Bug 31574

Summary: gssntlmssp new security issues CVE-2023-2556[3-7]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, neoser10, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: gssntlmssp-1.1.0-3.mga9.src.rpm CVE:
Status comment:

David Walser 2023-02-19 17:10:54 CET

Status comment: (none) => Fixed upstream in 1.2.0
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-02-19 18:21:02 CET 
Done for mga8 and Cauldron!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2023-02-19 20:03:27 CET 
Thanks for instant fix, DavidG.
Assigning to you, assuming you will quickly pass it - with advisory - to QA for M8.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 3 David Walser 2023-02-19 21:32:30 CET 
gssntlmssp-devel-1.2.0-1.mga8
gssntlmssp-1.2.0-1.mga8

from gssntlmssp-1.2.0-1.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.2.0 => (none)

Comment 4 Len Lawrence 2023-02-21 00:44:58 CET 
$ urpmq -i gssntlmssp
[...]
Summary     : GSSAPI NTLMSSP Mechanism

Just a FYI.  Sounds like developer country: General Security Services API
No idea how to test this but it updates cleanly.

CC: (none) => tarazed25

Comment 5 Mauricio Andrés Bustamante Viveros 2023-02-21 01:00:30 CET 
I think this can be tested with SAMBA in server mode, acting as NT4 Server
The SAMBA configured as AD, may be can be used to test trying to connect from M$ desktop not joined to domain

CC: (none) => neoser10

Comment 6 Herman Viaene 2023-02-21 11:25:05 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous updates, so trying to find something
# urpmq --whatrequires gssntlmssp
gssntlmssp
# urpmq --whatrequires-recursive gssntlmssp
gssntlmssp
Not very helpfull, so trying to do something along the line suggested by Mauricio, but that takes more time......

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2023-02-21 11:44:41 CET 
Looking for guidance found https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Reading this, I make the conclusion that that would take me at least a day to study and try/fail cycles to get this working. I don't have that time today or tomorrow.
So, up to the higher powers to decide, but as Len I wouldn't object to an OK based on clean install and no ill effects on usual networking.
Comment 8 Thomas Andrews 2023-03-19 23:12:42 CET 
When our two most experienced QA testers both say a clean update should be enough, we should listen to them. Sorry it took me so long, guys.

Validating.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-23 23:51:43 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-03-24 06:57:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0108.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED