File _patchinfo of Package patchinfo.27433
<patchinfo incident="27433">
<issue tracker="cve" id="2022-37967"/>
<issue tracker="cve" id="2021-20251"/>
<issue tracker="cve" id="2022-3437"/>
<issue tracker="cve" id="2022-37966"/>
<issue tracker="cve" id="2022-38023"/>
<issue tracker="cve" id="2022-32746"/>
<issue tracker="cve" id="2022-32745"/>
<issue tracker="cve" id="2022-42898"/>
<issue tracker="cve" id="2022-2031"/>
<issue tracker="cve" id="2022-32742"/>
<issue tracker="cve" id="2022-32744"/>
<issue tracker="bnc" id="1201493">VUL-0: CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user</issue>
<issue tracker="bnc" id="1206546">VUL-0: CVE-2021-20251: samba: Bad password count not incremented atomically</issue>
<issue tracker="bnc" id="1201492">VUL-0: CVE-2022-32745: samba, ldb: AD users can crash the server process with an LDAP add or modify request</issue>
<issue tracker="bnc" id="1200102">SLES 15 SP3 - smbd dumps core randomly - ref:_00D1igLOd._5005q5zV47:ref</issue>
<issue tracker="bnc" id="1205126">VUL-0: CVE-2022-42898: krb5: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems</issue>
<issue tracker="bnc" id="1205386">VUL-0: CVE-2022-37967: samba: Windows Kerberos Elevation of Privilege Vulnerability.</issue>
<issue tracker="bnc" id="1205385">VUL-0: CVE-2022-37966: samba: Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.</issue>
<issue tracker="bnc" id="1201490">VUL-0: CVE-2022-32746: samba,ldb: Use-after-free occurring in database audit logging module</issue>
<issue tracker="bnc" id="1206504">VUL-0: CVE-2022-38023: samba: RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided</issue>
<issue tracker="bnc" id="1204254">VUL-0: CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3()</issue>
<issue tracker="bnc" id="1201689">bind9.16 and samba-ad-dc-4.15.7 using bind as backed systemd issue</issue>
<issue tracker="bnc" id="1201495">VUL-0: CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords</issue>
<issue tracker="bnc" id="1201496">VUL-0: CVE-2022-32742: samba: Server memory information leak via SMB1</issue>
<packager>scabrero</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for samba</summary>
<description>This update for samba fixes the following issues:
- CVE-2021-20251: Fixed an issue where the bad password count would
  not be properly incremented, which could allow attackers to
  brute-force a user's password (bsc#1206546).
- Updated to version 4.15.13:
  - CVE-2022-37966: Fixed an issue where a weak cipher would be
    selected to encrypt session keys, which could lead to privilege
    escalation (bsc#1205385).
  - CVE-2022-37967: Fixed a potential privilege escalation issue via
    constrained delegation due to a weak cryptographic algorithm
    being selected (bsc#1205386).
  - CVE-2022-38023: Disabled weak ciphers by default in the Netlogon
    Secure Channel (bsc#1206504).
- Updated to version 4.15.12:
  - CVE-2022-42898: Fixed several buffer overflow vulnerabilities on
    32-bit systems (bsc#1205126).
- Updated to version 4.15.11:
  - CVE-2022-3437: Fixed a buffer overflow in Heimdal unwrap_des3()
    (bsc#1204254).
- Updated to version 4.15.10:
  - Fixed a potential crash due to a concurrency issue (bsc#1200102).
- Updated to version 4.15.9:
  - CVE-2022-32742: Fixed an information leak that could be triggered
    via SMB1 (bsc#1201496).
  - CVE-2022-32746: Fixed a memory corruption issue in database
    audit logging (bsc#1201490).
  - CVE-2022-2031: Fixed a bypass of AD restrictions associated with
    changing passwords (bsc#1201495).
  - CVE-2022-32745: Fixed a remote server crash that could be
    triggered with certain LDAP requests (bsc#1201492).
  - CVE-2022-32744: Fixed an issue where AD users could forge
    password change requests on behalf of other users (bsc#1201493).
Other fixes:
- Fixed a problem when using bind as the samba-ad-dc backend related to
  the named service (bsc#1201689).
</description>
</patchinfo>