Security update for sssd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2289-1 Final 1 1 2018-08-09T20:46:43Z current 2018-08-09T20:46:43Z 2018-08-09T20:46:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following security issue: - CVE-2018-10852: Set stricter permissions on /var/lib/sss/pipes/sudo to prevent the disclosure of sudo rules for arbitrary users (bsc#1098377). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00035.html E-Mail link for openSUSE-SU-2018:2289-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 libipa_hbac-devel-1.16.1-lp150.2.3.1 libipa_hbac0-1.16.1-lp150.2.3.1 libnfsidmap-sss-1.16.1-lp150.2.3.1 libsss_certmap-devel-1.16.1-lp150.2.3.1 libsss_certmap0-1.16.1-lp150.2.3.1 libsss_idmap-devel-1.16.1-lp150.2.3.1 libsss_idmap0-1.16.1-lp150.2.3.1 libsss_nss_idmap-devel-1.16.1-lp150.2.3.1 libsss_nss_idmap0-1.16.1-lp150.2.3.1 libsss_simpleifp-devel-1.16.1-lp150.2.3.1 libsss_simpleifp0-1.16.1-lp150.2.3.1 python3-ipa_hbac-1.16.1-lp150.2.3.1 python3-sss-murmur-1.16.1-lp150.2.3.1 python3-sss_nss_idmap-1.16.1-lp150.2.3.1 python3-sssd-config-1.16.1-lp150.2.3.1 sssd-1.16.1-lp150.2.3.1 sssd-32bit-1.16.1-lp150.2.3.1 sssd-ad-1.16.1-lp150.2.3.1 sssd-dbus-1.16.1-lp150.2.3.1 sssd-ipa-1.16.1-lp150.2.3.1 sssd-krb5-1.16.1-lp150.2.3.1 sssd-krb5-common-1.16.1-lp150.2.3.1 sssd-ldap-1.16.1-lp150.2.3.1 sssd-proxy-1.16.1-lp150.2.3.1 sssd-tools-1.16.1-lp150.2.3.1 sssd-wbclient-1.16.1-lp150.2.3.1 sssd-wbclient-devel-1.16.1-lp150.2.3.1 sssd-winbind-idmap-1.16.1-lp150.2.3.1 libipa_hbac-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libipa_hbac0-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libnfsidmap-sss-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_certmap-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_certmap0-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_idmap-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_idmap0-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_nss_idmap-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_nss_idmap0-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_simpleifp-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libsss_simpleifp0-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-ipa_hbac-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-sss-murmur-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-sss_nss_idmap-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-sssd-config-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-32bit-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-ad-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-dbus-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-ipa-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-krb5-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-krb5-common-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-ldap-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-proxy-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-tools-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-wbclient-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-wbclient-devel-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 sssd-winbind-idmap-1.16.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3. CVE-2018-10852 openSUSE Leap 15.0:libipa_hbac-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libipa_hbac0-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libnfsidmap-sss-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_certmap-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_certmap0-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_idmap-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_idmap0-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_nss_idmap-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_nss_idmap0-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_simpleifp-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:libsss_simpleifp0-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:python3-ipa_hbac-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:python3-sss-murmur-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:python3-sss_nss_idmap-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:python3-sssd-config-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-32bit-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-ad-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-dbus-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-ipa-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-krb5-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-krb5-common-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-ldap-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-proxy-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-tools-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-wbclient-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-wbclient-devel-1.16.1-lp150.2.3.1 openSUSE Leap 15.0:sssd-winbind-idmap-1.16.1-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00035.html https://www.suse.com/security/cve/CVE-2018-10852.html CVE-2018-10852 https://bugzilla.suse.com/1098377 SUSE Bug 1098377