Scientific Linux Security Update : sssd on SL7.x x86_64

Medium Nessus Plugin ID 87575


The remote Scientific Linux host is missing one or more security updates.


It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version.

- SSSD smart card support * Cache authentication in SSSD * SSSD supports overriding automatically discovered AD site * SSSD can now deny SSH access to locked accounts * SSSD enables UID and GID mapping on individual clients * Background refresh of cached entries * Multi-step prompting for one-time and long-term passwords * Caching for initgroups operations

Bugs fixed :

- When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error.

- If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient amount of i-nodes.

- The SRV queries used a hard-coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet.

- Previously, initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with AD back end and disabled ID mapping.

- When an IdM client with Scientific Linux 7.1 or later was connecting to a server with Scientific Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly.

- If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access.

- The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes.

- SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers.

- SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name.

- The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side.

- The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process.

- Now, default_domain_suffix is not considered anymore for autofs maps.

- The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains.

- The group resolution failed with an error message:
'Error: 14 (Bad address)'. The binary GUID handling has been fixed.

Enhancements added :

- The description of default_domain_suffix has been improved in the manual pages.

- With the new '%0' template option, users on SSSD IdM clients can now use home directories set on AD.


Update the affected packages.

See Also

Plugin Details

Severity: Medium

ID: 87575

File Name: sl_20151119_sssd_on_SL7_x.nasl

Version: $Revision: 2.1 $

Type: local

Agent: unix

Published: 2015/12/22

Modified: 2015/12/22

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2015/11/19

Reference Information

CVE: CVE-2015-5292