[El-errata] ELSA-2013-0508 Low: Oracle Linux 6 sssd security, bug fix and enhancement update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Feb 28 06:07:28 PST 2013


Oracle Linux Security Advisory ELSA-2013-0508

https://rhn.redhat.com/errata/RHSA-2013-0508.html

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
libipa_hbac-1.9.2-82.el6.i686.rpm
libipa_hbac-devel-1.9.2-82.el6.i686.rpm
libipa_hbac-python-1.9.2-82.el6.i686.rpm
libsss_autofs-1.9.2-82.el6.i686.rpm
libsss_idmap-1.9.2-82.el6.i686.rpm
libsss_idmap-devel-1.9.2-82.el6.i686.rpm
libsss_sudo-1.9.2-82.el6.i686.rpm
libsss_sudo-devel-1.9.2-82.el6.i686.rpm
sssd-1.9.2-82.el6.i686.rpm
sssd-client-1.9.2-82.el6.i686.rpm
sssd-tools-1.9.2-82.el6.i686.rpm

x86_64:
libipa_hbac-1.9.2-82.el6.i686.rpm
libipa_hbac-1.9.2-82.el6.x86_64.rpm
libipa_hbac-devel-1.9.2-82.el6.i686.rpm
libipa_hbac-devel-1.9.2-82.el6.x86_64.rpm
libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
libsss_autofs-1.9.2-82.el6.x86_64.rpm
libsss_idmap-1.9.2-82.el6.i686.rpm
libsss_idmap-1.9.2-82.el6.x86_64.rpm
libsss_idmap-devel-1.9.2-82.el6.i686.rpm
libsss_idmap-devel-1.9.2-82.el6.x86_64.rpm
libsss_sudo-1.9.2-82.el6.x86_64.rpm
libsss_sudo-devel-1.9.2-82.el6.i686.rpm
libsss_sudo-devel-1.9.2-82.el6.x86_64.rpm
sssd-1.9.2-82.el6.x86_64.rpm
sssd-client-1.9.2-82.el6.i686.rpm
sssd-client-1.9.2-82.el6.x86_64.rpm
sssd-tools-1.9.2-82.el6.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/sssd-1.9.2-82.el6.src.rpm



Description of changes:

[1.9.2-82]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed
                           database update

[1.9.2-81]
- Resolves: rhbz#903078 - TOCTOU race conditions by copying
                           and removing directory trees

[1.9.2-80]
- Resolves: rhbz#903078 - Out-of-bounds read flaws in
                           autofs and ssh services responders

[1.9.2-79]
- Resolves: rhbz#902716 - Rule mismatch isn't noticed before smart refresh
                           on ppc64 and s390x

[1.9.2-78]
- Resolves: rhbz#896476 - SSSD should warn when pam_pwd_expiration_warning
                           value is higher than passwordWarning LDAP
                           attribute.

[1.9.2-77]
- Resolves: rhbz#902436 - possible segfault when backend callback is removed

[1.9.2-76]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
                           reflected in memory cache

[1.9.2-75]
- Resolves: rhbz#894302 - sssd fails to update to changes on autofs maps

[1.9.2-74]
- Resolves: rhbz894381 - memory cache is not updated after user is deleted
                          from ldb cache

[1.9.2-73]
- Resolves: rhbz895615 - ipa-client-automount: autofs failed in s390x and
                          ppc64 platform

[1.9.2-72]
- Resolves: rhbz#894997 - sssd_be crashes looking up members with groups
                           outside the nesting limit

[1.9.2-71]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
                           reflected in memory cache

[1.9.2-70]
- Resolves: rhbz#894428 - wrong filter for autofs maps in sss_cache

[1.9.2-69]
- Resolves: rhbz#894738 - Failover to ldap_chpass_backup_uri doesn't work

[1.9.2-68]
- Resolves: rhbz#887961 - AD provider: getgrgid removes nested group
                           memberships

[1.9.2-67]
- Resolves: rhbz#878583 - IPA Trust does not show secondary groups for AD
                           Users for commands like id and getent

[1.9.2-66]
- Resolves: rhbz#874579 - sssd caching not working as expected for selinux
                           usermap contexts

[1.9.2-65]
- Resolves: rhbz#892197 - Incorrect principal searched for in keytab

[1.9.2-64]
- Resolves: rhbz#891356 - Smart refresh doesn't notice "defaults" addition
                           with OpenLDAP

[1.9.2-63]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
                           cache

[1.9.2-62]
- Resolves: rhbz#886848 - user id lookup fails for case sensitive users
                           using proxy provider

[1.9.2-61]
- Resolves: rhbz#890520 - Failover to krb5_backup_kpasswd doesn't work

[1.9.2-60]
- Resolves: rhbz#874618 - sss_cache: fqdn not accepted

[1.9.2-59]
- Resolves: rhbz#889182 - crash in memory cache

[1.9.2-58]
- Resolves: rhbz#889168 - krb5 ticket renewal does not read the renewable
                           tickets from cache

[1.9.2-57]
- Resolves: rhbz#886091 - Disallow root SSH public key authentication
- Add default section to switch statement (Related: rhbz#884666)

[1.9.2-56]
- Resolves: rhbz#886038 - sssd components seem to mishandle sighup

[1.9.2-55]
- Resolves: rhbz#888800 - Memory leak in new memcache initgr cleanup
                           function

[1.9.2-54]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed database
                           update

[1.9.2-53]
- Resolves: rhbz#885078 - sssd_nss crashes during enumeration if the
                           enumeration is taking too long

[1.9.2-52]
- Related: rhbz#875851 - sysdb upgrade failed converting db to 0.11
- Include more debugging during the sysdb upgrade

[1.9.2-51]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-50]
- Resolves: rhbz#870045 - always reread the master map from LDAP
- Resolves: rhbz#876531 - sss_cache does not work for automount maps

[1.9.2-49]
- Resolves: rhbz#884666 - sudo: if first full refresh fails, schedule
                           another first full refresh

[1.9.2-48]
- Resolves: rhbz#880956 - Primary server status is not always reset after
                           failover to backup server happened
- Silence a compilation warning in the memberof plugin
   (Related: rhbz#877974)
- Do not steal resolv result on error (Related: rhbz#882076)

[1.9.2-47]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
                           provider

[1.9.2-46]
- Resolves: rhbz#884600 - ldap_chpass_uri failover fails on using same
                           hostname

[1.9.2-45]
- Resolves: rhbz#858345 - pam_sss(crond:account): Request to sssd
                           failed. Timer expired

[1.9.2-44]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
                           cache

[1.9.2-43]
- Resolves: rhbz#880176 - memberUid required for primary groups to match
                           sudo rule

[1.9.2-42]
- Resolves: rhbz#885105 - sudo denies access with disabled
                           ldap_sudo_use_host_filter

[1.9.2-41]
- Resolves: rhbz#883408 - Option ldap_sudo_include_regexp named incorrectly

[1.9.2-40]
- Resolves: rhbz#880546 - krb5_kpasswd failover doesn't work
- Fix the error handler in sss_mc_create_file (Related: #789507)

[1.9.2-39]
- Resolves: rhbz#882221 - Offline sudo denies access with expired
                           entry_cache_timeout
- Fix several bugs found by Coverity and clang:
- Check the return value of diff_gid_lists (Related: #869071)
- Move misplaced sysdb assignment (Related: #827606)
- Remove dead assignment (Related: #827606)
- Fix copy-n-paste error in the memberof plugin (Related: #877974)

[1.9.2-38]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
                           provider
- Link sss_ssh_authorizedkeys and sss_ssh_knowhostsproxy with the client
   libraries (Related: #870060)
- Move sss_ssh_knownhosts documentation to the correct section
   (Related: #870060)

[1.9.2-37]
- Resolves: rhbz#884480 - user is not removed from group membership during
                           initgroups
- Fix incorrect synchronization in mmap cache (Related: #789507)

[1.9.2-36]
- Resolves: rhbz#883336 - sssd crashes during start if id_provider is
                           not mentioned

[1.9.2-35]
- Resolves: rhbz#882290 - arithmetic bug in the SSSD causes netgroup
                           midpoint refresh to be always set to 10 seconds

[1.9.2-34]
- Resolves: rhbz#877974 - updating top-level group does not reflect ghost
                           members correctly
- Resolves: rhbz#880159 - delete operation is not implemented for ghost
                           users

[1.9.2-33]
- Resolves: rhbz#881773 - mmap cache needs update after db changes

[1.9.2-32]
- Resolves: rhbz#875677 - password expiry warning message doesn't appear
                           during auth
- Fix potential NULL dereference when skipping built-in AD groups
   (Related: rhbz#874616)
- Add missing parameter to DEBUG message (Related: rhbz#829742)

[1.9.2-31]
- Resolves: rhbz#882076 - SSSD crashes when c-ares returns success but an
                           empty hostent during the DNS update
- Do not version libsss_sudo, it's not supposed to be linked against, but
   dlopened (Related: rhbz#761573)

[1.9.2-30]
- Resolves: rhbz#880140 - sssd hangs at startup with broken configurations

[1.9.2-29]
- Resolves: rhbz#878420 - SIGSEGV in IPA provider when ldap_sasl_authid
                           is not set

[1.9.2-28]
- Resolves: rhbz#874616 - Silence the DEBUG messages when ID mapping code
                           skips a built-in group

[1.9.2-27]
- Resolves: rhbz#824244 - sssd does not warn into sssd.log for broken
                           configurations

[1.9.2-26]
- Resolves: rhbz#874673 - user id lookup fails using proxy provider
- Fix a possibly uninitialized variable in the LDAP provider
- Related: rhbz#877130

[1.9.2-25]
- Resolves: rhbz#878262 - ipa password auth failing for user principal
                           name when shorter than IPA Realm name
- Resolves: rhbz#871843 - Nested groups are not retrieved appropriately
                           from cache

[1.9.2-24]
- Resolves: rhbz#870238 - IPA client cannot change AD Trusted User password

[1.9.2-23]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal

[1.9.2-22]
- Resolves: rhbz#861075 - SSSD_NSS failure to gracefully restart
                           after sbus failure

[1.9.2-21]
- Resolves: rhbz#877354 - ldap_connection_expire_timeout doesn't expire
                           ldap connections

[1.9.2-20]
- Related: rhbz#877126 - Bump the release tag

[1.9.2-20]
- Resolves: rhbz#877126 - subdomains code does not save the proper
                           user/group name

[1.9.2-19]
- Resolves: rhbz#877130 - LDAP provider fails to save empty groups
- Related: rhbz#869466 - check the return value of waitpid()

[1.9.2-18]
- Resolves: rhbz#870039 - sss_cache says 'Wrong DB version'

[1.9.2-17]
- Resolves: rhbz#875740 - "defaults" entry ignored

[1.9.2-16]
- Resolves: rhbz#875738 - offline authentication failure always returns
                           System Error

[1.9.2-15]
- Resolves: rhbz#875851 - sysdb upgrade failed converting db to 0.11

[1.9.2-14]
- Resolves: rhbz#870278 -  ipa client setup should configure host properly
                            in a trust is in place

[1.9.2-13]
- Resolves: rhbz#871160 - sudo failing for ad trusted user in IPA
                           environment

[1.9.2-12]
- Resolves: rhbz#870278 -  ipa client setup should configure host properly
                            in a trust is in place

[1.9.2-11]
- Resolves: rhbz#869678 - sssd not granting access for AD trusted user
                           in HBAC rule

[1.9.2-10]
- Resolves: rhbz#872180 - subdomains: Invalid sub-domain request type
- Related: rhbz#867933 - invalidating the memcache with sss_cache
                          doesn't work if the sssd is not running

[1.9.2-9]
- Resolves: rhbz#873988 - Man page issue to list 'force_timeout' as an
                           option for the [sssd] section

[1.9.2-8]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage

[1.9.2-7]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage
- Resolves: rhbz#829740 - Init script reports complete before sssd is
                           actually working
- Resolves: rhbz#869466 - SSSD starts multiple processes due to syntax
                           error in ldap_uri
- Resolves: rhbz#870505 - sss_cache: Multiple domains not handled properly
- Resolves: rhbz#867933 - invalidating the memcache with sss_cache
                           doesn't work if the sssd is not running
- Resolves: rhbz#872110 - User appears twice on looking up a nested group

[1.9.2-6]
- Resolves: rhbz#871576 - sssd does not resolve group names from AD
- Resolves: rhbz#872324 - pam: fd leak when writing the selinux login file
                           in the pam responder
- Resolves: rhbz#871424 - authconfig chokes on sssd.conf with
                           chpass_provider directive

[1.9.2-5]
- Do not send SIGKILL to service right after sending SIGTERM
- Resolves: #771975
- Fix the initial sudo smart refresh
- Resolves: #869013
- Implement password authentication for users from trusted domains
- Resolves: #869071
- LDAP child crashed with a wrong keytab
- Resolves: #869150
- The sssd_nss process grows the memory consumption over time
- Resolves: #869443

[1.9.2-4]
- BuildRequire selinux-policy so that selinux login support is built in
- Resolves: #867932

[1.9.2-3]
- Do not segfault if namingContexts contain no values or multiple values
- Resolves: rhbz#866542

[1.9.2-2]
- Fix the "ca" translation of the sssd-simple manual page
- Related: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.2-1]
- New upstream release 1.9.2

[1.9.1-1]
- Rebase to 1.9.1

[1.9.0-3]
- Require the latest libldb

[1.9.0-2]
- Rebase to 1.9.0
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4

[1.9.0-1.rc1]
- Rebase to 1.9.0 RC1
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
- Bump the selinux-policy version number to pull in required fixes

[1.8.0-33]
- Resolves: rhbz#840089 - Update the shadowLastChange attribute
                           with days since the Epoch, not seconds
