Low: sssd security, bug fix and enhancement update

Related Vulnerabilities: CVE-2013-0219   CVE-2013-0220

Synopsis

Low: sssd security, bug fix and enhancement update

Type/Severity

Security Advisory: Low

Topic

Updated sssd packages that fix two security issues, multiple bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

The System Security Services Daemon (SSSD) provides a set of daemons to
manage access to remote directories and authentication mechanisms. It
provides an NSS and PAM interface toward the system and a pluggable
back-end system to connect to multiple different account sources. It is
also the basis to provide client auditing and policy services for projects
such as FreeIPA.

A race condition was found in the way SSSD copied and removed user home
directories. A local attacker who is able to write into the home directory
of a different user who is being removed could use this flaw to perform
symbolic link attacks, possibly allowing them to modify and delete
arbitrary files with the privileges of the root user. (CVE-2013-0219)
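The bug class behind CVE-2013-0219, shown as an added example that is not SSSD's own code: a path-based tree removal whose stat() follows symlinks, beside a hardened version that works on directory file descriptors with O_NOFOLLOW and re-checks device and inode after opening each subdirectory. The scaffold under /tmp, the names victim, home, sub, evil and secret, and the function names are constructed for this demonstration.

```c
#define _GNU_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: path-based removal whose stat() follows symlinks, so a link
 * the departing user planted in their home is treated as a directory and its
 * target (someone else's files) is emptied with the caller's privileges. */
static int naive_remove_tree(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *de;
    struct stat st;
    char child[PATH_MAX];
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        snprintf(child, sizeof child, "%s/%s", path, de->d_name);
        if (stat(child, &st) == 0 && S_ISDIR(st.st_mode))   /* follows the link */
            naive_remove_tree(child);
        else
            unlink(child);
    }
    closedir(d);
    return rmdir(path);
}

/* Hardened pattern: operate relative to an open directory fd, never follow
 * symlinks, and confirm the directory just opened is the one that was stat'ed. */
static int remove_tree_at(int dirfd)
{
    int dupfd = dup(dirfd);                       /* fdopendir() takes ownership */
    DIR *d = dupfd < 0 ? NULL : fdopendir(dupfd);
    if (!d) { if (dupfd >= 0) close(dupfd); return -1; }
    struct dirent *de;
    struct stat st, st2;
    int rc = 0;
    while (rc == 0 && (de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        if (fstatat(dirfd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { rc = -1; break; }
        if (!S_ISDIR(st.st_mode)) {               /* files and symlinks: drop the entry itself */
            rc = unlinkat(dirfd, de->d_name, 0);
            continue;
        }
        int child = openat(dirfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (child < 0) { rc = -1; break; }        /* ELOOP: it became a symlink meanwhile */
        /* dev/inode must match the fstatat() result, else the entry was swapped under us. */
        if (fstat(child, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
            close(child); rc = -1; break;
        }
        rc = remove_tree_at(child);
        close(child);
        if (rc == 0) rc = unlinkat(dirfd, de->d_name, AT_REMOVEDIR);
    }
    closedir(d);
    return rc;
}

int safe_remove_tree(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = remove_tree_at(fd);
    close(fd);
    return rc == 0 ? rmdir(path) : -1;
}

static int touch(const char *p) { int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600); return fd < 0 ? -1 : close(fd); }

/* Constructed scenario under a mkdtemp() scaffold: "victim" stands in for another
 * user's directory, "home" for the account being deleted, whose owner planted a
 * symlink to victim. Returns 1 if victim/secret survives remove_fn(home), 0 if
 * it was destroyed, -1 if the scaffold could not be built. */
int victim_survives(int (*remove_fn)(const char *))
{
    char base[] = "/tmp/rmtree-demo-XXXXXX", victim[PATH_MAX], home[PATH_MAX], p[PATH_MAX];
    if (!mkdtemp(base)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(home, sizeof home, "%s/home", base);
    snprintf(p, sizeof p, "%s/sub", home);
    if (mkdir(victim, 0700) || mkdir(home, 0700) || mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/sub/note", home);
    if (touch(p)) return -1;
    snprintf(p, sizeof p, "%s/evil", home);
    if (symlink(victim, p)) return -1;            /* the planted link */
    snprintf(p, sizeof p, "%s/secret", victim);
    if (touch(p)) return -1;
    remove_fn(home);
    int survived = access(p, F_OK) == 0;
    safe_remove_tree(home);                       /* tear down the scaffold */
    safe_remove_tree(victim);
    rmdir(base);
    return survived;
}

int main(void)
{
    printf("naive: %d  safe: %d  (1 = victim/secret survived)\n",
           victim_survives(naive_remove_tree), victim_survives(safe_remove_tree));
    return 0;
}
```

The naive remover deletes victim/secret through the planted link and then fails on rmdir(); the hardened one unlinks the link itself and leaves the target untouched. The dev/inode comparison closes the remaining window between fstatat() and openat(): O_NOFOLLOW alone rejects a swap to a symlink, but not a swap to a different real directory (a bind mount, for instance), which the inode check catches.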

Multiple out-of-bounds memory read flaws were found in the way the autofs
and SSH service responders parsed certain SSSD packets. An attacker could
send a specially crafted packet that, when processed by the autofs or SSH
service responders, would cause SSSD to crash. This issue only caused a
temporary denial of service, as SSSD was automatically restarted by the
monitor process after the crash. (CVE-2013-0220)
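A bounds-checked request parser of the kind that addresses the CVE-2013-0220 flaw class, as an added example. The packet layout (a flags word, a length word, then a NUL-terminated name), the function names and the test vectors are assumptions made for this illustration and are not the real SSSD responder protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical responder request body (constructed for this example):
 *   uint32 flags | uint32 name_len | name_len bytes of NUL-terminated name */
#define HDR_LEN 8

enum { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_BAD_LEN = -2, PARSE_NO_NUL = -3 };

/* Every read is checked against blen before it happens, so a crafted packet can
 * at worst be rejected; it can never make the responder read past the buffer it
 * was handed. *name points into body and is valid only as long as body is. */
int parse_name_request(const uint8_t *body, size_t blen,
                       uint32_t *flags, const char **name, uint32_t *name_len)
{
    uint32_t f, n;
    if (body == NULL || blen < HDR_LEN) return PARSE_SHORT;
    memcpy(&f, body, sizeof f);            /* host byte order, as in the constructed format */
    memcpy(&n, body + 4, sizeof n);
    /* Compare n against the remainder; never compute blen - n, which could wrap. */
    if (n == 0 || n > blen - HDR_LEN) return PARSE_BAD_LEN;
    const char *s = (const char *)body + HDR_LEN;
    /* The terminator must sit at the end of the declared region: a missing NUL lets a
     * later strlen()/strcmp() run off the buffer, an early one hides trailing bytes. */
    if (memchr(s, '\0', n) != s + n - 1) return PARSE_NO_NUL;
    *flags = f; *name = s; *name_len = n;
    return PARSE_OK;
}

/* Writes a packet into out (at least 8 + copy_len bytes). The declared length and
 * the bytes actually present are independent so that lying packets can be built. */
static size_t build_packet(uint8_t *out, uint32_t flags, uint32_t declared_len,
                           const char *name, size_t copy_len)
{
    memcpy(out, &flags, 4);
    memcpy(out + 4, &declared_len, 4);
    memcpy(out + HDR_LEN, name, copy_len);
    return HDR_LEN + copy_len;
}

/* Runs five constructed vectors; returns how many the parser handled as intended (5 = all). */
int check_vectors(void)
{
    uint8_t buf[64];
    uint32_t flags, n;
    const char *name;
    size_t len;
    int ok = 0;

    /* 1. Well-formed: "admin" plus its NUL, six bytes, length 6. */
    len = build_packet(buf, 1, 6, "admin", 6);
    ok += parse_name_request(buf, len, &flags, &name, &n) == PARSE_OK && n == 6 && !strcmp(name, "admin");
    /* 2. Truncated: header promises 6 bytes, only 3 arrived. */
    len = build_packet(buf, 1, 6, "adm", 3);
    ok += parse_name_request(buf, len, &flags, &name, &n) == PARSE_BAD_LEN;
    /* 3. Overstated: claims 4 GiB; an unchecked parser would read far past buf. */
    len = build_packet(buf, 1, 0xffffffffu, "admin", 6);
    ok += parse_name_request(buf, len, &flags, &name, &n) == PARSE_BAD_LEN;
    /* 4. Length consistent but no terminator: strlen() on the name would run on. */
    len = build_packet(buf, 1, 5, "admin", 5);
    ok += parse_name_request(buf, len, &flags, &name, &n) == PARSE_NO_NUL;
    /* 5. Body shorter than the fixed header. */
    ok += parse_name_request(buf, 3, &flags, &name, &n) == PARSE_SHORT;
    return ok;
}

int main(void)
{
    printf("%d of 5 vectors handled correctly\n", check_vectors());
    return 0;
}
```

The two checks that matter are the order of the length comparison (n against blen - HDR_LEN, after blen >= HDR_LEN is established) and the explicit search for the terminator inside the declared region; either omission turns a malformed packet from a rejected request into an out-of-bounds read in a privileged daemon.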

The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian
Weimer of the Red Hat Product Security Team.

These updated sssd packages also include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical
Notes, linked to in the References, for information on the most significant
of these changes.

All SSSD users are advised to upgrade to these updated packages, which
upgrade SSSD to upstream version 1.9 to correct these issues, fix these
bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Workstation 6 x86_64
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux for IBM z Systems 6 s390x
  • Red Hat Enterprise Linux for Power, big endian 6 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 i386

Fixes

  • BZ - 743505 - [RFE] Implement "AD friendly" schema mapping
  • BZ - 761573 - [RFE] Integrate with SUDO utility
  • BZ - 766000 - [RFE]Add support for central management of the SELinux user mappings
  • BZ - 768165 - [RFE] Support range retrievals
  • BZ - 768168 - [RFE] Allow Constructing uid from Active Directory objectSid
  • BZ - 789470 - [RFE] Introduce the concept of a Primary Server in SSSD
  • BZ - 789507 - [RFE] SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides
  • BZ - 790105 - Filter out inappropriate IP addresses from IPA dynamic DNS update
  • BZ - 790107 - Document sss_tools better
  • BZ - 799009 - Warn to syslog when dereference requests fail
  • BZ - 799928 - [RFE] Hash the hostname/port information in the known_hosts file.
  • BZ - 801431 - [RFE] sudo: send username and uid while requesting default options
  • BZ - 801719 - "Error looking up public keys" while ssh to replica using IP address.
  • BZ - 802718 - Unable to lookup user aliases with proxy provider.
  • BZ - 805920 - [RFE] Introduce concept of Ghost User instead of using Fake User
  • BZ - 805921 - Document the expectations about ghost users showing in the lookups
  • BZ - 808307 - No info in sssd manpages for "ldap_sasl_minssf"
  • BZ - 811987 - autofs: maximum key name must be PATH_MAX
  • BZ - 813327 - [RFE] support looking up autofs maps via SSSD
  • BZ - 814249 - [RFE] for faster SSSD startup
  • BZ - 822404 - sssd does not provide maps for automounter when custom schema is being used
  • BZ - 824244 - sssd does not warn into sssd.log for broken configurations
  • BZ - 827036 - Add support for terminating idle connections in sssd_nss
  • BZ - 829740 - Init script reports complete before sssd is actually working
  • BZ - 832103 - [RFE] Optimize memberOf search criteria with AD
  • BZ - 832120 - [RFE] Add AD provider
  • BZ - 845251 - sssd does not try another server when unable to resolve hostname
  • BZ - 845253 - Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
  • BZ - 848547 - [TECH PREVIEW] Support DIR: credential caches for multiple TGT support
  • BZ - 852948 - ldap_chpass_update_last_change is not included in the manual page
  • BZ - 854619 - SSSD cannot cope with empty naming context coming from Novell eDirectory
  • BZ - 854997 - Add details about TGT validation to sssd-krb5 man page
  • BZ - 857047 - [abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT)
  • BZ - 860667 - [man sssd-ldap] 'ldap_access_filter' description needs to be updated
  • BZ - 861075 - SSSD_NSS failure to gracefully restart after sbus failure
  • BZ - 861076 - Flip the default value of ldap_initgroups_use_matching_rule_in_chain
  • BZ - 861079 - Collect Krb5 Trace on High Debug Levels
  • BZ - 861082 - Manpage has ldap_autofs_search_base as experimental feature
  • BZ - 861091 - pam_sss report System Error on wrong password
  • BZ - 863131 - sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU
  • BZ - 866542 - sssd_be crashes while looking up users
  • BZ - 867932 - Selinuxusermap rule is not honoured
  • BZ - 867933 - invalidating the memcache with sss_cache doesn't work if the sssd is not running
  • BZ - 869013 - Sudo smart refresh doesn't occur on time
  • BZ - 869071 - Password authentication for users from trusted domains does not work
  • BZ - 869150 - ldap_child crashes on using invalid keytab during gssapi connection
  • BZ - 869443 - The sssd_nss process grows the memory consumption over time
  • BZ - 869678 - sssd not granting access for AD trusted user in HBAC rule
  • BZ - 870039 - sss_cache says 'Wrong DB version'
  • BZ - 870045 - always reread the master map from LDAP
  • BZ - 870060 - SSH host keys are not being removed from the cache
  • BZ - 870238 - IPA client cannot change AD Trusted User password
  • BZ - 870278 - ipa client setup should configure host properly if a trust is in place
  • BZ - 870280 - ipa reconfigure functionality needed for fixing clients to support trusts
  • BZ - 870505 - sss_cache: Multiple domains not handled properly
  • BZ - 871160 - sudo failing for ad trusted user in IPA environment
  • BZ - 871576 - sssd does not resolve group names from AD
  • BZ - 871843 - Nested groups are not retrieved appropriately from cache
  • BZ - 872110 - User appears twice on looking up a nested group
  • BZ - 872180 - subdomains: Invalid sub-domain request type.
  • BZ - 872324 - pam: fd leak when writing the selinux login file in the pam responder
  • BZ - 872683 - sssd_be segfaults with enumeration enabled and anonymous LDAP access disabled
  • BZ - 873032 - Move sss_cache to the main subpackage
  • BZ - 873988 - Man page issue to list 'force_timeout' as an option for the [sssd] section
  • BZ - 874579 - sssd caching not working as expected for selinux usermap contexts
  • BZ - 874616 - Silence the DEBUG messages when ID mapping code skips a built-in group
  • BZ - 874618 - sss_cache: fqdn not accepted
  • BZ - 874673 - user id lookup fails using proxy provider
  • BZ - 875677 - password expiry warning message doesn't appear during auth
  • BZ - 875738 - offline authentication failure always returns System Error
  • BZ - 875740 - "defaults" entry ignored
  • BZ - 875851 - sysdb upgrade failed converting db to 0.11
  • BZ - 876531 - sss_cache does not work for automount maps
  • BZ - 877126 - subdomains code does not save the proper user/group name
  • BZ - 877130 - LDAP provider fails to save empty groups
  • BZ - 877354 - ldap_connection_expire_timeout doesn't expire ldap connections
  • BZ - 877972 - ldap_sasl_authid no longer accepts full principal
  • BZ - 877974 - updating top-level group does not reflect ghost members correctly
  • BZ - 878262 - ipa password auth failing for user principal name when shorter than IPA Realm name
  • BZ - 878419 - sss_userdel doesn't remove entries from in-memory cache
  • BZ - 878420 - SIGSEGV in IPA provider when ldap_sasl_authid is not set
  • BZ - 878583 - IPA Trust does not show secondary groups for AD Users for commands like id and getent
  • BZ - 880140 - sssd hangs at startup with broken configurations
  • BZ - 880159 - delete operation is not implemented for ghost users
  • BZ - 880176 - memberUid required for primary groups to match sudo rule
  • BZ - 880546 - krb5_kpasswd failover doesn't work
  • BZ - 880956 - Primary server status is not always reset after failover to backup server happened
  • BZ - 881773 - mmap cache needs update after db changes
  • BZ - 882076 - SSSD crashes when c-ares returns success but an empty hostent during the DNS update
  • BZ - 882221 - Offline sudo denies access with expired entry_cache_timeout
  • BZ - 882290 - arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds
  • BZ - 882923 - Negative cache timeout is not working for proxy provider
  • BZ - 883336 - sssd crashes during start if id_provider is not mentioned
  • BZ - 883408 - Make it clear that ldap_sudo_include_regexp can only handle wildcards
  • BZ - 884254 - CVE-2013-0219 sssd: TOCTOU race conditions by copying and removing directory trees
  • BZ - 884480 - user is not removed from group membership during initgroups
  • BZ - 884600 - ldap_chpass_uri failover fails on using same hostname
  • BZ - 884601 - CVE-2013-0220 sssd: Out-of-bounds read flaws in autofs and ssh services responders
  • BZ - 884666 - sudo: if first full refresh fails, schedule another first full refresh
  • BZ - 885078 - sssd_nss crashes during enumeration if the enumeration is taking too long
  • BZ - 885105 - sudo denies access with disabled ldap_sudo_use_host_filter
  • BZ - 886038 - sssd components seem to mishandle sighup
  • BZ - 886091 - Disallow root SSH public key authentication
  • BZ - 886848 - user id lookup fails for case sensitive users using proxy provider
  • BZ - 887961 - AD provider: getgrgid removes nested group memberships
  • BZ - 888614 - Failure in memberof can lead to failed database update
  • BZ - 888800 - Memory leak in new memcache initgr cleanup function
  • BZ - 889168 - krb5 ticket renewal does not read the renewable tickets from cache
  • BZ - 889182 - crash in memory cache
  • BZ - 890520 - Failover to krb5_backup_kpasswd doesn't work
  • BZ - 891356 - Smart refresh doesn't notice "defaults" addition with OpenLDAP
  • BZ - 892197 - Incorrect principal searched for in keytab
  • BZ - 894302 - sssd fails to update to changes on autofs maps
  • BZ - 894381 - memory cache is not updated after user is deleted from ldb cache
  • BZ - 894428 - wrong filter for autofs maps in sss_cache
  • BZ - 894738 - Failover to ldap_chpass_backup_uri doesn't work
  • BZ - 894997 - sssd_be crashes looking up members with groups outside the nesting limit
  • BZ - 895132 - Modifications using sss_usermod tool are not reflected in memory cache
  • BZ - 895615 - ipa-client-automount: autofs failed in s390x and ppc64 platform
  • BZ - 896476 - SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
  • BZ - 902436 - possible segfault when backend callback is removed
  • BZ - 902716 - Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
