ELSA-2013-0508

ELSA-2013-0508 - sssd security, bug fix and enhancement update

Type:SECURITY
Severity:LOW
Release Date:2013-02-27

Description


[1.9.2-82]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed
database update

[1.9.2-81]
- Resolves: rhbz#903078 - TOCTOU race conditions by copying
and removing directory trees

[1.9.2-80]
- Resolves: rhbz#903078 - Out-of-bounds read flaws in
autofs and ssh services responders

[1.9.2-79]
- Resolves: rhbz#902716 - Rule mismatch isn't noticed before smart refresh
on ppc64 and s390x

[1.9.2-78]
- Resolves: rhbz#896476 - SSSD should warn when pam_pwd_expiration_warning
value is higher than passwordWarning LDAP attribute.

[1.9.2-77]
- Resolves: rhbz#902436 - possible segfault when backend callback is removed

[1.9.2-76]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache

[1.9.2-75]
- Resolves: rhbz#894302 - sssd fails to update to changes on autofs maps

[1.9.2-74]
- Resolves: rhbz894381 - memory cache is not updated after user is deleted
from ldb cache

[1.9.2-73]
- Resolves: rhbz895615 - ipa-client-automount: autofs failed in s390x and
ppc64 platform

[1.9.2-72]
- Resolves: rhbz#894997 - sssd_be crashes looking up members with groups
outside the nesting limit

[1.9.2-71]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache

[1.9.2-70]
- Resolves: rhbz#894428 - wrong filter for autofs maps in sss_cache

[1.9.2-69]
- Resolves: rhbz#894738 - Failover to ldap_chpass_backup_uri doesn't work

[1.9.2-68]
- Resolves: rhbz#887961 - AD provider: getgrgid removes nested group
memberships

[1.9.2-67]
- Resolves: rhbz#878583 - IPA Trust does not show secondary groups for AD
Users for commands like id and getent

[1.9.2-66]
- Resolves: rhbz#874579 - sssd caching not working as expected for selinux
usermap contexts

[1.9.2-65]
- Resolves: rhbz#892197 - Incorrect principal searched for in keytab

[1.9.2-64]
- Resolves: rhbz#891356 - Smart refresh doesn't notice 'defaults' addition
with OpenLDAP

[1.9.2-63]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache

[1.9.2-62]
- Resolves: rhbz#886848 - user id lookup fails for case sensitive users
using proxy provider

[1.9.2-61]
- Resolves: rhbz#890520 - Failover to krb5_backup_kpasswd doesn't work

[1.9.2-60]
- Resolves: rhbz#874618 - sss_cache: fqdn not accepted

[1.9.2-59]
- Resolves: rhbz#889182 - crash in memory cache

[1.9.2-58]
- Resolves: rhbz#889168 - krb5 ticket renewal does not read the renewable
tickets from cache

[1.9.2-57]
- Resolves: rhbz#886091 - Disallow root SSH public key authentication
- Add default section to switch statement (Related: rhbz#884666)

[1.9.2-56]
- Resolves: rhbz#886038 - sssd components seem to mishandle sighup

[1.9.2-55]
- Resolves: rhbz#888800 - Memory leak in new memcache initgr cleanup function

[1.9.2-54]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed database
update

[1.9.2-53]
- Resolves: rhbz#885078 - sssd_nss crashes during enumeration if the
enumeration is taking too long

[1.9.2-52]
- Related: rhbz#875851 - sysdb upgrade failed converting db to 0.11
- Include more debugging during the sysdb upgrade

[1.9.2-51]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-50]
- Resolves: rhbz#870045 - always reread the master map from LDAP
- Resolves: rhbz#876531 - sss_cache does not work for automount maps

[1.9.2-49]
- Resolves: rhbz#884666 - sudo: if first full refresh fails, schedule
another first full refresh

[1.9.2-48]
- Resolves: rhbz#880956 - Primary server status is not always reset after
failover to backup server happened
- Silence a compilation warning in the memberof plugin (Related: rhbz#877974)
- Do not steal resolv result on error (Related: rhbz#882076)

[1.9.2-47]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider

[1.9.2-46]
- Resolves: rhbz#884600 - ldap_chpass_uri failover fails on using same
hostname

[1.9.2-45]
- Resolves: rhbz#858345 - pam_sss(crond:account): Request to sssd
failed. Timer expired

[1.9.2-44]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache

[1.9.2-43]
- Resolves: rhbz#880176 - memberUid required for primary groups to match
sudo rule

[1.9.2-42]
- Resolves: rhbz#885105 - sudo denies access with disabled
ldap_sudo_use_host_filter

[1.9.2-41]
- Resolves: rhbz#883408 - Option ldap_sudo_include_regexp named incorrectly

[1.9.2-40]
- Resolves: rhbz#880546 - krb5_kpasswd failover doesn't work
- Fix the error handler in sss_mc_create_file (Related: #789507)

[1.9.2-39]
- Resolves: rhbz#882221 - Offline sudo denies access with expired
entry_cache_timeout
- Fix several bugs found by Coverity and clang:
- Check the return value of diff_gid_lists (Related: #869071)
- Move misplaced sysdb assignment (Related: #827606)
- Remove dead assignment (Related: #827606)
- Fix copy-n-paste error in the memberof plugin (Related: #877974)

[1.9.2-38]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider
- Link sss_ssh_authorizedkeys and sss_ssh_knowhostsproxy with the client
libraries (Related: #870060)
- Move sss_ssh_knownhosts documentation to the correct section
(Related: #870060)

[1.9.2-37]
- Resolves: rhbz#884480 - user is not removed from group membership during
initgroups
- Fix incorrect synchronization in mmap cache (Related: #789507)

[1.9.2-36]
- Resolves: rhbz#883336 - sssd crashes during start if id_provider is
not mentioned

[1.9.2-35]
- Resolves: rhbz#882290 - arithmetic bug in the SSSD causes netgroup
midpoint refresh to be always set to 10 seconds

[1.9.2-34]
- Resolves: rhbz#877974 - updating top-level group does not reflect ghost
members correctly
- Resolves: rhbz#880159 - delete operation is not implemented for ghost users

[1.9.2-33]
- Resolves: rhbz#881773 - mmap cache needs update after db changes

[1.9.2-32]
- Resolves: rhbz#875677 - password expiry warning message doesn't appear
during auth
- Fix potential NULL dereference when skipping built-in AD groups
(Related: rhbz#874616)
- Add missing parameter to DEBUG message (Related: rhbz#829742)

[1.9.2-31]
- Resolves: rhbz#882076 - SSSD crashes when c-ares returns success but an
empty hostent during the DNS update
- Do not version libsss_sudo, it's not supposed to be linked against, but
dlopened (Related: rhbz#761573)

[1.9.2-30]
- Resolves: rhbz#880140 - sssd hangs at startup with broken configurations

[1.9.2-29]
- Resolves: rhbz#878420 - SIGSEGV in IPA provider when ldap_sasl_authid is not set

[1.9.2-28]
- Resolves: rhbz#874616 - Silence the DEBUG messages when ID mapping code
skips a built-in group

[1.9.2-27]
- Resolves: rhbz#824244 - sssd does not warn into sssd.log for broken
configurations

[1.9.2-26]
- Resolves: rhbz#874673 - user id lookup fails using proxy provider
- Fix a possibly uninitialized variable in the LDAP provider
- Related: rhbz#877130

[1.9.2-25]
- Resolves: rhbz#878262 - ipa password auth failing for user principal
name when shorter than IPA Realm name
- Resolves: rhbz#871843 - Nested groups are not retrieved appropriately
from cache

[1.9.2-24]
- Resolves: rhbz#870238 - IPA client cannot change AD Trusted User password

[1.9.2-23]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-22]
- Resolves: rhbz#861075 - SSSD_NSS failure to gracefully restart
after sbus failure

[1.9.2-21]
- Resolves: rhbz#877354 - ldap_connection_expire_timeout doesn't expire
ldap connections

[1.9.2-20]
- Related: rhbz#877126 - Bump the release tag

[1.9.2-20]
- Resolves: rhbz#877126 - subdomains code does not save the proper
user/group name

[1.9.2-19]
- Resolves: rhbz#877130 - LDAP provider fails to save empty groups
- Related: rhbz#869466 - check the return value of waitpid()

[1.9.2-18]
- Resolves: rhbz#870039 - sss_cache says 'Wrong DB version'

[1.9.2-17]
- Resolves: rhbz#875740 - 'defaults' entry ignored

[1.9.2-16]
- Resolves: rhbz#875738 - offline authentication failure always returns
System Error

[1.9.2-15]
- Resolves: rhbz#875851 - sysdb upgrade failed converting db to 0.11

[1.9.2-14]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place

[1.9.2-13]
- Resolves: rhbz#871160 - sudo failing for ad trusted user in IPA environment

[1.9.2-12]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place

[1.9.2-11]
- Resolves: rhbz#869678 - sssd not granting access for AD trusted user in HBAC rule

[1.9.2-10]
- Resolves: rhbz#872180 - subdomains: Invalid sub-domain request type
- Related: rhbz#867933 - invalidating the memcache with sss_cache doesn't work
if the sssd is not running

[1.9.2-9]
- Resolves: rhbz#873988 - Man page issue to list 'force_timeout' as an
option for the [sssd] section

[1.9.2-8]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage

[1.9.2-7]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage
- Resolves: rhbz#829740 - Init script reports complete before sssd is actually
working
- Resolves: rhbz#869466 - SSSD starts multiple processes due to syntax error in
ldap_uri
- Resolves: rhbz#870505 - sss_cache: Multiple domains not handled properly
- Resolves: rhbz#867933 - invalidating the memcache with sss_cache doesn't work
if the sssd is not running
- Resolves: rhbz#872110 - User appears twice on looking up a nested group

[1.9.2-6]
- Resolves: rhbz#871576 - sssd does not resolve group names from AD
- Resolves: rhbz#872324 - pam: fd leak when writing the selinux login file
in the pam responder
- Resolves: rhbz#871424 - authconfig chokes on sssd.conf with chpass_provider
directive

[1.9.2-5]
- Do not send SIGKILL to service right after sending SIGTERM
- Resolves: #771975
- Fix the initial sudo smart refresh
- Resolves: #869013
- Implement password authentication for users from trusted domains
- Resolves: #869071
- LDAP child crashed with a wrong keytab
- Resolves: #869150
- The sssd_nss process grows the memory consumption over time
- Resolves: #869443

[1.9.2-4]
- BuildRequire selinux-policy so that selinux login support is built in
- Resolves: #867932

[1.9.2-3]
- Do not segfault if namingContexts contain no values or multiple values
- Resolves: rhbz#866542

[1.9.2-2]
- Fix the 'ca' translation of the sssd-simple manual page
- Related: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.2-1]
- New upstream release 1.9.2

[1.9.1-1]
- Rebase to 1.9.1

[1.9.0-3]
- Require the latest libldb

[1.9.0-2]
- Rebase to 1.9.0
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.0-1.rc1]
- Rebase to 1.9.0 RC1
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
- Bump the selinux-policy version number to pull in required fixes

[1.8.0-33]
- Resolves: rhbz#840089 - Update the shadowLastChange attribute
with days since the Epoch, not seconds


Related CVEs


CVE-2013-0219
CVE-2013-0220

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 6 (i386) sssd-1.9.2-82.el6.src.rpmdd6b563f69565015420f0ebd43c1a1d4ELBA-2020-5921
libipa_hbac-1.9.2-82.el6.i686.rpma2c9fbd78d636430bdc25a8c908b313dELBA-2020-5921
libipa_hbac-devel-1.9.2-82.el6.i686.rpmc03d8e774fffda24872595f7104f2c67ELBA-2020-5921
libipa_hbac-python-1.9.2-82.el6.i686.rpmc1657239831346231d0535e7c8e2462aELBA-2016-0474
libsss_autofs-1.9.2-82.el6.i686.rpmeb3a41e2193cc302345e6a09b1da0f94ELBA-2014-0005
libsss_idmap-1.9.2-82.el6.i686.rpm30e27648ee115074bf50a93de45d716fELBA-2020-5921
libsss_idmap-devel-1.9.2-82.el6.i686.rpm409f0cc9273a56f01b6334f93fa688cdELBA-2020-5921
libsss_sudo-1.9.2-82.el6.i686.rpmb7ed7bc63f098281b6d2d12f3b4477beELBA-2014-0005
libsss_sudo-devel-1.9.2-82.el6.i686.rpmc97daad7acbb701c0dcd66c0bf0f7b58ELBA-2014-0005
sssd-1.9.2-82.el6.i686.rpmf9a503b18a460d1300237e353baf7b8cELBA-2020-5921
sssd-client-1.9.2-82.el6.i686.rpm3baa1e9ef10d6124d1636e03a4a3c90cELBA-2020-5921
sssd-tools-1.9.2-82.el6.i686.rpm66aae151fa7e96be7a7d2e4c40b858eaELBA-2020-5921
Oracle Linux 6 (x86_64) sssd-1.9.2-82.el6.src.rpmdd6b563f69565015420f0ebd43c1a1d4ELBA-2020-5921
libipa_hbac-1.9.2-82.el6.i686.rpma2c9fbd78d636430bdc25a8c908b313dELBA-2020-5921
libipa_hbac-1.9.2-82.el6.x86_64.rpmd489e3415de8924dc77090433f73d646ELBA-2020-5921
libipa_hbac-devel-1.9.2-82.el6.i686.rpmc03d8e774fffda24872595f7104f2c67ELBA-2020-5921
libipa_hbac-devel-1.9.2-82.el6.x86_64.rpme0ec8b4cdcec7c6f783a83c2cd1ec019ELBA-2020-5921
libipa_hbac-python-1.9.2-82.el6.x86_64.rpm48cce8d3a65d774f2016f8cb1bea57caELBA-2016-0474
libsss_autofs-1.9.2-82.el6.x86_64.rpm838e44aa5021681a25d74f567ffc1cabELBA-2014-0005
libsss_idmap-1.9.2-82.el6.i686.rpm30e27648ee115074bf50a93de45d716fELBA-2020-5921
libsss_idmap-1.9.2-82.el6.x86_64.rpm9758bcfb69a72791f507b2afcfe070beELBA-2020-5921
libsss_idmap-devel-1.9.2-82.el6.i686.rpm409f0cc9273a56f01b6334f93fa688cdELBA-2020-5921
libsss_idmap-devel-1.9.2-82.el6.x86_64.rpm7035c9e5570aef98e55e5bc2b109bcb9ELBA-2020-5921
libsss_sudo-1.9.2-82.el6.i686.rpmb7ed7bc63f098281b6d2d12f3b4477beELBA-2014-0005
libsss_sudo-1.9.2-82.el6.x86_64.rpmceb0efd91b70150ce352bf9ca478c7a4ELBA-2014-0005
libsss_sudo-devel-1.9.2-82.el6.i686.rpmc97daad7acbb701c0dcd66c0bf0f7b58ELBA-2014-0005
libsss_sudo-devel-1.9.2-82.el6.x86_64.rpm8baa8344c63567799ff35611a4a8badaELBA-2014-0005
sssd-1.9.2-82.el6.x86_64.rpmb56a4821146db33e9aebe39082c3b980ELBA-2020-5921
sssd-client-1.9.2-82.el6.i686.rpm3baa1e9ef10d6124d1636e03a4a3c90cELBA-2020-5921
sssd-client-1.9.2-82.el6.x86_64.rpm247fdf2254cafcc8444a469df3ed6b08ELBA-2020-5921
sssd-tools-1.9.2-82.el6.x86_64.rpm08cdd89c049a7fe05e2f97d9d4662fdeELBA-2020-5921



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete