1.162. sssd
1.162.1. RHSA-2011:0975: Low sssd security, bug fix, and enhancement update
Updated sssd packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is linked to from the security description below.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.
Important
This update was released as errata RHSA-2011:0975 – Low: sssd security, bug fix, and enhancement update.
Security fix:
A flaw was found in the SSSD PAM responder that could allow a local attacker to force SSSD to enter an infinite loop via a carefully-crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system. (CVE-2010-4341)
Red Hat would like to thank Sebastian Krahmer for reporting this issue.
Bug Fixes:
- BZ#675007 - While running the LDAP cache cleanup task, an issue with a corrupted group cache occurred, and the user was stripped of membership of every group except his primary group. This issue has been fixed and the aforementioned problem now no longer occurs.
- BZ#676027 - When the LDAP server defined in the first ldap_uri entry was unreachable, the login attempt to the system failed with a segmentation fault due to an issue in the failover processing. With this update, the segmentation fault no longer occurs if the first LDAP server cannot be reached.
- BZ#678412 - Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
- BZ#678778 - When performing an initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.
- BZ#691900 - Previously, when GECOS information (the comment field of an /etc/passwd entry) for a user was missing, SSSD did not look for this information in the cn attribute as it should have. SSSD now correctly falls back to the cn attribute for GECOS if the GECOS field is empty, making SSSD fully compliant with section 5.3 of RFC 2307.
- BZ#694149 - For large cache files, if a user was removed from a group in LDAP, memory allocation could grow exponentially while processing the removal from the cache, potentially resulting in an OOM (Out of Memory) situation. With this update, this issue has been fixed, and SSSD no longer allocates unnecessarily large amounts of memory when removing a user from a group in LDAP.
- BZ#707574 - When the first DNS server defined in the /etc/resolv.conf file was unreachable, SSSD failed to connect to any subsequent DNS server to resolve the SRV record. This caused SSSD to permanently operate in offline mode. This bug has been fixed and SSSD is now able to connect to an alternate server if the primary server is down.
- BZ#665314 - The following bugs have also been fixed:
  - Issues with LDAP search filters that require escaping.
  - Nested group issues with RFC2307bis LDAP servers without the memberOf plug-in.
  - Several thread-safety issues in the sss_client code.
Enhancements:
- BZ#665314 - The sssd package has been upgraded to upstream version 1.5.1, which provides a number of bug fixes and enhancements over the previous version. The following enhancements are the most significant:
  - Support for delayed online Kerberos authentication has been improved.
  - A Kerberos access provider that honors the .k5login authorization file has been added.
  - The verbosity of PAM_TEXT_INFO messages for cached credentials has been reduced.
  - Group support has been added to the simple access provider.
  - The time delay between connecting to a network or VPN and acquiring a TGT (Ticket Granting Ticket) has been significantly reduced.
  - A feature for automatic Kerberos ticket renewal has been added.
  - SSSD now provides a Kerberos ticket for long-lived processes or cron jobs even when the user logs out.
  - Several new features have been added to the LDAP access provider.
  - Support for shadow access control has been added.
  - Support for authorizedService access control has been added.
  - The ability to mix and match LDAP access control features has been added.
  - An option for a separate password-change LDAP server for platforms not supporting LDAP referrals has been added.
  - Support for manual page translations has been added.
  - Support for searching out and returning information about netgroups stored in LDAP has been added.
  - The performance of group processing for RFC2307 LDAP servers has been improved.
  - A new option, dns_discovery_domain, which allows for better configuration of SRV records for failover, has been added.
Users of SSSD should upgrade to these updated packages, which upgrade sssd to upstream version 1.5.1 to correct this issue, fix these bugs, and add these enhancements.
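The following POSIX shell script is an added example; it is not part of the errata or of the SSSD project. It serves two passages above: the security fix (it confirms that the installed sssd package is at least the 1.5.1 rebase this errata ships, which is how a RHEL 5 administrator would verify the CVE-2010-4341 fix is present) and the enhancements list (it writes a sample sssd.conf that exercises the 1.5.1 options named there: ldap_access_order chaining the filter, expire and authorized_service checks, ldap_account_expire_policy = shadow, simple_allow_groups, the krb5 access provider for ~/.k5login, ldap_chpass_uri, dns_discovery_domain and automatic ticket renewal). The domain EXAMPLE, realm EXAMPLE.COM, host names, search base, CA certificate path and group names are placeholders; the option names are taken from sssd.conf(5) and should be confirmed against the installed version.

```shell
#!/bin/sh
# Added example, not errata or SSSD project code. Verifies the RHSA-2011:0975
# rebase (sssd 1.5.1) is installed and writes a sample sssd.conf using the
# access-control and failover options it introduced. Names below are placeholders.

# Return 0 when dotted numeric version $1 is >= $2. Done by hand because the
# RHEL 5 coreutils sort(1) has no -V option.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        : "${a:=0}"
        : "${b:=0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
    done
    return 0
}

# Report whether the installed sssd is at least 1.5.1. RHSA-2011:0975 is a
# rebase rather than a backport, so the upstream version is a valid indicator
# here; for backported fixes inspect `rpm -q --changelog sssd` instead.
check_sssd_version() {
    installed=$(rpm -q --qf '%{VERSION}' sssd 2>/dev/null) || {
        echo "sssd is not installed"
        return 2
    }
    if version_ge "$installed" 1.5.1; then
        echo "sssd $installed: includes the RHSA-2011:0975 rebase"
        return 0
    fi
    echo "sssd $installed: predates 1.5.1, apply RHSA-2011:0975"
    return 1
}

# Write the sample configuration to $1. sssd refuses to start unless the file
# is root-owned with mode 0600, so the mode is set before any data lands.
write_sssd_conf() {
    out=$1
    old_umask=$(umask)
    umask 077
    cat > "$out" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
# SRV discovery looks up _kerberos._udp.example.com instead of the resolver's domain
krb5_server = _srv_
dns_discovery_domain = example.com
# Request a renewable TGT and renew it hourly while it is still renewable
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
# The default access_provider is "permit": anyone the id_provider resolves may
# log in. Chain the 1.5.1 LDAP checks instead; every listed check must pass.
access_provider = ldap
ldap_access_order = filter, expire, authorized_service
# filter: assumes the directory maintains memberOf on user entries
ldap_access_filter = (memberOf=cn=linux-login,ou=groups,dc=example,dc=com)
# expire: deny accounts whose shadowExpire date has passed
ldap_account_expire_policy = shadow
# authorized_service: the user's authorizedService values (e.g. sshd, "*",
# "!login") are matched against the PAM service name
# Alternatives, one access_provider per domain:
#access_provider = simple
#simple_allow_groups = linux-admins, linux-users
#access_provider = krb5   (honors ~/.k5login)
# With chpass_provider = ldap on a directory that cannot refer writes to its
# master, name the writable server directly:
#ldap_chpass_uri = ldaps://ldap-master.example.com
EOF
    umask "$old_umask"
    chmod 600 "$out"
}

# Invoked directly: `sssd-check.sh check` or `sssd-check.sh write /etc/sssd/sssd.conf`
case "${1:-}" in
    check) check_sssd_version ;;
    write) write_sssd_conf "${2:?path required}" ;;
esac
```

After writing the file, restart the daemon (`service sssd restart` on RHEL 5) and test a login for a user who is, and one who is not, in the allowed group; the point of setting an explicit access_provider is that a resolvable account no longer implies a permitted login.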