Bugzilla – Bug 1198397
VUL-1: CVE-2021-3670: samba,ldb: MaxQueryDuration not honoured in Samba AD DC LDAP
Last modified: 2022-05-09 16:18:05 UTC
Samba's AD DC does not seem to honour MaxQueryDuration
does this affect both ldb and samba?
a fix was in ldb, but it seems commits are also in samba?
(In reply to Marcus Meissner from comment #1)
> does this affect both ldb and samba?
> a fix was in ldb, but it seems commits are also in samba?
Yes, it has two parts, ldb and samba and it only affects to the AD DC role.
As the Samba team is not considering this a security issue (see samba bug), SUSE is currently not backporting fixes to its samba and ldb versions.
Future version updates will include fixes for this denial of service attack.
SUSE-SU-2022:1576-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1198397
CVE References: CVE-2021-3670
openSUSE Leap 15.3 (src): ldb-2.4.2-150300.3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): ldb-2.4.2-150300.3.15.1
SUSE Linux Enterprise Micro 5.2 (src): ldb-2.4.2-150300.3.15.1
SUSE Linux Enterprise Micro 5.1 (src): ldb-2.4.2-150300.3.15.1
SUSE Enterprise Storage 7.1 (src): ldb-2.4.2-150300.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.