[Bug 903752] Re: [MIR] sssd

Didier Roche didrocks at ubuntu.com
Thu Nov 14 14:12:23 UTC 2013


Hum, I just ran check-mir on sssd and it seems quite some build-deps are
still not in main with the latest release. Timo, can you have a look
please?

 * libpam-dev does not exist (pure virtual?)
 * libdhash-dev binary and source package is in universe
 * libcollection-dev binary and source package is in universe
 * libini-config-dev binary and source package is in universe

 * libsasl2-modules-ldap is in universe, but its source cyrus-sasl2 is already in main; file an ubuntu-archive bug for promoting the current preferred alternative
-> I don't think that one will be an issue
 * libpam-pwquality is in universe, but its source libpwquality is already in main; file an ubuntu-archive bug for promoting the current preferred alternative
-> same, shouldn't be an issue (as per your other request)


Also, what is going to pull sssd to main, will it be directly seeded?
Thanks! Feel free to just reassign the MIR to me directly once you have answered those questions.

** Changed in: sssd (Ubuntu)
     Assignee: (unassigned) => Timo Aaltonen (tjaalton)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libsemanage in Ubuntu.
https://bugs.launchpad.net/bugs/903752

Title:
  [MIR] sssd

Status in “libsemanage” package in Ubuntu:
  Fix Released
Status in “samba” package in Ubuntu:
  Fix Released
Status in “sssd” package in Ubuntu:
  Fix Committed
Status in “tevent” package in Ubuntu:
  Fix Released

Bug description:
  sssd & ding-libs (which got split off sssd at some point):

  1. Availability:
   - in universe for some time

  2. Rationale:
   - https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-sssd-mir

  3. Security:
   - no current CVE
   - five CVE reports in the past:
   CVE-2011-1758: The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname.
   CVE-2010-4341: The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet.
   CVE-2010-2940: The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.
   CVE-2010-0014: System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.
   CVE-2009-2410: The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.

   all got fixed by upstream in a timely manner.

   - ships a daemon that handles connections to LDAP, Kerberos servers
   - doesn't open privileged ports
   - binaries in /usr/sbin include sssd, sss_group{add,del,mod}, sss_user{add,del,mod}

  4. Quality assurance:
   - current version doesn't install any working configuration, it is the plan to add support for debconf though
  <check>

  5. UI standards:
   - not applicable

  6. Dependencies:
   - ding-libs (libcollection-dev, libini-config-dev, libdhash-dev)
   - tevent (libtevent-dev)
   - ldb (libldb-dev)
   - libsemanage (libsemanage1-dev)
   - samba4 (libndr-dev, libndr-standard-dev, libsamba-util-dev, libdcerpc-dev, samba4-dev)
   - libpwquality (libpam-sss now depends on libpam-pwquality)

  7. Standards compliance:
   - shipped by Debian
   - lintian clean
   - uses dh, source format 3.0 (quilt)

  8. Maintenance:
   - currently maintained by a team of volunteers on Debian and Ubuntu
   - shared git repository on git.debian.org

  9. Background information:
  <check>
