Thanks for the submissions! However we also need submission for
SUSE:SLE-11-SP3:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
SUSE:SLE-15:Update 	
SUSE:SLE-15-SP1:Update 
SUSE:SLE-15-SP2:Update	
SUSE:SLE-15-SP2:Update:Products:SES7:Update

(In reply to Thomas Leroy from comment #5)
> Thanks for the submissions! However we also need submission for
> SUSE:SLE-11-SP3:Update
> SUSE:SLE-12-SP1:Update
> SUSE:SLE-12-SP2:Update
> SUSE:SLE-12-SP3:Update
> SUSE:SLE-15:Update 	
These did not have the AD domain controller shipped

> SUSE:SLE-15-SP1:Update 
> SUSE:SLE-15-SP2:Update	
These two had AD domain controller but only as a tech preview, and it would be risky to backport a massive changeset to LTSS-only releases for a tech preview.


> SUSE:SLE-15-SP2:Update:Products:SES7:Update
This did not have the AD domain controller shipped

public: https://www.samba.org/samba/security/CVE-2022-32744.html

SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src):    ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

why SLE-12-SP5/ldb got no submission?

(In reply to James McDonough from comment #6)
> (In reply to Thomas Leroy from comment #5)
> > SUSE:SLE-15-SP1:Update 
> > SUSE:SLE-15-SP2:Update	
> These two had AD domain controller but only as a tech preview, and it would
> be risky to backport a massive changeset to LTSS-only releases for a tech
> preview.

Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb vulnerable as well?

(In reply to Gianluca Gabrielli from comment #12)
> (In reply to James McDonough from comment #6)
> > (In reply to Thomas Leroy from comment #5)
> > > SUSE:SLE-15-SP1:Update 
> > > SUSE:SLE-15-SP2:Update	
> > These two had AD domain controller but only as a tech preview, and it would
> > be risky to backport a massive changeset to LTSS-only releases for a tech
> > preview.
> 
> Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> vulnerable as well?
It does not affect our supported code, only the tech preview.  My above statement explains it.


(In reply to Gianluca Gabrielli from comment #11)
> why SLE-12-SP5/ldb got no submission?

It did not have AD domain controller support, so it is not affected.

(In reply to James McDonough from comment #13)
> (In reply to Gianluca Gabrielli from comment #12)
> > (In reply to James McDonough from comment #6)
> > > (In reply to Thomas Leroy from comment #5)
> > > > SUSE:SLE-15-SP1:Update 
> > > > SUSE:SLE-15-SP2:Update	
> > > These two had AD domain controller but only as a tech preview, and it would
> > > be risky to backport a massive changeset to LTSS-only releases for a tech
> > > preview.
> > 
> > Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> > vulnerable as well?
> It does not affect our supported code, only the tech preview.  My above
> statement explains it.
> 
> 
> (In reply to Gianluca Gabrielli from comment #11)
> > why SLE-12-SP5/ldb got no submission?
> 
> It did not have AD domain controller support, so it is not affected.

So only SLE-12-SP5/samba does?

(In reply to Gianluca Gabrielli from comment #14)
> (In reply to James McDonough from comment #13)
> > (In reply to Gianluca Gabrielli from comment #12)
> > > (In reply to James McDonough from comment #6)
> > > > (In reply to Thomas Leroy from comment #5)
> > > > > SUSE:SLE-15-SP1:Update 
> > > > > SUSE:SLE-15-SP2:Update	
> > > > These two had AD domain controller but only as a tech preview, and it would
> > > > be risky to backport a massive changeset to LTSS-only releases for a tech
> > > > preview.
> > > 
> > > Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> > > vulnerable as well?
> > It does not affect our supported code, only the tech preview.  My above
> > statement explains it.
> > 
> > 
> > (In reply to Gianluca Gabrielli from comment #11)
> > > why SLE-12-SP5/ldb got no submission?
> > 
> > It did not have AD domain controller support, so it is not affected.
> 
> So only SLE-12-SP5/samba does?

so it is CVE-2022-32746 not CVE-2022-32744 that affects ldb (the summary here is misleading). Also in this case the changes to ldb are infrastructure changes needed to fix a bug in samba's domain controller logging module. SLE12-SP5 is not built with domain controller (AD) support thus is not affected

Gotcha, thanks for the clarification. 

Can you explain why SR#276311 [0] backports the fix for CVE-2022-32744 to SUSE:SLE-12-SP5:Update/samba?

Moreover, I guess the same can be said for CVE-2022-32745 and CVE-2022-2031, correct?

[0] https://build.suse.de/request/show/276311

(In reply to Gianluca Gabrielli from comment #16)
> Gotcha, thanks for the clarification. 
> 
> Can you explain why SR#276311 [0] backports the fix for CVE-2022-32744 to
> SUSE:SLE-12-SP5:Update/samba?
> 
> Moreover, I guess the same can be said for CVE-2022-32745 and CVE-2022-2031,
> correct?
> 
> [0] https://build.suse.de/request/show/276311


it makes more sense to apply the patch (since it was available for the code base regardless of whether it was strictly relevant) for the complete code base (including the ldb sources) in order to keep them as up to date as possible.

Think about a subsequent security fix that depends on code already assumed to be in the release because of a previous security release.

SLE12-SP5 is additionally even more special because samba is built with a bundled version of ldb

(In reply to Noel Power from comment #17)
> it makes more sense to apply the patch (since it was available for the code
> base regardless of whether it was strictly relevant) for the complete code
> base (including the ldb sources) in order to keep them as up to date as
> possible.
> 
> Think about a subsequent security fix that depends on code already assumed
> to be in the release because of a previous security release.

Clear, and I agree with you. Wouldn't the same reason apply for SUSE:SLE-12-SP5:Update/ldb too? 
 
> SLE12-SP5 is additionally even more special because samba is built with a
> bundled version of ldb

Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5 samba uses a bundled version ldb?

(In reply to Gianluca Gabrielli from comment #18)
> (In reply to Noel Power from comment #17)
> > it makes more sense to apply the patch (since it was available for the code
> > base regardless of whether it was strictly relevant) for the complete code
> > base (including the ldb sources) in order to keep them as up to date as
> > possible.
> > 
> > Think about a subsequent security fix that depends on code already assumed
> > to be in the release because of a previous security release.
> 
> Clear, and I agree with you. Wouldn't the same reason apply for
> SUSE:SLE-12-SP5:Update/ldb too? 
yep but the update would not be as straightforward as updating the bundled ldb version, see below
>  
> > SLE12-SP5 is additionally even more special because samba is built with a
> > bundled version of ldb
> 
> Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> samba uses a bundled version ldb?
no its not we don't care about it, just at the time (under pressure with a sec release) it wasn't high on the priority list because it wasn't strictly necessary. More importantly the ldb version on sle12-sp5 is an older series than 'say' sle15-sp3/sp4 and there was some problems (that I can't recall exactly) why we did not bump the ldb version when we aligned the sle12-sp5 samba version with sle15-sp3/sp4 (ironically because of another security release). This is the reason why ldb is bundled with samba on sle12-sp5. So, the issue here is that is most likely it is not trivial to backport the ldb fixes from ldb2.x to ldb1.x

(In reply to Noel Power from comment #19)
> (In reply to Gianluca Gabrielli from comment #18)
> > (In reply to Noel Power from comment #17)
> > > SLE12-SP5 is additionally even more special because samba is built with a
> > > bundled version of ldb
> > 
> > Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> > samba uses a bundled version ldb?
> no its not we don't care about it, just at the time (under pressure with a
> sec release) it wasn't high on the priority list because it wasn't strictly
> necessary. More importantly the ldb version on sle12-sp5 is an older series
> than 'say' sle15-sp3/sp4 and there was some problems (that I can't recall
> exactly) why we did not bump the ldb version when we aligned the sle12-sp5
> samba version with sle15-sp3/sp4 (ironically because of another security
> release). This is the reason why ldb is bundled with samba on sle12-sp5. So,
> the issue here is that is most likely it is not trivial to backport the ldb
> fixes from ldb2.x to ldb1.x

Are you aware if SUSE:SLE-12-SP5:Update/ldb is used by packages other than samba? In case it is there only for samba, wouldn't make sense to version bump it to align with other codestreams setup and start using that one instead of the bundle one?

(In reply to Gianluca Gabrielli from comment #20)
> (In reply to Noel Power from comment #19)
> > (In reply to Gianluca Gabrielli from comment #18)
> > > (In reply to Noel Power from comment #17)
> > > > SLE12-SP5 is additionally even more special because samba is built with a
> > > > bundled version of ldb
> > > 
> > > Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> > > samba uses a bundled version ldb?
> > no its not we don't care about it, just at the time (under pressure with a
> > sec release) it wasn't high on the priority list because it wasn't strictly
> > necessary. More importantly the ldb version on sle12-sp5 is an older series
> > than 'say' sle15-sp3/sp4 and there was some problems (that I can't recall
> > exactly) why we did not bump the ldb version when we aligned the sle12-sp5
> > samba version with sle15-sp3/sp4 (ironically because of another security
> > release). This is the reason why ldb is bundled with samba on sle12-sp5. So,
> > the issue here is that is most likely it is not trivial to backport the ldb
> > fixes from ldb2.x to ldb1.x
> 
> Are you aware if SUSE:SLE-12-SP5:Update/ldb is used by packages other than
> samba?
not in particular but there are python2 bindings (which are supported packages) provided by ldb1 (which were removed in ldb2 and not supported at in the later versions of sle15 where the samba versions match. Note: the later versions  require the newer version of ldb (ldb2) This is one of the main reasons why samba needs instead to use the bundled version of ldb
> In case it is there only for samba, wouldn't make sense to version
> bump it to align with other codestreams setup and start using that one
> instead of the bundle one?
no, see above

just to recap, 

 - SUSE:SLE-12-SP5:Update/ldb is ldb1
 - SUSE:SLE-12-SP5:Update/samba uses the ldb bundled version which is ldb2.

as ldb1 is not affected I can flag SUSE:SLE-12-SP5:Update/ldb as not affected.

 - SUSE:SLE-12-SP5:Update/samba has already been released and it include the patches for both samba and ldb2.

While the following packages are all affected, but we are not going to submit any patch due to the fact that they implement AD domain controller only as a tech preview.

 - SUSE:SLE-15-SP1:Update/samba, SUSE:SLE-15-SP1:Update/ldb 
 - SUSE:SLE-15-SP2:Update/samba, SUSE:SLE-15-SP2:Update/ldb


Is my statement correct?

(In reply to Gianluca Gabrielli from comment #22)
> just to recap, 
> 
>  - SUSE:SLE-12-SP5:Update/ldb is ldb1
>  - SUSE:SLE-12-SP5:Update/samba uses the ldb bundled version which is ldb2.
> 
> as ldb1 is not affected I can flag SUSE:SLE-12-SP5:Update/ldb as not
> affected.
> 
>  - SUSE:SLE-12-SP5:Update/samba has already been released and it include the
> patches for both samba and ldb2.
> 
> While the following packages are all affected, but we are not going to
> submit any patch due to the fact that they implement AD domain controller
> only as a tech preview.
> 
>  - SUSE:SLE-15-SP1:Update/samba, SUSE:SLE-15-SP1:Update/ldb 
>  - SUSE:SLE-15-SP2:Update/samba, SUSE:SLE-15-SP2:Update/ldb
> 
> 
> Is my statement correct?

unfortunately it appears I made a mistake here when preparing the changelog, I got confused by both the similar numbers CVE-2022-32745, CVE-2022-32746, CVE-2022-32747 (with 32744 being wrong) and the fact all the SUSE bugs in question mention ldb in the bug summary. Your statement above is true for CVE-2022-32746 the only one actually affecting ldb. I'm afraid I have made things very confusing

SUSE-SU-2022:2586-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Agreed for setting 15sp1 and 15sp2 as wontfix.
Everything done, closing