import OL sssd-2.10.2-3.0.1.el10_0.3
parent 6fc2203a2e
commit 4b4375f35d
@ -0,0 +1,49 @@
From e9da1315ec32e2eb65e4159b2318f8a756768b9d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.

Resolves: https://github.com/SSSD/sssd/issues/8021

:relnote: After startup SSSD already creates a Kerberos configuration
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
Starting with this release the an2ln plugin is disabled in the
configuration snippet as well. If this file or its content are included in
the Kerberos configuration it will fix CVE-2025-11561.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
---
src/util/domain_info_utils.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 79400e901..4a27e8123 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -747,6 +747,7 @@ done:
#define LOCALAUTH_PLUGIN_CONFIG \
"[plugins]\n" \
" localauth = {\n" \
+" disable = an2ln\n" \
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
" }\n"
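Review bot: the new `" disable = an2ln\n"` line in LOCALAUTH_PLUGIN_CONFIG only has an effect on hosts whose krb5.conf actually includes the pubconf snippet, and nothing in the macro can check that; the relnote says so, but it should also say that the `[plugins]` `localauth` `disable` applies to every libkrb5 consumer that reads the configuration, not just SSSD's own mapping, so any other service on an AD/IPA-joined host that relied on an2ln's implicit principal-to-user mapping loses it with this change. Suggest adding that side effect to the relnote next to the CVE-2025-11561 reference, together with a reminder that the snippet is written at SSSD startup, so already-joined hosts only get the new line after sssd is restarted (the spec's `%systemd_postun_with_restart sssd.service` does that on package upgrade, but not for hosts that copied the snippet's content into krb5.conf by hand, which the relnote explicitly allows).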

--
2.51.0
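The release note above makes the fix conditional: the `disable = an2ln` line helps only where the snippet from /var/lib/sss/pubconf/krb5.include.d/ (or its content) is actually pulled into the Kerberos configuration. The following check is an added example written for this page, not SSSD's code or part of the patch. It parses the krb5.conf subset the snippet uses, tests whether a krb5.conf body includes the pubconf directory via `includedir`, and reports whether the effective configuration ends up with an2ln disabled under `[plugins]`/`localauth`. The sample configurations are constructed: the pre-patch snippet is rebuilt from the hunk's context lines, the module path in both snippets is an assumed expansion of the build-time `APP_MODULES_PATH` macro, and the krb5.conf bodies are minimal stand-ins for a real host's file.

```python
"""Added example (not SSSD's code): does a host's Kerberos configuration
pick up SSSD's localauth snippet, and with it `disable = an2ln`?"""
import re
from typing import Dict, List, Optional

# Directory named in the release note above (assumed to be the one in use).
PUBCONF_INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"

# Constructed samples. The module path is an assumed expansion of the
# build-time APP_MODULES_PATH macro, not a value taken from the page.
SNIPPET_BEFORE = """[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
SNIPPET_AFTER = """[plugins]
 localauth = {
  disable = an2ln
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
KRB5_CONF_INCLUDING = """includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 dns_lookup_realm = false
"""
KRB5_CONF_NOT_INCLUDING = """[libdefaults]
 dns_lookup_realm = false
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `[section]` headers, `key = value` lines and one level of
    `key = { ... }` blocks; block tags become lists since `disable` may
    repeat. include/includedir lines are skipped (see includes_pubconf)."""
    sections: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    block: Optional[Dict[str, List[str]]] = None
    block_name = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and block is None:
            current = sections.setdefault(header.group(1), {})
            continue
        if line == "}":
            if block is None or current is None:
                raise ValueError("unbalanced '}'")
            current[block_name] = block
            block = None
            continue
        entry = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if entry is None or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = entry.group(1), entry.group(2).strip()
        if value == "{":
            if block is not None:
                raise ValueError("nested blocks are not supported")
            block_name, block = key, {}
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            current[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block")
    return sections


def includes_pubconf(krb5_conf: str) -> bool:
    """True if krb5.conf has an `includedir` for SSSD's pubconf snippet directory."""
    for raw in krb5_conf.splitlines():
        m = re.match(r"\s*includedir\s+(\S+)", raw)
        if m and m.group(1).rstrip("/") == PUBCONF_INCLUDE_DIR:
            return True
    return False


def localauth_disables_an2ln(conf_text: str) -> bool:
    """True if [plugins]/localauth in the given configuration disables an2ln."""
    localauth = parse_krb5_conf(conf_text).get("plugins", {}).get("localauth")
    if not isinstance(localauth, dict):
        return False
    return "an2ln" in {v.strip() for v in localauth.get("disable", [])}


def assess(krb5_conf: str, snippet: str) -> str:
    """'fixed', 'an2ln-still-enabled' (snippet included but pre-patch) or
    'snippet-not-included' (krb5.conf never pulls the snippet in, so the
    new line changes nothing unless its content was copied inline)."""
    included = includes_pubconf(krb5_conf)
    effective = krb5_conf + "\n" + snippet if included else krb5_conf
    if localauth_disables_an2ln(effective):
        return "fixed"
    return "an2ln-still-enabled" if included else "snippet-not-included"


if __name__ == "__main__":
    print(assess(KRB5_CONF_INCLUDING, SNIPPET_AFTER))      # fixed
    print(assess(KRB5_CONF_NOT_INCLUDING, SNIPPET_AFTER))  # snippet-not-included
```

On a real host, feed `assess()` the contents of /etc/krb5.conf and of /var/lib/sss/pubconf/krb5.include.d/localauth_plugin; a host where an administrator pasted the snippet's content directly into krb5.conf (the second case the release note allows) is reported as fixed as long as the pasted copy carries the `disable = an2ln` line.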
2002-orabug32810448-restore-default-debug-sss_cache.patch (Normal file, 26 lines)
@ -0,0 +1,26 @@
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Tue, 04 May 2021 13:31:41 +0100
Subject: [PATCH] restore default debug level for sss_cache

We want only fatal failures to be logged, otherwise in some conditions log is.
flooded with unneeded "errors"

Resolves: https://github.com/SSSD/sssd/issues/5488

Orabug: 32810448
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>

Patch migrated from ol8 to ol9 without any modification
Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
diff -uNr a/src/tools/sss_cache.c b/src/tools/sss_cache.c
--- a/src/tools/sss_cache.c 2024-06-26 02:11:39.000000000 -0700
+++ b/src/tools/sss_cache.c 2024-09-05 16:17:12.686336046 -0700
@@ -722,7 +722,7 @@
struct cache_tool_ctx *ctx = NULL;
int idb = INVALIDATE_NONE;
struct input_values values = { 0 };
- int debug = SSSDBG_TOOLS_DEFAULT;
+ int debug = SSSDBG_FATAL_FAILURE;
errno_t ret = EOK;

poptContext pc = NULL;
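Review bot: `+ int debug = SSSDBG_FATAL_FAILURE;` lowers the tool's initial log level unconditionally, so every non-fatal error sss_cache would report is hidden, not only the "errors" the description calls unneeded for "some conditions"; if those conditions are known, the narrower fix is to lower the level of the messages they emit, and either way the patch should say how an operator gets the verbose output back (an explicit debug option on the command line, if the popt table that follows `poptContext pc = NULL;` provides one). The provenance note is also stale: it says "Patch migrated from ol8 to ol9 without any modification", but this import is for el10_0 and the `diff -uNr` headers carry 2024 timestamps, so the patch was regenerated at least once; update the note, and drop the stray period in "log is." in the description.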
sssd.spec
@ -57,17 +57,19 @@

Name: sssd
Version: 2.10.2
Release: 3%{?dist}.2
Release: 3.0.1%{?dist}.3
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz
Source1: sssd.sysusers
Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch

### Patches ###
Patch0001: 0001-KCM-fix-memory-leak.patch
Patch0002: 0002-KCM-another-memory-leak-fixed.patch
Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
Patch0004: 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

### Dependencies ###

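Review bot: `Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch` is placed between `Source1` and the `### Patches ###` header, above Patch0001 through Patch0004; move it below `Patch0004: 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch` so the vendor patch lives in the patches block with the upstream ones, and put the Orabug number in a comment next to it as the changelog does. This hunk is also the only place the release bump is visible (`Release: 3%{?dist}.2` replaced by `Release: 3.0.1%{?dist}.3`); the rendering has dropped the -/+ markers, so a reader has to infer which line is old from the changelog further down.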
||||
@ -1118,6 +1120,12 @@ fi
%systemd_postun_with_restart sssd.service

%changelog
* Thu Nov 06 2025 EL Errata <el-errata_ww@oracle.com> - 2.10.2-3.0.1.3
- Restore default debug level for sss_cache [Orabug: 32810448]

* Mon Oct 20 2025 Masahiro Matsuya <mmatsuya@redhat.com> - 2.10.2-3.3
- Resolves: RHEL-120286 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.0.z]

* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.10.2-3.2
- Resolves: RHEL-79158 - Disk cache failure with large db sizes

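Review bot: the `2.10.2-3.0.1.3` entry lists only "Restore default debug level for sss_cache", while this same commit adds `Patch0004` (the CVE-2025-11561 fix) and the `2.10.2-3.3` base entry below it; add a line under the Oracle entry along the lines of `- Rebase on 2.10.2-3.3 (CVE-2025-11561)` so that someone reading only the top entry sees the security content of this build, and so the Release value `3.0.1%{?dist}.3` in the first hunk is traceable to the `2.10.2-3.3` base it imports.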