openSUSE Security Update : sssd (openSUSE-SU-2014:1407-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

sssd was updated to new upstream release 1.12.2 (bugfix release,
bnc#900159)

Changes :

- Fixed a regression where the IPA provider did not fetch
User Private Groups correctly

- An important bug in the GPO access control, which
resulted in a wrong principal being used, was fixed.

- Several new options are available for deployments that
need to restrict a certain PAM service from connecting
to a certain SSSD domain. For more details, see the
description of pam_trusted_users and pam_public_domains
options in the sssd.conf(5) man page and the domains
option in the pam_sss(8) man page.

- When SSSD is acting as an IPA client in a setup with
trusted AD domains, it is able to return group members
or full group memberships for users from trusted AD
domains.

- Support for the 'views' feature of IPA.

- The GPO access control was further enhanced to allow
access control decisions while offline and to map the
Windows logon rights onto Linux PAM services.

- The SSSD now ships a plugin for the rpc.idmapd daemon,
sss_rpcidmapd(5).

- An MIT Kerberos localauth plugin was added to SSSD. This
plugin helps translate principals to user names in
IPA-AD trust scenarios, allowing the krb5.conf
configuration to be less complex.

- A libwbclient plugin implementation is now part of the
SSSD. The main purpose is to map Active Directory users
and groups identified by their SID to POSIX users and
groups for the file-server use-case.

- Active Directory users can now use their User Logon Name
to log in.

- The sss_cache tool was enhanced to allow invalidating
the SSH host keys.

- Groups without full POSIX information can now be used to
enroll group membership (CVE-2014-0249).

- Detection of transition from offline to online state was
improved, resulting in fewer timeouts when SSSD is
offline.

- The Active Directory provider now correctly detects
Windows Server 2012 R2. Previous versions would fall
back to the slower non-AD path with 2012 R2.

- Several other bugs related to deployments where SSSD is
acting as an AD client were fixed.

See also :

http://lists.opensuse.org/opensuse-updates/2014-11/msg00047.html
https://bugzilla.opensuse.org/show_bug.cgi?id=900159

Solution :

Update the affected sssd packages.

Risk factor :

Low / CVSS Base Score : 3.3
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 79225

Bugtraq ID:

CVE ID: CVE-2014-0249
