openSUSE Security Update : sssd (openSUSE-SU-2014:1407-1)

low Nessus Plugin ID 79225

Synopsis

The remote openSUSE host is missing a security update.

Description

sssd was updated to the new upstream release 1.12.2 (bugfix release, bnc#900159).

Changes:

- Fixed a regression where the IPA provider did not fetch User Private Groups correctly.

- An important bug in the GPO access control, which resulted in a wrong principal being used, was fixed.

- Several new options are available for deployments that need to restrict a certain PAM service from connecting to a certain SSSD domain. For more details, see the description of pam_trusted_users and pam_public_domains options in the sssd.conf(5) man page and the domains option in the pam_sss(8) man page.

- When SSSD is acting as an IPA client in a setup with trusted AD domains, it is able to return group members or full group memberships for users from trusted AD domains.

- Support for the 'views' feature of IPA.

- The GPO access control was further enhanced to allow access control decisions while offline and to map the Windows logon rights onto Linux PAM services.

- The SSSD now ships a plugin for the rpc.idmapd daemon, sss_rpcidmapd(5).

- An MIT Kerberos localauth plugin was added to SSSD. This plugin helps translate principals to user names in IPA-AD trust scenarios, allowing the krb5.conf configuration to be less complex.

- A libwbclient plugin implementation is now part of the SSSD. The main purpose is to map Active Directory users and groups identified by their SID to POSIX users and groups for the file-server use-case.

- Active Directory users can now use their User Logon Name to log in.

- The sss_cache tool was enhanced to allow invalidating the SSH host keys.

- Groups without full POSIX information can now be used to enroll group membership (CVE-2014-0249).

- Detection of transition from offline to online state was improved, resulting in fewer timeouts when SSSD is offline.

- The Active Directory provider now correctly detects Windows Server 2012 R2. Previous versions would fall back to the slower non-AD path with 2012 R2.

- Several other bugs related to deployments where SSSD is acting as an AD client were fixed.

Solution

Update the affected sssd packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=900159

https://lists.opensuse.org/opensuse-updates/2014-11/msg00047.html

Plugin Details

Severity: Low

ID: 79225

File Name: openSUSE-2014-658.nasl

Version: 1.6

Type: local

Agent: unix

Published: 11/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Low

Base Score: 3.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:sssd-krb5-common, p-cpe:/a:novell:opensuse:libsss_sudo-debuginfo, p-cpe:/a:novell:opensuse:python-ipa_hbac, p-cpe:/a:novell:opensuse:libipa_hbac-devel, p-cpe:/a:novell:opensuse:python-ipa_hbac-debuginfo, p-cpe:/a:novell:opensuse:libnfsidmap-sss-debuginfo, p-cpe:/a:novell:opensuse:python-sss_nss_idmap, p-cpe:/a:novell:opensuse:sssd-wbclient, p-cpe:/a:novell:opensuse:sssd-krb5-common-debuginfo, p-cpe:/a:novell:opensuse:sssd-wbclient-debuginfo, p-cpe:/a:novell:opensuse:sssd-proxy, p-cpe:/a:novell:opensuse:sssd-tools-debuginfo, p-cpe:/a:novell:opensuse:sssd-32bit, p-cpe:/a:novell:opensuse:sssd-krb5-debuginfo, p-cpe:/a:novell:opensuse:sssd-proxy-debuginfo, p-cpe:/a:novell:opensuse:libipa_hbac0, p-cpe:/a:novell:opensuse:sssd-tools, p-cpe:/a:novell:opensuse:libnfsidmap-sss, p-cpe:/a:novell:opensuse:sssd-debuginfo, p-cpe:/a:novell:opensuse:sssd-ad, p-cpe:/a:novell:opensuse:libipa_hbac0-debuginfo, p-cpe:/a:novell:opensuse:libsss_simpleifp0-debuginfo, p-cpe:/a:novell:opensuse:libsss_idmap-devel, p-cpe:/a:novell:opensuse:sssd-ldap-debuginfo, p-cpe:/a:novell:opensuse:python-sssd-config, p-cpe:/a:novell:opensuse:libsss_idmap0-debuginfo, p-cpe:/a:novell:opensuse:sssd-wbclient-devel, p-cpe:/a:novell:opensuse:libsss_nss_idmap-devel, p-cpe:/a:novell:opensuse:python-sssd-config-debuginfo, p-cpe:/a:novell:opensuse:libsss_sudo, p-cpe:/a:novell:opensuse:sssd-ldap, p-cpe:/a:novell:opensuse:python-sss_nss_idmap-debuginfo, cpe:/o:novell:opensuse:13.2, p-cpe:/a:novell:opensuse:sssd-dbus, p-cpe:/a:novell:opensuse:sssd, p-cpe:/a:novell:opensuse:libsss_simpleifp0, p-cpe:/a:novell:opensuse:libsss_nss_idmap0-debuginfo, p-cpe:/a:novell:opensuse:sssd-krb5, p-cpe:/a:novell:opensuse:sssd-ipa-debuginfo, p-cpe:/a:novell:opensuse:sssd-ipa, p-cpe:/a:novell:opensuse:libsss_simpleifp-devel, p-cpe:/a:novell:opensuse:sssd-debuginfo-32bit, p-cpe:/a:novell:opensuse:sssd-debugsource, p-cpe:/a:novell:opensuse:sssd-ad-debuginfo, p-cpe:/a:novell:opensuse:sssd-dbus-debuginfo, 
p-cpe:/a:novell:opensuse:libsss_idmap0, p-cpe:/a:novell:opensuse:libsss_nss_idmap0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 11/5/2014

Reference Information

CVE: CVE-2014-0249