Scientific Linux Forum.org

TESTING - sssd security update for SL6
dawson
Posted: Jun 6 2011, 09:07 PM
Member
Group: Members
Posts: 1
Member No.: 240
Joined: 3-June 11

Hello,
There is a security update for sssd, classified as low.
This update pulls in a lot of dependencies for packages that are currently only in SL 6.1 alpha. Because of these multiple dependencies, we are very cautious about this update, especially since it is classified as low.
We are especially nervous about the dependency krb5. krb5 is version 1.8 in SL 6.0, and version 1.9 in SL 6.1. We already know of one lab where this update breaks outgoing Kerberos clients.
We currently do not have a date set for when this update will go out.

To test or update

SL6
-------

yum --enablerepo=sl-testing update sssd\*

or you can download the RPMs by hand at

http://ftp.scientificlinux.org/linux/scientific/6rolling/testing/i386/sssd/
http://ftp.scientificlinux.org/linux/scientific/6rolling/testing/x86_64/sssd/

sssd-1.5.1-34.el6
krb5-1.9-9.el6
libcollection-0.6.0-6.el6
libdhash-0.4.2-6.el6
libini_config-0.6.1-6.el6
libpath_utils-0.2.1-6.el6
libref_array-0.1.1-6.el6

Thanks
Troy Dawson
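Because the concern in this post is the krb5 1.8 to 1.9 jump that rides along with the sssd update, a practical pre-flight check is to dry-run the update and refuse to proceed when any krb5 package would change its major.minor version. The script below is an added example, not part of the post or of Scientific Linux's tooling; the yum transaction summary and the installed-version list are constructed sample data standing in for `yum --enablerepo=sl-testing --assumeno update 'sssd*'` and `rpm -qa --qf '%{NAME} %{VERSION}\n'` so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the post or from Scientific Linux): dry-run the
# sssd testing update and flag any krb5 package whose major.minor version
# would change, since the post reports 1.8 -> 1.9 breaking outgoing Kerberos
# clients in one lab. The data below is constructed; on a real box it would
# come from
#   yum --enablerepo=sl-testing --assumeno update 'sssd*'
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'krb5*' sssd

# Constructed yum transaction summary (package names from the post)
SAMPLE_TXN='Updating:
 sssd                x86_64   1.5.1-34.el6     sl-testing
Updating for dependencies:
 krb5-libs           x86_64   1.9-9.el6        sl-testing
 krb5-workstation    x86_64   1.9-9.el6        sl-testing
 libcollection       x86_64   0.6.0-6.el6      sl-testing'

# Constructed "name version" list of what is installed on an SL 6.0 host
SAMPLE_INSTALLED='krb5-libs 1.8.2
krb5-workstation 1.8.2
sssd 1.5.1'

# minor_of VERSION: reduce "1.9-9.el6" or "1.8.2" to "1.9" / "1.8"
minor_of() {
  printf '%s\n' "$1" | cut -d- -f1 | cut -d. -f1,2
}

# krb5_minor_bumps TXN INSTALLED: print "name old -> new" for every krb5
# package in the transaction whose major.minor differs from the installed
# one. Prints nothing when the update is version-neutral for krb5.
krb5_minor_bumps() {
  txn=$1
  installed=$2
  printf '%s\n' "$txn" | awk '/^ krb5/ { print $1, $3 }' |
  while read -r name newver; do
    oldver=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$oldver" ] || continue          # not installed: a new dep, not a bump
    oldmm=$(minor_of "$oldver")
    newmm=$(minor_of "$newver")
    if [ "$oldmm" != "$newmm" ]; then
      printf '%s %s -> %s\n' "$name" "$oldmm" "$newmm"
    fi
  done
}

# Verdict on the sample data: a wrapper would stop here, before the real
# `yum update`, whenever something is printed.
bumps=$(krb5_minor_bumps "$SAMPLE_TXN" "$SAMPLE_INSTALLED")
if [ -n "$bumps" ]; then
  printf 'WARNING: sssd update would change krb5 version:\n%s\n' "$bumps"
  printf 'Test outgoing Kerberos clients (kinit, GSSAPI ssh) on a lab box first.\n'
else
  echo 'No krb5 major.minor change in this transaction.'
fi
```

The check keys on major.minor only, so a 1.8.2 to 1.8.3 rebuild passes silently while the 1.8 to 1.9 change the post warns about is reported for each krb5 sub-package.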

joutlan
Posted: Jun 6 2011, 09:57 PM
SLF Inceptor
Group: Admins
Posts: 867
Member No.: 1
Joined: 8-April 11

Here we go. Great. Thanks, Troy, for the update!

--------------------
DΞLL Precision M6700: 17 inch NB//i7-quad w/USB 3.0, 16.0GB, Quadro K5000M 2.0GB DDR3, RGBLED //W8P64/Scientific Linux 6.4 x64
DΞLL Vostro 3350 Nirvana: 13 inch NB w/ IntelSSD// W8Px64 (Work;Games)
Nexus 4 //Android

redman
Posted: Jun 7 2011, 05:49 AM
Retired SLF Administrator
Group: Admins
Posts: 1276
Member No.: 2
Joined: 8-April 11

Good, thanks for the info.

--------------------
"Sometimes the best helping hand you can give is a good, firm push."

sgallagh
Posted: Jun 8 2011, 12:19 PM
SLF Newbie
Group: Members
Posts: 1
Member No.: 257
Joined: 8-June 11

SSSD does not have a hard requirement on Kerberos 1.9. The spec file can be modified to build against Kerberos 1.8, though Scientific Linux will then lose the support for the FAST protocol.

This can be done by modifying the specfile to change the
BuildRequires: krb5-devel >= 1.9
to
BuildRequires: krb5-devel

This version of SSSD will run fine, albeit without support for the Kerberos FAST protocol. When Kerberos 1.9 is eventually released, you MUST do a rebuild of SSSD in order to gain this functionality. While the Kerberos 1.9 library is backwards-compatible for all 1.8 features, detection of FAST support is a compile-time action.

For what it's worth, the security bug that this errata addresses is very low. It is a denial of service that requires local access to the machine to accomplish. A malicious user (one with a legitimate login to the system) could send a carefully crafted message to the PAM socket of the SSSD. The result would be that the SSSD would enter an infinite loop and would no longer answer requests for user logins until the sssd_pam process was restarted (which would happen automatically after about thirty seconds, as the heartbeat checks from the monitor process would not be getting replies).

--
Stephen Gallagher
Lead Developer - System Security Services Daemon
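The spec change described above is a one-line edit, but the compile-time nature of the FAST detection is easy to forget once the package is built. The script below is an added example, not SSSD project tooling and not from the post: it applies the BuildRequires relaxation to a copy of the spec and records whether the build host's krb5 is new enough for FAST, so the "rebuild once krb5 1.9 is released" reminder is visible at build time. The spec fragment is constructed; only the BuildRequires line reflects the post. `krb5-config --version` is the real krb5 tool for reading the installed version, with a constructed fallback when it is absent.

```shell
#!/bin/sh
# Added example (not the SSSD project's tooling, not from the post): relax
#   BuildRequires: krb5-devel >= 1.9
# to
#   BuildRequires: krb5-devel
# as Stephen describes, and note at build time whether FAST will be compiled
# in, because that detection happens at compile time and the package must be
# rebuilt once krb5 1.9 is available.

# Constructed spec fragment; only the krb5-devel BuildRequires line matters
SAMPLE_SPEC='Name:           sssd
Version:        1.5.1
Release:        34%{?dist}
BuildRequires:  krb5-devel >= 1.9
BuildRequires:  popt-devel'

# relax_krb5_buildreq SPECFILE: drop the ">= 1.9" constraint on krb5-devel,
# leaving every other BuildRequires untouched. Goes through a temp file
# rather than `sed -i` so it behaves the same on GNU and BSD sed.
relax_krb5_buildreq() {
  spec=$1
  sed 's/^\(BuildRequires:[[:space:]]*krb5-devel\)[[:space:]]*>=[[:space:]]*1\.9[[:space:]]*$/\1/' \
    "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# fast_at_build VERSION_STRING: exit 0 when the krb5 on the build host is
# >= 1.9 (FAST gets compiled in), 1 otherwise. Accepts either the string
# `krb5-config --version` prints ("Kerberos 5 release 1.9") or a bare "1.8.2".
fast_at_build() {
  v=${1##* }                      # last word is the version number
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 9 ]; }
}

# Demo on a throwaway copy of the constructed spec
work=$(mktemp)
printf '%s\n' "$SAMPLE_SPEC" > "$work"
relax_krb5_buildreq "$work"
grep '^BuildRequires' "$work"
rm -f "$work"

# Real hosts: ask krb5-config; fallback value is constructed for offline runs
hostver=$(krb5-config --version 2>/dev/null || echo 'Kerberos 5 release 1.8.2')
if fast_at_build "$hostver"; then
  echo "krb5 >= 1.9 on this host ($hostver): FAST will be compiled in"
else
  echo "krb5 < 1.9 on this host ($hostver): rebuild sssd (rpmbuild -bb sssd.spec) after krb5 1.9 lands to get FAST"
fi
```

The version test deliberately reads the build host's krb5 rather than the spec, since after the relaxation the spec no longer says anything about which krb5 the binary was compiled against.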

joutlan
Posted: Jun 8 2011, 05:31 PM
SLF Inceptor
Group: Admins
Posts: 867
Member No.: 1
Joined: 8-April 11

QUOTE (sgallagh @ Jun 8 2011, 08:19 AM)
SSSD does not have a hard requirement on Kerberos 1.9. The spec file can be modified to build against Kerberos 1.8, though Scientific Linux will then lose the support for the FAST protocol.

This can be done by modifying the specfile to change the
BuildRequires: krb5-devel >= 1.9
to
BuildRequires: krb5-devel

This version of SSSD will run fine, albeit without support for the Kerberos FAST protocol. When Kerberos 1.9 is eventually released, you MUST do a rebuild of SSSD in order to gain this functionality. While the Kerberos 1.9 library is backwards-compatible for all 1.8 features, detection of FAST support is a compile-time action.

For what it's worth, the security bug that this errata addresses is very low. It is a denial of service that requires local access to the machine to accomplish. A malicious user (one with a legitimate login to the system) could send a carefully crafted message to the PAM socket of the SSSD. The result would be that the SSSD would enter an infinite loop and would no longer answer requests for user logins until the sssd_pam process was restarted (which would happen automatically after about thirty seconds, as the heartbeat checks from the monitor process would not be getting replies).

--
Stephen Gallagher
Lead Developer - System Security Services Daemon


Stephen.... I appreciate your posting that information over here. It's also interesting from my personal point of view to read a professional's explanation of a problem, because the net is full of "self made" hackers. Also, IMO, this is exactly why SL is in another class by itself (with RHEL). My son is studying Computer Science this fall at UCF... should he be? LOL He's NOT doing what I do....

That said, welcome to the forum!

--------------------
DΞLL Precision M6700: 17 inch NB//i7-quad w/USB 3.0, 16.0GB, Quadro K5000M 2.0GB DDR3, RGBLED //W8P64/Scientific Linux 6.4 x64
DΞLL Vostro 3350 Nirvana: 13 inch NB w/ IntelSSD// W8Px64 (Work;Games)
Nexus 4 //Android