sssd security, bug fix and enhancement update

2013-02-27T00:00:00
ID ELSA-2013-0508
Type oraclelinux
Reporter Oracle
Modified 2013-02-27T00:00:00

Description

[1.9.2-82] - Resolves: rhbz#888614 - Failure in memberof can lead to failed database update

[1.9.2-81] - Resolves: rhbz#903078 - TOCTOU race conditions by copying and removing directory trees

[1.9.2-80] - Resolves: rhbz#903078 - Out-of-bounds read flaws in autofs and ssh services responders

[1.9.2-79] - Resolves: rhbz#902716 - Rule mismatch isn't noticed before smart refresh on ppc64 and s390x

[1.9.2-78] - Resolves: rhbz#896476 - SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.

[1.9.2-77] - Resolves: rhbz#902436 - possible segfault when backend callback is removed

[1.9.2-76] - Resolves: rhbz#895132 - Modifications using sss_usermod tool are not reflected in memory cache

[1.9.2-75] - Resolves: rhbz#894302 - sssd fails to update to changes on autofs maps

[1.9.2-74] - Resolves: rhbz894381 - memory cache is not updated after user is deleted from ldb cache

[1.9.2-73] - Resolves: rhbz895615 - ipa-client-automount: autofs failed in s390x and ppc64 platform

[1.9.2-72] - Resolves: rhbz#894997 - sssd_be crashes looking up members with groups outside the nesting limit

[1.9.2-71] - Resolves: rhbz#895132 - Modifications using sss_usermod tool are not reflected in memory cache

[1.9.2-70] - Resolves: rhbz#894428 - wrong filter for autofs maps in sss_cache

[1.9.2-69] - Resolves: rhbz#894738 - Failover to ldap_chpass_backup_uri doesn't work

[1.9.2-68] - Resolves: rhbz#887961 - AD provider: getgrgid removes nested group memberships

[1.9.2-67] - Resolves: rhbz#878583 - IPA Trust does not show secondary groups for AD Users for commands like id and getent

[1.9.2-66] - Resolves: rhbz#874579 - sssd caching not working as expected for selinux usermap contexts

[1.9.2-65] - Resolves: rhbz#892197 - Incorrect principal searched for in keytab

[1.9.2-64] - Resolves: rhbz#891356 - Smart refresh doesn't notice 'defaults' addition with OpenLDAP

[1.9.2-63] - Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory cache

[1.9.2-62] - Resolves: rhbz#886848 - user id lookup fails for case sensitive users using proxy provider

[1.9.2-61] - Resolves: rhbz#890520 - Failover to krb5_backup_kpasswd doesn't work

[1.9.2-60] - Resolves: rhbz#874618 - sss_cache: fqdn not accepted

[1.9.2-59] - Resolves: rhbz#889182 - crash in memory cache

[1.9.2-58] - Resolves: rhbz#889168 - krb5 ticket renewal does not read the renewable tickets from cache

[1.9.2-57] - Resolves: rhbz#886091 - Disallow root SSH public key authentication - Add default section to switch statement (Related: rhbz#884666)

[1.9.2-56] - Resolves: rhbz#886038 - sssd components seem to mishandle sighup

[1.9.2-55] - Resolves: rhbz#888800 - Memory leak in new memcache initgr cleanup function

[1.9.2-54] - Resolves: rhbz#888614 - Failure in memberof can lead to failed database update

[1.9.2-53] - Resolves: rhbz#885078 - sssd_nss crashes during enumeration if the enumeration is taking too long

[1.9.2-52] - Related: rhbz#875851 - sysdb upgrade failed converting db to 0.11 - Include more debugging during the sysdb upgrade

[1.9.2-51] - Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-50] - Resolves: rhbz#870045 - always reread the master map from LDAP - Resolves: rhbz#876531 - sss_cache does not work for automount maps

[1.9.2-49] - Resolves: rhbz#884666 - sudo: if first full refresh fails, schedule another first full refresh

[1.9.2-48] - Resolves: rhbz#880956 - Primary server status is not always reset after failover to backup server happened - Silence a compilation warning in the memberof plugin (Related: rhbz#877974) - Do not steal resolv result on error (Related: rhbz#882076)

[1.9.2-47] - Resolves: rhbz#882923 - Negative cache timeout is not working for proxy provider

[1.9.2-46] - Resolves: rhbz#884600 - ldap_chpass_uri failover fails on using same hostname

[1.9.2-45] - Resolves: rhbz#858345 - pam_sss(crond:account): Request to sssd failed. Timer expired

[1.9.2-44] - Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory cache

[1.9.2-43] - Resolves: rhbz#880176 - memberUid required for primary groups to match sudo rule

[1.9.2-42] - Resolves: rhbz#885105 - sudo denies access with disabled ldap_sudo_use_host_filter

[1.9.2-41] - Resolves: rhbz#883408 - Option ldap_sudo_include_regexp named incorrectly

[1.9.2-40] - Resolves: rhbz#880546 - krb5_kpasswd failover doesn't work - Fix the error handler in sss_mc_create_file (Related: #789507)

[1.9.2-39] - Resolves: rhbz#882221 - Offline sudo denies access with expired entry_cache_timeout - Fix several bugs found by Coverity and clang: - Check the return value of diff_gid_lists (Related: #869071) - Move misplaced sysdb assignment (Related: #827606) - Remove dead assignment (Related: #827606) - Fix copy-n-paste error in the memberof plugin (Related: #877974)

[1.9.2-38] - Resolves: rhbz#882923 - Negative cache timeout is not working for proxy provider - Link sss_ssh_authorizedkeys and sss_ssh_knowhostsproxy with the client libraries (Related: #870060) - Move sss_ssh_knownhosts documentation to the correct section (Related: #870060)

[1.9.2-37] - Resolves: rhbz#884480 - user is not removed from group membership during initgroups - Fix incorrect synchronization in mmap cache (Related: #789507)

[1.9.2-36] - Resolves: rhbz#883336 - sssd crashes during start if id_provider is not mentioned

[1.9.2-35] - Resolves: rhbz#882290 - arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds

[1.9.2-34] - Resolves: rhbz#877974 - updating top-level group does not reflect ghost members correctly - Resolves: rhbz#880159 - delete operation is not implemented for ghost users

[1.9.2-33] - Resolves: rhbz#881773 - mmap cache needs update after db changes

[1.9.2-32] - Resolves: rhbz#875677 - password expiry warning message doesn't appear during auth - Fix potential NULL dereference when skipping built-in AD groups (Related: rhbz#874616) - Add missing parameter to DEBUG message (Related: rhbz#829742)

[1.9.2-31] - Resolves: rhbz#882076 - SSSD crashes when c-ares returns success but an empty hostent during the DNS update - Do not version libsss_sudo, it's not supposed to be linked against, but dlopened (Related: rhbz#761573)

[1.9.2-30] - Resolves: rhbz#880140 - sssd hangs at startup with broken configurations

[1.9.2-29] - Resolves: rhbz#878420 - SIGSEGV in IPA provider when ldap_sasl_authid is not set

[1.9.2-28] - Resolves: rhbz#874616 - Silence the DEBUG messages when ID mapping code skips a built-in group

[1.9.2-27] - Resolves: rhbz#824244 - sssd does not warn into sssd.log for broken configurations

[1.9.2-26] - Resolves: rhbz#874673 - user id lookup fails using proxy provider - Fix a possibly uninitialized variable in the LDAP provider - Related: rhbz#877130

[1.9.2-25] - Resolves: rhbz#878262 - ipa password auth failing for user principal name when shorter than IPA Realm name - Resolves: rhbz#871843 - Nested groups are not retrieved appropriately from cache

[1.9.2-24] - Resolves: rhbz#870238 - IPA client cannot change AD Trusted User password

[1.9.2-23] - Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-22] - Resolves: rhbz#861075 - SSSD_NSS failure to gracefully restart after sbus failure

[1.9.2-21] - Resolves: rhbz#877354 - ldap_connection_expire_timeout doesn't expire ldap connections

[1.9.2-20] - Related: rhbz#877126 - Bump the release tag

[1.9.2-20] - Resolves: rhbz#877126 - subdomains code does not save the proper user/group name

[1.9.2-19] - Resolves: rhbz#877130 - LDAP provider fails to save empty groups - Related: rhbz#869466 - check the return value of waitpid()

[1.9.2-18] - Resolves: rhbz#870039 - sss_cache says 'Wrong DB version'

[1.9.2-17] - Resolves: rhbz#875740 - 'defaults' entry ignored

[1.9.2-16] - Resolves: rhbz#875738 - offline authentication failure always returns System Error

[1.9.2-15] - Resolves: rhbz#875851 - sysdb upgrade failed converting db to 0.11

[1.9.2-14] - Resolves: rhbz#870278 - ipa client setup should configure host properly in a trust is in place

[1.9.2-13] - Resolves: rhbz#871160 - sudo failing for ad trusted user in IPA environment

[1.9.2-12] - Resolves: rhbz#870278 - ipa client setup should configure host properly in a trust is in place

[1.9.2-11] - Resolves: rhbz#869678 - sssd not granting access for AD trusted user in HBAC rule

[1.9.2-10] - Resolves: rhbz#872180 - subdomains: Invalid sub-domain request type - Related: rhbz#867933 - invalidating the memcache with sss_cache doesn't work if the sssd is not running

[1.9.2-9] - Resolves: rhbz#873988 - Man page issue to list 'force_timeout' as an option for the [sssd] section

[1.9.2-8] - Resolves: rhbz#873032 - Move sss_cache to the main subpackage

[1.9.2-7] - Resolves: rhbz#873032 - Move sss_cache to the main subpackage - Resolves: rhbz#829740 - Init script reports complete before sssd is actually working - Resolves: rhbz#869466 - SSSD starts multiple processes due to syntax error in ldap_uri - Resolves: rhbz#870505 - sss_cache: Multiple domains not handled properly - Resolves: rhbz#867933 - invalidating the memcache with sss_cache doesn't work if the sssd is not running - Resolves: rhbz#872110 - User appears twice on looking up a nested group

[1.9.2-6] - Resolves: rhbz#871576 - sssd does not resolve group names from AD - Resolves: rhbz#872324 - pam: fd leak when writing the selinux login file in the pam responder - Resolves: rhbz#871424 - authconfig chokes on sssd.conf with chpass_provider directive

[1.9.2-5] - Do not send SIGKILL to service right after sending SIGTERM - Resolves: #771975 - Fix the initial sudo smart refresh - Resolves: #869013 - Implement password authentication for users from trusted domains - Resolves: #869071 - LDAP child crashed with a wrong keytab - Resolves: #869150 - The sssd_nss process grows the memory consumption over time - Resolves: #869443

[1.9.2-4] - BuildRequire selinux-policy so that selinux login support is built in - Resolves: #867932

[1.9.2-3] - Do not segfault if namingContexts contain no values or multiple values - Resolves: rhbz#866542

[1.9.2-2] - Fix the 'ca' translation of the sssd-simple manual page - Related: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.2-1] - New upstream release 1.9.2

[1.9.1-1] - Rebase to 1.9.1

[1.9.0-3] - Require the latest libldb

[1.9.0-2] - Rebase to 1.9.0 - Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.0-1.rc1] - Rebase to 1.9.0 RC1 - Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4 - Bump the selinux-policy version number to pull in required fixes

[1.8.0-33] - Resolves: rhbz#840089 - Update the shadowLastChange attribute with days since the Epoch, not seconds