
Security Advisory Low: sssd security, bug fix, and enhancement update

Advisory: RHSA-2011:0560-1
Type: Security Advisory
Severity: Low
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2010-4341

Details

Updated sssd packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The System Security Services Daemon (SSSD) provides a set of daemons to
manage access to remote directories and authentication mechanisms. It
provides an NSS and PAM interface toward the system and a pluggable
back-end system to connect to multiple different account sources. It is
also the basis to provide client auditing and policy services for projects
such as FreeIPA.

A flaw was found in the SSSD PAM responder that could allow a local
attacker to crash SSSD via a carefully-crafted packet. With SSSD
unresponsive, legitimate users could be denied the ability to log in to the
system. (CVE-2010-4341)

Red Hat would like to thank Sebastian Krahmer for reporting this issue.

This update also fixes several bugs and adds various enhancements.
Documentation for these bug fixes and enhancements will be available
shortly from the Technical Notes document, linked to in the References
section.

Users of SSSD should upgrade to these updated packages, which upgrade SSSD
to upstream version 1.5.1 to correct this issue, and fix the bugs and add
the enhancements noted in the Technical Notes.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
sssd-1.5.1-34.el6.src.rpm
File outdated by:  RHBA-2014:0005
    MD5: 3e2ad221b61dc94ba06993722987e8c0
SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
 
IA-32:
sssd-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8608c7f8d95aebd79e743fbc63e9b51a
SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: a572d500d33f7ff14233c2d581021f1a
SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b
 
x86_64:
sssd-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 6f2f68568b5d5cc143939c45b3f786b5
SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 61d51d958245c93bcca01997348402ed
SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: aec0062859309254c6eea97b7764ed5a
SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: c500d76c46a7583db32586e50a78dab7
SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
sssd-1.5.1-34.el6.src.rpm
File outdated by:  RHBA-2014:0005
    MD5: 3e2ad221b61dc94ba06993722987e8c0
SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
 
IA-32:
sssd-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8608c7f8d95aebd79e743fbc63e9b51a
SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: a572d500d33f7ff14233c2d581021f1a
SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b
 
PPC:
sssd-1.5.1-34.el6.ppc64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 78a3f9745b344906be66fba8591d9ff5
SHA-256: e290e99bcc9a63c92160afcc46545f07fb44de3b6abaf7e0ff545a7d1416dc7f
sssd-client-1.5.1-34.el6.ppc.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8070362c2499adafe981d2500d8c3787
SHA-256: 0d87800321deefba69def8ddec7b85ad3d4834c1f331b59c58e2482b5cd8a9a0
sssd-client-1.5.1-34.el6.ppc64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 9b859b9894dfc23cc15272cf00851106
SHA-256: ecc9ebdafcbab291f6c417bd4a84607866c58bf8ce920b3288d4f63fa21b9d68
sssd-debuginfo-1.5.1-34.el6.ppc.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8d8283b5d5409a4bd31a6c947cd9b549
SHA-256: 584ae73398098621ce5c4b675d2625eb3ef9d03161c7086546299a56f4b6ab47
sssd-debuginfo-1.5.1-34.el6.ppc64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 3b4f75abf6f04735dc2b909accc16e57
SHA-256: 719efa4d0cd5b2aa64802f969519ef740bd0b21f3a283eb03e4eb9683a771c88
sssd-tools-1.5.1-34.el6.ppc64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 4d2469363a8955d550e49f57275d5860
SHA-256: 980a52c95ee87dac6036538deba05250ed48db7bd749e32a518e2aa22147c10f
 
s390x:
sssd-1.5.1-34.el6.s390x.rpm
File outdated by:  RHBA-2014:0005
    MD5: 7317b8798ae6a528fb2a088061bc4f5a
SHA-256: d8477d1c76539bbd796427f765032bd63623a594f56ef12869ae231d12045be5
sssd-client-1.5.1-34.el6.s390.rpm
File outdated by:  RHBA-2014:0005
    MD5: bb774089693a269362908f6eb25a778f
SHA-256: 09bf00749782c6eb87baeef34b7aeb3223bcaf767f9343619bf09b925130e31f
sssd-client-1.5.1-34.el6.s390x.rpm
File outdated by:  RHBA-2014:0005
    MD5: 5ac9aba45836b8caf9d59ea7fad05a35
SHA-256: f38d1b3973a2a3e08aa49639605332769e287362be89d580aa721d82840d4271
sssd-debuginfo-1.5.1-34.el6.s390.rpm
File outdated by:  RHBA-2014:0005
    MD5: bf3fb549dd584e12698947ffe9505a9f
SHA-256: 01109c1db6eb7a6dc75e0d7ef2f738f3e8b9740c51dcc81e948ae7bf48e44399
sssd-debuginfo-1.5.1-34.el6.s390x.rpm
File outdated by:  RHBA-2014:0005
    MD5: ef19c4877a130664450287cc9f6105b1
SHA-256: 1d575d4f3bd4cbc766127d6a59c2b4ef81a8ff7c1f0dfdf6cf44cfe57ff93f79
sssd-tools-1.5.1-34.el6.s390x.rpm
File outdated by:  RHBA-2014:0005
    MD5: f8a72644011a2235f9776b9a245cce6d
SHA-256: 9131784e9db4b96a1e7608fa0e214fba1b1868ab404c78ecccae880eea223676
 
x86_64:
sssd-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 6f2f68568b5d5cc143939c45b3f786b5
SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 61d51d958245c93bcca01997348402ed
SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: aec0062859309254c6eea97b7764ed5a
SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: c500d76c46a7583db32586e50a78dab7
SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
sssd-1.5.1-34.el6.src.rpm
File outdated by:  RHBA-2014:0005
    MD5: 3e2ad221b61dc94ba06993722987e8c0
SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
 
IA-32:
sssd-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8608c7f8d95aebd79e743fbc63e9b51a
SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: a572d500d33f7ff14233c2d581021f1a
SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b
 
x86_64:
sssd-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 6f2f68568b5d5cc143939c45b3f786b5
SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 8617676ee6530301e60a261ed657363c
SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: 61d51d958245c93bcca01997348402ed
SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm
File outdated by:  RHBA-2014:0005
    MD5: 69c6ab648eb468b0c725ec90df52e73e
SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: aec0062859309254c6eea97b7764ed5a
SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm
File outdated by:  RHBA-2014:0005
    MD5: c500d76c46a7583db32586e50a78dab7
SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
 
(The unlinked packages above are only available from the Red Hat Network)
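Two checks an administrator would want to run around this erratum, as an added example (this is not Red Hat tooling and not code from the advisory): decide whether the installed sssd build is already at or above the fixed build 1.5.1-34.el6, and confirm a downloaded package matches the SHA-256 published in the package list above before installing it. The version comparison re-implements rpm's label comparison in simplified form (numeric and alphabetic runs; the tilde and caret rules of newer rpm releases are not modelled), the `rpm -q --qf` query is assumed to be available only on an RPM-based host, and the SHA-256 values are copied from the x86_64 list above.

```python
"""Post-update checks for RHSA-2011:0560-1 (added example, not Red Hat tooling).

  1. Is the installed sssd at or above the fixed build 1.5.1-34.el6?
  2. Does a downloaded package match the SHA-256 published in the advisory?
"""
import hashlib
import os
import re
import subprocess

# Fixed build taken from the advisory's package list.
FIXED_EVR = "1.5.1-34.el6"

# SHA-256 values copied from the advisory's x86_64 package list.
ADVISORY_SHA256 = {
    "sssd-1.5.1-34.el6.x86_64.rpm":
        "8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22",
    "sssd-client-1.5.1-34.el6.x86_64.rpm":
        "346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640",
    "sssd-tools-1.5.1-34.el6.x86_64.rpm":
        "b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8",
}


def _segment_cmp(a, b):
    """Compare two RPM version or release strings the way rpmvercmp does:
    split into numeric and alphabetic runs, compare numeric runs as integers
    and alphabetic runs lexically, and rank a numeric run above an alphabetic
    one. Assumption: the tilde/caret rules of newer rpm are not modelled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to 0.
    rpm prints '(none)' for a missing epoch, which is treated as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """-1, 0 or 1 comparing epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _segment_cmp(va, vb) or _segment_cmp(ra, rb)


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed build is at or above the erratum's fixed build."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def installed_sssd_evr():
    """Query the local rpm database (assumed to exist on an RPM-based host)."""
    result = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "sssd"],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large RPMs are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, table=ADVISORY_SHA256):
    """True only if the file name is listed and its SHA-256 matches the advisory.
    Check SHA-256 rather than the MD5 the page also lists: MD5 is collision-prone."""
    expected = table.get(os.path.basename(path))
    return expected is not None and sha256_file(path) == expected


if __name__ == "__main__":
    evr = installed_sssd_evr()
    state = "fixed" if is_fixed(evr) else "not yet fixed for CVE-2010-4341"
    print("sssd", evr, state)
```

Running the script on a host prints whether the installed sssd meets the fixed build; `verify_package` is meant for packages fetched outside the Red Hat Network path, and does not replace the GPG signature check described under References, which proves origin where a checksum only proves integrity against the advisory's list.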

Bugs fixed (see bugzilla for more information)

442680 - Better support for Kerberos ticket cache management
598501 - SSSD doesn't follow LDAP referrals when using non-anonymous bind
633406 - the krb5 locator plugin isn't packaged for multilib
633487 - SSSD initgroups does not behave as expected
640602 - sssd is not escaping correctly LDAP searches
644072 - Rebase SSSD to 1.5
645438 - NSS responder dies if DP dies during a request
645449 - 'getent passwd <username>' returns nothing if its uidNumber gt 2147483647.
647816 - Login screen freezes for more than 2mins when configured SSSD for proxy auth.
649286 - SSSD will sometimes lose groups from the cache
658158 - sssd stops on upgrade
659401 - SSSD shutdown sometimes hangs
660323 - Provide an option to specify DNS domain for service discovery
661163 - CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins
667059 - nss client blocks when enumerating local domain after restart.
667326 - '-s' option in sss_obfuscate command is a bit redundant.
667349 - Obfuscated passwords can kill LDAP provider if OpenLDAP uses NSS.
670511 - SSSD and sftp-only jailed users with pubkey login
670763 - Missing primary group with simple access provider.
670804 - Nested groups are not unrolled during the first enumeration.
671478 - authconfig-tui/gtk removes "ldap_user_home_directory" from sssd.conf
674141 - Traceback call messages displayed while "sss_obfuscate" command is executed as a non-root user.
674164 - sss_obfuscate fails if there's no domain named "default".
674172 - Group members are not sanitized in nested group processing
674515 - -p option always uses empty string to obfuscate password.
675284 - "no matching rule" message logged on all successful requests.
676401 - Remove HBAC time rules from SSSD
676911 - SSSD attempts to use START_TLS over LDAPS for authentication
677318 - Does not read renewable ccache at startup.
677588 - sssd crashes at the next tgt renewals it tries.
678091 - SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
678410 - name service caches names, so id command shows recently deleted users
678593 - User information not updated on login for secondary domains
678614 - SSSD needs to look at IPA's compat tree for netgroups
678777 - IPA provider does not update removed group memberships on initgroups
679082 - SSSD IPA provider should honor the krb5_realm option
680367 - sssd not thread-safe
682340 - sssd-be segmentation fault - ipa-client on ipa-server
682807 - sssd_nss core dumps with certain lookups
682850 - IPA provider should use realm instead of ipa_domain for base DN
683158 - multiple problems with sssd + ldap (Active-Directory) and groups members.
683255 - sudo/ldap lookup via sssd gets stuck for 5min waiting on netgroup
683860 - sssd 1.5.1-9 breaks AD authentication
683885 - SSSD should skip over groups with multiple names
688491 - authconfig fails when access_provider is set as krb5 in sssd.conf.
689886 - group memberships are not populated correctly during IPA provider initgroups
690131 - Traceback messages seen while interrupting sss_obfuscate using ctrl+d.
690421 - [abrt] sssd-1.2.1-28.el6_0.4: _talloc_free: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
690866 - Groups with a zero-length memberuid attribute can cause SSSD to stop caching and responding to requests
691678 - SSSD needs to fall back to 'cn' for GECOS information (was: SSSD configuration problem when configured with MSAD)
692472 - Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
694146 - SSSD consumes GBs of RAM, possible memory leak
694444 - Unable to resolve SRV record when called with _srv_,<fixed ldap uri> in ldap_uri
694783 - SSSD crashes during getent when anonymous bind is disabled.
696972 - [REGRESSION] Filters not honoured against fully-qualified users.
701700 - sssd client libraries use select() but should use poll() instead


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/