libasn1-8-7.8.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12580 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libasn1-8-7.8.0-1.1 on GA media These are all security issues fixed in the libasn1-8-7.8.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12580 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12580 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-14870/ SUSE CVE CVE-2019-14870 page https://www.suse.com/security/cve/CVE-2021-3671/ SUSE CVE CVE-2021-3671 page https://www.suse.com/security/cve/CVE-2021-44758/ SUSE CVE CVE-2021-44758 page https://www.suse.com/security/cve/CVE-2022-3437/ SUSE CVE CVE-2022-3437 page https://www.suse.com/security/cve/CVE-2022-41916/ SUSE CVE CVE-2022-41916 page https://www.suse.com/security/cve/CVE-2022-42898/ SUSE CVE CVE-2022-42898 page https://www.suse.com/security/cve/CVE-2022-44640/ SUSE CVE CVE-2022-44640 page openSUSE Tumbleweed libasn1-8-7.8.0-1.1 libgssapi3-7.8.0-1.1 libhcrypto4-7.8.0-1.1 libhdb9-7.8.0-1.1 libheimbase1-7.8.0-1.1 libheimdal-devel-7.8.0-1.1 libheimedit0-7.8.0-1.1 libheimntlm0-7.8.0-1.1 libhx509-5-7.8.0-1.1 libkadm5clnt7-7.8.0-1.1 libkadm5srv8-7.8.0-1.1 libkafs0-7.8.0-1.1 libkdc2-7.8.0-1.1 libkrb5-26-7.8.0-1.1 libotp0-7.8.0-1.1 libroken18-7.8.0-1.1 libsl0-7.8.0-1.1 libwind0-7.8.0-1.1 libasn1-8-7.8.0-1.1 as a component of openSUSE Tumbleweed libgssapi3-7.8.0-1.1 as a component of openSUSE Tumbleweed libhcrypto4-7.8.0-1.1 as a component of openSUSE Tumbleweed libhdb9-7.8.0-1.1 as a component of openSUSE Tumbleweed libheimbase1-7.8.0-1.1 as a component of openSUSE Tumbleweed libheimdal-devel-7.8.0-1.1 as a component of openSUSE Tumbleweed libheimedit0-7.8.0-1.1 as a component of openSUSE Tumbleweed libheimntlm0-7.8.0-1.1 as a component of openSUSE Tumbleweed libhx509-5-7.8.0-1.1 as a component of openSUSE Tumbleweed libkadm5clnt7-7.8.0-1.1 as a component of openSUSE Tumbleweed libkadm5srv8-7.8.0-1.1 as a component of openSUSE Tumbleweed libkafs0-7.8.0-1.1 as a component of openSUSE Tumbleweed libkdc2-7.8.0-1.1 as a component of openSUSE Tumbleweed libkrb5-26-7.8.0-1.1 as a component of openSUSE Tumbleweed libotp0-7.8.0-1.1 as a component of openSUSE Tumbleweed libroken18-7.8.0-1.1 as a component of openSUSE Tumbleweed libsl0-7.8.0-1.1 as a component of openSUSE Tumbleweed libwind0-7.8.0-1.1 as a component of openSUSE Tumbleweed All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. CVE-2019-14870 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14870.html CVE-2019-14870 https://bugzilla.suse.com/1158109 SUSE Bug 1158109 A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server. CVE-2021-3671 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3671.html CVE-2021-3671 https://bugzilla.suse.com/1191622 SUSE Bug 1191622 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept. CVE-2021-44758 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-44758.html CVE-2021-44758 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. CVE-2022-3437 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-3437.html CVE-2022-3437 https://bugzilla.suse.com/1204254 SUSE Bug 1204254 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 https://bugzilla.suse.com/1208992 SUSE Bug 1208992 Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue. CVE-2022-41916 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41916.html CVE-2022-41916 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug." CVE-2022-42898 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-42898.html CVE-2022-42898 https://bugzilla.suse.com/1205126 SUSE Bug 1205126 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 https://bugzilla.suse.com/1207423 SUSE Bug 1207423 https://bugzilla.suse.com/1207690 SUSE Bug 1207690 https://bugzilla.suse.com/1211487 SUSE Bug 1211487 Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC). CVE-2022-44640 openSUSE Tumbleweed:libasn1-8-7.8.0-1.1 openSUSE Tumbleweed:libgssapi3-7.8.0-1.1 openSUSE Tumbleweed:libhcrypto4-7.8.0-1.1 openSUSE Tumbleweed:libhdb9-7.8.0-1.1 openSUSE Tumbleweed:libheimbase1-7.8.0-1.1 openSUSE Tumbleweed:libheimdal-devel-7.8.0-1.1 openSUSE Tumbleweed:libheimedit0-7.8.0-1.1 openSUSE Tumbleweed:libheimntlm0-7.8.0-1.1 openSUSE Tumbleweed:libhx509-5-7.8.0-1.1 openSUSE Tumbleweed:libkadm5clnt7-7.8.0-1.1 openSUSE Tumbleweed:libkadm5srv8-7.8.0-1.1 openSUSE Tumbleweed:libkafs0-7.8.0-1.1 openSUSE Tumbleweed:libkdc2-7.8.0-1.1 openSUSE Tumbleweed:libkrb5-26-7.8.0-1.1 openSUSE Tumbleweed:libotp0-7.8.0-1.1 openSUSE Tumbleweed:libroken18-7.8.0-1.1 openSUSE Tumbleweed:libsl0-7.8.0-1.1 openSUSE Tumbleweed:libwind0-7.8.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-44640.html CVE-2022-44640 https://bugzilla.suse.com/1205667 SUSE Bug 1205667 https://bugzilla.suse.com/1206730 SUSE Bug 1206730