Synopsis: Low: sssd security, bug fix, and enhancement update
Advisory ID: SLSA-2015:2355-1
Issue Date: 2015-11-19
CVE Numbers: CVE-2015-5292
--

It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version.

* SSSD smart card support
* Cache authentication in SSSD
* SSSD supports overriding the automatically discovered AD site
* SSSD can now deny SSH access to locked accounts
* SSSD enables UID and GID mapping on individual clients
* Background refresh of cached entries
* Multi-step prompting for one-time and long-term passwords
* Caching for initgroups operations

Bugs fixed:

* When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error.
* If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient number of inodes.
* The SRV queries used a hard-coded TTL timeout, so environments that wanted the SRV queries to be valid only for a certain time were blocked. Now, SSSD parses the TTL value out of the DNS packet.
* Previously, the initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with an AD back end and disabled ID mapping.
* When an IdM client with Scientific Linux 7.1 or later connected to a server with Scientific Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly.
* If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access.
* The array of SIDs no longer contains an uninitialized value, and SSSD no longer crashes.
* SSSD supports GPOs from different domain controllers and no longer crashes when processing them.
* SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name.
* The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side.
* The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process.
* Now, default_domain_suffix is no longer considered for autofs maps.
* The user can set subdomain_inherit=ignore_group_members to disable fetching group members for trusted domains.
* The group resolution failed with the error message "Error: 14 (Bad address)". The binary GUID handling has been fixed.

Enhancements added:

* The description of default_domain_suffix has been improved in the manual pages.
* With the new "%0" template option, users on SSSD IdM clients can now use home directories set on AD.
--
SL7 x86_64
libipa_hbac-1.13.0-40.el7.i686.rpm
libipa_hbac-1.13.0-40.el7.x86_64.rpm
libsss_idmap-1.13.0-40.el7.i686.rpm
libsss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
python-sss-1.13.0-40.el7.x86_64.rpm
python-sss-murmur-1.13.0-40.el7.x86_64.rpm
sssd-1.13.0-40.el7.x86_64.rpm
sssd-ad-1.13.0-40.el7.x86_64.rpm
sssd-client-1.13.0-40.el7.i686.rpm
sssd-client-1.13.0-40.el7.x86_64.rpm
sssd-common-1.13.0-40.el7.i686.rpm
sssd-common-1.13.0-40.el7.x86_64.rpm
sssd-common-pac-1.13.0-40.el7.x86_64.rpm
sssd-dbus-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-ipa-1.13.0-40.el7.x86_64.rpm
sssd-krb5-1.13.0-40.el7.x86_64.rpm
sssd-krb5-common-1.13.0-40.el7.i686.rpm
sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
sssd-ldap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
sssd-proxy-1.13.0-40.el7.x86_64.rpm
sssd-tools-1.13.0-40.el7.x86_64.rpm
libipa_hbac-devel-1.13.0-40.el7.i686.rpm
libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
libsss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-1.13.0-40.el7.i686.rpm
libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm
noarch
python-sssdconfig-1.13.0-40.el7.noarch.rpm

- Scientific Linux Development Team
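Added example, not part of the advisory: a small POSIX sh check that tells whether a host carries the fixed sssd-common-pac build (1.13.0-40.el7) and whether the PAC responder is actually enabled in the [sssd] services line. It assumes the standard /etc/sssd/sssd.conf layout and GNU sort -V for version ordering; the constructed sample configs in the test are not from the advisory.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling). Fixed build from the
# advisory's package list; sort -V approximates rpm's own version compare
# (assumption: adequate for the simple VERSION-RELEASE strings used here).
FIXED_VR="1.13.0-40.el7"

# vr_at_least INSTALLED FIXED -> exit 0 if INSTALLED >= FIXED
vr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# pac_responder_enabled CONF -> exit 0 if "pac" is listed in the
# services line of the [sssd] section (assumed sssd.conf layout).
pac_responder_enabled() {
    [ -r "$1" ] || return 1
    awk -v found=1 '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && $1 ~ /^services/ {
            sub(/^[^=]*=/, ""); gsub(/ /, "")
            n = split($0, s, ",")
            for (i = 1; i <= n; i++) if (s[i] == "pac") found = 0
        }
        END { exit found }' "$1"
}

main() {
    # rpm may be absent or the package not installed: neither is a failure,
    # it simply means the PAC responder plug-in is not on this host.
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' sssd-common-pac 2>/dev/null) || {
        echo "sssd-common-pac not installed: PAC responder plug-in not present"
        return 0
    }
    if vr_at_least "$installed" "$FIXED_VR"; then
        echo "sssd-common-pac $installed >= $FIXED_VR: CVE-2015-5292 fix present"
    else
        echo "sssd-common-pac $installed < $FIXED_VR: update needed"
    fi
    if pac_responder_enabled /etc/sssd/sssd.conf; then
        echo "pac responder enabled in /etc/sssd/sssd.conf"
    fi
}

main "$@"
```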