Summary: | <sys-auth/sssd-1.9.5-r1: "simple_deny_groups" Access Control Bypass Security Issue (CVE-2013-0287) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | andreis.vinogradovs, maksbotan, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/52704/ | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-03-20 15:19:31 UTC
CVE-2013-0287 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0287): The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions. What is going on here? 1.9.6 is in the tree for a long time and in the process of stabilization. See 510870 What is going on here? 1.9.6 is in the tree for a long time and in the process of stabilization. See 510870 (In reply to Markos Chandras from comment #3) > What is going on here? 1.9.6 is in the tree for a long time and in the > process of stabilization. See 510870 Thank you for letting us know, and I am going to set this to cleanup mode to clean up the vulnerable packages. From what I see it looks like 1.9.4-r3 might be vulnerable, if the fix was included in 1.9.5-r1. Can you confirm this? (In reply to Yury German from comment #4) > (In reply to Markos Chandras from comment #3) > > What is going on here? 1.9.6 is in the tree for a long time and in the > > process of stabilization. See 510870 > > Thank you for letting us know, and I am going to set this to cleanup mode to > clean up the vulnerable packages. From what I see it looks like 1.9.4-r3 > might be vulnerable, if the fix was included in 1.9.5-r1. > > Can you confirm this? According to comment #1, there are four commits in 1.9 branch that fixed that problem back in Feb 2013. The release of 1.9.6 was in 2013-11-06 so I'd say that this is indeed fixed in 1.9.6 According to comment #1 again: "Fixed in the GIT repository (please see the vendor's advisory for details). A fix is planned to be released in version 1.9.5." I will write back to this back when the latest 1.9.6 is stabilized and I have removed all the previous ebuilds. (In reply to Markos Chandras from comment #5) > (In reply to Yury German from comment #4) > > (In reply to Markos Chandras from comment #3) > > > What is going on here? 1.9.6 is in the tree for a long time and in the > > > process of stabilization. See 510870 > > > > Thank you for letting us know, and I am going to set this to cleanup mode to > > clean up the vulnerable packages. From what I see it looks like 1.9.4-r3 > > might be vulnerable, if the fix was included in 1.9.5-r1. > > > > Can you confirm this? > > According to comment #1, there are four commits in 1.9 branch that fixed > that problem back in Feb 2013. The release of 1.9.6 was in 2013-11-06 so I'd > say that this is indeed fixed in 1.9.6 > According to comment #1 again: > "Fixed in the GIT repository (please see the vendor's advisory for details). > A fix is planned to be released in version 1.9.5." > > I will write back to this back when the latest 1.9.6 is stabilized and I > have removed all the previous ebuilds. I just realized that 1.8 is not affected so I just dropped anything between 1.9.0 and 1.9.6 + 21 May 2014; Markos Chandras <hwoarang@gentoo.org> -sssd-1.9.4-r3.ebuild, + -sssd-1.9.5-r1.ebuild, -sssd-1.9.6-r1.ebuild: + Clean up old ebuilds per #462496 + No glsa needed. Closed. |