Will the COPR repos be republished?
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
*Greg Bloom* @greggish
On 12 October 2017 at 02:41, Sumit Bose <sbose(a)redhat.com> wrote:
=============== A security bug in SSSD 1.12 and later
= Subject:    Unsanitized input when searching in local cache
= CVE ID#:    CVE-2017-12173
= Summary:    SSSD stores its cached data in an LDAP like local
=             database file using libldb. To lookup cached data LDAP
=             search filters like '(objectClass=user)(name=user_name)'
=             are used. However, in sysdb_search_user_by_upn_res(), the
=             input is not sanitized and allows the search filter for
=             cache lookups to be manipulated.
=             This would allow a logged in user to discover the password
=             hash of a different user.
= Impact:     Moderate
= Affects default
=  configuration: When configured with tools like realmd or
= Introduced with: 1.12.0
==== DESCRIPTION ====
SSSD stores its cached data in an LDAP like local database file using
libldb. To lookup cached data LDAP search filters like
'(objectClass=user)(name=user_name)' are used. However, in
sysdb_search_user_by_upn_res(), the input is not sanitized and allows
the search filter for cache lookups to be manipulated.
This would allow a logged in user to discover the password hash of a
different user.
While in the default configuration the sssd.conf parameter
'cache_credentials' is set to 'False', it is typically switched to 'True'
by tools like ipa-client-install to support offline authentication.
To remove only the password hashes from the cache, 'cache_credentials'
must be set to 'False' in all [domain/...] sections of sssd.conf.
Additionally the already stored hashes must be removed, e.g. by calling
ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
for each configured domain and removing all 'cachedPassword' attributes.
==== PATCH AVAILABILITY ====
The patch is available at:
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
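As an added example (not SSSD's code, and not the fix the advisory refers to), the kind of sanitization the report says sysdb_search_user_by_upn_res() lacked: a caller-supplied value is escaped per RFC 4515 before it is placed into a libldb-style search filter, so it can only ever be matched against one attribute and cannot add clauses of its own. The attribute name userPrincipalName, the filter layout and the sample input are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*' -> \2a, '(' -> \28, ')' -> \29, '\' -> \5c. Writes into 'out'
 * (capacity outlen); returns false if the result does not fit. */
bool ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '*':  rep = "\\2a"; break;
        case '(':  rep = "\\28"; break;
        case ')':  rep = "\\29"; break;
        case '\\': rep = "\\5c"; break;
        }
        size_t need = rep ? 3 : 1;
        if (pos + need >= outlen) return false;   /* keep room for NUL */
        if (rep) memcpy(out + pos, rep, 3); else out[pos] = *p;
        pos += need;
    }
    out[pos] = '\0';
    return true;
}

/* Build a UPN lookup filter from a caller-supplied value. The attribute
 * name and filter layout are assumptions for illustration, not SSSD's.
 * Because the value is escaped first, the result always has exactly the
 * two intended clauses, whatever characters the caller passed in. */
bool build_upn_filter(const char *upn, char *filter, size_t flen)
{
    char esc[512];
    if (!ldap_filter_escape(upn, esc, sizeof(esc))) return false;
    int n = snprintf(filter, flen,
                     "(&(objectClass=user)(userPrincipalName=%s))", esc);
    return n > 0 && (size_t)n < flen;
}

int main(void)
{
    char filter[1024];
    /* constructed sample input containing filter metacharacters */
    if (build_upn_filter("user@EXAMPLE.COM)(x=*", filter, sizeof(filter)))
        printf("%s\n", filter);
    return 0;
}
```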