Security update for sssd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2941-1 Final 1 1 2021-09-03T07:23:56Z current 2021-09-03T07:23:56Z 2021-09-03T07:23:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following issues: - CVE-2021-3621: Fixed shell command injection in sssctl via the logs-fetch and cache-expire subcommands (bsc#1189492). - Add LDAPS support for the AD provider (bsc#1183735). - Improve logs to record the reason why internal watchdog terminates a process (bsc#1187120). - Fix watchdog not terminating tasks (bsc#1187120). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2941 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/32JUFL2YE6SH6B4KF762VVSDUIQI7ZKU/ E-Mail link for openSUSE-SU-2021:2941-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183735 SUSE Bug 1183735 https://bugzilla.suse.com/1187120 SUSE Bug 1187120 https://bugzilla.suse.com/1189492 SUSE Bug 1189492 https://www.suse.com/security/cve/CVE-2021-3621/ SUSE CVE CVE-2021-3621 page openSUSE Leap 15.3 libipa_hbac-devel-1.16.1-23.11.1 libipa_hbac0-1.16.1-23.11.1 libnfsidmap-sss-1.16.1-23.11.1 libsss_certmap-devel-1.16.1-23.11.1 libsss_certmap0-1.16.1-23.11.1 libsss_idmap-devel-1.16.1-23.11.1 libsss_idmap0-1.16.1-23.11.1 libsss_nss_idmap-devel-1.16.1-23.11.1 libsss_nss_idmap0-1.16.1-23.11.1 libsss_simpleifp-devel-1.16.1-23.11.1 libsss_simpleifp0-1.16.1-23.11.1 python3-ipa_hbac-1.16.1-23.11.1 python3-sss-murmur-1.16.1-23.11.1 python3-sss_nss_idmap-1.16.1-23.11.1 python3-sssd-config-1.16.1-23.11.1 sssd-1.16.1-23.11.1 sssd-ad-1.16.1-23.11.1 sssd-common-1.16.1-23.11.1 sssd-dbus-1.16.1-23.11.1 sssd-ipa-1.16.1-23.11.1 sssd-krb5-1.16.1-23.11.1 sssd-krb5-common-1.16.1-23.11.1 sssd-ldap-1.16.1-23.11.1 sssd-proxy-1.16.1-23.11.1 sssd-tools-1.16.1-23.11.1 sssd-wbclient-1.16.1-23.11.1 sssd-wbclient-devel-1.16.1-23.11.1 sssd-winbind-idmap-1.16.1-23.11.1 libipa_hbac-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libipa_hbac0-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libnfsidmap-sss-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_certmap-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_certmap0-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_idmap-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_idmap0-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_nss_idmap-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_nss_idmap0-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_simpleifp-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 libsss_simpleifp0-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 python3-ipa_hbac-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 python3-sss-murmur-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 python3-sss_nss_idmap-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 python3-sssd-config-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-ad-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-common-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-dbus-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-ipa-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-krb5-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-krb5-common-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-ldap-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-proxy-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-tools-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-wbclient-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-wbclient-devel-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 sssd-winbind-idmap-1.16.1-23.11.1 as a component of openSUSE Leap 15.3 A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-3621 openSUSE Leap 15.3:libipa_hbac-devel-1.16.1-23.11.1 openSUSE Leap 15.3:libipa_hbac0-1.16.1-23.11.1 openSUSE Leap 15.3:libnfsidmap-sss-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_certmap-devel-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_certmap0-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_idmap-devel-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_idmap0-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_nss_idmap-devel-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_nss_idmap0-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_simpleifp-devel-1.16.1-23.11.1 openSUSE Leap 15.3:libsss_simpleifp0-1.16.1-23.11.1 openSUSE Leap 15.3:python3-ipa_hbac-1.16.1-23.11.1 openSUSE Leap 15.3:python3-sss-murmur-1.16.1-23.11.1 openSUSE Leap 15.3:python3-sss_nss_idmap-1.16.1-23.11.1 openSUSE Leap 15.3:python3-sssd-config-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-ad-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-common-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-dbus-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-ipa-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-krb5-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-krb5-common-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-ldap-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-proxy-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-tools-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-wbclient-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-wbclient-devel-1.16.1-23.11.1 openSUSE Leap 15.3:sssd-winbind-idmap-1.16.1-23.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/32JUFL2YE6SH6B4KF762VVSDUIQI7ZKU/ https://www.suse.com/security/cve/CVE-2021-3621.html CVE-2021-3621 https://bugzilla.suse.com/1189492 SUSE Bug 1189492