Security update for sssd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0552-1 Final 1 1 2019-03-06T08:47:58Z current 2019-03-06T08:47:58Z 2019-03-06T08:47:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following issues: Security vulnerability fixed: - CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories (bsc#1121759) Other bug fixes and changes: - Skip sdap_save_grpmem() if ignore_group_members is set. (bsc#1082568) - Only search for primary group if it is not already cached (bsc#1082568) - Install /var/lib/sss/mc directory to correct sssd cache invalidation behaviour. Spec patch authored by Josef Cejka. (bsc#1039567) to fix a segfault in sudo provider (bsc#977224). - Fix a segfault in sss_cache (bsc#976038). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-552,SUSE-SLE-SERVER-12-2019-552 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190552-1/ Link for SUSE-SU-2019:0552-1 https://www.suse.com/support/update/announcement/2019/suse-su-20190552-1.html E-Mail link for SUSE-SU-2019:0552-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1039567 SUSE Bug 1039567 https://bugzilla.suse.com/1082568 SUSE Bug 1082568 https://bugzilla.suse.com/1121759 SUSE Bug 1121759 https://bugzilla.suse.com/976038 SUSE Bug 976038 https://bugzilla.suse.com/977224 SUSE Bug 977224 https://www.suse.com/security/cve/CVE-2019-3811/ SUSE CVE CVE-2019-3811 page SUSE Linux Enterprise Server 12-LTSS libipa_hbac-devel-1.11.5.1-10.16.1 libipa_hbac0-1.11.5.1-10.16.1 libsss_idmap-devel-1.11.5.1-10.16.1 libsss_idmap0-1.11.5.1-10.16.1 libsss_nss_idmap-devel-1.11.5.1-10.16.1 libsss_nss_idmap0-1.11.5.1-10.16.1 libsss_sudo-1.11.5.1-10.16.1 python-ipa_hbac-1.11.5.1-10.16.1 python-sss_nss_idmap-1.11.5.1-10.16.1 python-sssd-config-1.11.5.1-10.16.1 sssd-1.11.5.1-10.16.1 sssd-32bit-1.11.5.1-10.16.1 sssd-64bit-1.11.5.1-10.16.1 sssd-ad-1.11.5.1-10.16.1 sssd-ipa-1.11.5.1-10.16.1 sssd-krb5-1.11.5.1-10.16.1 sssd-krb5-common-1.11.5.1-10.16.1 sssd-ldap-1.11.5.1-10.16.1 sssd-proxy-1.11.5.1-10.16.1 sssd-tools-1.11.5.1-10.16.1 libipa_hbac0-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS libsss_idmap0-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS libsss_sudo-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS python-sssd-config-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-32bit-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-ad-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-ipa-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-krb5-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-krb5-common-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-ldap-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-proxy-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS sssd-tools-1.11.5.1-10.16.1 as a component of SUSE Linux Enterprise Server 12-LTSS A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc. All versions before 2.1 are vulnerable. CVE-2019-3811 SUSE Linux Enterprise Server 12-LTSS:libipa_hbac0-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:libsss_idmap0-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:libsss_sudo-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:python-sssd-config-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-32bit-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-ad-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-ipa-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-krb5-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-krb5-common-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-ldap-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-proxy-1.11.5.1-10.16.1 SUSE Linux Enterprise Server 12-LTSS:sssd-tools-1.11.5.1-10.16.1 moderate 2.7 AV:A/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190552-1/ https://www.suse.com/security/cve/CVE-2019-3811.html CVE-2019-3811 https://bugzilla.suse.com/1121759 SUSE Bug 1121759