5.5 - RHSA-2019:2177

Problem Description:

An update for sssd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources.

The following packages have been upgraded to a later upstream version: sssd (1.16.4). (BZ#1658994)

Security Fix(es):

* sssd: fallback_homedir returns '/' for empty home directories in passwd file (CVE-2019-3811)

* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

720688 - [RFE] return multiple server addresses to the Kerberos locator plugin 1350012 - kinit / sssd kerberos fail over 1402056 - [RFE] Make 2FA prompting configurable 1406678 - sssd service is starting before network service 1614296 - SSSD netgroups do not honor entry_cache_nowait_percentage 1619706 - sssd only sets the SELinux login context if it differs from the default 1631656 - KCM: kinit: Matching credential not found while getting default ccache 1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions 1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out 1653759 - sss_cache shouldn't return ENOENT when no entries match 1656618 - CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file 1658994 - Rebase SSSD to 1.16.x 1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so 1672527 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls 1677355 - NSS responder does no refresh domain list when busy 1677665 - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients 1679173 - filter_users option is not applied to sub-domains if SSSD starts offline 1684979 - The HBAC code requires dereference to be enabled and fails otherwise 1685472 - UPN negative cache does not use values from 'filter_users' config option 1685581 - Extend cached_auth_timeout to cover subdomains / trusts 1707759 - Error accessing files on samba share randomly 1710286 - The server error message is not returned if password change fails 1711832 - The files provider does not handle resetOffline properly