Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[security-announce] SUSE-SU-2016:1022-1: important: Security update for samba

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

SUSE Security Update: Security update for samba

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:1022-1

Rating: important

References: #320709 #913547 #919309 #924519 #936862 #942716

#946051 #949022 #964023 #966271 #968973 #971965

#972197 #973031 #973032 #973033 #973034 #973036

#973832 #974629

Cross-References: CVE-2015-5370 CVE-2016-2110 CVE-2016-2111

CVE-2016-2112 CVE-2016-2113 CVE-2016-2115

CVE-2016-2118

Affected Products:

SUSE Linux Enterprise Software Development Kit 12

SUSE Linux Enterprise Server 12

SUSE Linux Enterprise High Availability 12

SUSE Linux Enterprise Desktop 12

______________________________________________________________________________

 

An update that solves 7 vulnerabilities and has 13 fixes is

now available.

 

Description:

 

Samba was updated to the 4.2.x codestream, bringing some new features and

security fixes (bsc#973832, FATE#320709).

 

These security issues were fixed:

- CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM

attacks (bsc#936862).

- CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP

authentication (bsc#973031).

- CVE-2016-2111: Domain controller netlogon member computer could have

been spoofed (bsc#973032).

- CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM

attack (bsc#973033).

- CVE-2016-2113: TLS certificate validation were missing (bsc#973034).

- CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks

(bsc#973036).

- CVE-2016-2118: "Badlock" DCERPC impersonation of authenticated account

were possible (bsc#971965).

 

Also the following fixes were done:

- Upgrade on-disk FSRVP server state to new version; (bsc#924519).

- Fix samba.tests.messaging test and prevent potential tdb corruption by

removing obsolete now invalid tdb_close call; (bsc#974629).

- Align fsrvp feature sources with upstream version.

- Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel

from samba-core-devel; (bsc#973832).

- s3:utils/smbget: Fix recursive download; (bso#6482).

- s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem

with no ACL support; (bso#10489).

- docs: Add example for domain logins to smbspool man page; (bso#11643).

- s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).

- loadparm: Fix memory leak issue; (bso#11708).

- lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).

- ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...";

(bso#11719).

- s3:smbd:open: Skip redundant call to file_set_dosmode when creating a

new file; (bso#11727).

- param: Fix str_list_v3 to accept ";" again; (bso#11732).

- Real memeory leak(buildup) issue in loadparm; (bso#11740).

- Obsolete libsmbclient from libsmbclient0 and libpdb-devel from

libsamba-passdb-devel while not providing it; (bsc#972197).

- Getting and setting Windows ACLs on symlinks can change permissions on

link

- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).

- Enable clustering (CTDB) support; (bsc#966271).

- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703);

(bsc#964023).

- vfs_fruit: Fix renaming directories with open files; (bso#11065).

- Fix MacOS finder error 36 when copying folder to Samba; (bso#11347).

- s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks;

(bso#11400).

- Fix copying files with vfs_fruit when using vfs_streams_xattr without

stream prefix and type suffix; (bso#11466).

- s3:libsmb: Correctly initialize the list head when keeping a list of

primary followed by DFS connections; (bso#11624).

- Reduce the memory footprint of empty string options; (bso#11625).

- lib/async_req: Do not install async_connect_send_test; (bso#11639).

- docs: Fix typos in man vfs_gpfs; (bso#11641).

- smbd: make "hide dot files" option work with "store dos attributes =

yes"; (bso#11645).

- smbcacls: Fix uninitialized variable; (bso#11682).

- s3:smbd: Ignore initial allocation size for directory creation;

(bso#11684).

- Changing log level of two entries to from 1 to 3; (bso#9912).

- vfs_gpfs: Re-enable share modes; (bso#11243).

- wafsamba: Also build libraries with RELRO protection; (bso#11346).

- ctdb: Strip trailing spaces from nodes file; (bso#11365).

- s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute

type of zero; (bso#11452).

- nss_wins: Do not run into use after free issues when we access memory

allocated on the globals and the global being reinitialized; (bso#11563).

- async_req: Fix non-blocking connect(); (bso#11564).

- auth: gensec: Fix a memory leak; (bso#11565).

- lib: util: Make non-critical message a warning; (bso#11566).

- Fix winbindd crashes with samlogon for trusted domain user; (bso#11569);

(bsc#949022).

- smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).

- ctdb: Open the RO tracking db with perms 0600 instead of 0000;

(bso#11577).

- manpage: Correct small typo error; (bso#11584).

- s3: smbd: If EA's are turned off on a share don't allow an SMB2 create

containing them; (bso#11589).

- Backport some valgrind fixes from upstream master; (bso#11597).

- s3: smbd: have_file_open_below() fails to enumerate open files below an

open directory handle; (bso#11615).

- docs: Fix some typos in the idmap config section of man 5 smb.conf;

(bso#11619).

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Software Development Kit 12:

 

zypper in -t patch SUSE-SLE-SDK-12-2016-605=1

 

- SUSE Linux Enterprise Server 12:

 

zypper in -t patch SUSE-SLE-SERVER-12-2016-605=1

 

- SUSE Linux Enterprise High Availability 12:

 

zypper in -t patch SUSE-SLE-HA-12-2016-605=1

 

- SUSE Linux Enterprise Desktop 12:

 

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-605=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

 

ctdb-debuginfo-4.2.4-18.17.1

ctdb-devel-4.2.4-18.17.1

libdcerpc-atsvc-devel-4.2.4-18.17.1

libdcerpc-atsvc0-4.2.4-18.17.1

libdcerpc-atsvc0-debuginfo-4.2.4-18.17.1

libdcerpc-devel-4.2.4-18.17.1

libdcerpc-samr-devel-4.2.4-18.17.1

libdcerpc-samr0-4.2.4-18.17.1

libdcerpc-samr0-debuginfo-4.2.4-18.17.1

libgensec-devel-4.2.4-18.17.1

libndr-devel-4.2.4-18.17.1

libndr-krb5pac-devel-4.2.4-18.17.1

libndr-nbt-devel-4.2.4-18.17.1

libndr-standard-devel-4.2.4-18.17.1

libnetapi-devel-4.2.4-18.17.1

libregistry-devel-4.2.4-18.17.1

libsamba-credentials-devel-4.2.4-18.17.1

libsamba-hostconfig-devel-4.2.4-18.17.1

libsamba-passdb-devel-4.2.4-18.17.1

libsamba-policy-devel-4.2.4-18.17.1

libsamba-policy0-4.2.4-18.17.1

libsamba-policy0-debuginfo-4.2.4-18.17.1

libsamba-util-devel-4.2.4-18.17.1

libsamdb-devel-4.2.4-18.17.1

libsmbclient-devel-4.2.4-18.17.1

libsmbclient-raw-devel-4.2.4-18.17.1

libsmbconf-devel-4.2.4-18.17.1

libsmbldap-devel-4.2.4-18.17.1

libtevent-util-devel-4.2.4-18.17.1

libwbclient-devel-4.2.4-18.17.1

samba-core-devel-4.2.4-18.17.1

samba-debuginfo-4.2.4-18.17.1

samba-debugsource-4.2.4-18.17.1

samba-test-devel-4.2.4-18.17.1

 

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

 

libdcerpc-binding0-4.2.4-18.17.1

libdcerpc-binding0-debuginfo-4.2.4-18.17.1

libdcerpc0-4.2.4-18.17.1

libdcerpc0-debuginfo-4.2.4-18.17.1

libgensec0-4.2.4-18.17.1

libgensec0-debuginfo-4.2.4-18.17.1

libndr-krb5pac0-4.2.4-18.17.1

libndr-krb5pac0-debuginfo-4.2.4-18.17.1

libndr-nbt0-4.2.4-18.17.1

libndr-nbt0-debuginfo-4.2.4-18.17.1

libndr-standard0-4.2.4-18.17.1

libndr-standard0-debuginfo-4.2.4-18.17.1

libndr0-4.2.4-18.17.1

libndr0-debuginfo-4.2.4-18.17.1

libnetapi0-4.2.4-18.17.1

libnetapi0-debuginfo-4.2.4-18.17.1

libregistry0-4.2.4-18.17.1

libregistry0-debuginfo-4.2.4-18.17.1

libsamba-credentials0-4.2.4-18.17.1

libsamba-credentials0-debuginfo-4.2.4-18.17.1

libsamba-hostconfig0-4.2.4-18.17.1

libsamba-hostconfig0-debuginfo-4.2.4-18.17.1

libsamba-passdb0-4.2.4-18.17.1

libsamba-passdb0-debuginfo-4.2.4-18.17.1

libsamba-util0-4.2.4-18.17.1

libsamba-util0-debuginfo-4.2.4-18.17.1

libsamdb0-4.2.4-18.17.1

libsamdb0-debuginfo-4.2.4-18.17.1

libsmbclient-raw0-4.2.4-18.17.1

libsmbclient-raw0-debuginfo-4.2.4-18.17.1

libsmbclient0-4.2.4-18.17.1

libsmbclient0-debuginfo-4.2.4-18.17.1

libsmbconf0-4.2.4-18.17.1

libsmbconf0-debuginfo-4.2.4-18.17.1

libsmbldap0-4.2.4-18.17.1

libsmbldap0-debuginfo-4.2.4-18.17.1

libtevent-util0-4.2.4-18.17.1

libtevent-util0-debuginfo-4.2.4-18.17.1

libwbclient0-4.2.4-18.17.1

libwbclient0-debuginfo-4.2.4-18.17.1

samba-4.2.4-18.17.1

samba-client-4.2.4-18.17.1

samba-client-debuginfo-4.2.4-18.17.1

samba-debuginfo-4.2.4-18.17.1

samba-debugsource-4.2.4-18.17.1

samba-libs-4.2.4-18.17.1

samba-libs-debuginfo-4.2.4-18.17.1

samba-winbind-4.2.4-18.17.1

samba-winbind-debuginfo-4.2.4-18.17.1

 

- SUSE Linux Enterprise Server 12 (s390x x86_64):

 

libdcerpc-binding0-32bit-4.2.4-18.17.1

libdcerpc-binding0-debuginfo-32bit-4.2.4-18.17.1

libdcerpc0-32bit-4.2.4-18.17.1

libdcerpc0-debuginfo-32bit-4.2.4-18.17.1

libgensec0-32bit-4.2.4-18.17.1

libgensec0-debuginfo-32bit-4.2.4-18.17.1

libndr-krb5pac0-32bit-4.2.4-18.17.1

libndr-krb5pac0-debuginfo-32bit-4.2.4-18.17.1

libndr-nbt0-32bit-4.2.4-18.17.1

libndr-nbt0-debuginfo-32bit-4.2.4-18.17.1

libndr-standard0-32bit-4.2.4-18.17.1

libndr-standard0-debuginfo-32bit-4.2.4-18.17.1

libndr0-32bit-4.2.4-18.17.1

libndr0-debuginfo-32bit-4.2.4-18.17.1

libnetapi0-32bit-4.2.4-18.17.1

libnetapi0-debuginfo-32bit-4.2.4-18.17.1

libsamba-credentials0-32bit-4.2.4-18.17.1

libsamba-credentials0-debuginfo-32bit-4.2.4-18.17.1

libsamba-hostconfig0-32bit-4.2.4-18.17.1

libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.17.1

libsamba-passdb0-32bit-4.2.4-18.17.1

libsamba-passdb0-debuginfo-32bit-4.2.4-18.17.1

libsamba-util0-32bit-4.2.4-18.17.1

libsamba-util0-debuginfo-32bit-4.2.4-18.17.1

libsamdb0-32bit-4.2.4-18.17.1

libsamdb0-debuginfo-32bit-4.2.4-18.17.1

libsmbclient-raw0-32bit-4.2.4-18.17.1

libsmbclient-raw0-debuginfo-32bit-4.2.4-18.17.1

libsmbclient0-32bit-4.2.4-18.17.1

libsmbclient0-debuginfo-32bit-4.2.4-18.17.1

libsmbconf0-32bit-4.2.4-18.17.1

libsmbconf0-debuginfo-32bit-4.2.4-18.17.1

libsmbldap0-32bit-4.2.4-18.17.1

libsmbldap0-debuginfo-32bit-4.2.4-18.17.1

libtevent-util0-32bit-4.2.4-18.17.1

libtevent-util0-debuginfo-32bit-4.2.4-18.17.1

libwbclient0-32bit-4.2.4-18.17.1

libwbclient0-debuginfo-32bit-4.2.4-18.17.1

samba-32bit-4.2.4-18.17.1

samba-client-32bit-4.2.4-18.17.1

samba-client-debuginfo-32bit-4.2.4-18.17.1

samba-debuginfo-32bit-4.2.4-18.17.1

samba-libs-32bit-4.2.4-18.17.1

samba-libs-debuginfo-32bit-4.2.4-18.17.1

samba-winbind-32bit-4.2.4-18.17.1

samba-winbind-debuginfo-32bit-4.2.4-18.17.1

 

- SUSE Linux Enterprise Server 12 (noarch):

 

samba-doc-4.2.4-18.17.1

 

- SUSE Linux Enterprise High Availability 12 (s390x x86_64):

 

ctdb-4.2.4-18.17.1

ctdb-debuginfo-4.2.4-18.17.1

 

- SUSE Linux Enterprise Desktop 12 (noarch):

 

samba-doc-4.2.4-18.17.1

 

- SUSE Linux Enterprise Desktop 12 (x86_64):

 

libdcerpc-binding0-32bit-4.2.4-18.17.1

libdcerpc-binding0-4.2.4-18.17.1

libdcerpc-binding0-debuginfo-32bit-4.2.4-18.17.1

libdcerpc-binding0-debuginfo-4.2.4-18.17.1

libdcerpc0-32bit-4.2.4-18.17.1

libdcerpc0-4.2.4-18.17.1

libdcerpc0-debuginfo-32bit-4.2.4-18.17.1

libdcerpc0-debuginfo-4.2.4-18.17.1

libgensec0-32bit-4.2.4-18.17.1

libgensec0-4.2.4-18.17.1

libgensec0-debuginfo-32bit-4.2.4-18.17.1

libgensec0-debuginfo-4.2.4-18.17.1

libndr-krb5pac0-32bit-4.2.4-18.17.1

libndr-krb5pac0-4.2.4-18.17.1

libndr-krb5pac0-debuginfo-32bit-4.2.4-18.17.1

libndr-krb5pac0-debuginfo-4.2.4-18.17.1

libndr-nbt0-32bit-4.2.4-18.17.1

libndr-nbt0-4.2.4-18.17.1

libndr-nbt0-debuginfo-32bit-4.2.4-18.17.1

libndr-nbt0-debuginfo-4.2.4-18.17.1

libndr-standard0-32bit-4.2.4-18.17.1

libndr-standard0-4.2.4-18.17.1

libndr-standard0-debuginfo-32bit-4.2.4-18.17.1

libndr-standard0-debuginfo-4.2.4-18.17.1

libndr0-32bit-4.2.4-18.17.1

libndr0-4.2.4-18.17.1

libndr0-debuginfo-32bit-4.2.4-18.17.1

libndr0-debuginfo-4.2.4-18.17.1

libnetapi0-32bit-4.2.4-18.17.1

libnetapi0-4.2.4-18.17.1

libnetapi0-debuginfo-32bit-4.2.4-18.17.1

libnetapi0-debuginfo-4.2.4-18.17.1

libregistry0-4.2.4-18.17.1

libregistry0-debuginfo-4.2.4-18.17.1

libsamba-credentials0-32bit-4.2.4-18.17.1

libsamba-credentials0-4.2.4-18.17.1

libsamba-credentials0-debuginfo-32bit-4.2.4-18.17.1

libsamba-credentials0-debuginfo-4.2.4-18.17.1

libsamba-hostconfig0-32bit-4.2.4-18.17.1

libsamba-hostconfig0-4.2.4-18.17.1

libsamba-hostconfig0-debuginfo-32bit-4.2.4-18.17.1

libsamba-hostconfig0-debuginfo-4.2.4-18.17.1

libsamba-passdb0-32bit-4.2.4-18.17.1

libsamba-passdb0-4.2.4-18.17.1

libsamba-passdb0-debuginfo-32bit-4.2.4-18.17.1

libsamba-passdb0-debuginfo-4.2.4-18.17.1

libsamba-util0-32bit-4.2.4-18.17.1

libsamba-util0-4.2.4-18.17.1

libsamba-util0-debuginfo-32bit-4.2.4-18.17.1

libsamba-util0-debuginfo-4.2.4-18.17.1

libsamdb0-32bit-4.2.4-18.17.1

libsamdb0-4.2.4-18.17.1

libsamdb0-debuginfo-32bit-4.2.4-18.17.1

libsamdb0-debuginfo-4.2.4-18.17.1

libsmbclient-raw0-32bit-4.2.4-18.17.1

libsmbclient-raw0-4.2.4-18.17.1

libsmbclient-raw0-debuginfo-32bit-4.2.4-18.17.1

libsmbclient-raw0-debuginfo-4.2.4-18.17.1

libsmbclient0-32bit-4.2.4-18.17.1

libsmbclient0-4.2.4-18.17.1

libsmbclient0-debuginfo-32bit-4.2.4-18.17.1

libsmbclient0-debuginfo-4.2.4-18.17.1

libsmbconf0-32bit-4.2.4-18.17.1

libsmbconf0-4.2.4-18.17.1

libsmbconf0-debuginfo-32bit-4.2.4-18.17.1

libsmbconf0-debuginfo-4.2.4-18.17.1

libsmbldap0-32bit-4.2.4-18.17.1

libsmbldap0-4.2.4-18.17.1

libsmbldap0-debuginfo-32bit-4.2.4-18.17.1

libsmbldap0-debuginfo-4.2.4-18.17.1

libtevent-util0-32bit-4.2.4-18.17.1

libtevent-util0-4.2.4-18.17.1

libtevent-util0-debuginfo-32bit-4.2.4-18.17.1

libtevent-util0-debuginfo-4.2.4-18.17.1

libwbclient0-32bit-4.2.4-18.17.1

libwbclient0-4.2.4-18.17.1

libwbclient0-debuginfo-32bit-4.2.4-18.17.1

libwbclient0-debuginfo-4.2.4-18.17.1

samba-32bit-4.2.4-18.17.1

samba-4.2.4-18.17.1

samba-client-32bit-4.2.4-18.17.1

samba-client-4.2.4-18.17.1

samba-client-debuginfo-32bit-4.2.4-18.17.1

samba-client-debuginfo-4.2.4-18.17.1

samba-debuginfo-32bit-4.2.4-18.17.1

samba-debuginfo-4.2.4-18.17.1

samba-debugsource-4.2.4-18.17.1

samba-libs-32bit-4.2.4-18.17.1

samba-libs-4.2.4-18.17.1

samba-libs-debuginfo-32bit-4.2.4-18.17.1

samba-libs-debuginfo-4.2.4-18.17.1

samba-winbind-32bit-4.2.4-18.17.1

samba-winbind-4.2.4-18.17.1

samba-winbind-debuginfo-32bit-4.2.4-18.17.1

samba-winbind-debuginfo-4.2.4-18.17.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-5370.html

https://www.suse.com/security/cve/CVE-2016-2110.html

https://www.suse.com/security/cve/CVE-2016-2111.html

https://www.suse.com/security/cve/CVE-2016-2112.html

https://www.suse.com/security/cve/CVE-2016-2113.html

https://www.suse.com/security/cve/CVE-2016-2115.html

https://www.suse.com/security/cve/CVE-2016-2118.html

https://bugzilla.suse.com/320709

https://bugzilla.suse.com/913547

https://bugzilla.suse.com/919309

https://bugzilla.suse.com/924519

https://bugzilla.suse.com/936862

https://bugzilla.suse.com/942716

https://bugzilla.suse.com/946051

https://bugzilla.suse.com/949022

https://bugzilla.suse.com/964023

https://bugzilla.suse.com/966271

https://bugzilla.suse.com/968973

https://bugzilla.suse.com/971965

https://bugzilla.suse.com/972197

https://bugzilla.suse.com/973031

https://bugzilla.suse.com/973032

https://bugzilla.suse.com/973033

https://bugzilla.suse.com/973034

https://bugzilla.suse.com/973036

https://bugzilla.suse.com/973832

https://bugzilla.suse.com/974629

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×