clearer + Ldb-samba: fix a memory leak in ldif_canonicalise_objectcategory() + Ldb-samba: move pyldb-utils dependency to python_samba__ldb + Build: improve detection of srcdir Samba was updated to 4.1.22. + Malicious request can cause samba ldap server to hang, spinning using cpu; CVE-2015-3223; (bso#11325); (boo#958581). + Remote read memory exploit in ldb; cve-2015-5330; (bso#11599); (boo#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (boo#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (boo#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (boo#958583). + Fix microsoft ms15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (boo#958585). + Fix remote dos in samba (ad) ldap server; cve-2015-7540; (bso#9187); (boo#958580). + Ensure attempt to ssh into locked account triggers 'Your account is disabled.....' to the console; (boo#953382). + Prevent null pointer access in samlogon fallback when security credentials are null; (boo#949022). talloc was updated to 2.1.5; (boo#954658). + Minor build fixes + Point ld_library_path to the just-built libraries while calling make test. + Disable rpath-install and silent-rules while configure. + Update to 2.1.4; (boo#951660). + Test that talloc magic differs between processes. + Increment minor version due to added talloc_test_get_magic. + Provide tests access to talloc_magic. + Test magic protection measures. + Update the samba library distribution key file 'talloc.keyring'; (bso#945116). + Update to 2.1.3; (boo#939051). + Improved python3 bindings + Documentation fixes regarding talloc_reference() and talloc_unlink() tdb was updated to version 1.3.8; (boo#954658). + Fix broken build with --disable-python + Minor build fixes + Disable rpath-install and silent-rules while configure. + Update the samba library distribution key file 'tdb.keyring'; (bso#945116). + Update to version 1.3.7. + First fix deadlock in the interaction between fcntl and mutex locking; (bso#11381) + Improved python3 bindings + Update to version 1.3.6. + Fix runtime detection for robust mutexes in the standalone build; (bso#11326). + Possible fix for the build with robust mutexes on solaris 11; (bso#11319). + Update to version 1.3.5. + Abi change: tdb_chainlock_read_nonblock() has been added, a nonblock variant of tdb_chainlock_read() + Do not build test binaries if it's not a standalone build + Fix cid 1034842 resource leak + Fix cid 1034841 resource leak + Don't let tdb_wrap_open() segfault with name==null + Update to version 1.3.4. + Toos: allow transactions with tdb_mutex_locking + Test: add tdb1-run-mutex-transaction1 test + Allow transactions on on tdb's with tdb_mutex_locking + Update to version 1.3.3. + Test: tdb_clear_if_first | tdb_mutex_locking, o_rdonly is a valid combination + Update to version 1.3.2. + Allow tdb_open_ex() with o_rdonly of tdb_feature_flag_mutex tdbs. + Fix a comment + Fix tdb_runtime_check_for_robust_mutexes() + Improve wording in a comment + Tdb.h needs bool type; obsoletes include_stdbool_bso10625.patch + Tdb_wrap: make mutexes easier to use + Tdb_wrap: only pull in samba-debug + Tdb_wrap: standalone compile without includes.h + Tdb_wrap: tdb_wrap.h doesn't need struct loadparm_context - Update to version 1.3.1. + Tools: fix a compiler warning + Defragment the freelist in tdb_allocate_from_freelist() + Add 'freelist_size' sub-command to tdbtool + Use tdb_freelist_merge_adjacent in tdb_freelist_size() + Add tdb_freelist_merge_adjacent() + Add utility function check_merge_ptr_with_left_record() + Simplify tdb_free() using check_merge_with_left_record() + Add utility function check_merge_with_left_record() + Improve comments for tdb_free(). + Factor merge_with_left_record() out of tdb_free() + Fix debug message in tdb_free() + Reduce indentation in tdb_free() for merging left + Increase readability of read_record_on_left() + Factor read_record_on_left() out of tdb_free() + Build: improve detection of srcdir. tevent was update to version 0.9.26; (boo#954658). + New tevent_thread_proxy api + Minor build fixes + Update the samba library distribution key file 'tevent.keyring'; (bso#945116). + Update to 0.9.25. + Fix compile error in solaris ports backend. + Fix access after free in tevent_common_check_signal(); (bso#11308). + Improve pytevent bindings. + Testsuite fixes. + Improve the documentation of the tevent_add_fd() assumtions. it must be talloc_free'ed before closing the fd! (bso##11141); (bso#11316). + Update to 0.9.24. + Ignore unexpected signal events in the same way the epoll backend does. + Update to 0.9.23. + Update the tevent_data.dox tutrial stuff to fix some errors, including white space problems. + Use tevent_req_simple_recv_unix in a few places. + Update to 0.9.22. + Remove unused exit_code in tevent_select.c + Remove unused exit_code in tevent_poll.c + Build: improve detection of srcdir + Lib: tevent: make tevent_sig_increment atomic. + Update flags in tevent pkgconfig file + Utilize doxygen to generate the api documentation and package it. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html E-Mail link for openSUSE-SU-2015:2356-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings ldb-1.1.24-3.7.1 ldb-tools-1.1.24-3.7.1 libdcerpc-atsvc-devel-4.1.22-3.46.1 libdcerpc-atsvc0-4.1.22-3.46.1 libdcerpc-atsvc0-32bit-4.1.22-3.46.1 libdcerpc-binding0-4.1.22-3.46.1 libdcerpc-binding0-32bit-4.1.22-3.46.1 libdcerpc-devel-4.1.22-3.46.1 libdcerpc-samr-devel-4.1.22-3.46.1 libdcerpc-samr0-4.1.22-3.46.1 libdcerpc-samr0-32bit-4.1.22-3.46.1 libdcerpc0-4.1.22-3.46.1 libdcerpc0-32bit-4.1.22-3.46.1 libgensec-devel-4.1.22-3.46.1 libgensec0-4.1.22-3.46.1 libgensec0-32bit-4.1.22-3.46.1 libldb-devel-1.1.24-3.7.1 libldb1-1.1.24-3.7.1 libldb1-32bit-1.1.24-3.7.1 libndr-devel-4.1.22-3.46.1 libndr-krb5pac-devel-4.1.22-3.46.1 libndr-krb5pac0-4.1.22-3.46.1 libndr-krb5pac0-32bit-4.1.22-3.46.1 libndr-nbt-devel-4.1.22-3.46.1 libndr-nbt0-4.1.22-3.46.1 libndr-nbt0-32bit-4.1.22-3.46.1 libndr-standard-devel-4.1.22-3.46.1 libndr-standard0-4.1.22-3.46.1 libndr-standard0-32bit-4.1.22-3.46.1 libndr0-4.1.22-3.46.1 libndr0-32bit-4.1.22-3.46.1 libnetapi-devel-4.1.22-3.46.1 libnetapi0-4.1.22-3.46.1 libnetapi0-32bit-4.1.22-3.46.1 libpdb-devel-4.1.22-3.46.1 libpdb0-4.1.22-3.46.1 libpdb0-32bit-4.1.22-3.46.1 libregistry-devel-4.1.22-3.46.1 libregistry0-4.1.22-3.46.1 libregistry0-32bit-4.1.22-3.46.1 libsamba-credentials-devel-4.1.22-3.46.1 libsamba-credentials0-4.1.22-3.46.1 libsamba-credentials0-32bit-4.1.22-3.46.1 libsamba-hostconfig-devel-4.1.22-3.46.1 libsamba-hostconfig0-4.1.22-3.46.1 libsamba-hostconfig0-32bit-4.1.22-3.46.1 libsamba-policy-devel-4.1.22-3.46.1 libsamba-policy0-4.1.22-3.46.1 libsamba-policy0-32bit-4.1.22-3.46.1 libsamba-util-devel-4.1.22-3.46.1 libsamba-util0-4.1.22-3.46.1 libsamba-util0-32bit-4.1.22-3.46.1 libsamdb-devel-4.1.22-3.46.1 libsamdb0-4.1.22-3.46.1 libsamdb0-32bit-4.1.22-3.46.1 libsmbclient-devel-4.1.22-3.46.1 libsmbclient-raw-devel-4.1.22-3.46.1 libsmbclient-raw0-4.1.22-3.46.1 libsmbclient-raw0-32bit-4.1.22-3.46.1 libsmbclient0-4.1.22-3.46.1 libsmbclient0-32bit-4.1.22-3.46.1 libsmbconf-devel-4.1.22-3.46.1 libsmbconf0-4.1.22-3.46.1 libsmbconf0-32bit-4.1.22-3.46.1 libsmbldap-devel-4.1.22-3.46.1 libsmbldap0-4.1.22-3.46.1 libsmbldap0-32bit-4.1.22-3.46.1 libsmbsharemodes-devel-4.1.22-3.46.1 libsmbsharemodes0-4.1.22-3.46.1 libtalloc-devel-2.1.5-7.10.1 libtalloc2-2.1.5-7.10.1 libtalloc2-32bit-2.1.5-7.10.1 libtdb-devel-1.3.8-4.7.1 libtdb1-1.3.8-4.7.1 libtdb1-32bit-1.3.8-4.7.1 libtevent-devel-0.9.26-4.7.1 libtevent-util-devel-4.1.22-3.46.1 libtevent-util0-4.1.22-3.46.1 libtevent-util0-32bit-4.1.22-3.46.1 libtevent0-0.9.26-4.7.1 libtevent0-32bit-0.9.26-4.7.1 libwbclient-devel-4.1.22-3.46.1 libwbclient0-4.1.22-3.46.1 libwbclient0-32bit-4.1.22-3.46.1 pyldb-1.1.24-3.7.1 pyldb-32bit-1.1.24-3.7.1 pyldb-devel-1.1.24-3.7.1 pytalloc-2.1.5-7.10.1 pytalloc-32bit-2.1.5-7.10.1 pytalloc-devel-2.1.5-7.10.1 python-tdb-1.3.8-4.7.1 python-tdb-32bit-1.3.8-4.7.1 python-tevent-0.9.26-4.7.1 python-tevent-32bit-0.9.26-4.7.1 samba-4.1.22-3.46.1 samba-32bit-4.1.22-3.46.1 samba-client-4.1.22-3.46.1 samba-client-32bit-4.1.22-3.46.1 samba-core-devel-4.1.22-3.46.1 samba-doc-4.1.22-3.46.1 samba-libs-4.1.22-3.46.1 samba-libs-32bit-4.1.22-3.46.1 samba-pidl-4.1.22-3.46.1 samba-python-4.1.22-3.46.1 samba-test-4.1.22-3.46.1 samba-test-devel-4.1.22-3.46.1 samba-winbind-4.1.22-3.46.1 samba-winbind-32bit-4.1.22-3.46.1 talloc-2.1.5-7.10.1 tdb-1.3.8-4.7.1 tdb-tools-1.3.8-4.7.1 tevent-0.9.26-4.7.1 The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles certain zero values, which allows remote attackers to cause a denial of service (infinite loop) via crafted packets. CVE-2015-3223 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-3223.html CVE-2015-3223 https://bugzilla.suse.com/958581 SUSE Bug 958581 vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share. CVE-2015-5252 moderate 6.8 AV:N/AC:L/Au:S/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-5252.html CVE-2015-5252 https://bugzilla.suse.com/958582 SUSE Bug 958582 Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c. CVE-2015-5296 moderate 3.2 AV:A/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-5296.html CVE-2015-5296 https://bugzilla.suse.com/1058622 SUSE Bug 1058622 https://bugzilla.suse.com/958584 SUSE Bug 958584 https://bugzilla.suse.com/973031 SUSE Bug 973031 The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not verify that the DIRECTORY_LIST access right has been granted, which allows remote attackers to access snapshots by visiting a shadow copy directory. CVE-2015-5299 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-5299.html CVE-2015-5299 https://bugzilla.suse.com/958583 SUSE Bug 958583 ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, which allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading (1) an error message or (2) a database value. CVE-2015-5330 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-5330.html CVE-2015-5330 https://bugzilla.suse.com/958581 SUSE Bug 958581 https://bugzilla.suse.com/958586 SUSE Bug 958586 The LDAP server in the AD domain controller in Samba 4.x before 4.1.22 does not check return values to ensure successful ASN.1 memory allocation, which allows remote attackers to cause a denial of service (memory consumption and daemon crash) via crafted packets. CVE-2015-7540 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-7540.html CVE-2015-7540 https://bugzilla.suse.com/958580 SUSE Bug 958580 The samldb_check_user_account_control_acl function in dsdb/samdb/ldb_modules/samldb.c in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not properly check for administrative privileges during creation of machine accounts, which allows remote authenticated users to bypass intended access restrictions by leveraging the existence of a domain with both a Samba DC and a Windows DC, a similar issue to CVE-2015-2535. CVE-2015-8467 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html https://www.suse.com/security/cve/CVE-2015-8467.html CVE-2015-8467 https://bugzilla.suse.com/958585 SUSE Bug 958585