Scientific Linux Security Update : sssd on SL7.x x86_64

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing one or more security

Description :

It was found that SSSD's Privilege Attribute Certificate (PAC)
responder plug-in would leak a small amount of memory on each
authentication request. A remote attacker could potentially use this
flaw to exhaust all available memory on the system by making repeated
requests to a Kerberized daemon application configured to authenticate
using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous

- SSSD smart card support * Cache authentication in SSSD *
SSSD supports overriding automatically discovered AD
site * SSSD can now deny SSH access to locked accounts *
SSSD enables UID and GID mapping on individual clients *
Background refresh of cached entries * Multi-step
prompting for one-time and long-term passwords * Caching
for initgroups operations

Bugs fixed :

- When the SELinux user content on an IdM server was set
to an empty string, the SSSD SELinux evaluation utility
returned an error.

- If the ldap_child process failed to initialize
credentials and exited with an error multiple times,
operations that create files in some cases started
failing due to an insufficient amount of i-nodes.

- The SRV queries used a hard-coded TTL timeout, and
environments that wanted the SRV queries to be valid for
a certain time only were blocked. Now, SSSD parses the
TTL value out of the DNS packet.

- Previously, initgroups operation took an excessive
amount of time. Now, logins and ID processing are faster
for setups with AD back end and disabled ID mapping.

- When an IdM client with Scientific Linux 7.1 or later
was connecting to a server with Scientific Linux 7.0 or
earlier, authentication with an AD trusted domain caused
the sssd_be process to terminate unexpectedly.

- If replication conflict entries appeared during HBAC
processing, the user was denied access. Now, the
replication conflict entries are skipped and users are
permitted access.

- The array of SIDs no longer contains an uninitialized
value and SSSD no longer crashes.

- SSSD supports GPOs from different domain controllers and
no longer crashes when processing GPOs from different
domain controllers.

- SSSD could not refresh sudo rules that contained groups
with special characters, such as parentheses, in their

- The IPA names are not qualified on the client side if
the server already qualified them, and IdM group members
resolve even if default_domain_suffix is used on the
server side.

- The internal cache cleanup task has been disabled by
default to improve performance of the sssd_be process.

- Now, default_domain_suffix is not considered anymore for
autofs maps.

- The user can set subdomain_inherit=ignore_group-members
to disable fetching group members for trusted domains.

- The group resolution failed with an error message:
'Error: 14 (Bad address)'. The binary GUID handling has
been fixed.

Enhancements added :

- The description of default_domain_suffix has been
improved in the manual pages.

- With the new '%0' template option, users on SSSD IdM
clients can now use home directories set on AD.

See also :

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 87575 ()

Bugtraq ID:

CVE ID: CVE-2015-5292

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now