Synopsis

Low: sssd security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

Updated sssd packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

The System Security Services Daemon (SSSD) provides a set of daemons to
manage access to remote directories and authentication mechanisms. It
provides an NSS and PAM interface toward the system and a pluggable
back-end system to connect to multiple different account sources. It is
also the basis to provide client auditing and policy services for projects
such as FreeIPA.

A flaw was found in the SSSD PAM responder that could allow a local
attacker to crash SSSD via a carefully-crafted packet. With SSSD
unresponsive, legitimate users could be denied the ability to log in to the
system. (CVE-2010-4341)

Red Hat would like to thank Sebastian Krahmer for reporting this issue.

This update also fixes several bugs and adds various enhancements.
Documentation for these bug fixes and enhancements will be available
shortly from the Technical Notes document, linked to in the References
section.

Users of SSSD should upgrade to these updated packages, which upgrade SSSD
to upstream version 1.5.1 to correct this issue, and fix the bugs and add
the enhancements noted in the Technical Notes.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386

Fixes

• BZ - 442680 - Better support for Kerberos ticket cache management
• BZ - 598501 - SSSD doesn't follow LDAP referrals when using non-anonymous bind
• BZ - 633406 - the krb5 locator plugin isn't packaged for multilib
• BZ - 633487 - SSSD initgroups does not behave as expected
• BZ - 640602 - sssd is not escaping correctly LDAP searches
• BZ - 644072 - Rebase SSSD to 1.5
• BZ - 645438 - NSS responder dies if DP dies during a request
• BZ - 645449 - 'getent passwd <username>' returns nothing if its uidNumber gt 2147483647.
• BZ - 647816 - Login screen freezes for more than 2mins when configured SSSD for proxy auth.
• BZ - 649286 - SSSD will sometimes lose groups from the cache
• BZ - 658158 - sssd stops on upgrade
• BZ - 659401 - SSSD shutdown sometimes hangs
• BZ - 660323 - Provide an option to specify DNS domain for service discovery
• BZ - 661163 - CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins
• BZ - 667059 - nss client blocks when enumerating local domain after restart.
• BZ - 667326 - '-s' option in sss_obfuscate command is a bit redundant.
• BZ - 667349 - Obfuscated passwords can kill LDAP provider if OpenLDAP uses NSS.
• BZ - 670511 - SSSD and sftp-only jailed users with pubkey login
• BZ - 670763 - Missing primary group with simple access provider.
• BZ - 670804 - Nested groups are not unrolled during the first enumeration.
• BZ - 671478 - authconfig-tui/gtk removes "ldap_user_home_directory" from sssd.conf
• BZ - 674141 - Traceback call messages displayed while "sss_obfuscate" command is executed as a non-root user.
• BZ - 674164 - sss_obfuscate fails if there's no domain named "default".
• BZ - 674172 - Group members are not sanitized in nested group processing
• BZ - 674515 - -p option always uses empty string to obfuscate password.
• BZ - 675284 - "no matching rule" message logged on all successful requests.
• BZ - 676401 - Remove HBAC time rules from SSSD
• BZ - 676911 - SSSD attempts to use START_TLS over LDAPS for authentication
• BZ - 677318 - Does not read renewable ccache at startup.
• BZ - 677588 - sssd crashes at the next tgt renewals it tries.
• BZ - 678091 - SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
• BZ - 678410 - name service caches names, so id command shows recently deleted users
• BZ - 678593 - User information not updated on login for secondary domains
• BZ - 678614 - SSSD needs to look at IPA's compat tree for netgroups
• BZ - 678777 - IPA provider does not update removed group memberships on initgroups
• BZ - 679082 - SSSD IPA provider should honor the krb5_realm option
• BZ - 680367 - sssd not thread-safe
• BZ - 682340 - sssd-be segmentation fault - ipa-client on ipa-server
• BZ - 682807 - sssd_nss core dumps with certain lookups
• BZ - 682850 - IPA provider should use realm instead of ipa_domain for base DN
• BZ - 683158 - multiple problems with sssd + ldap (Active-Directory) and groups members.
• BZ - 683255 - sudo/ldap lookup via sssd gets stuck for 5min waiting on netgroup
• BZ - 683860 - sssd 1.5.1-9 breaks AD authentication
• BZ - 683885 - SSSD should skip over groups with multiple names
• BZ - 688491 - authconfig fails when access_provider is set as krb5 in sssd.conf.
• BZ - 689886 - group memberships are not populated correctly during IPA provider initgroups
• BZ - 690131 - Traceback messages seen while interrupting sss_obfuscate using ctrl+d.
• BZ - 690421 - [abrt] sssd-1.2.1-28.el6_0.4: _talloc_free: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
• BZ - 690866 - Groups with a zero-length memberuid attribute can cause SSSD to stop caching and responding to requests
• BZ - 691678 - SSSD needs to fall back to 'cn' for GECOS information (was: SSSD configuration problem when configured with MSAD)
• BZ - 692472 - Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
• BZ - 694146 - SSSD consumes GBs of RAM, possible memory leak
• BZ - 694444 - Unable to resolve SRV record when called with _srv_,<fixed ldap uri> in ldap_uri
• BZ - 694783 - SSSD crashes during getent when anonymous bind is disabled.
• BZ - 696972 - [REGRESSION] Filters not honoured against fully-qualified users.
• BZ - 701700 - sssd client libraries use select() but should use poll() instead

CVEs

• CVE-2010-4341

References

• https://access.redhat.com/security/updates/classification/#low
• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/index.html

Red Hat Enterprise Linux Server 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
x86_64
sssd-1.5.1-34.el6.x86_64.rpm	SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm	SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm	SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
i386
sssd-1.5.1-34.el6.i686.rpm	SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm	SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b

Red Hat Enterprise Linux Workstation 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
x86_64
sssd-1.5.1-34.el6.x86_64.rpm	SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm	SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm	SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
i386
sssd-1.5.1-34.el6.i686.rpm	SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm	SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b

Red Hat Enterprise Linux Desktop 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
x86_64
sssd-1.5.1-34.el6.x86_64.rpm	SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm	SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm	SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
i386
sssd-1.5.1-34.el6.i686.rpm	SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm	SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
s390x
sssd-1.5.1-34.el6.s390x.rpm	SHA-256: d8477d1c76539bbd796427f765032bd63623a594f56ef12869ae231d12045be5
sssd-client-1.5.1-34.el6.s390.rpm	SHA-256: 09bf00749782c6eb87baeef34b7aeb3223bcaf767f9343619bf09b925130e31f
sssd-client-1.5.1-34.el6.s390x.rpm	SHA-256: f38d1b3973a2a3e08aa49639605332769e287362be89d580aa721d82840d4271
sssd-debuginfo-1.5.1-34.el6.s390.rpm	SHA-256: 01109c1db6eb7a6dc75e0d7ef2f738f3e8b9740c51dcc81e948ae7bf48e44399
sssd-debuginfo-1.5.1-34.el6.s390.rpm	SHA-256: 01109c1db6eb7a6dc75e0d7ef2f738f3e8b9740c51dcc81e948ae7bf48e44399
sssd-debuginfo-1.5.1-34.el6.s390x.rpm	SHA-256: 1d575d4f3bd4cbc766127d6a59c2b4ef81a8ff7c1f0dfdf6cf44cfe57ff93f79
sssd-debuginfo-1.5.1-34.el6.s390x.rpm	SHA-256: 1d575d4f3bd4cbc766127d6a59c2b4ef81a8ff7c1f0dfdf6cf44cfe57ff93f79
sssd-tools-1.5.1-34.el6.s390x.rpm	SHA-256: 9131784e9db4b96a1e7608fa0e214fba1b1868ab404c78ecccae880eea223676

Red Hat Enterprise Linux for Power, big endian 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
ppc64
sssd-1.5.1-34.el6.ppc64.rpm	SHA-256: e290e99bcc9a63c92160afcc46545f07fb44de3b6abaf7e0ff545a7d1416dc7f
sssd-client-1.5.1-34.el6.ppc.rpm	SHA-256: 0d87800321deefba69def8ddec7b85ad3d4834c1f331b59c58e2482b5cd8a9a0
sssd-client-1.5.1-34.el6.ppc64.rpm	SHA-256: ecc9ebdafcbab291f6c417bd4a84607866c58bf8ce920b3288d4f63fa21b9d68
sssd-debuginfo-1.5.1-34.el6.ppc.rpm	SHA-256: 584ae73398098621ce5c4b675d2625eb3ef9d03161c7086546299a56f4b6ab47
sssd-debuginfo-1.5.1-34.el6.ppc.rpm	SHA-256: 584ae73398098621ce5c4b675d2625eb3ef9d03161c7086546299a56f4b6ab47
sssd-debuginfo-1.5.1-34.el6.ppc64.rpm	SHA-256: 719efa4d0cd5b2aa64802f969519ef740bd0b21f3a283eb03e4eb9683a771c88
sssd-debuginfo-1.5.1-34.el6.ppc64.rpm	SHA-256: 719efa4d0cd5b2aa64802f969519ef740bd0b21f3a283eb03e4eb9683a771c88
sssd-tools-1.5.1-34.el6.ppc64.rpm	SHA-256: 980a52c95ee87dac6036538deba05250ed48db7bd749e32a518e2aa22147c10f

Red Hat Enterprise Linux Server from RHUI 6

SRPM
sssd-1.5.1-34.el6.src.rpm	SHA-256: b6e01b5b853589418e887f74c675881243af9590c08cce9cc8a2ef1f1d9c9c51
x86_64
sssd-1.5.1-34.el6.x86_64.rpm	SHA-256: 8e2ada0622a423b9db1ba7c3a5efbbae0f89e9a32cbf35e6ff42b6b602e2ba22
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-client-1.5.1-34.el6.x86_64.rpm	SHA-256: 346a6310b8bec6e37435240d44898c30dbb6c8eec86d858e1f53865b95498640
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-debuginfo-1.5.1-34.el6.x86_64.rpm	SHA-256: 6240409bf38d80f7549af680b9506990ffe2ec566de4385fcb4597995b8172ec
sssd-tools-1.5.1-34.el6.x86_64.rpm	SHA-256: b3c00671992e460a015e92a5d9f848accddd5e46a13c2d4578b9a0a22475e9a8
i386
sssd-1.5.1-34.el6.i686.rpm	SHA-256: 7b8464c0c0f87172f2c96053550d5cb766217a11f2e188d2667c117874933925
sssd-client-1.5.1-34.el6.i686.rpm	SHA-256: 55ed627d7e4842b84b3bed9fd87f6eb60f106dd25f7e4d7fb602ca68c032cc24
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-debuginfo-1.5.1-34.el6.i686.rpm	SHA-256: 0be87d68c4adae1b4e6f262370e331ef775f7830c0f793c79bc017e91412e892
sssd-tools-1.5.1-34.el6.i686.rpm	SHA-256: 5935b272150fe2029b3b26e2123069a91ac4adf856557372a5174c1fa6039e0b