.gitignore

@@ -1 +1,11 @@
-SOURCES/sssd-2.9.4.tar.gz
+/sssd-2.6.2.tar.gz
+/sssd-2.7.0.tar.gz
+/sssd-2.7.2.tar.gz
+/sssd-2.7.3.tar.gz
+/sssd-2.8.1.tar.gz
+/sssd-2.8.2.tar.gz
+/sssd-2.9.0.tar.gz
+/sssd-2.9.1.tar.gz
+/sssd-2.9.2.tar.gz
+/sssd-2.9.3.tar.gz
+/sssd-2.9.4.tar.gz

.sssd.metadata

@@ -1 +0,0 @@
-574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz

0020-p11_child-Add-timeout-parameter.patch

@@ -0,0 +1,262 @@
+From 629cb8dfc8077f13464a47bf9af5bdc9c2e9b950 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Thu, 20 Mar 2025 18:11:40 +0100
+Subject: [PATCH] p11_child: Add timeout parameter
+
+p11_child communication with OCSP server may take a long time
+because of network issues. Then p11_child is killed after
+`p11_child_timeout` and the authentication fails.
+
+This is not desirable when `certificate_verification` is
+set to `soft_ocsp`. This update will pass the timeout to the
+child process so it can cancel the OCSP verification
+before it is terminated.
+
+Resolves: https://github.com/SSSD/sssd/issues/6601
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Scott Poore <spoore@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 2cf2e83a223f0eb74bd81a7fcaf726c62d577719)
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/p11_child/p11_child.h               |  4 +++-
+ src/p11_child/p11_child_common.c        | 19 +++++++++++++---
+ src/p11_child/p11_child_openssl.c       | 29 ++++++++++++++++++++++---
+ src/responder/ifp/ifp_users.c           | 12 +++++++++-
+ src/responder/pam/pamsrv_p11.c          | 12 +++++++++-
+ src/responder/ssh/ssh_cert_to_ssh_key.c | 10 ++++++++-
+ 6 files changed, 76 insertions(+), 10 deletions(-)
+
+diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
+index e3547ce23..2bc83990c 100644
+--- a/src/p11_child/p11_child.h
++++ b/src/p11_child/p11_child.h
+@@ -27,6 +27,7 @@
+ 
+ /* for CK_MECHANISM_TYPE */
+ #include <p11-kit/pkcs11.h>
++#include <time.h>
+ 
+ /* Time to wait for new slot events. */
+ #define PKCS11_SLOT_EVENT_WAIT_TIME 1
+@@ -59,7 +60,8 @@ enum pin_mode {
+ };
+ 
+ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
+-                     bool wait_for_card, struct p11_ctx **p11_ctx);
++                     bool wait_for_card, time_t timeout,
++                     struct p11_ctx **p11_ctx);
+ 
+ errno_t init_verification(struct p11_ctx *p11_ctx,
+                           struct cert_verify_opts *cert_verify_opts);
+diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
+index 5eab9b063..9d690669c 100644
+--- a/src/p11_child/p11_child_common.c
++++ b/src/p11_child/p11_child_common.c
+@@ -63,12 +63,12 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
+                    const char *cert_b64, const char *pin,
+                    const char *module_name, const char *token_name,
+                    const char *key_id, const char *label, const char *uri,
+-                   char **multi)
++                   time_t timeout, char **multi)
+ {
+     int ret;
+     struct p11_ctx *p11_ctx;
+ 
+-    ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
++    ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, timeout, &p11_ctx);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
+         return ret;
+@@ -165,6 +165,7 @@ int main(int argc, const char *argv[])
+     char *label = NULL;
+     char *cert_b64 = NULL;
+     long chain_id = 0;
++    long timeout = -1;
+     bool wait_for_card = false;
+     char *uri = NULL;
+ 
+@@ -202,6 +203,8 @@ int main(int argc, const char *argv[])
+          _("PKCS#11 URI to restrict selection"), NULL},
+         {"chain-id", 0, POPT_ARG_LONG, &chain_id,
+          0, _("Tevent chain ID used for logging purposes"), NULL},
++        {"timeout", 0, POPT_ARG_LONG, &timeout,
++         0, _("OCSP communication timeout"), NULL},
+         POPT_TABLEEND
+     };
+ 
+@@ -382,9 +385,19 @@ int main(int argc, const char *argv[])
+         }
+     }
+ 
++    /* sanity check for timeout value */
++    if (timeout > INT32_MAX) {
++        fprintf(stderr,
++                "Timeout value [%li] is too long, using [%d]\n",
++                timeout, INT32_MAX);
++        timeout = INT32_MAX;
++    } else if (timeout < -1) {
++        timeout = -1;
++    }
++
+     ret = do_work(main_ctx, mode, ca_db, cert_verify_opts, wait_for_card,
+                   cert_b64, pin, module_name, token_name, key_id, label, uri,
+-                  &multi);
++                  timeout, &multi);
+ 
+ done:
+     fprintf(stdout, "%d\n%s", ret, multi ? multi : "");
+diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
+index 45a4930ba..468d8cf5c 100644
+--- a/src/p11_child/p11_child_openssl.c
++++ b/src/p11_child/p11_child_openssl.c
+@@ -44,6 +44,7 @@ struct p11_ctx {
+     const char *ca_db;
+     bool wait_for_card;
+     struct cert_verify_opts *cert_verify_opts;
++    time_t ocsp_deadline;
+ };
+ 
+ static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
+@@ -390,8 +391,19 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
+ 
+     OCSP_request_add1_nonce(ocsp_req, NULL, -1);
+ 
+-    ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
+-                                  req_timeout);
++    if (p11_ctx->ocsp_deadline != -1  && p11_ctx->cert_verify_opts->soft_ocsp) {
++        req_timeout = p11_ctx->ocsp_deadline - time(NULL);
++        if (req_timeout <= 0) {
++            /* no time left for OCSP */
++            DEBUG(SSSDBG_TRACE_INTERNAL,
++                  "Timeout before we could run OCSP request.\n");
++            req_timeout = 0;
++        }
++    }
++    if (req_timeout != 0) {
++        ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
++                                      req_timeout);
++    }
+     if (ocsp_resp == NULL) {
+         if (p11_ctx->cert_verify_opts->soft_ocsp) {
+             tmp_str = get_issuer_subject_str(p11_ctx, cert);
+@@ -580,7 +592,8 @@ static int p11_ctx_destructor(struct p11_ctx *p11_ctx)
+ }
+ 
+ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
+-                     bool wait_for_card, struct p11_ctx **p11_ctx)
++                     bool wait_for_card, time_t timeout,
++                     struct p11_ctx **p11_ctx)
+ {
+     int ret;
+     struct p11_ctx *ctx;
+@@ -591,6 +604,16 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
+         return ENOMEM;
+     }
+ 
++    if (timeout == 1) {
++        /* timeout of 1 sec is too short (see -1 in deadline calculation),
++         * increasing to 2 and hope that the ocsp operation finishes
++         * before p11_child is terminated.
++         */
++        timeout = 2;
++    }
++    /* timeout <= 0 means no timeout specified */
++    ctx->ocsp_deadline = timeout > 0 ? time(NULL) + timeout - 1 : -1;
++
+     /* See https://wiki.openssl.org/index.php/Library_Initialization for
+      * details. */
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
+index 7acd46ef1..6c147d74d 100644
+--- a/src/responder/ifp/ifp_users.c
++++ b/src/responder/ifp/ifp_users.c
+@@ -1128,7 +1128,7 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    state->extra_args = talloc_zero_array(state, const char *, 8);
++    state->extra_args = talloc_zero_array(state, const char *, 10);
+     if (state->extra_args == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+         ret = ENOMEM;
+@@ -1143,6 +1143,16 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx,
+         state->extra_args[arg_c++] = "--verify";
+     }
+     state->extra_args[arg_c++] = "--verification";
++    if (state->timeout > 0) {
++        state->extra_args[arg_c++] = talloc_asprintf(state, "%d",
++                                                     state->timeout);
++        if (state->extra_args[arg_c - 1] == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
++            ret = ENOMEM;
++            goto done;
++        }
++        state->extra_args[arg_c++] = "--timeout";
++    }
+ 
+     ret = p11_child_exec(req);
+ 
+diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
+index 2f973d89f..1490ca28d 100644
+--- a/src/responder/pam/pamsrv_p11.c
++++ b/src/responder/pam/pamsrv_p11.c
+@@ -746,7 +746,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
+     struct timeval tv;
+     int pipefd_to_child[2] = PIPE_INIT;
+     int pipefd_from_child[2] = PIPE_INIT;
+-    const char *extra_args[20] = { NULL };
++    const char *extra_args[22] = { NULL };
+     uint8_t *write_buf = NULL;
+     size_t write_buf_len = 0;
+     size_t arg_c;
+@@ -778,6 +778,16 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
+     /* extra_args are added in revers order */
+     arg_c = 0;
+ 
++    if (timeout > 0) {
++        extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", timeout);
++        if (extra_args[arg_c - 1] == NULL) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
++            ret = ENOMEM;
++            goto done;
++        }
++        extra_args[arg_c++] = "--timeout";
++    }
++
+     chain_id = sss_chain_id_get();
+ 
+     extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", chain_id);
+diff --git a/src/responder/ssh/ssh_cert_to_ssh_key.c b/src/responder/ssh/ssh_cert_to_ssh_key.c
+index b8bc8b7ab..53c33c279 100644
+--- a/src/responder/ssh/ssh_cert_to_ssh_key.c
++++ b/src/responder/ssh/ssh_cert_to_ssh_key.c
+@@ -91,7 +91,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
+     }
+     state->valid_keys = 0;
+ 
+-    state->extra_args = talloc_zero_array(state, const char *, 8);
++    state->extra_args = talloc_zero_array(state, const char *, 10);
+     if (state->extra_args == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+         ret = ENOMEM;
+@@ -108,6 +108,14 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
+         state->extra_args[arg_c++] = "--verify";
+     }
+     state->extra_args[arg_c++] = "--verification";
++    if (timeout > 0) {
++        state->extra_args[arg_c++] = talloc_asprintf(state, "%lu", timeout);
++        if (state->extra_args[arg_c - 1] == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++        state->extra_args[arg_c++] = "--timeout";
++    }
+ 
+     state->certs = talloc_zero_array(state, const char *, cert_count);
+     if (state->certs == NULL) {
+-- 
+2.51.0
+

0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

@@ -0,0 +1,49 @@
+From b25abc587657366a864b119c6ae899d440812c1f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index a6fae06af..81eec9eac 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++"  disable = an2ln\n" \
+ "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
+-- 
+2.51.0
+

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: sssd-qe, ftrivino
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1 @@
+SHA512 (sssd-2.9.4.tar.gz) = 9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2

sssd.spec

@@ -19,7 +19,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 5%{?dist}.2.0.1
+Release: 5%{?dist}.3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -46,6 +46,8 @@ Patch0016: 0016-KCM-fix-memory-leak.patch
 Patch0017: 0017-KCM-another-memory-leak-fixed.patch
 Patch0018: 0018-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
 Patch0019: 0019-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
+Patch0020: 0020-p11_child-Add-timeout-parameter.patch
+Patch0021: 0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 
 ### Downstream Patches ###
 
@@ -1230,6 +1232,10 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Fri Oct 17 2025 Alejandro López <allopez@redhat.com> - 2.9.4-5.3
+- Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z]
+- Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z]	
+
 * Fri Apr 25 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-5.2
 - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z]
 - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z]