[El-errata] ELSA-2018-3158 Low: Oracle Linux 7 sssd security, bug fix, and enhancement update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Nov 6 15:09:56 PST 2018
Oracle Linux Security Advisory ELSA-2018-3158
http://linux.oracle.com/errata/ELSA-2018-3158.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
libipa_hbac-1.16.2-13.el7.i686.rpm
libipa_hbac-1.16.2-13.el7.x86_64.rpm
libipa_hbac-devel-1.16.2-13.el7.i686.rpm
libipa_hbac-devel-1.16.2-13.el7.x86_64.rpm
libsss_autofs-1.16.2-13.el7.x86_64.rpm
libsss_certmap-1.16.2-13.el7.i686.rpm
libsss_certmap-1.16.2-13.el7.x86_64.rpm
libsss_certmap-devel-1.16.2-13.el7.i686.rpm
libsss_certmap-devel-1.16.2-13.el7.x86_64.rpm
libsss_idmap-1.16.2-13.el7.i686.rpm
libsss_idmap-1.16.2-13.el7.x86_64.rpm
libsss_idmap-devel-1.16.2-13.el7.i686.rpm
libsss_idmap-devel-1.16.2-13.el7.x86_64.rpm
libsss_nss_idmap-1.16.2-13.el7.i686.rpm
libsss_nss_idmap-1.16.2-13.el7.x86_64.rpm
libsss_nss_idmap-devel-1.16.2-13.el7.i686.rpm
libsss_nss_idmap-devel-1.16.2-13.el7.x86_64.rpm
libsss_simpleifp-1.16.2-13.el7.i686.rpm
libsss_simpleifp-1.16.2-13.el7.x86_64.rpm
libsss_simpleifp-devel-1.16.2-13.el7.i686.rpm
libsss_simpleifp-devel-1.16.2-13.el7.x86_64.rpm
libsss_sudo-1.16.2-13.el7.x86_64.rpm
python-libipa_hbac-1.16.2-13.el7.x86_64.rpm
python-libsss_nss_idmap-1.16.2-13.el7.x86_64.rpm
python-sss-1.16.2-13.el7.x86_64.rpm
python-sss-murmur-1.16.2-13.el7.x86_64.rpm
python-sssdconfig-1.16.2-13.el7.noarch.rpm
sssd-1.16.2-13.el7.x86_64.rpm
sssd-ad-1.16.2-13.el7.x86_64.rpm
sssd-client-1.16.2-13.el7.i686.rpm
sssd-client-1.16.2-13.el7.x86_64.rpm
sssd-common-1.16.2-13.el7.x86_64.rpm
sssd-common-pac-1.16.2-13.el7.x86_64.rpm
sssd-dbus-1.16.2-13.el7.x86_64.rpm
sssd-ipa-1.16.2-13.el7.x86_64.rpm
sssd-kcm-1.16.2-13.el7.x86_64.rpm
sssd-krb5-1.16.2-13.el7.x86_64.rpm
sssd-krb5-common-1.16.2-13.el7.x86_64.rpm
sssd-ldap-1.16.2-13.el7.x86_64.rpm
sssd-libwbclient-1.16.2-13.el7.x86_64.rpm
sssd-libwbclient-devel-1.16.2-13.el7.i686.rpm
sssd-libwbclient-devel-1.16.2-13.el7.x86_64.rpm
sssd-polkit-rules-1.16.2-13.el7.x86_64.rpm
sssd-proxy-1.16.2-13.el7.x86_64.rpm
sssd-tools-1.16.2-13.el7.x86_64.rpm
sssd-winbind-idmap-1.16.2-13.el7.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/sssd-1.16.2-13.el7.src.rpm
Description of changes:
[1.16.2-13]
- Resolves: rhbz#1593756 - sssd needs to require a newer version of
libtalloc and libtevent to avoid an issue
in GPO processing
[1.16.2-12]
- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more
than one certificate is converted into an SSH key
- Resolves: rhbz#1583360 - The IPA selinux provider can return an error
if SELinux is completely disabled
[1.16.2-11]
- Resolves: rhbz#1602781 - Local users failed to login with same password
[1.16.2-10]
- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can
cause the memory cache to be skipped
[1.16.2-9]
- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password
[1.16.2-8]
- Resolves: rhbz#1607313 - When sssd is running as non-root user, the
sudo pipe is created as sssd:sssd but then the private pipe ownership fails
[1.16.2-7]
- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in
case an invalid profile is found
[1.16.2-6]
- Resolves: rhbz#1582975 - The search filter for detecting POSIX
attributes in global catalog is too broad and can cause a high load on
the servers
[1.16.2-5]
- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX
attributes stored in AD GC also for regular AD DC queries
- Resolves: rhbz#1416528 - sssd in cross realm trust configuration
should be able to use AD KDCs from a client site defined in sssd.conf or
a snippet
- Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd
[1.16.2-4]
- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information
leak from the sssd-sudo responder [rhel-7]
- Resolves: rhbz#1450778 - Full information regarding priority of lookup
of principal in keytab not in man page
[1.16.2-3]
- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains
of a directly joined AD client
- Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working
after update to RHEL-7.5
- Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more
gracefully
- Resolves: rhbz#1509691 - Document how to change the regular expression
for SSSD so that group names with an @-sign can be parsed
[1.16.2-2]
- Related: rhbz#1558498 - Rebase sssd to the latest upstream release of
the 1.16 branch
[1.16.2-1]
- Resolves: rhbz#1558498 - Rebase sssd to the latest upstream release
of the 1.16 branch
- Resolves: rhbz#1523019 - Reset password with two factor authentication
fails
- Resolves: rhbz#1534749 - Requesting an AD user's private group and
then the user itself returns an empty homedir
- Resolves: rhbz#1537272 - SSH public key authentication keeps working
after keys are removed from ID view
- Resolves: rhbz#1537279 - Certificate is not removed from cache when
it's removed from the override
- Resolves: rhbz#1562025 - externalUser sudo attribute must be
fully-qualified
- Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily
- Resolves: rhbz#1508530 - How should sudo behave without sudoHost
attribute?
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be
enhanced to better explain how the keys are retrieved and how X.509
certificates can be used
- Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with
multiple domains if the first domain uses mid_id/max_id
- Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS
update process is terminated with a signal
- Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA
master for AD users
- Resolves: rhbz#1514061 - ID override GID from Default Trust View is
not properly resolved in case domain resolution order is set
- Resolves: rhbz#1571466 - Utilizing domain_resolution_order in
sssd.conf breaks SELinux user map
- Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a
warning in case the ldap schema is manually changed to something
different than 'ad'.
[1.16.0-25]
- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information
about external groups on a long lived memory context, causing memory
growth of the sssd_be process
[1.16.0-24]
- Related: rhbz#1578291 - Samba can not register sss idmap module
because it's using an outdated SMB_IDMAP_INTERFACE_VERSION
[1.16.0-23]
- Resolves: rhbz#1578291 - Samba can not register sss idmap module
because it's using an outdated SMB_IDMAP_INTERFACE_VERSION
[1.16.0-22]
- Resolves: rhbz#1516266 - Give a more detailed debug and system-log
message if krb5_init_context() failed
- Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is
offline and 'krb5_store_password_if_offline = True'
- Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child
(updated)
- Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option
- Resolves: rhbz#1459348 - extend sss-certmap man page regarding
priority processing
- Resolves: rhbz#1220767 - Group renaming issue when "id_provider =
ldap" is set
- Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent.
sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0
error 4 in sssd_nss[55612687e000+39000]
[1.16.0-21]
- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear
the sssd cache
[1.16.0-20]
- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex
interface can cause the ns-slapd process on IPA server to crash