Bug 28686 - samba, ldb new security issues CVE-2020-27840, CVE-2021-20254, and CVE-2021-20277
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-32-OK
Keywords:
Duplicates: 28870
Depends on:
Blocks: 28042
Reported: 2021-03-31 02:46 CEST by David Walser
Modified: 2021-06-16 05:28 CEST

See Also:
Source RPM: samba-4.12.11-1.mga8.src.rpm, ldb-2.1.4-1.mga8.src.rpm
CVE: CVE-2020-27840, CVE-2021-20254, CVE-2021-20277
Status comment:



Description David Walser 2021-03-31 02:46:06 CEST
Samba has issued advisories on March 24:
https://www.samba.org/samba/security/CVE-2020-27840.html
https://www.samba.org/samba/security/CVE-2021-20277.html

The issues are fixed upstream in Samba 4.12.14 and ldb 2.1.5:
https://www.samba.org/samba/history/samba-4.12.14.html

It looks like Buchan has committed the ldb update in Mageia 8 SVN.

Mageia 7 is also affected.
David Walser 2021-03-31 02:46:34 CEST

Status comment: (none) => Fixed upstream in samba 4.12.14 and ldb 2.1.5
Blocks: (none) => 28042
Whiteboard: (none) => MGA7TOO

Comment 1 Buchan Milne 2021-04-01 09:16:15 CEST
For Mageia 8, ldb-2.1.5-1.mga8 was submitted to updates_testing on 2021-03-25.

ldb-1.5.8-1.1.mga7 was submitted to updates_testing on 2021-03-25, and has the relevant patches from samba's git.

It doesn't seem like samba itself is affected, and no other linux distros have shipped samba updates, only ldb.

CC: (none) => bgmilne
Assignee: bgmilne => bugsquad

Comment 2 Lewis Smith 2021-04-01 21:36:38 CEST
Thank you Buchan for your rapid work on the ldb bit.

@DavidW : what is your reaction to the last comment above? Do we still update samba?

CC: (none) => lewyssmith
Status: NEW => NEEDINFO

Comment 3 Aurelien Oudelet 2021-04-02 12:57:15 CEST
Waiting for DavidW answer.

CC: (none) => ouaurelien

Comment 4 David Walser 2021-04-04 16:07:54 CEST
As the comment at the top of the ldb spec reminds us, the samba and sssd packages must be rebuilt anyway when ldb is updated.  Let's update Samba on Mageia 8 to get the latest upstream bug fixes and rebuild Samba on Mageia 7 to incorporate the fix for Bug 28042, and rebuild sssd for both.
David Walser 2021-04-04 16:08:28 CEST

Status comment: Fixed upstream in samba 4.12.14 and ldb 2.1.5 => ldb updated, samba and sssd to be rebuilt

David Walser 2021-04-04 16:08:37 CEST

Assignee: bugsquad => bgmilne

Lewis Smith 2021-04-06 20:32:53 CEST

Status: NEEDINFO => NEW
CC: lewyssmith => (none)

Comment 5 David Walser 2021-04-18 00:33:05 CEST
RedHat has issued an advisory for this on April 14:
https://access.redhat.com/errata/RHSA-2021:1197
Comment 6 David Walser 2021-05-04 16:00:17 CEST
*** Bug 28870 has been marked as a duplicate of this bug. ***

CC: (none) => mageia

Comment 7 David Walser 2021-05-04 16:03:20 CEST
Samba has issued an advisory on April 29:
https://www.samba.org/samba/security/CVE-2021-20254.html

The issue is fixed upstream in 4.12.15:
https://www.samba.org/samba/history/samba-4.12.15.html

Summary: samba, ldb new security issues CVE-2020-27840 and CVE-2021-20277 => samba, ldb new security issues CVE-2020-27840, CVE-2021-20254, and CVE-2021-20277

Comment 8 Aurelien Oudelet 2021-05-04 16:33:12 CEST
samba-4.12.15-1.mga8.src.rpm pushed to 8/core/updates_testing by Nicolas Lécureuil.

ldb fixed and pushed by Buchan Milne for Mageia 8 and 7.

Remaining work: rebuild sssd for both releases and need to fix Mageia 7 against latest CVE.

CVE: (none) => CVE-2020-27840, CVE-2021-20254, CVE-2021-20277

David Walser 2021-05-04 16:38:10 CEST

Status comment: ldb updated, samba and sssd to be rebuilt => ldb updated, samba needs updated for mga7, and sssd to be rebuilt

Comment 9 Aurelien Oudelet 2021-05-20 18:49:34 CEST
Ping?
Comment 10 David Walser 2021-05-27 23:54:14 CEST
Debian has issued an advisory for this on April 2:
https://www.debian.org/security/2021/dsa-4884

We need to finish this one off before Mageia 7 closes, to get the Bug 28042 fix pushed out.
Comment 11 David Walser 2021-05-28 21:18:12 CEST
Ubuntu has issued advisories for this on March 24 and April 29:
https://ubuntu.com/security/notices/USN-4888-1
https://ubuntu.com/security/notices/USN-4930-1
Comment 12 David Walser 2021-05-31 01:53:14 CEST
Patch from Ubuntu added to Mageia 7 samba package to fix CVE-2021-20254.

sssd package rebuilt in Mageia 7 and Mageia 8 against updated ldb.

SRPMS for this update are ldb, samba, and sssd.  We need a full package list and advisory.  Here's a partial list for the ones I just built:
samba-4.10.18-1.3.mga7
samba-client-4.10.18-1.3.mga7
samba-common-4.10.18-1.3.mga7
samba-dc-4.10.18-1.3.mga7
libsamba-dc0-4.10.18-1.3.mga7
libkdc-samba4_2-4.10.18-1.3.mga7
libheimntlm-samba4_1-4.10.18-1.3.mga7
libsamba-devel-4.10.18-1.3.mga7
samba-krb5-printing-4.10.18-1.3.mga7
libsamba1-4.10.18-1.3.mga7
libsmbclient0-4.10.18-1.3.mga7
libsmbclient-devel-4.10.18-1.3.mga7
libwbclient0-4.10.18-1.3.mga7
libwbclient-devel-4.10.18-1.3.mga7
python2-samba-4.10.18-1.3.mga7
python3-samba-4.10.18-1.3.mga7
samba-pidl-4.10.18-1.3.mga7
samba-test-4.10.18-1.3.mga7
libsamba-test0-4.10.18-1.3.mga7
samba-winbind-4.10.18-1.3.mga7
samba-winbind-clients-4.10.18-1.3.mga7
samba-winbind-krb5-locator-4.10.18-1.3.mga7
samba-winbind-modules-4.10.18-1.3.mga7
ctdb-4.10.18-1.3.mga7
ctdb-tests-4.10.18-1.3.mga7
sssd-1.16.3-3.3.mga7
sssd-common-1.16.3-3.3.mga7
sssd-client-1.16.3-3.3.mga7
libsss_sudo-1.16.3-3.3.mga7
libsss_autofs-1.16.3-3.3.mga7
sssd-tools-1.16.3-3.3.mga7
python2-sssdconfig-1.16.3-3.3.mga7
python3-sssdconfig-1.16.3-3.3.mga7
python2-sss-1.16.3-3.3.mga7
python3-sss-1.16.3-3.3.mga7
python2-sss-murmur-1.16.3-3.3.mga7
python3-sss-murmur-1.16.3-3.3.mga7
sssd-ldap-1.16.3-3.3.mga7
sssd-krb5-common-1.16.3-3.3.mga7
sssd-krb5-1.16.3-3.3.mga7
sssd-common-pac-1.16.3-3.3.mga7
sssd-ipa-1.16.3-3.3.mga7
sssd-ad-1.16.3-3.3.mga7
sssd-proxy-1.16.3-3.3.mga7
libsss_idmap-1.16.3-3.3.mga7
libsss_idmap-devel-1.16.3-3.3.mga7
libipa_hbac-1.16.3-3.3.mga7
libipa_hbac-devel-1.16.3-3.3.mga7
python2-libipa_hbac-1.16.3-3.3.mga7
python3-libipa_hbac-1.16.3-3.3.mga7
libsss_nss_idmap-1.16.3-3.3.mga7
libsss_nss_idmap-devel-1.16.3-3.3.mga7
python2-libsss_nss_idmap-1.16.3-3.3.mga7
python3-libsss_nss_idmap-1.16.3-3.3.mga7
sssd-dbus-1.16.3-3.3.mga7
libsss_simpleifp-1.16.3-3.3.mga7
libsss_simpleifp-devel-1.16.3-3.3.mga7
sssd-libwbclient-1.16.3-3.3.mga7
sssd-libwbclient-devel-1.16.3-3.3.mga7
sssd-winbind-idmap-1.16.3-3.3.mga7
sssd-nfs-idmap-1.16.3-3.3.mga7
libsss_certmap-1.16.3-3.3.mga7
libsss_certmap-devel-1.16.3-3.3.mga7
sssd-kcm-1.16.3-3.3.mga7
sssd-ipa-2.4.0-1.1.mga8
sssd-common-2.4.0-1.1.mga8
libsss_idmap-devel-2.4.0-1.1.mga8
libsss_simpleifp-devel-2.4.0-1.1.mga8
sssd-tools-2.4.0-1.1.mga8
sssd-ad-2.4.0-1.1.mga8
sssd-kcm-2.4.0-1.1.mga8
libipa_hbac-devel-2.4.0-1.1.mga8
sssd-dbus-2.4.0-1.1.mga8
libsss_certmap-devel-2.4.0-1.1.mga8
libsss_nss_idmap-devel-2.4.0-1.1.mga8
sssd-krb5-common-2.4.0-1.1.mga8
sssd-client-2.4.0-1.1.mga8
sssd-common-pac-2.4.0-1.1.mga8
python3-sssdconfig-2.4.0-1.1.mga8
sssd-proxy-2.4.0-1.1.mga8
sssd-ldap-2.4.0-1.1.mga8
libsss_certmap-2.4.0-1.1.mga8
libsss_nss_idmap-2.4.0-1.1.mga8
sssd-krb5-2.4.0-1.1.mga8
libsss_idmap-2.4.0-1.1.mga8
libsss_autofs-2.4.0-1.1.mga8
python3-sss-2.4.0-1.1.mga8
libsss_sudo-2.4.0-1.1.mga8
libipa_hbac-2.4.0-1.1.mga8
sssd-nfs-idmap-2.4.0-1.1.mga8
python3-libipa_hbac-2.4.0-1.1.mga8
sssd-2.4.0-1.1.mga8
libsss_simpleifp-2.4.0-1.1.mga8
python3-libsss_nss_idmap-2.4.0-1.1.mga8
sssd-winbind-idmap-2.4.0-1.1.mga8
python3-sss-murmur-2.4.0-1.1.mga8

Assignee: bgmilne => qa-bugs
Status comment: ldb updated, samba needs updated for mga7, and sssd to be rebuilt => (none)

Comment 13 David Walser 2021-05-31 01:55:04 CEST
SRPMS:
ldb-1.5.8-1.1.mga7.src.rpm
ldb-2.1.5-1.mga8.src.rpm
samba-4.10.18-1.3.mga7.src.rpm
samba-4.12.15-1.mga8.src.rpm
sssd-1.16.3-3.3.mga7.src.rpm
sssd-2.4.0-1.1.mga8.src.rpm

Fixed are the three CVEs and Bug 28042.  The sssd package has to be rebuilt when ldb is updated.
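Added example (not code from this bug or from Mageia's own tooling): a small audit that takes the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{SOURCERPM}\n'` and reports whether each ldb, samba and sssd binary package is at or above the fixed SRPMs listed above. The fixed version-release pairs are the ones in this comment; the version ordering is a port of rpm's rpmvercmp(), because a plain string or float comparison of the upstream version misses the Mageia 7 case, where the CVE-2021-20254 fix is a patch on 4.10.18 and only the 1.3.mga7 release is fixed, and also misses 4.12.14 on Mageia 8, which predates the 4.12.15 fix. The sample inventory is constructed; the samba-4.10.18-1.2.mga7 and samba-4.12.14-1.mga8 entries are hypothetical older builds used only to exercise those two cases.

```python
import re

# Lowest fixed (version, release) per source package, from the SRPM list in
# comment 13. None of these packages carries an epoch, so epoch is taken as 0.
FIXED = {
    "mga7": {"ldb": ("1.5.8", "1.1.mga7"), "samba": ("4.10.18", "1.3.mga7"),
             "sssd": ("1.16.3", "3.3.mga7")},
    "mga8": {"ldb": ("2.1.5", "1.mga8"), "samba": ("4.12.15", "1.mga8"),
             "sssd": ("2.4.0", "1.1.mga8")},
}

_ALNUM = re.compile(r"[0-9A-Za-z]")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1. Digit runs compare
    numerically, alpha runs lexically, a numeric segment beats an alpha one,
    '~' sorts before anything (even end of string) and '^' sorts after end of
    string but before any other segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_ALNUM.match(a[i]) or a[i] in "~^"):
            i += 1                                  # skip separators
        while j < len(b) and not (_ALNUM.match(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if "" in (ca, cb):
                return -1 if ca == "" else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if "" in (ca, cb):
            break
        isnum = "0" <= ca <= "9"
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                              # segment types differ
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) triples the way rpm orders packages."""
    for x, y in zip(evr_a, evr_b):
        r = rpmvercmp(str(x), str(y))
        if r:
            return r
    return 0


def split_srpm(srpm):
    """'samba-4.10.18-1.3.mga7.src.rpm' -> ('samba', '4.10.18', '1.3.mga7')."""
    base = srpm[:-len(".src.rpm")] if srpm.endswith(".src.rpm") else srpm
    return tuple(base.rsplit("-", 2))


def audit(records):
    """records: lines of 'NAME VERSION RELEASE SOURCERPM' as printed by
    rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{SOURCERPM}\\n'.
    Returns {binary package: 'fixed' | 'vulnerable' | 'unknown'}; binary
    packages are mapped to their source package through SOURCERPM."""
    status = {}
    for line in records:
        name, ver, rel, srpm = line.split()
        src = split_srpm(srpm)[0]
        m = re.search(r"\.(mga\d+)$", rel)          # Mageia release tag
        fixed = FIXED.get(m.group(1) if m else "", {}).get(src)
        if fixed is None:
            status[name] = "unknown"
            continue
        ok = evr_cmp((0, ver, rel), (0,) + fixed) >= 0
        status[name] = "fixed" if ok else "vulnerable"
    return status


# Constructed sample inventory (not taken from a real host); the 1.2.mga7 and
# 4.12.14 samba builds are hypothetical pre-update builds.
SAMPLE = [
    "samba-client 4.10.18 1.2.mga7 samba-4.10.18-1.2.mga7.src.rpm",
    "libldb1 1.5.8 1.1.mga7 ldb-1.5.8-1.1.mga7.src.rpm",
    "lib64samba1 4.12.14 1.mga8 samba-4.12.14-1.mga8.src.rpm",
    "lib64wbclient0 4.12.15 1.mga8 samba-4.12.15-1.mga8.src.rpm",
    "sssd-common 2.4.0 1.1.mga8 sssd-2.4.0-1.1.mga8.src.rpm",
    "lib64talloc2 2.3.1 1.mga8 talloc-2.3.1-1.mga8.src.rpm",
]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{pkg:16s} {state}")
```

Packages built from any other SRPM come back as "unknown" rather than "fixed", so a rebuilt sssd that still carries the old release would show up as vulnerable instead of silently passing; the release field matters here because the sssd and samba rebuilds against the new ldb only bump the release, not the upstream version.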
Comment 14 Guillaume Royer 2021-06-02 15:47:14 CEST
MGA 8 LXQt VM

Before update, tested smb to access network drive in internet box, read, write and create files ok.

Installation with David's help from the srpms list.

After reboot smb is ok, my network drive is accessible. Read, write and create files ok.

For other QA team members who would like to test the update, can we have an rpm list to test with the QA repo tool?

CC: (none) => guillaume.royer

Comment 15 David Walser 2021-06-10 20:54:31 CEST
Full package list is this:
ldb-utils-1.5.8-1.1.mga7
libldb-devel-1.5.8-1.1.mga7
libldb1-1.5.8-1.1.mga7
libpyldb-util-devel-1.5.8-1.1.mga7
libpyldb-util1-1.5.8-1.1.mga7
python2-ldb-1.5.8-1.1.mga7
python3-ldb-1.5.8-1.1.mga7
ldb-utils-2.1.5-1.mga8
libldb-devel-2.1.5-1.mga8
libldb2-2.1.5-1.mga8
libpyldb-util-devel-2.1.5-1.mga8
libpyldb-util2-2.1.5-1.mga8
python3-ldb-2.1.5-1.mga8

plus these:
https://bugs.mageia.org/show_bug.cgi?id=28686#c12
https://bugs.mageia.org/show_bug.cgi?id=28870#c4
Comment 16 Brian Rockwell 2021-06-16 04:08:00 CEST
MGA8 - Plasma

Upgraded Samba client on machine

The following 6 packages are going to be installed:

- lib64samba-dc0-4.12.15-1.mga8.x86_64
- lib64samba1-4.12.15-1.mga8.x86_64
- lib64smbclient0-4.12.15-1.mga8.x86_64
- lib64wbclient0-4.12.15-1.mga8.x86_64
- samba-client-4.12.15-1.mga8.x86_64
- samba-common-4.12.15-1.mga8.x86_64


no issues.  Able to connect to Share without issues.

CC: (none) => brtians1

Comment 17 Brian Rockwell 2021-06-16 04:31:53 CEST
MGA7 - i586 mate

The following 9 packages are going to be installed:

- libheimntlm-samba4_1-4.10.18-1.3.mga7.i586
- libkdc-samba4_2-4.10.18-1.3.mga7.i586
- libsamba-dc0-4.10.18-1.3.mga7.i586
- libsamba1-4.10.18-1.3.mga7.i586
- libsmbclient0-4.10.18-1.3.mga7.i586
- libwbclient0-4.10.18-1.3.mga7.i586
- samba-4.10.18-1.3.mga7.i586
- samba-client-4.10.18-1.3.mga7.i586
- samba-common-4.10.18-1.3.mga7.i586

This machine works as a samba server.  

After updates and restart, services are up and able to read/post to share.
Brian Rockwell 2021-06-16 04:32:07 CEST

Whiteboard: MGA7TOO => MGA7TOO MGA7_32_OK

David Walser 2021-06-16 04:43:27 CEST

Whiteboard: MGA7TOO MGA7_32_OK => MGA7TOO MGA7-32-OK

Comment 18 Brian Rockwell 2021-06-16 05:28:03 CEST
MGA8 - Vbox - 64bit - Cinnamon

I decided to do a large install even though I'm not familiar with sssd. The service is running after the install and reboot.

The following 102 packages are going to be installed:

- gcc-10.3.0-1.mga8.x86_64
- gcc-cpp-10.3.0-1.mga8.x86_64
- gettext-devel-0.21-8.mga8.x86_64
- glib-gettextize-2.66.8-1.mga8.x86_64
- gnutls-3.6.15-3.1.mga8.x86_64
- isl-0.18-2.mga8.x86_64
- ldb-utils-2.1.5-1.mga8.x86_64
- lib64acl-devel-2.2.53-2.mga8.x86_64
- lib64audit-devel-3.0-1.mga8.x86_64
- lib64bsd-devel-0.10.0-2.mga8.x86_64
- lib64cap-devel-2.46-1.mga8.x86_64
- lib64cap-ng-devel-0.8.2-1.mga8.x86_64
- lib64dhash1-0.5.0-12.mga8.x86_64
- lib64ffi-devel-3.3-2.mga8.x86_64
- lib64gcrypt-devel-1.8.7-1.mga8.x86_64
- lib64glib2.0-devel-2.66.8-1.mga8.x86_64
- lib64gmp-devel-6.2.1-1.mga8.x86_64
- lib64gnutls-devel-3.6.15-3.1.mga8.x86_64
- lib64gnutls30-3.6.15-3.1.mga8.x86_64
- lib64gnutlsxx28-3.6.15-3.1.mga8.x86_64
- lib64gpg-error-devel-1.41-1.mga8.x86_64
- lib64hogweed6-3.7.2-1.mga8.x86_64
- lib64icu-devel-68.2-1.mga8.x86_64
- lib64idn2-devel-2.3.0-4.mga8.x86_64
- lib64isl15-0.18-2.mga8.x86_64
- lib64kdc-samba4_2-4.12.15-1.mga8.x86_64
- lib64ldap2.4_2-devel-2.4.57-1.1.mga8.x86_64
- lib64ldb-devel-2.1.5-1.mga8.x86_64
- lib64ldb2-2.1.5-1.mga8.x86_64
- lib64lz4-devel-1.9.3-1.1.mga8.x86_64
- lib64lzma-devel-5.2.5-2.mga8.x86_64
- lib64mount-devel-2.36.1-5.mga8.x86_64
- lib64ncurses-devel-6.2-20201205.1.mga8.x86_64
- lib64nettle-devel-3.7.2-1.mga8.x86_64
- lib64nettle8-3.7.2-1.mga8.x86_64
- lib64nl-route3_200-3.5.0-2.mga8.x86_64
- lib64openssl-devel-1.1.1k-1.mga8.x86_64
- lib64opts25-5.18.16-6.mga8.x86_64
- lib64p11-kit-devel-0.23.22-2.mga8.x86_64
- lib64pam-devel-1.3.1-7.mga8.x86_64
- lib64pcre-devel-8.44-1.mga8.x86_64
- lib64pcre16_0-8.44-1.mga8.x86_64
- lib64pcre32_0-8.44-1.mga8.x86_64
- lib64samba-dc0-4.12.15-1.mga8.x86_64
- lib64samba-devel-4.12.15-1.mga8.x86_64
- lib64samba-test0-4.12.15-1.mga8.x86_64
- lib64samba1-4.12.15-1.mga8.x86_64
- lib64sasl2-devel-2.1.27-3.mga8.x86_64
- lib64sasl2-plug-gssapi-2.1.27-3.mga8.x86_64
- lib64smbclient0-4.12.15-1.mga8.x86_64
- lib64talloc-devel-2.3.1-1.mga8.x86_64
- lib64tasn1-devel-4.16.0-4.mga8.x86_64
- lib64tdb-devel-1.4.3-1.mga8.x86_64
- lib64tevent-devel-0.10.2-1.mga8.x86_64
- lib64unistring-devel-0.9.10-4.mga8.x86_64
- lib64uring1-0.7-2.mga8.x86_64
- lib64wbclient-devel-4.12.15-1.mga8.x86_64
- lib64wbclient0-4.12.15-1.mga8.x86_64
- lib64xml2-devel-2.9.10-7.2.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- lib64zstd-devel-1.4.8-1.mga8.x86_64
- libcap-utils-2.46-1.mga8.x86_64
- libipa_hbac-2.4.0-1.1.mga8.x86_64
- libsss_autofs-2.4.0-1.1.mga8.x86_64
- libsss_certmap-2.4.0-1.1.mga8.x86_64
- libsss_idmap-2.4.0-1.1.mga8.x86_64
- libsss_nss_idmap-2.4.0-1.1.mga8.x86_64
- libsss_sudo-2.4.0-1.1.mga8.x86_64
- libstdc++-devel-10.3.0-1.mga8.x86_64
- libstdc++-python-devel-10.3.0-1.mga8.x86_64
- libtasn1-tools-4.16.0-4.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- python3-ldb-2.1.5-1.mga8.x86_64
- python3-samba-4.12.15-1.mga8.x86_64
- python3-sssdconfig-2.4.0-1.1.mga8.noarch
- python3-talloc-2.3.1-1.mga8.x86_64
- python3-tdb-1.4.3-1.mga8.x86_64
- python3-tevent-0.10.2-1.mga8.x86_64
- samba-4.12.15-1.mga8.x86_64
- samba-client-4.12.15-1.mga8.x86_64
- samba-common-4.12.15-1.mga8.x86_64
- samba-dc-4.12.15-1.mga8.x86_64
- samba-krb5-printing-4.12.15-1.mga8.x86_64
- samba-test-4.12.15-1.mga8.x86_64
- samba-winbind-4.12.15-1.mga8.x86_64
- samba-winbind-clients-4.12.15-1.mga8.x86_64
- samba-winbind-krb5-locator-4.12.15-1.mga8.x86_64
- samba-winbind-modules-4.12.15-1.mga8.x86_64
- sssd-2.4.0-1.1.mga8.x86_64
- sssd-ad-2.4.0-1.1.mga8.x86_64
- sssd-client-2.4.0-1.1.mga8.x86_64
- sssd-common-2.4.0-1.1.mga8.x86_64
- sssd-common-pac-2.4.0-1.1.mga8.x86_64
- sssd-dbus-2.4.0-1.1.mga8.x86_64
- sssd-ipa-2.4.0-1.1.mga8.x86_64
- sssd-krb5-2.4.0-1.1.mga8.x86_64
- sssd-krb5-common-2.4.0-1.1.mga8.x86_64
- sssd-ldap-2.4.0-1.1.mga8.x86_64
- sssd-nfs-idmap-2.4.0-1.1.mga8.x86_64
- sssd-proxy-2.4.0-1.1.mga8.x86_64
- sssd-winbind-idmap-2.4.0-1.1.mga8.x86_64
- systemd-devel-246.13-2.mga8.x86_64


After starting services I went into the configuration utility and set up a share with user limitations.

That worked as designed.
