Synopsis: Low: sssd security, bug fix, and enhancement update
Advisory ID: SLSA-2015:2355-1
Issue Date: 2015-11-19
CVE Numbers: CVE-2015-5292
It was found that SSSD’s Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication
request. A remote attacker could potentially use this flaw to exhaust all
available memory on the system by making repeated requests to a Kerberized
daemon application configured to authenticate using the PAC responder.
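The exposure described above requires two things at once: the PAC responder enabled in sssd.conf and an sssd build older than the fixed version. The following added check (not part of the advisory or of the sssd project) parses a constructed sssd.conf and compares a package version against the 1.13.0 upstream version named here; the exact Scientific Linux package release is not given on this page, so the comparison is against the upstream version only, using a simplified rpmvercmp-style segment comparison.

```python
import configparser
import re

# Upstream version the advisory says the packages were upgraded to.
# The distribution release suffix (e.g. "-NN.el7") is not on the page.
FIXED_VERSION = "1.13.0"

# Constructed sample sssd.conf for offline use, not taken from any real host.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, pac
domains = example.test

[domain/example.test]
id_provider = ipa
"""


def _segments(version):
    """Split '1.13.0' into [1, 13, 0]; alphabetic segments stay strings."""
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"[0-9]+|[A-Za-z]+", version)]


def version_at_least(installed, fixed=FIXED_VERSION):
    """Simplified rpmvercmp: compare segment by segment, numeric before alpha."""
    a, b = _segments(installed), _segments(fixed)
    for x, y in zip(a, b):
        if type(x) is not type(y):
            # rpm treats a numeric segment as newer than an alphabetic one
            return isinstance(x, int)
        if x != y:
            return x > y
    return len(a) >= len(b)


def pac_responder_enabled(conf_text):
    """True when 'pac' is listed in the [sssd] services line."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    services = cp.get("sssd", "services", fallback="")
    return "pac" in [s.strip() for s in services.split(",") if s.strip()]


def assess(conf_text, installed_version):
    """Return (pac_enabled, patched, exposed); exposed means PAC responder on an unpatched build."""
    pac = pac_responder_enabled(conf_text)
    patched = version_at_least(installed_version)
    return pac, patched, pac and not patched
```

On a live host, feed the contents of /etc/sssd/sssd.conf and the version reported by `rpm -q --qf '%{VERSION}' sssd` into `assess`.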
The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous version.
* SSSD smart card support
* Cache authentication in SSSD
* SSSD supports overriding automatically discovered AD site
* SSSD can now deny SSH access to locked accounts
* SSSD enables UID and GID mapping on individual clients
* Background refresh of cached entries
* Multi-step prompting for one-time and long-term passwords
* Caching for initgroups operations
* When the SELinux user content on an IdM server was set to an empty
string, the SSSD SELinux evaluation utility returned an error.
* If the ldap_child process failed to initialize credentials and exited
with an error multiple times, operations that create files in some cases
started failing due to an insufficient number of inodes.
* The SRV queries used a hard-coded TTL timeout, so environments that
wanted the SRV queries to be valid only for a certain time were blocked.
Now, SSSD parses the TTL value out of the DNS packet.
* Previously, the initgroups operation took an excessive amount of time.
Now, logins and ID processing are faster for setups with an AD back end
and disabled ID mapping.
* When an IdM client with Scientific Linux 7.1 or later was connecting to
a server with Scientific Linux 7.0 or earlier, authentication with an AD
trusted domain caused the sssd_be process to terminate unexpectedly.
* If replication conflict entries appeared during HBAC processing, the
user was denied access. Now, the replication conflict entries are skipped
and users are permitted access.
* The array of SIDs no longer contains an uninitialized value and SSSD no
* SSSD supports GPOs from different domain controllers and no longer
crashes when processing GPOs from different domain controllers.
* SSSD could not refresh sudo rules that contained groups with special
characters, such as parentheses, in their name.
* The IPA names are not qualified on the client side if the server already
qualified them, and IdM group members resolve even if
default_domain_suffix is used on the server side.
* The internal cache cleanup task has been disabled by default to improve
performance of the sssd_be process.
* Now, default_domain_suffix is no longer considered for autofs maps.
* The user can set subdomain_inherit=ignore_group_members to disable
fetching group members for trusted domains.
* The group resolution failed with an error message: “Error: 14 (Bad
address)”. The binary GUID handling has been fixed.
* The description of default_domain_suffix has been improved in the manual.
* With the new “%0” template option, users on SSSD IdM clients can now use
home directories set on AD.
– Scientific Linux Development Team