libipa_hbac, libsss_idmap, libsss_nss_idmap, libsss_simpleifp, python, sssd security update

ID CESA-2015:2355
Type centos
Reporter CentOS Project
Modified 2015-11-30T19:52:40


CentOS Errata and Security Advisory CESA-2015:2355

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms.

It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1205554)

Several enhancements are described in the Red Hat Enterprise Linux 7.2 Release Notes, linked to in the References section:

  • SSSD smart card support (BZ#854396)
  • Cache authentication in SSSD (BZ#910187)
  • SSSD supports overriding automatically discovered AD site (BZ#1163806)
  • SSSD can now deny SSH access to locked accounts (BZ#1175760)
  • SSSD enables UID and GID mapping on individual clients (BZ#1183747)
  • Background refresh of cached entries (BZ#1199533)
  • Multi-step prompting for one-time and long-term passwords (BZ#1200873)
  • Caching for initgroups operations (BZ#1206575)

Bugs fixed:

  • When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314)

  • If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient amount of i-nodes. (BZ#1198477)

  • The SRV queries used a hard coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541)

  • Previously, initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with AD back end and disabled ID mapping. (BZ#1201840)

  • When an IdM client with Red Hat Enterprise Linux 7.1 or later was connecting to a server with Red Hat Enterprise Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly. (BZ#1202170)

  • If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access. (BZ#1202245)

  • The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes. (BZ#1204203)

  • SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers. (BZ#1205852)

  • SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name. (BZ#1208507)

  • The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side. (BZ#1211830)

  • The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process. (BZ#1212489)

  • Now, default_domain_suffix is not considered anymore for autofs maps. (BZ#1216285)

  • The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains. (BZ#1217350)

  • The group resolution failed with an error message: "Error: 14 (Bad address)". The binary GUID handling has been fixed. (BZ#1226119)

Enhancements added:

  • The description of default_domain_suffix has been improved in the manual pages. (BZ#1185536)

  • With the new "%0" template option, users on SSSD IdM clients can now use home directories set on AD. (BZ#1187103)

All sssd users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

Merged security bulletin from advisories:

Affected packages: libipa_hbac libipa_hbac-devel libsss_idmap libsss_idmap-devel libsss_nss_idmap libsss_nss_idmap-devel libsss_simpleifp libsss_simpleifp-devel python-libipa_hbac python-libsss_nss_idmap python-sss python-sss-murmur python-sssdconfig sssd sssd-ad sssd-client sssd-common sssd-common-pac sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-libwbclient sssd-libwbclient-devel sssd-proxy sssd-tools

Upstream details at: