Summary: | <sys-auth/sssd-1.12.1: incorrect expansion of group membership when encountering a non-POSIX group (CVE-2014-0249) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hwoarang |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1101751 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=516764 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-05-28 08:24:40 UTC
Upstream ticket is already fixed: https://fedorahosted.org/sssd/ticket/2343

Patches are included in releases sssd-1.12.1 and sssd-1.11.7.

CVE-2014-0249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0249):
The System Security Services Daemon (SSSD) 1.11.6 does not properly identify group membership when a non-POSIX group is in a group membership chain, which allows local users to bypass access restrictions via unspecified vectors.

*sssd-1.12.1 (14 Sep 2014)

    14 Sep 2014; Markos Chandras <hwoarang@gentoo.org> +sssd-1.12.1.ebuild,
    metadata.xml:
    Version bump

Maintainer(s): please let us know when the ebuild is ready for stabilization.

I have been using it in production for a while. Seems ok. Feel free to go ahead with the stabilization (note there might be quite a few reverse deps to stabilize, so the process may not be very smooth).

Arches, please test and mark stable:
=sys-auth/sssd-1.12.1
Target Keywords : "amd64 x86"
Thank you!

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

GLSA Vote: No

(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

This may be a problem. New sssd lacks some functionality because samba4 is masked. Some people still use 1.8 or 1.9 because of that. I am going to leave these ebuilds around for a while and clean up later on.

GLSA vote: no.

(In reply to Markos Chandras from comment #9)
> (In reply to Agostino Sarubbo from comment #7)
> > x86 stable.
> >
> > Maintainer(s), please cleanup.
> > Security, please vote.
>
> This may be a problem. New sssd lacks some functionality because
> samba4 is masked. Some people still use 1.8 or 1.9 because of that. I am
> going to leave these ebuilds around for a while and clean up later on.

Markos, just a gentle nudge to see if anything changed.

@Markos, any changes on this? Can you purge the vulnerable ebuilds yet? Thanks.

@Maintainer, please purge the old packages or let us know if you need more time.
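A constructed model of the bug class named in the CVE summary above, added here as an illustration and not taken from SSSD's sources or from this bug: a nested-group walk that stops when it reaches a group without a POSIX gid loses every membership that lies beyond it, so an access rule keyed on such a group is never applied. The directory contents, group names, the deny rule and the exact "stop at the non-POSIX group" behaviour are assumptions made for the example.

```python
# Constructed directory: group name -> gid (None = non-POSIX group, i.e. no
# gidNumber) and direct members (users or nested groups). Assumed data.
DIRECTORY = {
    "wheel":       {"gid": 10,   "members": ["ops-all"]},
    "ops-all":     {"gid": None, "members": ["ops-linux"]},   # non-POSIX
    "ops-linux":   {"gid": 1002, "members": ["alice"]},
    "denied":      {"gid": 2000, "members": ["contractors"]},
    "contractors": {"gid": None, "members": ["bob"]},         # non-POSIX
}

# Assumed access rule, in the spirit of a "deny these groups" check.
DENY_GROUPS = {"denied"}


def expand_groups(user, directory, continue_through_non_posix):
    """Return the POSIX groups `user` belongs to, directly or via nesting.

    continue_through_non_posix=False models the defective walk: meeting a
    group with no gid ends that branch, so parents above it are never seen.
    continue_through_non_posix=True models the corrected walk: the non-POSIX
    group is not itself reported (it has no gid) but its parents are visited.
    """
    parents = {}
    for name, group in directory.items():
        for member in group["members"]:
            parents.setdefault(member, []).append(name)

    found, seen = set(), set()
    queue = list(parents.get(user, []))
    while queue:
        grp = queue.pop(0)
        if grp in seen:          # guard against membership cycles
            continue
        seen.add(grp)
        if directory[grp]["gid"] is None:
            if not continue_through_non_posix:
                continue         # defective: the chain is cut here
        else:
            found.add(grp)
        queue.extend(parents.get(grp, []))
    return found


def access_allowed(user, directory, fixed):
    """Deny when any resolved POSIX group is on the deny list."""
    groups = expand_groups(user, directory, continue_through_non_posix=fixed)
    return not (groups & DENY_GROUPS)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "defective",
              sorted(expand_groups("alice", DIRECTORY, fixed)),
              "bob allowed:", access_allowed("bob", DIRECTORY, fixed))
```

With the defective walk, bob's membership in "denied" is never resolved because it is reached only through the non-POSIX "contractors" group, so the deny rule does not fire; the corrected walk resolves it and denies access.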