ELSA-2015-2355
- ULN >
- Oracle Linux Errata repository >
- ELSA-2015-2355
ELSA-2015-2355 - sssd security, bug fix, and enhancement update
| Type: | SECURITY |
| Severity: | LOW |
| Release Date: | 2015-11-24 |
Description
[1.13.0-40]
- Resolves: rhbz#1270827 - local overrides: don't contact server with
overridden name/id
[1.13.0-39]
- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
[1.13.0-38]
- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.
[1.13.0-37]
- Resolves: rhbz#1267836 - PAM responder crashed if user was not set
[1.13.0-36]
- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on
uninitialised value
[1.13.0-35]
- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA
subdomain code
[1.13.0-34]
- Fix a Coverity warning in dyndns code
- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead
of processing other commands
[1.13.0-33]
- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead
of processing other commands
[1.13.0-32]
- Resolves: rhbz#1263735 - Could not resolve AD user from root domain
[1.13.0-31]
- Remove -d from sss_override manpage
- Related: rhbz#1259512 - sss_override : The local override user is not found
[1.13.0-30]
- Patches required for better handling of failover with one-way trusts
- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain
code
[1.13.0-29]
- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307
and ghost users
[1.13.0-28]
- Resolves: rhbz#1259512 - sss_override : The local override user is not found
[1.13.0-27]
- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code
[1.13.0-26]
- Resolves: rhbz#1256398 - sssd cannot resolve user names containing
backslash with ldap provider
[1.13.0-25]
- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug
but is not listed in the man page or in
the arguments help
[1.13.0-24]
- Resolves: rhbz#1254518 - Fix crash in nss responder
[1.13.0-23]
- Support import/export for local overrides
- Support FQDNs for local overrides
- Resolves: rhbz#1254184 - sss_override does not work correctly when
'use_fully_qualified_names = True'
[1.13.0-22]
- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to
other cache attributes
[1.13.0-21]
- Resolves: rhbz#1250415 - sssd: p11_child hardening
[1.13.0-20]
- Related: rhbz#1250135 - Detect re-established trusts in the IPA
subdomain code
[1.13.0-19]
- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC
identity certificates
[1.13.0-18]
- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected
[1.13.0-17]
- Fix wildcard_limit=0
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
[1.13.0-16]
- Fix race condition in invalidating the memory cache
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
[1.13.0-15]
- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo
enabled
[1.13.0-14]
- Bump release number
- Related: rhbz#1246489 - sss_obfuscate fails with 'ImportError: No module
named pysss'
[1.13.0-13]
- Fix missing dependency of sssd-tools
- Resolves: rhbz#1246489 - sss_obfuscate fails with 'ImportError: No module
named pysss'
[1.13.0-12]
- More memory cache related fixes
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
[1.13.0-11]
- Remove binary blob from SC patches as patch(1) can't handle those
- Related: rhbz#854396 - [RFE] Support for smart cards
[1.13.0-10]
- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client
prevents getpw*
[1.13.0-9]
- Fix memory cache integration tests
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
- Resolves: rhbz#854396 - [RFE] Support for smart cards
[1.13.0-8]
- Remove OTP from PAM stack correctly
- Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when
user logs in with password and token code from IPA
- Handle sssd-owned keytabs when sssd runs as root
- Related: rhbz#1205144 - RFE: Support one-way trusts for IPA
[1.13.0-7]
- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients
[1.13.0-6]
- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support
- Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant
v6 in ipa domain
[1.13.0-5]
- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes
[1.13.0-4]
- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2
[1.13.0-3]
- Add support for InfoPipe wildcard requests
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
[1.13.0-2]
- Also package the initgr memcache
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
[1.13.0-1]
- Rebase to 1.13.0 upstream
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
[1.13.0.3alpha]
- Don't default to SSSD user
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
[1.13.0.2alpha]
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- GPO default should be permissve
[1.13.0.1alpha]
- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x
- Relax the libldb requirement
- Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in
libtevent.so.0.9.21
- Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to
binary SIDs
- Resolves: rhbz#1219285 - Unable to resolve group memberships for AD
users when using sssd-1.12.2-58.el7_1.6.x86_64
client in combination with
ipa-server-3.0.0-42.el6.x86_64 with AD Trust
- Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers
- Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains
- Resolves: rhbz#1217127 - Override for IPA users with login does not list
user all groups
- Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix
and use_fully_qualified_names set
- Resolves: rhbz#1214719 - Group resolution is inconsistent with group
overrides
- Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers
group membership resolution
- Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name
does not work
- Resolves: rhbz#1214337 - Overrides with --login work in second attempt
- Resolves: rhbz#1212489 - Disable the cleanup task by default
- Resolves: rhbz#1211830 - external users do not resolve with
'default_domain_suffix' set in IPA server sssd.conf
- Resolves: rhbz#1210854 - Only set the selinux context if the context
differs from the local one
- Resolves: rhbz#1209483 - When using id_provider=proxy with
auth_provider=ldap, it does not work as expected
- Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management
Editor naming for some policies but not for all
- Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
- Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if
the IPA domain differs from machine hostname's
domain
- Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix
when checking for host keys
- Resolves: rhbz#1204203 - sssd crashes intermittently
- Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because
sss is written in nsswitch.conf as default
- Resolves: rhbz#1203642 - GPO access control looks for computer object
in user's domain only
- Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough
with broken replication entries
- Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by
UPN and doesn't find anything
- Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when
user logs in with password and token code from IPA
- Resolves: rhbz#1199541 - Read and use the TTL value when resolving a
SRV query
- Resolves: rhbz#1199533 - [RFE] Implement background refresh for users,
groups or other cache objects
- Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute
for group name?
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error
- Resolves: rhbz#1187103 - [RFE] User's home directories are not taken
from AD when there is an IPA trust with AD
- Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set
to AD domain, IPA user are not able to log unless
use_fully_qualified_names is set
- Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when
account naturally expires
- Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option:
kerberos discovery is not using this option
- Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due
to missing or invalid keytab
[1.12.2-61]
- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID
[1.12.2-60]
- Filter out domain-local groups during AD initgroups operation
- Related: rhbz#1201840 - SSSD downloads too much information when fetching
information about groups
[1.12.2-59]
- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching
information about groups
Related CVEs
| CVE-2015-5292 |
Updated Packages
| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
| Oracle Linux 7 (x86_64) | sssd-1.13.0-40.el7.src.rpm | f5931e39b694ac6bdf077275ddc969cb | ELBA-2021-0341 |
| libipa_hbac-1.13.0-40.el7.i686.rpm | 01d4f3b3c545745d69c28fddf7f36d01 | ELBA-2021-0341 | |
| libipa_hbac-1.13.0-40.el7.x86_64.rpm | 94590b08d5792c54bb77585dd3651eab | ELBA-2021-0341 | |
| libipa_hbac-devel-1.13.0-40.el7.i686.rpm | a1f2eb0c88a025353fbe1833c02187ea | ELBA-2021-0341 | |
| libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm | a7c98c785ac847f426f0dd7c365037a7 | ELBA-2021-0341 | |
| libsss_idmap-1.13.0-40.el7.i686.rpm | d955b0a5987668f6c0de2eb1bdcea0ca | ELBA-2021-0341 | |
| libsss_idmap-1.13.0-40.el7.x86_64.rpm | 3e819a0513507db19c4b85e63e2044db | ELBA-2021-0341 | |
| libsss_idmap-devel-1.13.0-40.el7.i686.rpm | 64961e32dcf861ccc4ca6e6ccc9add62 | ELBA-2021-0341 | |
| libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm | 119f8489cb0529cd82d685650fae2a1c | ELBA-2021-0341 | |
| libsss_nss_idmap-1.13.0-40.el7.i686.rpm | 4110d1d20931cdf43c3f90b4635038e0 | ELBA-2021-0341 | |
| libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm | 484a0b1a9de77d919ce7369390297783 | ELBA-2021-0341 | |
| libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm | 27bb13bcecc8ee81ded2b48f001b24ec | ELBA-2021-0341 | |
| libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm | 32a755c66b85e4bfebfa152d1895355c | ELBA-2021-0341 | |
| libsss_simpleifp-1.13.0-40.el7.i686.rpm | eb171b206b41a2d9f35eea4cc74bb848 | ELBA-2021-0341 | |
| libsss_simpleifp-1.13.0-40.el7.x86_64.rpm | ad33197c436b1fa61aa4da3d08a33614 | ELBA-2021-0341 | |
| libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm | 6d1d8b17669d29d1c2dee058a3ad8382 | ELBA-2021-0341 | |
| libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm | 3029b63fba74e11a760402e143ca0282 | ELBA-2021-0341 | |
| python-libipa_hbac-1.13.0-40.el7.x86_64.rpm | 9e9ff90abaf0527a622162dd06fbd1da | ELBA-2021-0341 | |
| python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm | ee85e471a5b3cc99b2b7ebaf309fdfc5 | ELBA-2021-0341 | |
| python-sss-1.13.0-40.el7.x86_64.rpm | cff2532cb4dd794f1621e5b216385380 | ELBA-2021-0341 | |
| python-sss-murmur-1.13.0-40.el7.x86_64.rpm | d8f2b7a15503e2429889cde39b8d1447 | ELBA-2021-0341 | |
| python-sssdconfig-1.13.0-40.el7.noarch.rpm | 3036935fc7902bfa865557ef9a33e644 | ELBA-2021-0341 | |
| sssd-1.13.0-40.el7.x86_64.rpm | c247c70564d358f751da91d1c209fa13 | ELBA-2021-0341 | |
| sssd-ad-1.13.0-40.el7.x86_64.rpm | 7011c3bf13202facc477738334cb1580 | ELBA-2021-0341 | |
| sssd-client-1.13.0-40.el7.i686.rpm | 63712dee62ccf3463fbd331c3e764046 | ELBA-2021-0341 | |
| sssd-client-1.13.0-40.el7.x86_64.rpm | 5ad69b2e7bf5131a8ab442e27aa518b8 | ELBA-2021-0341 | |
| sssd-common-1.13.0-40.el7.i686.rpm | 8ca43d656c180be1fad81241df2c220a | ELBA-2021-0341 | |
| sssd-common-1.13.0-40.el7.x86_64.rpm | 7e7f52aa7a4018fd6a25f0bfcdc39315 | ELBA-2021-0341 | |
| sssd-common-pac-1.13.0-40.el7.x86_64.rpm | c2d28cd0710112955a8d5cfdca7b433a | ELBA-2021-0341 | |
| sssd-dbus-1.13.0-40.el7.x86_64.rpm | ccc7378533dd5666fee38eda754d0744 | ELBA-2021-0341 | |
| sssd-ipa-1.13.0-40.el7.x86_64.rpm | b25c1cfd423118be7191fee2732c490a | ELBA-2021-0341 | |
| sssd-krb5-1.13.0-40.el7.x86_64.rpm | 3bd408d307de69ae105284ed4847b065 | ELBA-2021-0341 | |
| sssd-krb5-common-1.13.0-40.el7.i686.rpm | 6c1c4edcd4bdd3cad8d0e0545e2809a9 | ELBA-2021-0341 | |
| sssd-krb5-common-1.13.0-40.el7.x86_64.rpm | dced64839d9e388b9c9eac46f1474abc | ELBA-2021-0341 | |
| sssd-ldap-1.13.0-40.el7.x86_64.rpm | 2436703418ca1ce7aade5e175e455f47 | ELBA-2021-0341 | |
| sssd-libwbclient-1.13.0-40.el7.x86_64.rpm | 8baf0cc359f448e1aac31723be60f06c | ELBA-2021-0341 | |
| sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm | 0b40aa40d52157b17d3cb00dfd22dd47 | ELBA-2021-0341 | |
| sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm | 54adcb89ce9b7d55ebc810ed15aa77ea | ELBA-2021-0341 | |
| sssd-proxy-1.13.0-40.el7.x86_64.rpm | 05eb2c8b55f43fd9fbd686e4d5e74964 | ELBA-2021-0341 | |
| sssd-tools-1.13.0-40.el7.x86_64.rpm | a52c51973bd791265e93351ca1ddc122 | ELBA-2021-0341 | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
