Security update for sssd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0051-1 Final 1 1 2019-01-13T19:56:29Z current 2019-01-13T19:56:29Z 2019-01-13T19:56:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd provides the following fixes: This security issue was fixed: - CVE-2018-10852: Set stricter permissions on /var/lib/sss/pipes/sudo to prevent the disclosure of sudo rules for arbitrary users (bsc#1098377) These non-security issues were fixed: - Fix a segmentation fault in sss_cache command. (bsc#1072728) - Fix a failure in autofs initialisation sequence upon system boot. (bsc#1010700) - Fix race condition on boot between SSSD and autofs. (bsc#1010700) - Fix a bug where file descriptors were not closed (bsc#1080156) - Fix an issue where sssd logs were not rotated properly (bsc#1080156) - Remove whitespaces from netgroup entries (bsc#1087320) - Remove misleading log messages (bsc#1101877) - exit() the forked process if exec()-ing a child process fails (bsc#1110299) - Do not schedule the machine renewal task if adcli is not executable (bsc#1110299) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00014.html E-Mail link for openSUSE-SU-2019:0051-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libipa_hbac-devel-1.13.4-12.1 libipa_hbac0-1.13.4-12.1 libsss_idmap-devel-1.13.4-12.1 libsss_idmap0-1.13.4-12.1 libsss_nss_idmap-devel-1.13.4-12.1 libsss_nss_idmap0-1.13.4-12.1 libsss_sudo-1.13.4-12.1 python-ipa_hbac-1.13.4-12.1 python-sss_nss_idmap-1.13.4-12.1 python-sssd-config-1.13.4-12.1 sssd-1.13.4-12.1 sssd-32bit-1.13.4-12.1 sssd-ad-1.13.4-12.1 sssd-ipa-1.13.4-12.1 sssd-krb5-1.13.4-12.1 sssd-krb5-common-1.13.4-12.1 sssd-ldap-1.13.4-12.1 sssd-proxy-1.13.4-12.1 sssd-tools-1.13.4-12.1 libipa_hbac-devel-1.13.4-12.1 as a component of openSUSE Leap 42.3 libipa_hbac0-1.13.4-12.1 as a component of openSUSE Leap 42.3 libsss_idmap-devel-1.13.4-12.1 as a component of openSUSE Leap 42.3 libsss_idmap0-1.13.4-12.1 as a component of openSUSE Leap 42.3 libsss_nss_idmap-devel-1.13.4-12.1 as a component of openSUSE Leap 42.3 libsss_nss_idmap0-1.13.4-12.1 as a component of openSUSE Leap 42.3 libsss_sudo-1.13.4-12.1 as a component of openSUSE Leap 42.3 python-ipa_hbac-1.13.4-12.1 as a component of openSUSE Leap 42.3 python-sss_nss_idmap-1.13.4-12.1 as a component of openSUSE Leap 42.3 python-sssd-config-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-32bit-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-ad-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-ipa-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-krb5-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-krb5-common-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-ldap-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-proxy-1.13.4-12.1 as a component of openSUSE Leap 42.3 sssd-tools-1.13.4-12.1 as a component of openSUSE Leap 42.3 The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3. CVE-2018-10852 openSUSE Leap 42.3:libipa_hbac-devel-1.13.4-12.1 openSUSE Leap 42.3:libipa_hbac0-1.13.4-12.1 openSUSE Leap 42.3:libsss_idmap-devel-1.13.4-12.1 openSUSE Leap 42.3:libsss_idmap0-1.13.4-12.1 openSUSE Leap 42.3:libsss_nss_idmap-devel-1.13.4-12.1 openSUSE Leap 42.3:libsss_nss_idmap0-1.13.4-12.1 openSUSE Leap 42.3:libsss_sudo-1.13.4-12.1 openSUSE Leap 42.3:python-ipa_hbac-1.13.4-12.1 openSUSE Leap 42.3:python-sss_nss_idmap-1.13.4-12.1 openSUSE Leap 42.3:python-sssd-config-1.13.4-12.1 openSUSE Leap 42.3:sssd-1.13.4-12.1 openSUSE Leap 42.3:sssd-32bit-1.13.4-12.1 openSUSE Leap 42.3:sssd-ad-1.13.4-12.1 openSUSE Leap 42.3:sssd-ipa-1.13.4-12.1 openSUSE Leap 42.3:sssd-krb5-1.13.4-12.1 openSUSE Leap 42.3:sssd-krb5-common-1.13.4-12.1 openSUSE Leap 42.3:sssd-ldap-1.13.4-12.1 openSUSE Leap 42.3:sssd-proxy-1.13.4-12.1 openSUSE Leap 42.3:sssd-tools-1.13.4-12.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00014.html https://www.suse.com/security/cve/CVE-2018-10852.html CVE-2018-10852 https://bugzilla.suse.com/1098377 SUSE Bug 1098377