[Bug 903752] Re: [MIR] sssd

Didier Roche didrocks at ubuntu.com
Fri Nov 15 07:58:03 UTC 2013


@Timo: something needs to "pin" sssd in main. So either seeding it in
the supported seed or installed by default. It seems you want the first
one, right?

Just waiting on ding-libs to be fixed/acked and if you agree with
seeding that one to the supported seed, I'll promote/do it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libsemanage in Ubuntu.
https://bugs.launchpad.net/bugs/903752

Title:
  [MIR] sssd

Status in “libsemanage” package in Ubuntu:
  Fix Released
Status in “samba” package in Ubuntu:
  Fix Released
Status in “sssd” package in Ubuntu:
  Fix Committed
Status in “tevent” package in Ubuntu:
  Fix Released

Bug description:
  sssd & ding-libs (which got split off sssd at some point):

  1. Availability:
   - in universe for some time

  2. Rationale:
   - https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-sssd-mir

  3. Security:
   - no current CVE
   - five CVE reports in the past:
   - CVE-2011-1758: The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname.
   - CVE-2010-4341: The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet.
   - CVE-2010-2940: The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.
   - CVE-2010-0014: System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.
   - CVE-2009-2410: The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.

   all got fixed by upstream in a timely manner.

   - ships a daemon that handles connections to LDAP, Kerberos servers
   - doesn't open privileged ports
   - binaries in /usr/sbin include sssd, sss_group{add,del,mod}, sss_user{add,del,mod}

  4. Quality assurance:
   - current version doesn't install any working configuration; it is planned to add support for debconf, though
  <check>

  5. UI standards:
   - not applicable

  6. Dependencies:
   - ding-libs (libcollection-dev, libini-config-dev, libdhash-dev)
   - tevent (libtevent-dev)
   - ldb (libldb-dev)
   - libsemanage (libsemanage1-dev)
   - samba4 (libndr-dev, libndr-standard-dev, libsamba-util-dev, libdcerpc-dev, samba4-dev)
   - libpwquality (libpam-sss now depends on libpam-pwquality)

  7. Standards compliance:
   - shipped by debian
   - lintian clean
   - uses dh, source format 3.0 (quilt)

  8. Maintenance:
   - currently maintained by a team of volunteers on Debian and Ubuntu
   - shared git repository on git.debian.org

  9. Background information:
  <check>

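As an added example (not code from the bug report, from sssd, or from any of the packages listed in it), the following Python sketches the LDAP authentication pitfall that the CVE-2010-2940 entry above describes: a client that treats "the simple bind succeeded" as "the user proved their identity" is bypassable with an empty password whenever the server allows anonymous access, because per RFC 4513 a bind with a non-empty name and an empty password is an "unauthenticated" bind that yields an anonymous authorization identity rather than an error. The directory server here is a constructed in-memory stand-in implementing those simple-bind semantics, not a real LDAP server, and the DN and password are made up; the hardened variant shows the conventional fix of refusing empty passwords before anything is sent and checking the identity the server actually bound as.

```python
"""LDAP simple-bind authentication: vulnerable vs. hardened client logic.

Illustrates the failure mode behind CVE-2010-2940 (empty password + anonymous
bind enabled => pam_authenticate bypass). Everything below is constructed
for demonstration; it is not sssd code and talks to no real directory.
"""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str  # DN the session is bound as; "" means anonymous


class FakeLdapServer:
    """Constructed stand-in following RFC 4513 simple-bind semantics.

    - empty name + empty password  -> anonymous bind
    - name + empty password        -> "unauthenticated" bind; servers that
                                      permit anonymous access grant an
                                      anonymous session (no error!)
    - name + password              -> real credential check
    """

    def __init__(self, users: dict, allow_anonymous: bool = True):
        self.users = users  # DN -> password (constructed sample data)
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(self.allow_anonymous, "")
        if password == "":
            # Unauthenticated bind: succeeds as anonymous if permitted.
            return BindResult(self.allow_anonymous, "")
        if self.users.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def authenticate_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Bug pattern: any successful bind is taken as proof of identity."""
    return server.simple_bind(dn, password).success


def authenticate_hardened(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Fix pattern: refuse empty passwords locally, then require that the
    server bound the session as the DN we asked for (not anonymous)."""
    if not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authz_id == dn


def demo() -> dict:
    """Run both clients against a server that permits anonymous access."""
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
    server = FakeLdapServer({alice: "s3cret"}, allow_anonymous=True)
    return {
        "vulnerable_empty_password": authenticate_vulnerable(server, alice, ""),
        "hardened_empty_password": authenticate_hardened(server, alice, ""),
        "hardened_correct_password": authenticate_hardened(server, alice, "s3cret"),
        "hardened_wrong_password": authenticate_hardened(server, alice, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Disabling anonymous binds on the server side also closes the hole for this particular client, but the client-side checks are what make the authentication path safe regardless of directory configuration, which is the property a PAM backend needs.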
