Will the COPR repos will be republished?
------
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "
Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857
On 12 October 2017 at 02:41, Sumit Bose <sbose@redhat.com> wrote:
=============== A security bug in SSSD 1.12 and later =========================https://pagure.io/SSSD/sssd/c/
=
= Subject: Unsanitized input when searching in local cache database
=
= CVE ID#: CVE-2017-12173
=
= Summary: SSSD stores its cached data in an LDAP like local database
= file using libldb. To lookup cached data LDAP search
= filters like '(objectClass=user)(name=user_name)' are used.
= However, in sysdb_search_user_by_upn_res(), the input is
= not sanitized and allows to manipulate the search filter
= for cache lookups.
=
= This would allow a logged in user to discover the password
= hash of a different user.
=
= Impact: Moderate
=
= Affects default
= configuration: When configured with tools like realmd or
= ipa-client-install
=
= Introduced with: 1.12.0
=
============================================================ ==================
==== DESCRIPTION ====
SSSD stores its cached data in an LDAP like local database file using libldb.
To lookup cached data LDAP search filters like
'(objectClass=user)(name=user_name)' are used. However, in
sysdb_search_user_by_upn_res(), the input is not sanitized and allows to
manipulate the search filter for cache lookups.
This would allow a logged in user to discover the password hash of a different
user.
While in the default configuration the sssd.conf parameter 'cache_credentials'
is set to 'False' it is typically switched to 'True' by tools like realmd or
ipa-client-install to support offline authentication.
To remove the only password hashes from the cache 'cache_credentials' should be
set to 'False' in all [domain/...] sections of sssd.conf. Additionally the
already stored hashes must be remove e.g. by calling
ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
for each configured domain and removing all 'cachedPassword' attributes.
==== PATCH AVAILABILITY ====
The patch is available at:
1f2662c8f97c9c0fa250055d4b6750 abfc6d0835?branch=master
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org