OVAL

SUSE-SU-2022:0323-1 -- SLES apparmor-debugsource, apache2-mod_apparmor, apparmor-parser, libapparmor1, libgnutls30, libhogweed4, libipa_hbac0, libnettle6, libp11-kit0, libsamba-policy0-python3, libsss_certmap0, libsss_idmap0, libsss_nss_idmap0, libsss_simpleifp0, p11-kit, pam_apparmor, perl-apparmor, python-sssd-config, samba, sssd, gnutls-debugsource, libnettle-debugsource, libsss_nss_idmap-devel, libsamba-policy-python3-devel, apparmor-docs, apparmor-profiles, apparmor-utils, ca-certificates-1_201403302107, yast2-samba-client

ID: oval:org.secpod.oval:def:89045963
Date: (C)2022-02-17   (M)2023-09-20
Class: PATCH
Family: unix




This update contains a major security update for Samba.

samba has received security fixes:

- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
- CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services

samba was updated to version 4.15.4:

+ CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share
+ CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share

- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb, pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries. The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and their manpages in /usr/lib[64]/samba/man. This avoids removing old functionality.

samba was updated to 4.15.4:

* Duplicate SMB file_ids leading to Windows client cache poisoning
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL
* kill_tcp_connections does not work
* Can't connect to Windows shares not requiring authentication using KDE/Gnome
* smbclient -L doesn't set client max protocol to NT1 before calling the Reconnecting with SMB1 for workgroup listing path
* Cross device copy of the crossrename module always fails
* symlinkat function from VFS cap module always fails with an error
* Fix possible fsp pointer deference
* Missing pop_sec_ctx in error path inside close_directory
* smbd --build-options no longer works without an smb.conf file

- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems every time one of these public libraries changed its version. The devel packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink created by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

sssd was updated:

- Build with the newer samba versions
- Fix a dependency loop by moving internal libraries to sssd-common package

p11-kit was updated:

Update to 0.23.2:

* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes

- Fix multiple integer overflows in rpc code
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER

ca-certificates was updated:

- p11-kit 0.23.1 supports pem-directory-hash.

This update also ships:

- libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requires of the newer samba.

apparmor was updated:

- Update samba apparmor profiles for samba 4.15

yast2-samba-client was updated:

- With latest versions of samba calling "net ads lookup" with "-U%" fails
- yast-samba-client fails to join if /etc/samba/smb.conf or /etc/krb5.conf don't exist
- Do not stop nmbd while nmbstatus is running, it is not necessary anymore

Platform:
SUSE Linux Enterprise Server 12 SP5
Product:
apparmor-debugsource
apache2-mod_apparmor
apparmor-parser
libapparmor1
libgnutls30
libhogweed4
libipa_hbac0
libnettle6
libp11-kit0
libsamba-policy0-python3
libsss_certmap0
libsss_idmap0
libsss_nss_idmap0
libsss_simpleifp0
p11-kit
pam_apparmor
perl-apparmor
python-sssd-config
samba
sssd
gnutls-debugsource
libnettle-debugsource
libsss_nss_idmap-devel
libsamba-policy-python3-devel
apparmor-docs
apparmor-profiles
apparmor-utils
ca-certificates
yast2-samba-client
Reference:
SUSE-SU-2022:0323-1
CVE-2020-29361
CVE-2021-20316
CVE-2021-43566
CVE-2021-44141
CVE-2021-44142
CVE-2022-0336

© SecPod Technologies