This script is Copyright (C) 2015 Tenable Network Security, Inc.
The remote Scientific Linux host is missing one or more security
It was found that SSSD's Privilege Attribute Certificate (PAC)
responder plug-in would leak a small amount of memory on each
authentication request. A remote attacker could potentially use this
flaw to exhaust all available memory on the system by making repeated
requests to a Kerberized daemon application configured to authenticate
using the PAC responder plug-in. (CVE-2015-5292)
The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous
- SSSD smart card support * Cache authentication in SSSD *
SSSD supports overriding automatically discovered AD
site * SSSD can now deny SSH access to locked accounts *
SSSD enables UID and GID mapping on individual clients *
Background refresh of cached entries * Multi-step
prompting for one-time and long-term passwords * Caching
for initgroups operations
Bugs fixed :
- When the SELinux user content on an IdM server was set
to an empty string, the SSSD SELinux evaluation utility
returned an error.
- If the ldap_child process failed to initialize
credentials and exited with an error multiple times,
operations that create files in some cases started
failing due to an insufficient amount of i-nodes.
- The SRV queries used a hard-coded TTL timeout, and
environments that wanted the SRV queries to be valid for
a certain time only were blocked. Now, SSSD parses the
TTL value out of the DNS packet.
- Previously, initgroups operation took an excessive
amount of time. Now, logins and ID processing are faster
for setups with AD back end and disabled ID mapping.
- When an IdM client with Scientific Linux 7.1 or later
was connecting to a server with Scientific Linux 7.0 or
earlier, authentication with an AD trusted domain caused
the sssd_be process to terminate unexpectedly.
- If replication conflict entries appeared during HBAC
processing, the user was denied access. Now, the
replication conflict entries are skipped and users are
- The array of SIDs no longer contains an uninitialized
value and SSSD no longer crashes.
- SSSD supports GPOs from different domain controllers and
no longer crashes when processing GPOs from different
- SSSD could not refresh sudo rules that contained groups
with special characters, such as parentheses, in their
- The IPA names are not qualified on the client side if
the server already qualified them, and IdM group members
resolve even if default_domain_suffix is used on the
- The internal cache cleanup task has been disabled by
default to improve performance of the sssd_be process.
- Now, default_domain_suffix is not considered anymore for
- The user can set subdomain_inherit=ignore_group-members
to disable fetching group members for trusted domains.
- The group resolution failed with an error message:
'Error: 14 (Bad address)'. The binary GUID handling has
Enhancements added :
- The description of default_domain_suffix has been
improved in the manual pages.
- With the new '%0' template option, users on SSSD IdM
clients can now use home directories set on AD.
See also :
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 6.8