[El-errata] ELSA-2013-0508 Low: Oracle Linux 6 sssd security, bug fix and enhancement update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Thu Feb 28 06:07:28 PST 2013
Oracle Linux Security Advisory ELSA-2013-0508
https://rhn.redhat.com/errata/RHSA-2013-0508.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
i386:
libipa_hbac-1.9.2-82.el6.i686.rpm
libipa_hbac-devel-1.9.2-82.el6.i686.rpm
libipa_hbac-python-1.9.2-82.el6.i686.rpm
libsss_autofs-1.9.2-82.el6.i686.rpm
libsss_idmap-1.9.2-82.el6.i686.rpm
libsss_idmap-devel-1.9.2-82.el6.i686.rpm
libsss_sudo-1.9.2-82.el6.i686.rpm
libsss_sudo-devel-1.9.2-82.el6.i686.rpm
sssd-1.9.2-82.el6.i686.rpm
sssd-client-1.9.2-82.el6.i686.rpm
sssd-tools-1.9.2-82.el6.i686.rpm
x86_64:
libipa_hbac-1.9.2-82.el6.i686.rpm
libipa_hbac-1.9.2-82.el6.x86_64.rpm
libipa_hbac-devel-1.9.2-82.el6.i686.rpm
libipa_hbac-devel-1.9.2-82.el6.x86_64.rpm
libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
libsss_autofs-1.9.2-82.el6.x86_64.rpm
libsss_idmap-1.9.2-82.el6.i686.rpm
libsss_idmap-1.9.2-82.el6.x86_64.rpm
libsss_idmap-devel-1.9.2-82.el6.i686.rpm
libsss_idmap-devel-1.9.2-82.el6.x86_64.rpm
libsss_sudo-1.9.2-82.el6.x86_64.rpm
libsss_sudo-devel-1.9.2-82.el6.i686.rpm
libsss_sudo-devel-1.9.2-82.el6.x86_64.rpm
sssd-1.9.2-82.el6.x86_64.rpm
sssd-client-1.9.2-82.el6.i686.rpm
sssd-client-1.9.2-82.el6.x86_64.rpm
sssd-tools-1.9.2-82.el6.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/sssd-1.9.2-82.el6.src.rpm
Description of changes:
[1.9.2-82]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed
database update
[1.9.2-81]
- Resolves: rhbz#903078 - TOCTOU race conditions by copying
and removing directory trees
[1.9.2-80]
- Resolves: rhbz#903078 - Out-of-bounds read flaws in
autofs and ssh services responders
[1.9.2-79]
- Resolves: rhbz#902716 - Rule mismatch isn't noticed before smart refresh
on ppc64 and s390x
[1.9.2-78]
- Resolves: rhbz#896476 - SSSD should warn when pam_pwd_expiration_warning
value is higher than passwordWarning LDAP
attribute.
[1.9.2-77]
- Resolves: rhbz#902436 - possible segfault when backend callback is removed
[1.9.2-76]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache
[1.9.2-75]
- Resolves: rhbz#894302 - sssd fails to update to changes on autofs maps
[1.9.2-74]
- Resolves: rhbz894381 - memory cache is not updated after user is deleted
from ldb cache
[1.9.2-73]
- Resolves: rhbz895615 - ipa-client-automount: autofs failed in s390x and
ppc64 platform
[1.9.2-72]
- Resolves: rhbz#894997 - sssd_be crashes looking up members with groups
outside the nesting limit
[1.9.2-71]
- Resolves: rhbz#895132 - Modifications using sss_usermod tool are not
reflected in memory cache
[1.9.2-70]
- Resolves: rhbz#894428 - wrong filter for autofs maps in sss_cache
[1.9.2-69]
- Resolves: rhbz#894738 - Failover to ldap_chpass_backup_uri doesn't work
[1.9.2-68]
- Resolves: rhbz#887961 - AD provider: getgrgid removes nested group
memberships
[1.9.2-67]
- Resolves: rhbz#878583 - IPA Trust does not show secondary groups for AD
Users for commands like id and getent
[1.9.2-66]
- Resolves: rhbz#874579 - sssd caching not working as expected for selinux
usermap contexts
[1.9.2-65]
- Resolves: rhbz#892197 - Incorrect principal searched for in keytab
[1.9.2-64]
- Resolves: rhbz#891356 - Smart refresh doesn't notice "defaults" addition
with OpenLDAP
[1.9.2-63]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache
[1.9.2-62]
- Resolves: rhbz#886848 - user id lookup fails for case sensitive users
using proxy provider
[1.9.2-61]
- Resolves: rhbz#890520 - Failover to krb5_backup_kpasswd doesn't work
[1.9.2-60]
- Resolves: rhbz#874618 - sss_cache: fqdn not accepted
[1.9.2-59]
- Resolves: rhbz#889182 - crash in memory cache
[1.9.2-58]
- Resolves: rhbz#889168 - krb5 ticket renewal does not read the renewable
tickets from cache
[1.9.2-57]
- Resolves: rhbz#886091 - Disallow root SSH public key authentication
- Add default section to switch statement (Related: rhbz#884666)
[1.9.2-56]
- Resolves: rhbz#886038 - sssd components seem to mishandle sighup
[1.9.2-55]
- Resolves: rhbz#888800 - Memory leak in new memcache initgr cleanup
function
[1.9.2-54]
- Resolves: rhbz#888614 - Failure in memberof can lead to failed database
update
[1.9.2-53]
- Resolves: rhbz#885078 - sssd_nss crashes during enumeration if the
enumeration is taking too long
[1.9.2-52]
- Related: rhbz#875851 - sysdb upgrade failed converting db to 0.11
- Include more debugging during the sysdb upgrade
[1.9.2-51]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal
[1.9.2-50]
- Resolves: rhbz#870045 - always reread the master map from LDAP
- Resolves: rhbz#876531 - sss_cache does not work for automount maps
[1.9.2-49]
- Resolves: rhbz#884666 - sudo: if first full refresh fails, schedule
another first full refresh
[1.9.2-48]
- Resolves: rhbz#880956 - Primary server status is not always reset after
failover to backup server happened
- Silence a compilation warning in the memberof plugin (Related:
rhbz#877974)
- Do not steal resolv result on error (Related: rhbz#882076)
[1.9.2-47]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider
[1.9.2-46]
- Resolves: rhbz#884600 - ldap_chpass_uri failover fails on using same
hostname
[1.9.2-45]
- Resolves: rhbz#858345 - pam_sss(crond:account): Request to sssd
failed. Timer expired
[1.9.2-44]
- Resolves: rhbz#878419 - sss_userdel doesn't remove entries from in-memory
cache
[1.9.2-43]
- Resolves: rhbz#880176 - memberUid required for primary groups to match
sudo rule
[1.9.2-42]
- Resolves: rhbz#885105 - sudo denies access with disabled
ldap_sudo_use_host_filter
[1.9.2-41]
- Resolves: rhbz#883408 - Option ldap_sudo_include_regexp named incorrectly
[1.9.2-40]
- Resolves: rhbz#880546 - krb5_kpasswd failover doesn't work
- Fix the error handler in sss_mc_create_file (Related: #789507)
[1.9.2-39]
- Resolves: rhbz#882221 - Offline sudo denies access with expired
entry_cache_timeout
- Fix several bugs found by Coverity and clang:
- Check the return value of diff_gid_lists (Related: #869071)
- Move misplaced sysdb assignment (Related: #827606)
- Remove dead assignment (Related: #827606)
- Fix copy-n-paste error in the memberof plugin (Related: #877974)
[1.9.2-38]
- Resolves: rhbz#882923 - Negative cache timeout is not working for proxy
provider
- Link sss_ssh_authorizedkeys and sss_ssh_knowhostsproxy with the client
libraries (Related: #870060)
- Move sss_ssh_knownhosts documentation to the correct section
(Related: #870060)
[1.9.2-37]
- Resolves: rhbz#884480 - user is not removed from group membership during
initgroups
- Fix incorrect synchronization in mmap cache (Related: #789507)
[1.9.2-36]
- Resolves: rhbz#883336 - sssd crashes during start if id_provider is
not mentioned
[1.9.2-35]
- Resolves: rhbz#882290 - arithmetic bug in the SSSD causes netgroup
midpoint refresh to be always set to 10 seconds
[1.9.2-34]
- Resolves: rhbz#877974 - updating top-level group does not reflect ghost
members correctly
- Resolves: rhbz#880159 - delete operation is not implemented for ghost
users
[1.9.2-33]
- Resolves: rhbz#881773 - mmap cache needs update after db changes
[1.9.2-32]
- Resolves: rhbz#875677 - password expiry warning message doesn't appear
during auth
- Fix potential NULL dereference when skipping built-in AD groups
(Related: rhbz#874616)
- Add missing parameter to DEBUG message (Related: rhbz#829742)
[1.9.2-31]
- Resolves: rhbz#882076 - SSSD crashes when c-ares returns success but an
empty hostent during the DNS update
- Do not version libsss_sudo, it's not supposed to be linked against, but
dlopened (Related: rhbz#761573)
[1.9.2-30]
- Resolves: rhbz#880140 - sssd hangs at startup with broken configurations
[1.9.2-29]
- Resolves: rhbz#878420 - SIGSEGV in IPA provider when ldap_sasl_authid
is not set
[1.9.2-28]
- Resolves: rhbz#874616 - Silence the DEBUG messages when ID mapping code
skips a built-in group
[1.9.2-27]
- Resolves: rhbz#824244 - sssd does not warn into sssd.log for broken
configurations
[1.9.2-26]
- Resolves: rhbz#874673 - user id lookup fails using proxy provider
- Fix a possibly uninitialized variable in the LDAP provider
- Related: rhbz#877130
[1.9.2-25]
- Resolves: rhbz#878262 - ipa password auth failing for user principal
name when shorter than IPA Realm name
- Resolves: rhbz#871843 - Nested groups are not retrieved appropriately
from cache
[1.9.2-24]
- Resolves: rhbz#870238 - IPA client cannot change AD Trusted User password
[1.9.2-23]
- Resolves: rhbz#877972 - ldap_sasl_authid no longer accepts full principal
[1.9.2-22]
- Resolves: rhbz#861075 - SSSD_NSS failure to gracefully restart
after sbus failure
[1.9.2-21]
- Resolves: rhbz#877354 - ldap_connection_expire_timeout doesn't expire
ldap connections
[1.9.2-20]
- Related: rhbz#877126 - Bump the release tag
[1.9.2-20]
- Resolves: rhbz#877126 - subdomains code does not save the proper
user/group name
[1.9.2-19]
- Resolves: rhbz#877130 - LDAP provider fails to save empty groups
- Related: rhbz#869466 - check the return value of waitpid()
[1.9.2-18]
- Resolves: rhbz#870039 - sss_cache says 'Wrong DB version'
[1.9.2-17]
- Resolves: rhbz#875740 - "defaults" entry ignored
[1.9.2-16]
- Resolves: rhbz#875738 - offline authentication failure always returns
System Error
[1.9.2-15]
- Resolves: rhbz#875851 - sysdb upgrade failed converting db to 0.11
[1.9.2-14]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place
[1.9.2-13]
- Resolves: rhbz#871160 - sudo failing for ad trusted user in IPA
environment
[1.9.2-12]
- Resolves: rhbz#870278 - ipa client setup should configure host properly
in a trust is in place
[1.9.2-11]
- Resolves: rhbz#869678 - sssd not granting access for AD trusted user
in HBAC rule
[1.9.2-10]
- Resolves: rhbz#872180 - subdomains: Invalid sub-domain request type
- Related: rhbz#867933 - invalidating the memcache with sss_cache
doesn't work
if the sssd is not running
[1.9.2-9]
- Resolves: rhbz#873988 - Man page issue to list 'force_timeout' as an
option for the [sssd] section
[1.9.2-8]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage
[1.9.2-7]
- Resolves: rhbz#873032 - Move sss_cache to the main subpackage
- Resolves: rhbz#829740 - Init script reports complete before sssd is
actually
working
- Resolves: rhbz#869466 - SSSD starts multiple processes due to syntax
error in
ldap_uri
- Resolves: rhbz#870505 - sss_cache: Multiple domains not handled properly
- Resolves: rhbz#867933 - invalidating the memcache with sss_cache
doesn't work
if the sssd is not running
- Resolves: rhbz#872110 - User appears twice on looking up a nested group
[1.9.2-6]
- Resolves: rhbz#871576 - sssd does not resolve group names from AD
- Resolves: rhbz#872324 - pam: fd leak when writing the selinux login file
in the pam responder
- Resolves: rhbz#871424 - authconfig chokes on sssd.conf with
chpass_provider
directive
[1.9.2-5]
- Do not send SIGKILL to service right after sending SIGTERM
- Resolves: #771975
- Fix the initial sudo smart refresh
- Resolves: #869013
- Implement password authentication for users from trusted domains
- Resolves: #869071
- LDAP child crashed with a wrong keytab
- Resolves: #869150
- The sssd_nss process grows the memory consumption over time
- Resolves: #869443
[1.9.2-4]
- BuildRequire selinux-policy so that selinux login support is built in
- Resolves: #867932
[1.9.2-3]
- Do not segfault if namingContexts contain no values or multiple values
- Resolves: rhbz#866542
[1.9.2-2]
- Fix the "ca" translation of the sssd-simple manual page
- Related: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
[1.9.2-1]
- New upstream release 1.9.2
[1.9.1-1]
- Rebase to 1.9.1
[1.9.0-3]
- Require the latest libldb
[1.9.0-2]
- Rebase to 1.9.0
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
[1.9.0-1.rc1]
- Rebase to 1.9.0 RC1
- Resolves: rhbz#827606 - Rebase SSSD to 1.9 in 6.4
- Bump the selinux-policy version number to pull in required fixes
[1.8.0-33]
- Resolves: rhbz#840089 - Update the shadowLastChange attribute
with days since the Epoch, not seconds
-------------- next part --------------
More information about the El-errata
mailing list