Metric | Value |
---|---|
CVSS2 base score | 6.8 Medium |
CVSS2 vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |
EPSS score | 0.014 Low |
EPSS percentile | 86.8% |
CentOS Errata and Security Advisory CESA-2015:2355
The System Security Services Daemon (SSSD) service provides a set of
daemons to manage access to remote directories and authentication
mechanisms.
It was found that SSSD’s Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication request.
A remote attacker could potentially use this flaw to exhaust all available
memory on the system by making repeated requests to a Kerberized daemon
application configured to authenticate using the PAC responder plug-in.
(CVE-2015-5292)
The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1205554)
Several enhancements are described in the Red Hat Enterprise Linux 7.2
Release Notes, linked to in the References section.
Bugs fixed:
* When the SELinux user content on an IdM server was set to an empty
  string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314)
* If the ldap_child process failed to initialize credentials and exited
  with an error multiple times, operations that create files in some cases
  started failing due to an insufficient amount of i-nodes. (BZ#1198477)
* The SRV queries used a hard-coded TTL timeout, and environments that
  wanted the SRV queries to be valid for a certain time only were blocked.
  Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541)
* Previously, the initgroups operation took an excessive amount of time. Now,
  logins and ID processing are faster for setups with an AD back end and
  disabled ID mapping. (BZ#1201840)
* When an IdM client with Red Hat Enterprise Linux 7.1 or later was
  connecting to a server with Red Hat Enterprise Linux 7.0 or earlier,
  authentication with an AD trusted domain caused the sssd_be process to
  terminate unexpectedly. (BZ#1202170)
* If replication conflict entries appeared during HBAC processing, the user
  was denied access. Now, the replication conflict entries are skipped and
  users are permitted access. (BZ#1202245)
* The array of SIDs no longer contains an uninitialized value and SSSD no
  longer crashes. (BZ#1204203)
* SSSD supports GPOs from different domain controllers and no longer
  crashes when processing GPOs from different domain controllers.
  (BZ#1205852)
* SSSD could not refresh sudo rules that contained groups with special
  characters, such as parentheses, in their name. (BZ#1208507)
* The IPA names are not qualified on the client side if the server already
  qualified them, and IdM group members resolve even if default_domain_suffix
  is used on the server side. (BZ#1211830)
* The internal cache cleanup task has been disabled by default to improve
  performance of the sssd_be process. (BZ#1212489)
* Now, default_domain_suffix is no longer considered for autofs maps.
  (BZ#1216285)
* The user can set subdomain_inherit=ignore_group_members to disable
  fetching group members for trusted domains. (BZ#1217350)
* Group resolution failed with the error message “Error: 14 (Bad
  address)”. The binary GUID handling has been fixed. (BZ#1226119)
Enhancements added:
* The description of default_domain_suffix has been improved in the manual
  pages. (BZ#1185536)
* With the new “%0” template option, users on SSSD IdM clients can now use
  home directories set on AD. (BZ#1187103)
All sssd users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-November/028896.html
Affected packages:
libipa_hbac
libipa_hbac-devel
libsss_idmap
libsss_idmap-devel
libsss_nss_idmap
libsss_nss_idmap-devel
libsss_simpleifp
libsss_simpleifp-devel
python-libipa_hbac
python-libsss_nss_idmap
python-sss
python-sss-murmur
python-sssdconfig
sssd
sssd-ad
sssd-client
sssd-common
sssd-common-pac
sssd-dbus
sssd-ipa
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-libwbclient
sssd-libwbclient-devel
sssd-proxy
sssd-tools
Upstream details at:
https://access.redhat.com/errata/RHSA-2015:2355
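A practical way to act on this advisory is to compare the installed versions of the packages listed above against the fixed build, 1.13.0-40.el7. The script below is an added example, not part of the CentOS or Red Hat advisory: it ports RPM's version-segment comparison (rpmvercmp) to Python so the check runs anywhere, including on a host where `rpmdev-vercmp` is not installed, and then filters `rpm -qa` output (a constructed sample is embedded) down to advisory packages that are still below the fix. It assumes none of the sssd packages carry an epoch, which `rpm -qa` would not print anyway.

```python
"""Check installed sssd RPMs against the CESA-2015:2355 fixed build (added example)."""
import sys

# Package names from the advisory and the fixed version-release from its table.
AFFECTED_PACKAGES = {
    "libipa_hbac", "libipa_hbac-devel", "libsss_idmap", "libsss_idmap-devel",
    "libsss_nss_idmap", "libsss_nss_idmap-devel", "libsss_simpleifp",
    "libsss_simpleifp-devel", "python-libipa_hbac", "python-libsss_nss_idmap",
    "python-sss", "python-sss-murmur", "python-sssdconfig", "sssd", "sssd-ad",
    "sssd-client", "sssd-common", "sssd-common-pac", "sssd-dbus", "sssd-ipa",
    "sssd-krb5", "sssd-krb5-common", "sssd-ldap", "sssd-libwbclient",
    "sssd-libwbclient-devel", "sssd-proxy", "sssd-tools",
}
FIXED_VERSION = "1.13.0"
FIXED_RELEASE = "40.el7"


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Both strings are walked as alternating numeric and alphabetic segments.
    Separators are skipped, a numeric segment beats an alphabetic one, longer
    numbers (after dropping leading zeros) win, '~' sorts before anything
    (pre-release), and '^' sorts after the base version but before a suffix.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break  # one side ran out; whoever has characters left wins below
        isnum = ca.isdigit()
        ia, jb = i, j
        while ia < len(a) and (a[ia].isdigit() if isnum else a[ia].isalpha()):
            ia += 1
        while jb < len(b) and (b[jb].isdigit() if isnum else b[jb].isalpha()):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:  # segment types differ: numeric is newer than alphabetic
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvra(line: str):
    """Split an `rpm -qa` line 'name-version-release.arch' into its parts."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(version: str, release: str) -> bool:
    """True when version-release is at or above the advisory's fixed build (epoch assumed 0)."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0


def vulnerable_packages(rpm_qa_output: str) -> list:
    """Return [(name, 'version-release', arch)] for advisory packages still below the fix."""
    found = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release, arch = parse_nvra(line)
        if name in AFFECTED_PACKAGES and not is_fixed(version, release):
            found.append((name, f"{version}-{release}", arch))
    return found


# Constructed sample of `rpm -qa` output; not taken from a real host.
SAMPLE_RPM_QA = """\
sssd-1.12.2-58.el7.x86_64
sssd-client-1.13.0-40.el7.x86_64
libsss_idmap-1.13.0-40.el7.i686
sssd-common-1.13.0-40.el7_2.1.x86_64
python-sssdconfig-1.12.2-58.el7.noarch
bash-4.2.46-19.el7.x86_64
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPM_QA
    for name, vr, arch in vulnerable_packages(data):
        print(f"{name} {vr} ({arch}) is below {FIXED_VERSION}-{FIXED_RELEASE}")
```

Run it against a real inventory with `rpm -qa > pkgs.txt && python3 check_cesa_2015_2355.py pkgs.txt` (file name assumed); with no argument it evaluates the constructed sample, where a 1.13.0-40.el7_2.1 build correctly counts as fixed because it sorts after 40.el7.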
OS | OS Version | Architecture | Package | Affected Version | Fixed Package Filename |
---|---|---|---|---|---|
CentOS | 7 | i686 | libipa_hbac | < 1.13.0-40.el7 | libipa_hbac-1.13.0-40.el7.i686.rpm |
CentOS | 7 | x86_64 | libipa_hbac | < 1.13.0-40.el7 | libipa_hbac-1.13.0-40.el7.x86_64.rpm |
CentOS | 7 | i686 | libipa_hbac-devel | < 1.13.0-40.el7 | libipa_hbac-devel-1.13.0-40.el7.i686.rpm |
CentOS | 7 | x86_64 | libipa_hbac-devel | < 1.13.0-40.el7 | libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm |
CentOS | 7 | i686 | libsss_idmap | < 1.13.0-40.el7 | libsss_idmap-1.13.0-40.el7.i686.rpm |
CentOS | 7 | x86_64 | libsss_idmap | < 1.13.0-40.el7 | libsss_idmap-1.13.0-40.el7.x86_64.rpm |
CentOS | 7 | i686 | libsss_idmap-devel | < 1.13.0-40.el7 | libsss_idmap-devel-1.13.0-40.el7.i686.rpm |
CentOS | 7 | x86_64 | libsss_idmap-devel | < 1.13.0-40.el7 | libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm |
CentOS | 7 | i686 | libsss_nss_idmap | < 1.13.0-40.el7 | libsss_nss_idmap-1.13.0-40.el7.i686.rpm |
CentOS | 7 | x86_64 | libsss_nss_idmap | < 1.13.0-40.el7 | libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm |