SCIENTIFIC-LINUX-ERRATA Archives

December 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Mon, 21 Dec 2015 23:11:41 +0000

Synopsis:          Low: sssd security, bug fix, and enhancement update
Advisory ID:       SLSA-2015:2355-1
Issue Date:        2015-11-19
CVE Numbers:       CVE-2015-5292
--

It was found that SSSD's Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication
request. A remote attacker could potentially use this flaw to exhaust all
available memory on the system by making repeated requests to a Kerberized
daemon application configured to authenticate using the PAC responder
plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous version.

* SSSD smart card support
* Cache authentication in SSSD
* SSSD supports overriding automatically discovered AD site
* SSSD can now deny SSH access to locked accounts
* SSSD enables UID and GID mapping on individual clients
* Background refresh of cached entries
* Multi-step prompting for one-time and long-term passwords
* Caching for initgroups operations

Bugs fixed:

* When the SELinux user content on an IdM server was set to an empty
string, the SSSD SELinux evaluation utility returned an error.

* If the ldap_child process failed to initialize credentials and exited
with an error multiple times, operations that create files in some cases
started failing due to an insufficient amount of i-nodes.

* The SRV queries used a hard-coded TTL timeout, so environments that
wanted SRV query results to be valid only for a certain time could not
achieve this. Now, SSSD parses the TTL value out of the DNS packet.

* Previously, the initgroups operation took an excessive amount of time.
Now, logins and ID processing are faster for setups with an AD back end
and disabled ID mapping.

* When an IdM client with Scientific Linux 7.1 or later was connecting to
a server with Scientific Linux 7.0 or earlier, authentication with an AD
trusted domain caused the sssd_be process to terminate unexpectedly.

* If replication conflict entries appeared during HBAC processing, the
user was denied access. Now, the replication conflict entries are skipped
and users are permitted access.

* The array of SIDs no longer contains an uninitialized value and SSSD no
longer crashes.

* SSSD supports GPOs from different domain controllers and no longer
crashes when processing GPOs from different domain controllers.

* SSSD could not refresh sudo rules that contained groups with special
characters, such as parentheses, in their name.

* The IPA names are not qualified on the client side if the server already
qualified them, and IdM group members resolve even if
default_domain_suffix is used on the server side.

* The internal cache cleanup task has been disabled by default to improve
performance of the sssd_be process.

* default_domain_suffix is no longer considered for autofs maps.

* The user can set subdomain_inherit=ignore_group_members to disable
fetching group members for trusted domains.

* The group resolution failed with an error message: "Error: 14 (Bad
address)". The binary GUID handling has been fixed.

Enhancements added:

* The description of default_domain_suffix has been improved in the manual
pages.

* With the new "%0" template option, users on SSSD IdM clients can now use
home directories set on AD.
--

SL7
  x86_64
    libipa_hbac-1.13.0-40.el7.i686.rpm
    libipa_hbac-1.13.0-40.el7.x86_64.rpm
    libsss_idmap-1.13.0-40.el7.i686.rpm
    libsss_idmap-1.13.0-40.el7.x86_64.rpm
    libsss_nss_idmap-1.13.0-40.el7.i686.rpm
    libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
    python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
    python-sss-1.13.0-40.el7.x86_64.rpm
    python-sss-murmur-1.13.0-40.el7.x86_64.rpm
    sssd-1.13.0-40.el7.x86_64.rpm
    sssd-ad-1.13.0-40.el7.x86_64.rpm
    sssd-client-1.13.0-40.el7.i686.rpm
    sssd-client-1.13.0-40.el7.x86_64.rpm
    sssd-common-1.13.0-40.el7.i686.rpm
    sssd-common-1.13.0-40.el7.x86_64.rpm
    sssd-common-pac-1.13.0-40.el7.x86_64.rpm
    sssd-dbus-1.13.0-40.el7.x86_64.rpm
    sssd-debuginfo-1.13.0-40.el7.i686.rpm
    sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
    sssd-ipa-1.13.0-40.el7.x86_64.rpm
    sssd-krb5-1.13.0-40.el7.x86_64.rpm
    sssd-krb5-common-1.13.0-40.el7.i686.rpm
    sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
    sssd-ldap-1.13.0-40.el7.x86_64.rpm
    sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
    sssd-proxy-1.13.0-40.el7.x86_64.rpm
    sssd-tools-1.13.0-40.el7.x86_64.rpm
    libipa_hbac-devel-1.13.0-40.el7.i686.rpm
    libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
    libsss_idmap-devel-1.13.0-40.el7.i686.rpm
    libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
    libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
    libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
    libsss_simpleifp-1.13.0-40.el7.i686.rpm
    libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
    libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
    libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
    python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
    sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
    sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm
  noarch
    python-sssdconfig-1.13.0-40.el7.noarch.rpm
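An added check, not part of the advisory or of SSSD: a port of rpm's version-segment ordering used to flag installed sssd builds that are older than the 1.13.0-40.el7 builds listed above. The installed-package sample is constructed; epoch is assumed to be 0 throughout and the '^' version separator is not handled.

```python
# Compare installed sssd builds against the fixed builds in SLSA-2015:2355-1.
import re

# Fixed SL7 x86_64 builds taken from the advisory list above (epoch assumed 0).
ADVISORY_RPMS = ["sssd-1.13.0-40.el7.x86_64.rpm",
                 "sssd-common-pac-1.13.0-40.el7.x86_64.rpm",
                 "sssd-krb5-1.13.0-40.el7.x86_64.rpm"]

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp() segment ordering ('^' omitted): -1, 0 or 1."""
    ta, tb = (re.findall(r"[0-9]+|[A-Za-z]+|~", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":                  # '~' sorts before anything else
            if x != y: return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():            # a numeric segment beats letters
            return 1 if x.isdigit() else -1
        key = int if x.isdigit() else str         # int compare drops leading zeros
        if key(x) != key(y): return 1 if key(x) > key(y) else -1
    ra, rb = ta[len(tb):], tb[len(ta):]          # segments one side has left over
    if ra and ra[0] == "~": return -1             # trailing '~' still sorts lower
    if rb and rb[0] == "~": return 1
    return (len(ra) > 0) - (len(rb) > 0)          # otherwise the longer side wins

def parse_nevra(rpm_name):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    base = rpm_name[:-4] if rpm_name.endswith(".rpm") else rpm_name
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def unpatched(installed, advisory=ADVISORY_RPMS):
    """Names of installed packages whose version-release predates the advisory's."""
    fixed = {n: (v, r) for n, v, r, _ in map(parse_nevra, advisory)}
    out = []
    for name, ver, rel, _ in map(parse_nevra, installed):
        if name in fixed:
            # rpm orders by version first and falls back to release on a tie.
            rc = rpmvercmp(ver, fixed[name][0]) or rpmvercmp(rel, fixed[name][1])
            if rc < 0: out.append(name)
    return out

# Constructed sample of `rpm -qa 'sssd*'` output; not from a real host.
SAMPLE_INSTALLED = ["sssd-common-pac-1.12.2-58.el7_1.18.x86_64",  # older: still affected
                    "sssd-1.13.0-40.el7.x86_64",                  # exactly the fixed build
                    "sssd-krb5-1.13.0-41.el7_2.1.x86_64"]         # newer build: fine
```

On a real host, feed the output of `rpm -qa 'sssd*' 'libsss*' 'libipa_hbac*'` to unpatched() with the full package list from the advisory.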

- Scientific Linux Development Team
