ELSA-2013-0508

ULN >
Oracle Linux Errata repository >
ELSA-2013-0508

ELSA-2013-0508 - sssd security, bug fix and enhancement update

Type:	SECURITY
Severity:	LOW
Release Date:	2013-02-27

Description

[1.9.2-82]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed
database update

[1.9.2-81]
- Resolves: rhbz#903078 - TOCTOU race conditions by copying
and removing directory trees

[1.9.2-80]
- Resolves: rhbz#903078 - Out-of-bounds read flaws in
autofs and ssh services responders

[1.9.2-79]
- Resolves: rhbz#902716 - Rule mismatch isn't noticed before smart refresh
on ppc64 and s390x

[1.9.2-78]
- Resolves: rhbz#896476 - SSSD should warn when pam_pwd_expiration_warning
value is higher than passwordWarning LDAP attribute.

[1.9.2-77]
- Resolves: rhbz#902436 - possible segfault when backend callback is removed

[1.9.2-76]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache

[1.9.2-75]
- Resolves: rhbz#894302 - sssd fails to update to changes on autofs maps

[1.9.2-74]
- Resolves: rhbz894381 - memory cache is not updated after user is deleted
from ldb cache

[1.9.2-73]
- Resolves: rhbz895615 - ipa-client-automount: autofs failed in s390x and
ppc64 platform

[1.9.2-72]
- Resolves: rhbz#894997 - sssd_be crashes looking up members with groups
outside the nesting limit

[1.9.2-71]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache

[1.9.2-70]
- Resolves: rhbz#894428 - wrong filter for autofs maps in sss_cache

[1.9.2-69]
- Resolves: rhbz#894738 - Failover to ldap_chpass_backup_uri doesn't work

[1.9.2-68]
- Resolves: rhbz#887961 - AD provider: getgrgid removes nested group
memberships

[1.9.2-67]
- Resolves: rhbz#878583 - IPA Trust does not show secondary groups for AD
Users for commands like id and getent

[1.9.2-66]
- Resolves: rhbz#874579 - sssd caching not working as expected for selinux
usermap contexts

[1.9.2-65]
- Resolves: rhbz#892197 - Incorrect principal searched for in keytab

[1.9.2-64]
- Resolves: rhbz#891356 - Smart refresh doesn't notice 'defaults' addition
with OpenLDAP

[1.9.2-63]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache

[1.9.2-62]
- Resolves: rhbz#886848 - user id lookup fails for case sensitive users
using proxy provider

[1.9.2-61]
- Resolves: rhbz#890520 - Failover to krb5_backup_kpasswd doesn't work

[1.9.2-60]
- Resolves: rhbz#874618 - sss_cache: fqdn not accepted

[1.9.2-59]
- Resolves: rhbz#889182 - crash in memory cache

[1.9.2-58]
- Resolves: rhbz#889168 - krb5 ticket renewal does not read the renewable
tickets from cache

[1.9.2-57]
- Resolves: rhbz#886091 - Disallow root SSH public key authentication
- Add default section to switch statement (Related: rhbz#884666)

[1.9.2-56]
- Resolves: rhbz#886038 - sssd components seem to mishandle sighup

[1.9.2-55]
- Resolves: rhbz#888800 - Memory leak in new memcache initgr cleanup function

[1.9.2-54]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed database
update

[1.9.2-53]
- Resolves: rhbz#885078 - sssd_nss crashes during enumeration if the
enumeration is taking too long

[1.9.2-52]
- Related: rhbz#875851 - sysdb upgrade failed converting db to 0.11
- Include more debugging during the sysdb upgrade

[1.9.2-51]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-50]
- Resolves: rhbz#870045 - always reread the master map from LDAP
- Resolves: rhbz#876531 - sss_cache does not work for automount maps

[1.9.2-49]
- Resolves: rhbz#884666 - sudo: if first full refresh fails, schedule
another first full refresh

[1.9.2-48]
- Resolves: rhbz#880956 - Primary server status is not always reset after
failover to backup server happened
- Silence a compilation warning in the memberof plugin (Related: rhbz#877974)
- Do not steal resolv result on error (Related: rhbz#882076)

[1.9.2-47]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider

[1.9.2-46]
- Resolves: rhbz#884600 - ldap_chpass_uri failover fails on using same
hostname

[1.9.2-45]
- Resolves: rhbz#858345 - pam_sss(crond:account): Request to sssd
failed. Timer expired

[1.9.2-44]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache

[1.9.2-43]
- Resolves: rhbz#880176 - memberUid required for primary groups to match
sudo rule

[1.9.2-42]
- Resolves: rhbz#885105 - sudo denies access with disabled
ldap_sudo_use_host_filter

[1.9.2-41]
- Resolves: rhbz#883408 - Option ldap_sudo_include_regexp named incorrectly

[1.9.2-40]
- Resolves: rhbz#880546 - krb5_kpasswd failover doesn't work
- Fix the error handler in sss_mc_create_file (Related: #789507)

[1.9.2-39]
- Resolves: rhbz#882221 - Offline sudo denies access with expired
entry_cache_timeout
- Fix several bugs found by Coverity and clang:
- Check the return value of diff_gid_lists (Related: #869071)
- Move misplaced sysdb assignment (Related: #827606)
- Remove dead assignment (Related: #827606)
- Fix copy-n-paste error in the memberof plugin (Related: #877974)

[1.9.2-38]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider
- Link sss_ssh_authorizedkeys and sss_ssh_knowhostsproxy with the client
libraries (Related: #870060)
- Move sss_ssh_knownhosts documentation to the correct section
(Related: #870060)

[1.9.2-37]
- Resolves: rhbz#884480 - user is not removed from group membership during
initgroups
- Fix incorrect synchronization in mmap cache (Related: #789507)

[1.9.2-36]
- Resolves: rhbz#883336 - sssd crashes during start if id_provider is
not mentioned

[1.9.2-35]
- Resolves: rhbz#882290 - arithmetic bug in the SSSD causes netgroup
midpoint refresh to be always set to 10 seconds

[1.9.2-34]
- Resolves: rhbz#877974 - updating top-level group does not reflect ghost
members correctly
- Resolves: rhbz#880159 - delete operation is not implemented for ghost users

[1.9.2-33]
- Resolves: rhbz#881773 - mmap cache needs update after db changes

[1.9.2-32]
- Resolves: rhbz#875677 - password expiry warning message doesn't appear
during auth
- Fix potential NULL dereference when skipping built-in AD groups
(Related: rhbz#874616)
- Add missing parameter to DEBUG message (Related: rhbz#829742)

[1.9.2-31]
- Resolves: rhbz#882076 - SSSD crashes when c-ares returns success but an
empty hostent during the DNS update
- Do not version libsss_sudo, it's not supposed to be linked against, but
dlopened (Related: rhbz#761573)

[1.9.2-30]
- Resolves: rhbz#880140 - sssd hangs at startup with broken configurations

[1.9.2-29]
- Resolves: rhbz#878420 - SIGSEGV in IPA provider when ldap_sasl_authid is not set

[1.9.2-28]
- Resolves: rhbz#874616 - Silence the DEBUG messages when ID mapping code
skips a built-in group

[1.9.2-27]
- Resolves: rhbz#824244 - sssd does not warn into sssd.log for broken
configurations

[1.9.2-26]
- Resolves: rhbz#874673 - user id lookup fails using proxy provider
- Fix a possibly uninitialized variable in the LDAP provider
- Related: rhbz#877130

[1.9.2-25]
- Resolves: rhbz#878262 - ipa password auth failing for user principal
name when shorter than IPA Realm name
- Resolves: rhbz#871843 - Nested groups are not retrieved appropriately
from cache

[1.9.2-24]
- Resolves: rhbz#870238 - IPA client cannot change AD Trusted User password

[1.9.2-23]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-22]
- Resolves: rhbz#861075 - SSSD_NSS failure to gracefully restart
after sbus failure

[1.9.2-21]
- Resolves: rhbz#877354 - ldap_connection_expire_timeout doesn't expire
ldap connections

[1.9.2-20]
- Related: rhbz#877126 - Bump the release tag

[1.9.2-20]
- Resolves: rhbz#877126 - subdomains code does not save the proper
user/group name

[1.9.2-19]
- Resolves: rhbz#877130 - LDAP provider fails to save empty groups
- Related: rhbz#869466 - check the return value of waitpid()

[1.9.2-18]
- Resolves: rhbz#870039 - sss_cache says 'Wrong DB version'

[1.9.2-17]
- Resolves: rhbz#875740 - 'defaults' entry ignored

[1.9.2-16]
- Resolves: rhbz#875738 - offline authentication failure always returns
System Error

[1.9.2-15]
- Resolves: rhbz#875851 - sysdb upgrade failed converting db to 0.11

[1.9.2-14]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place

[1.9.2-13]
- Resolves: rhbz#871160 - sudo failing for ad trusted user in IPA environment

[1.9.2-12]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place

[1.9.2-11]
- Resolves: rhbz#869678 - sssd not granting access for AD trusted user in HBAC rule

[1.9.2-10]
- Resolves: rhbz#872180 - subdomains: Invalid sub-domain request type
- Related: rhbz#867933 - invalidating the memcache with sss_cache doesn't work
if the sssd is not running

[1.9.2-9]
- Resolves: rhbz#873988 - Man page issue to list 'force_timeout' as an
option for the [sssd] section

[1.9.2-8]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage

[1.9.2-7]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage
- Resolves: rhbz#829740 - Init script reports complete before sssd is actually
working
- Resolves: rhbz#869466 - SSSD starts multiple processes due to syntax error in
ldap_uri
- Resolves: rhbz#870505 - sss_cache: Multiple domains not handled properly
- Resolves: rhbz#867933 - invalidating the memcache with sss_cache doesn't work
if the sssd is not running
- Resolves: rhbz#872110 - User appears twice on looking up a nested group

[1.9.2-6]
- Resolves: rhbz#871576 - sssd does not resolve group names from AD
- Resolves: rhbz#872324 - pam: fd leak when writing the selinux login file
in the pam responder
- Resolves: rhbz#871424 - authconfig chokes on sssd.conf with chpass_provider
directive

[1.9.2-5]
- Do not send SIGKILL to service right after sending SIGTERM
- Resolves: #771975
- Fix the initial sudo smart refresh
- Resolves: #869013
- Implement password authentication for users from trusted domains
- Resolves: #869071
- LDAP child crashed with a wrong keytab
- Resolves: #869150
- The sssd_nss process grows the memory consumption over time
- Resolves: #869443

[1.9.2-4]
- BuildRequire selinux-policy so that selinux login support is built in
- Resolves: #867932

[1.9.2-3]
- Do not segfault if namingContexts contain no values or multiple values
- Resolves: rhbz#866542

[1.9.2-2]
- Fix the 'ca' translation of the sssd-simple manual page
- Related: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.2-1]
- New upstream release 1.9.2

[1.9.1-1]
- Rebase to 1.9.1

[1.9.0-3]
- Require the latest libldb

[1.9.0-2]
- Rebase to 1.9.0
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.0-1.rc1]
- Rebase to 1.9.0 RC1
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
- Bump the selinux-policy version number to pull in required fixes

[1.8.0-33]
- Resolves: rhbz#840089 - Update the shadowLastChange attribute
with days since the Epoch, not seconds

Related CVEs

CVE-2013-0219

CVE-2013-0220

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory

Oracle Linux 6 (i386)	sssd-1.9.2-82.el6.src.rpm	dd6b563f69565015420f0ebd43c1a1d4	ELBA-2020-5921
	libipa_hbac-1.9.2-82.el6.i686.rpm	a2c9fbd78d636430bdc25a8c908b313d	ELBA-2020-5921
	libipa_hbac-devel-1.9.2-82.el6.i686.rpm	c03d8e774fffda24872595f7104f2c67	ELBA-2020-5921
	libipa_hbac-python-1.9.2-82.el6.i686.rpm	c1657239831346231d0535e7c8e2462a	ELBA-2016-0474
	libsss_autofs-1.9.2-82.el6.i686.rpm	eb3a41e2193cc302345e6a09b1da0f94	ELBA-2014-0005
	libsss_idmap-1.9.2-82.el6.i686.rpm	30e27648ee115074bf50a93de45d716f	ELBA-2020-5921
	libsss_idmap-devel-1.9.2-82.el6.i686.rpm	409f0cc9273a56f01b6334f93fa688cd	ELBA-2020-5921
	libsss_sudo-1.9.2-82.el6.i686.rpm	b7ed7bc63f098281b6d2d12f3b4477be	ELBA-2014-0005
	libsss_sudo-devel-1.9.2-82.el6.i686.rpm	c97daad7acbb701c0dcd66c0bf0f7b58	ELBA-2014-0005
	sssd-1.9.2-82.el6.i686.rpm	f9a503b18a460d1300237e353baf7b8c	ELBA-2020-5921
	sssd-client-1.9.2-82.el6.i686.rpm	3baa1e9ef10d6124d1636e03a4a3c90c	ELBA-2020-5921
	sssd-tools-1.9.2-82.el6.i686.rpm	66aae151fa7e96be7a7d2e4c40b858ea	ELBA-2020-5921

Oracle Linux 6 (x86_64)	sssd-1.9.2-82.el6.src.rpm	dd6b563f69565015420f0ebd43c1a1d4	ELBA-2020-5921
	libipa_hbac-1.9.2-82.el6.i686.rpm	a2c9fbd78d636430bdc25a8c908b313d	ELBA-2020-5921
	libipa_hbac-1.9.2-82.el6.x86_64.rpm	d489e3415de8924dc77090433f73d646	ELBA-2020-5921
	libipa_hbac-devel-1.9.2-82.el6.i686.rpm	c03d8e774fffda24872595f7104f2c67	ELBA-2020-5921
	libipa_hbac-devel-1.9.2-82.el6.x86_64.rpm	e0ec8b4cdcec7c6f783a83c2cd1ec019	ELBA-2020-5921
	libipa_hbac-python-1.9.2-82.el6.x86_64.rpm	48cce8d3a65d774f2016f8cb1bea57ca	ELBA-2016-0474
	libsss_autofs-1.9.2-82.el6.x86_64.rpm	838e44aa5021681a25d74f567ffc1cab	ELBA-2014-0005
	libsss_idmap-1.9.2-82.el6.i686.rpm	30e27648ee115074bf50a93de45d716f	ELBA-2020-5921
	libsss_idmap-1.9.2-82.el6.x86_64.rpm	9758bcfb69a72791f507b2afcfe070be	ELBA-2020-5921
	libsss_idmap-devel-1.9.2-82.el6.i686.rpm	409f0cc9273a56f01b6334f93fa688cd	ELBA-2020-5921
	libsss_idmap-devel-1.9.2-82.el6.x86_64.rpm	7035c9e5570aef98e55e5bc2b109bcb9	ELBA-2020-5921
	libsss_sudo-1.9.2-82.el6.i686.rpm	b7ed7bc63f098281b6d2d12f3b4477be	ELBA-2014-0005
	libsss_sudo-1.9.2-82.el6.x86_64.rpm	ceb0efd91b70150ce352bf9ca478c7a4	ELBA-2014-0005
	libsss_sudo-devel-1.9.2-82.el6.i686.rpm	c97daad7acbb701c0dcd66c0bf0f7b58	ELBA-2014-0005
	libsss_sudo-devel-1.9.2-82.el6.x86_64.rpm	8baa8344c63567799ff35611a4a8bada	ELBA-2014-0005
	sssd-1.9.2-82.el6.x86_64.rpm	b56a4821146db33e9aebe39082c3b980	ELBA-2020-5921
	sssd-client-1.9.2-82.el6.i686.rpm	3baa1e9ef10d6124d1636e03a4a3c90c	ELBA-2020-5921
	sssd-client-1.9.2-82.el6.x86_64.rpm	247fdf2254cafcc8444a469df3ed6b08	ELBA-2020-5921
	sssd-tools-1.9.2-82.el6.x86_64.rpm	08cdd89c049a7fe05e2f97d9d4662fde	ELBA-2020-5921

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691