1.162.1. RHSA-2011:0975: Low sssd security, bug fix, and enhancement update
SSSD PAM responder that could allow a local attacker to force SSSD to enter an infinite loop via a carefully-crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system. (CVE-2010-4341)
- While running the LDAP cache cleanup task, a corrupted group cache could occur, and the user was stripped of membership of every group except the primary group. This issue has been fixed and no longer occurs.
- When the LDAP server defined in the first ldap_uri entry was unreachable, the login attempt to the system failed with a segmentation fault due to an issue in the failover processing. With this update, the segmentation fault no longer occurs if the first LDAP server cannot be reached.
- Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
- When performing an initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.
- Previously, when GECOS information (an entry in the /etc/passwd file) for a user was missing, SSSD did not look for this information in the cn attribute as it should have. SSSD now correctly falls back to the cn attribute if the GECOS field is empty, making SSSD fully compliant with section 5.3 of RFC 2307.
- For large cache files, if a user was removed from a group in LDAP, memory allocation could grow exponentially while processing the removal from the cache, potentially resulting in an OOM (Out of Memory) situation. With this update, this issue has been fixed, and SSSD no longer allocates unnecessarily large amounts of memory when removing a user from a group in LDAP.
- When the first DNS entry defined in the /etc/resolv.conf file was unreachable, SSSD failed to connect to any subsequent DNS server to resolve the SRV record. This caused SSSD to permanently operate in offline mode. This bug has been fixed and SSSD is now able to connect to an alternate server if the primary server is down.
- The following bugs have also been fixed:
  - Issues with LDAP search filters that require escaping.
  - Nested group issues with RFC2307bis LDAP servers without the memberOf plug-in.
  - Several thread-safety issues in the sss_client code.
- The sssd package has been upgraded to upstream version 1.5.1, which provides a number of bug fixes and enhancements over the previous version. The following enhancements are the most significant:
  - Support for delayed online Kerberos authentication has been improved.
  - A Kerberos access provider that honors the .k5login authorization file has been added.
  - The verbosity of PAM_TEXT_INFO messages for cached credentials has been reduced.
  - Group support has been added to the simple access provider.
  - The time delay between connecting to a network or VPN and acquiring a TGT (Ticket Granting Ticket) has been significantly reduced.
  - A feature for automatic Kerberos ticket renewal has been added.
  - SSSD now provides a Kerberos ticket for long-lived processes or cron jobs even when the user logs out.
  - Several new features have been added to the LDAP access provider:
    - Support for shadow access control has been added.
    - Support for the authorizedService access control has been added.
    - The ability to mix-and-match LDAP access control features has been added.
  - An option for a separate password-change LDAP server, for platforms that do not support LDAP referrals, has been added.
  - Support for manual page translations has been added.
  - Support for searching out and returning information about netgroups stored in LDAP has been added.
  - The performance of group processing for RFC2307 LDAP servers has been improved.
  - A new option, dns_discovery_domain, which allows better configuration of SRV records for failover, has been added.
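The failover, access-control and ticket-renewal features listed above, brought together in one sssd.conf domain section. This is an added illustration, not configuration shipped with the advisory or the sssd project; the host names, search base, realm and group names are constructed placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Failover: list more than one server so an unreachable first entry
# falls through to the next one instead of failing the login.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
# Separate password-change server for directories that do not
# follow LDAP referrals (constructed host name).
ldap_chpass_uri = ldap://ldap-master.example.com
ldap_search_base = dc=example,dc=com

# Mix-and-match LDAP access control: checks run in this order and
# all of them must pass. "expire" uses the shadow account expiry
# attributes; "authorized_service" checks the authorizedService
# attribute against the PAM service name.
ldap_access_order = filter, expire, authorized_service
ldap_access_filter = memberOf=cn=linux-login,ou=groups,dc=example,dc=com
ldap_account_expire_policy = shadow
# Only one access_provider is allowed per domain; the simple provider
# with its new group support is the alternative:
#   access_provider = simple
#   simple_allow_groups = linux-admins

# Locate KDCs and LDAP servers via SRV records in this DNS domain,
# which need not match the host's own domain name.
dns_discovery_domain = example.com
krb5_realm = EXAMPLE.COM
# Delayed online authentication: a user who logged in offline gets a
# TGT as soon as the network or VPN comes up.
krb5_store_password_if_offline = true
# Automatic renewal keeps tickets valid for long-lived processes and
# cron jobs; the interval is in seconds.
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
```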