Scientific Linux Security Update : sssd on SL7.x x86_64
Severity: Medium | Nessus Plugin ID 87575

Synopsis
The remote Scientific Linux host is missing one or more security updates.

Description
It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)
The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version.
- SSSD smart card support
- Cache authentication in SSSD
- SSSD supports overriding automatically discovered AD site
- SSSD can now deny SSH access to locked accounts
- SSSD enables UID and GID mapping on individual clients
- Background refresh of cached entries
- Multi-step prompting for one-time and long-term passwords
- Caching for initgroups operations
Bugs fixed :
- When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error.
- If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing because the system ran out of inodes.
- The SRV queries used a hard-coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet.
- Previously, the initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with an AD back end and disabled ID mapping.
- When an IdM client with Scientific Linux 7.1 or later was connecting to a server with Scientific Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly.
- If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access.
- An array of SIDs could contain an uninitialized value, which caused SSSD to crash. The value is now initialized and SSSD no longer crashes.
- SSSD now supports GPOs from different domain controllers and no longer crashes when processing them.
- Previously, SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name.
- The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side.
- The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process.
- default_domain_suffix is no longer considered for autofs maps.
- The user can set subdomain_inherit=ignore_group_members to disable fetching group members for trusted domains.
- Group resolution failed with the error message 'Error: 14 (Bad address)'. The binary GUID handling has been fixed.
Enhancements added :
- The description of default_domain_suffix has been improved in the manual pages.
- With the new '%0' template option, users on SSSD IdM clients can now use home directories set on AD.
Solution
Update the affected packages.
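As an added illustration (not part of the Nessus plugin or the SSSD project), the following Python script checks the two conditions this advisory describes: whether the installed sssd package predates upstream 1.13.0, and whether the PAC responder is enabled in the [sssd] services line of sssd.conf, which is the precondition for CVE-2015-5292. The sssd.conf fragments and version strings are constructed sample inputs, and the rpm/config paths used in the main block are assumed to be the standard ones on an SL7 host.

```python
import re
import subprocess
from configparser import ConfigParser

# Upstream version that carries the PAC responder leak fix (from the advisory).
FIXED_UPSTREAM = (1, 13, 0)

# Constructed sample sssd.conf fragments for offline use (not from any real host).
SAMPLE_CONF_PAC = """
[sssd]
services = nss, pam, pac
domains = example.test

[domain/example.test]
id_provider = ipa
"""
SAMPLE_CONF_NO_PAC = SAMPLE_CONF_PAC.replace("services = nss, pam, pac",
                                             "services = nss, pam")

def parse_version(version_release):
    """Reduce an rpm VERSION-RELEASE string such as '1.13.0-40.el7' to a
    comparable tuple of the upstream version part, ignoring the release tag."""
    upstream = version_release.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))

def pac_responder_enabled(conf_text):
    """True when the PAC responder is listed in the [sssd] services line."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    services = parser.get("sssd", "services", fallback="")
    return "pac" in [s for s in re.split(r"[,\s]+", services) if s]

def assess(version_release, conf_text):
    """Classify a host: 'fixed' (sssd >= 1.13.0), 'exposed' (older sssd with
    the PAC responder active, i.e. the CVE-2015-5292 precondition), or
    'update-needed' (older sssd, PAC responder not enabled)."""
    if parse_version(version_release) >= FIXED_UPSTREAM:
        return "fixed"
    return "exposed" if pac_responder_enabled(conf_text) else "update-needed"

if __name__ == "__main__":
    # On a real host: read the installed package version and the live config
    # (sssd.conf is readable by root only, so run this as root).
    installed = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "sssd"], text=True)
    with open("/etc/sssd/sssd.conf") as fh:
        print(assess(installed.strip(), fh.read()))
```

The version check relies on the advisory's statement that the fix ships with the rebase to 1.13.0; if a distribution backports the fix into an older version string, the comparison must also take the release tag into account.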