[Bug 903752] Re: [MIR] sssd

Timo Aaltonen tjaalton at ubuntu.com
Mon Apr 29 09:23:07 UTC 2013 

closing the libnl task, sssd 1.10 will build against libnl3 anyway, and
looks like netcf got fixed as well

** Changed in: libnl (Ubuntu)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libsemanage in Ubuntu.
https://bugs.launchpad.net/bugs/903752

Title:
  [MIR] sssd

Status in “ding-libs” package in Ubuntu:
  Confirmed
Status in “ldb” package in Ubuntu:
  Confirmed
Status in “libnl” package in Ubuntu:
  Won't Fix
Status in “libsemanage” package in Ubuntu:
  Fix Released
Status in “samba4” package in Ubuntu:
  Confirmed
Status in “sssd” package in Ubuntu:
  Fix Committed
Status in “tevent” package in Ubuntu:
  Confirmed

Bug description:
  1. Availability:
   - in universe for some time

  2. Rationale:
   - https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-sssd-mir

  3.  Security:
   - no current CVE
   - five CVE reports in the past:
   CVE-2011-1758 	The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname.
   CVE-2010-4341 	The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet.
   CVE-2010-2940 	The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.
   CVE-2010-0014 	System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.
   CVE-2009-2410   The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.

   all got fixed by upstream in a timely manner.

   - ships a daemon that handles connections to LDAP, Kerberos servers
   - doesn't open privileged ports
   - binaries in /usr/sbin include sssd, sss_group{add,del,mod}, sss_user{add,del,mod}

  4. Quality assurance:
   - current version doesn't install any working configuration, it is the plan to add support for debconf though
  <check>

  5. UI standards:
   - not applicable

  6. Dependencies:
   - ding-libs (libcollection-dev, libini-config-dev, libdhash-dev)
   - tevent (libtevent-dev)
   - ldb (libldb-dev)
   - libsemanage (libsemanage1-dev)

  7. Standards compliance:
   - shipped by debian
   - lintian clean
   - uses dh, source format 3.0 (quilt)

  8. Maintenance:
   - currently maintained by a team of volunteers on Debian and Ubuntu
   - shared git repository on git.debian.org

  9. Background information:
  <check>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ding-libs/+bug/903752/+subscriptions

More information about the foundations-bugs mailing list