Debian has issued an advisory on February 28:
https://www.debian.org/security/2019/dsa-4397

The issue appears to have been fixed upstream in the following versions: 1.2.4, 1.3.8, 1.4.6, 1.5.4, 1.6.2

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Severity: normal => major
Slightly more informative reference:
https://www.cybersecurity-help.cz/vdb/SB2019022703?affChecked=1

Note that ldb 1.6.x is for Samba 4.11.x (1.5.x is for Samba 4.10.x).
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => bgmilne, bruno, geiger.david68210, lists.jjorge, marja11, smelror
Advisory:
========================

Updated ldb packages fix security vulnerability:

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare() function of ldb, resulting in denial of service (CVE-2019-3824).

The ldb package has been updated to version 1.2.4 to fix this issue. The sssd and samba packages have been rebuilt against the updated ldb.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3824
https://www.debian.org/security/2019/dsa-4397
========================

Updated packages in core/updates_testing:
========================
libldb1-1.2.4-1.mga6
ldb-utils-1.2.4-1.mga6
libldb-devel-1.2.4-1.mga6
python-ldb-1.2.4-1.mga6
libpyldb-util1-1.2.4-1.mga6
libpyldb-util-devel-1.2.4-1.mga6
sssd-1.13.4-9.4.mga6
sssd-common-1.13.4-9.4.mga6
sssd-client-1.13.4-9.4.mga6
libsss_sudo-1.13.4-9.4.mga6
libsss_autofs-1.13.4-9.4.mga6
sssd-tools-1.13.4-9.4.mga6
python-sssdconfig-1.13.4-9.4.mga6
python3-sssdconfig-1.13.4-9.4.mga6
python-sss-1.13.4-9.4.mga6
python3-sss-1.13.4-9.4.mga6
python-sss-murmur-1.13.4-9.4.mga6
python3-sss-murmur-1.13.4-9.4.mga6
sssd-ldap-1.13.4-9.4.mga6
sssd-krb5-common-1.13.4-9.4.mga6
sssd-krb5-1.13.4-9.4.mga6
sssd-common-pac-1.13.4-9.4.mga6
sssd-ipa-1.13.4-9.4.mga6
sssd-ad-1.13.4-9.4.mga6
sssd-proxy-1.13.4-9.4.mga6
libsss_idmap-1.13.4-9.4.mga6
libsss_idmap-devel-1.13.4-9.4.mga6
libipa_hbac-1.13.4-9.4.mga6
libipa_hbac-devel-1.13.4-9.4.mga6
python-libipa_hbac-1.13.4-9.4.mga6
python3-libipa_hbac-1.13.4-9.4.mga6
libsss_nss_idmap-1.13.4-9.4.mga6
libsss_nss_idmap-devel-1.13.4-9.4.mga6
python-libsss_nss_idmap-1.13.4-9.4.mga6
python3-libsss_nss_idmap-1.13.4-9.4.mga6
sssd-dbus-1.13.4-9.4.mga6
libsss_simpleifp-1.13.4-9.4.mga6
libsss_simpleifp-devel-1.13.4-9.4.mga6
sssd-libwbclient-1.13.4-9.4.mga6
sssd-libwbclient-devel-1.13.4-9.4.mga6
samba-4.7.12-1.2.mga6
samba-client-4.7.12-1.2.mga6
samba-common-4.7.12-1.2.mga6
samba-dc-4.7.12-1.2.mga6
libsamba-dc0-4.7.12-1.2.mga6
libkdc-samba4_2-4.7.12-1.2.mga6
libsamba-devel-4.7.12-1.2.mga6
samba-krb5-printing-4.7.12-1.2.mga6
libsamba1-4.7.12-1.2.mga6
libsmbclient0-4.7.12-1.2.mga6
libsmbclient-devel-4.7.12-1.2.mga6
libwbclient0-4.7.12-1.2.mga6
libwbclient-devel-4.7.12-1.2.mga6
python-samba-4.7.12-1.2.mga6
samba-pidl-4.7.12-1.2.mga6
samba-test-4.7.12-1.2.mga6
libsamba-test0-4.7.12-1.2.mga6
samba-winbind-4.7.12-1.2.mga6
samba-winbind-clients-4.7.12-1.2.mga6
samba-winbind-krb5-locator-4.7.12-1.2.mga6
samba-winbind-modules-4.7.12-1.2.mga6
ctdb-4.7.12-1.2.mga6
ctdb-tests-4.7.12-1.2.mga6

from SRPMS:
ldb-1.2.4-1.mga6.src.rpm
sssd-1.13.4-9.4.mga6.src.rpm
samba-4.7.12-1.2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
CC: bgmilne, bruno, geiger.david68210, lists.jjorge, marja11, smelror => (none)
Version: Cauldron => 6
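Checking a host against the package list above, as an added example that is not part of the bug report, the advisory or Mageia's own tooling: the script compares installed NAME VERSION-RELEASE pairs against the versions the advisory ships and flags anything still below them. The "installed" list is constructed sample input; on a real Mageia 6 host you would feed it the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. The segment-wise version comparison and the package subset are my own simplifications; `rpmdev-vercmp` and `rpm -q` remain the authoritative tools.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or advisory): flag installed packages
# that are still below the versions shipped for CVE-2019-3824.
# The "installed" list is constructed sample input; on a real host use
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# vercmp approximates rpmvercmp (segment-wise, numeric when both segments are
# digits); rpmdev-vercmp is the authoritative comparison.

# Representative subset of the fixed NAME VERSION-RELEASE pairs from the advisory.
FIXED='libldb1 1.2.4-1.mga6
ldb-utils 1.2.4-1.mga6
python-ldb 1.2.4-1.mga6
sssd 1.13.4-9.4.mga6
sssd-common 1.13.4-9.4.mga6
samba 4.7.12-1.2.mga6
samba-client 4.7.12-1.2.mga6
libsmbclient0 4.7.12-1.2.mga6'

# vercmp A B: prints -1, 0 or 1. Splits both strings on '.' and '-' and compares
# segment by segment: numerically if both segments are digits, lexically otherwise
# (so 9.4 < 9.10, which a plain string compare would get wrong).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""; q = (i <= nb) ? y[i] : ""
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) r = (p + 0 < q + 0) ? -1 : 1
            else r = (p < q) ? -1 : 1
            print r; exit
        }
        print 0
    }'
}

# version_ge A B: succeeds when A is at or above B.
version_ge() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# check_package NAME VERSION-RELEASE: reports on stderr; exit status
# 0 = at or above the advisory version, 1 = still vulnerable,
# 2 = package not covered by the advisory.
check_package() {
    name=$1; installed=$2
    fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -z "$fixed" ]; then
        echo "$name: not covered by the advisory" >&2
        return 2
    fi
    if version_ge "$installed" "$fixed"; then
        echo "$name-$installed: fixed (>= $fixed)" >&2
        return 0
    fi
    echo "$name-$installed: VULNERABLE (< $fixed)" >&2
    return 1
}

# audit_installed: reads "NAME VERSION-RELEASE" lines on stdin, prints the
# number of vulnerable packages on stdout and fails if there are any.
audit_installed() {
    vulnerable=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        check_package "$name" "$vr" && rc=0 || rc=$?
        if [ "$rc" -eq 1 ]; then vulnerable=$((vulnerable + 1)); fi
    done
    echo "$vulnerable vulnerable package(s)"
    [ "$vulnerable" -eq 0 ]
}

# Constructed sample: a host that took the ldb and sssd updates but still has
# the previous samba build, plus one package the advisory does not mention.
SAMPLE_INSTALLED='libldb1 1.2.4-1.mga6
sssd 1.13.4-9.4.mga6
samba 4.7.12-1.1.mga6
samba-client 4.7.12-1.1.mga6
cups 2.2.8-1.mga6'

if printf '%s\n' "$SAMPLE_INSTALLED" | audit_installed; then
    echo "all covered packages are at the advisory versions"
else
    echo "update needed (see stderr for details)"
fi
```

The per-package status goes to stderr and only the count to stdout, so the script can be dropped into a cron job or a QA checklist and its exit status used directly. For the sample input it reports two vulnerable packages (both samba builds) and ignores cups.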
MGA6-32 MATE on IBM Thinkpad R50e

Skipped installation of devel packages and samba server.

At CLI:
$ smbclient -V
Version 4.7.12
$ smbclient -L mach1
Enter MYGROUP\tester6's password:
Anonymous login successful

	Sharename             Type      Comment
	---------             ----      -------
	beelden               Disk      beelden
	video                 Disk      video
	stamboomViaene        Disk
	IPC$                  IPC       IPC Service (Samba Server Version 4.7.12)
	HP-Officejet-Pro-8100 Printer   HP Officejet Pro 8100
	Boomaga               Printer   Boomaga
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	VIA8ENE9             VIA8ENE9
	WORKGROUP            MACH1

That all looks OK.

$ smbclient -L mach1 -U herman -W WORKGROUP
Enter WORKGROUP\herman's password:
session setup failed: NT_STATUS_LOGON_FAILURE

And I am quite sure I entered the correct samba-user password.
Continuing later .....
CC: (none) => herman.viaene
The update also includes the sssd daemon. At CLI:
# systemctl -l status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
# systemctl -l start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# systemctl -l status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since ma 2019-03-11 14:31:48 CET; 11s ago
  Process: 20204 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

mrt 11 14:31:47 mach6.hviaene.thuis systemd[1]: Starting System Security Services Daemon...
mrt 11 14:31:48 mach6.hviaene.thuis sssd[20204]: Configuration file: /etc/sssd/sssd.conf does not exist
mrt 11 14:31:48 mach6.hviaene.thuis systemd[1]: sssd.service: Control process exited, code=exited statu
mrt 11 14:31:48 mach6.hviaene.thuis systemd[1]: Failed to start System Security Services Daemon.
mrt 11 14:31:48 mach6.hviaene.thuis systemd[1]: sssd.service: Unit entered failed state.
mrt 11 14:31:48 mach6.hviaene.thuis systemd[1]: sssd.service: Failed with result 'exit-code'.
The sssd stuff is superseded with bug 24513. There sssd is OK, so it is here with the newer version.

Repeated the SMB tests from Comment 4 above with the same results, but after making sure about the user's password I get:
$ smbclient -L mach1 -U herman -W WORKGROUP
Enter WORKGROUP\herman's password:

	Sharename             Type      Comment
	---------             ----      -------
	beelden               Disk      beelden
	video                 Disk      video
	stamboomViaene        Disk
	IPC$                  IPC       IPC Service (Samba Server Version 4.7.12)
	herman                Disk      Home Directories
	HP-Officejet-Pro-8100 Printer   HP Officejet Pro 8100
	Boomaga               Printer   Boomaga
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	MYGROUP              MACH6
	VIA8ENE9             VIA8ENE9
	WORKGROUP            MACH1

So this is OK as well.
If the higher powers agree this is enough of a test, I will not object to an OK.
Blocks: (none) => 24513
Going to validate both of them. Advisory for this one in Comment 3.
Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0152.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED