1.162. sssd

1.162.1. RHSA-2011:0975: Low sssd security, bug fix, and enhancement update

Updated sssd packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is linked to from the security description below.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.


This update was released as errata RHSA-2011:0975 – Low: sssd security, bug fix, and enhancement update.

Security fix:

A flaw was found in the SSSD PAM responder that could allow a local attacker to force SSSD to enter an infinite loop via a carefully crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system. (CVE-2010-4341)
Red Hat would like to thank Sebastian Krahmer for reporting this issue.

Bug Fixes:

While the LDAP cache cleanup task was running, the group cache could become corrupted and the user was stripped of membership in every group except their primary group. This issue has been fixed and the problem no longer occurs.
When the LDAP server listed first in ldap_uri was unreachable, login attempts failed with a segmentation fault because of a bug in the failover processing. With this update, the segmentation fault no longer occurs if the first LDAP server cannot be reached.
Modifying or deleting a user or group account on an LDAP server did not result in the cache being updated on the next login attempt. With this update, the cache is always refreshed during the login process. Outside of a login attempt, entries remain as cached until the cache timeout expires.
When performing an initgroups() request for a user, the IPA provider did not remove group memberships from the local cache after they had been removed on the IPA server. With this update, a removed group is no longer present in the local cache.
Previously, when the GECOS field of a user's passwd entry was empty, SSSD did not fall back to the cn attribute as it should have. SSSD now correctly uses the cn attribute for GECOS when the gecos attribute is missing, as section 5.3 of RFC 2307 requires.
For large cache files, removing a user from a group in LDAP could cause memory allocation to grow exponentially while the removal was processed in the cache, potentially resulting in an out-of-memory (OOM) situation. With this update, SSSD no longer allocates unnecessarily large amounts of memory when removing a user from a group in LDAP.
When the first name server listed in /etc/resolv.conf was unreachable, SSSD did not try any subsequent name server to resolve the SRV record, so SSSD permanently operated in offline mode. This bug has been fixed, and SSSD now connects to an alternate name server if the primary one is down.
The following bugs have also been fixed:
  • Issues with LDAP search filters that require escaping.
  • Nested group issues with RFC2307bis LDAP servers without the memberOf plug-in.
  • Several thread-safety issues in the sss_client code.


The sssd package has been upgraded to upstream version 1.5.1, which provides a number of bug fixes and enhancements over the previous version. The most significant enhancements are:
  • Support for delayed online Kerberos authentication has been improved.
  • A Kerberos access provider that honors the .k5login authorization file has been added.
  • The verbosity of PAM_TEXT_INFO messages for cached credentials has been reduced.
  • Group support has been added to the simple access provider.
  • The time delay between connecting to a network or VPN and acquiring a TGT (Ticket Granting Ticket) has been significantly reduced.
  • Automatic Kerberos ticket renewal has been added.
  • SSSD now keeps a valid Kerberos ticket for long-lived processes or cron jobs even after the user logs out.
  • Several new features have been added to the LDAP access provider:
  • Support for shadow access control has been added.
  • Support for the authorizedService access control has been added.
  • The ability to mix and match LDAP access control features has been added.
  • An option for a separate password-change LDAP server has been added, for platforms that do not support LDAP referrals.
  • Support for manual page translations has been added.
  • Support for searching for and returning information about netgroups stored in LDAP has been added.
  • The performance of group processing for RFC2307 LDAP servers has been improved.
  • A new option, dns_discovery_domain, which allows better configuration of SRV record lookups for failover, has been added.
Users of SSSD should upgrade to these updated packages, which upgrade sssd to upstream version 1.5.1 to correct this issue, fix these bugs, and add these enhancements.
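The failover behaviour from the bug-fix section (multiple ldap_uri servers, SRV discovery) and the 1.5.1 enhancements listed above (LDAP access control order, authorizedService, shadow expiry, separate password-change server, netgroups, .k5login access provider, ticket renewal, simple-provider groups) combined in one client configuration, as an added example that is not part of the original advisory. Host names, base DNs, the realm and the group names are constructed; the option names are those documented in sssd.conf(5), sssd-ldap(5) and sssd-krb5(5) for this release.

```ini
# Added example, not from the advisory: /etc/sssd/sssd.conf for an sssd 1.5.1
# client. Host names, base DNs, realm and group names are constructed.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp, lab

[nss]
filter_users = root
filter_groups = root

[pam]
# 1.5 reduced the PAM_TEXT_INFO chatter; 1 = only offline/cached-credential notices
pam_verbosity = 1

# --- Domain 1: LDAP for identity, authentication, password change and access ---
[domain/corp]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
cache_credentials = true

# Two servers: with this update a login no longer segfaults when ldap1 is down
ldap_uri = ldap://ldap1.corp.example.com, ldap://ldap2.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_schema = rfc2307
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/corp-ca.pem

# Password changes go straight to the writable master, for directories whose
# read-only replicas do not return LDAP referrals
ldap_chpass_uri = ldap://ldap-master.corp.example.com

# Mix-and-match LDAP access control, evaluated in this order:
#   filter             -> only members of cn=ssh-users (server must expose memberOf)
#   expire             -> honour shadowExpire (shadow access control)
#   authorized_service -> the PAM service name must be listed in authorizedService
ldap_access_order = filter, expire, authorized_service
ldap_access_filter = (memberOf=cn=ssh-users,ou=groups,dc=corp,dc=example,dc=com)
ldap_account_expire_policy = shadow
ldap_user_authorized_service = authorizedService

# Netgroups stored in LDAP (lookups new in 1.5)
ldap_netgroup_search_base = ou=netgroup,dc=corp,dc=example,dc=com

# --- Domain 2: LDAP identity, Kerberos authentication, .k5login authorization ---
[domain/lab]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# krb5 access provider: honours ~/.k5login of the account being logged into
access_provider = krb5
cache_credentials = true

ldap_uri = ldaps://ds.lab.example.com
ldap_search_base = dc=lab,dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/lab-ca.pem

krb5_realm = LAB.EXAMPLE.COM
# _srv_ = locate KDCs via SRV records; dns_discovery_domain names the zone that
# is queried, so SRV failover works even if the client's own DNS domain differs
krb5_server = _srv_, kdc-fallback.lab.example.com
dns_discovery_domain = lab.example.com

# Renewable tickets: sssd renews the TGT every hour for up to seven days, so
# cron jobs and other long-lived processes keep a valid ticket after logout
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
# Delayed online authentication: if the KDC is unreachable at login, the
# password is kept in the kernel keyring and a TGT is fetched once online
krb5_store_password_if_offline = true

# Alternative to the krb5 access provider (one access_provider per domain):
# the simple provider now understands groups as well as users
#access_provider = simple
#simple_allow_groups = lab-admins, lab-operators
```

The file must be mode 0600 and owned by root, or sssd refuses to start. Once it is in place, `service sssd restart` followed by `getent netgroup` and `id` lookups against each domain confirms the LDAP and netgroup paths, and `klist` after a login in the lab domain shows the renewable TGT that krb5_renew_interval keeps alive.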