Synopsis
Moderate: sssd security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for sssd is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources.
The following packages have been upgraded to a later upstream version: sssd (1.16.4). (BZ#1658994)
Security Fix(es):
- sssd: fallback_homedir returns '/' for empty home directories in passwd file (CVE-2019-3811)
- sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
-
Red Hat Enterprise Linux Server 7 x86_64
-
Red Hat Enterprise Linux Workstation 7 x86_64
-
Red Hat Enterprise Linux Desktop 7 x86_64
-
Red Hat Enterprise Linux for IBM z Systems 7 s390x
-
Red Hat Enterprise Linux for Power, big endian 7 ppc64
-
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
-
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Fixes
- BZ - 720688 - [RFE] return multiple server addresses to the Kerberos locator plugin
- BZ - 1350012 - kinit / sssd kerberos fail over
- BZ - 1402056 - [RFE] Make 2FA prompting configurable
- BZ - 1406678 - sssd service is starting before network service
- BZ - 1614296 - SSSD netgroups do not honor entry_cache_nowait_percentage
- BZ - 1619706 - sssd only sets the SELinux login context if it differs from the default
- BZ - 1631656 - KCM: kinit: Matching credential not found while getting default ccache
- BZ - 1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions
- BZ - 1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out
- BZ - 1653759 - sss_cache shouldn't return ENOENT when no entries match
- BZ - 1656618 - CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file
- BZ - 1658994 - Rebase SSSD to 1.16.x
- BZ - 1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so
- BZ - 1672527 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
- BZ - 1677355 - NSS responder does no refresh domain list when busy
- BZ - 1677665 - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients
- BZ - 1679173 - filter_users option is not applied to sub-domains if SSSD starts offline
- BZ - 1684979 - The HBAC code requires dereference to be enabled and fails otherwise
- BZ - 1685472 - UPN negative cache does not use values from 'filter_users' config option
- BZ - 1685581 - Extend cached_auth_timeout to cover subdomains / trusts
- BZ - 1707759 - Error accessing files on samba share randomly
- BZ - 1710286 - The server error message is not returned if password change fails
- BZ - 1711832 - The files provider does not handle resetOffline properly
CVEs
References
Vulmon