OVAL

ELSA-2013-0508 -- Oracle sssd and libsss_autofs

ID: oval:org.secpod.oval:def:1500040
Date: (C)2013-03-20   (M)2023-12-07
Class: PATCH
Family: unix




Updated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.

A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user.

Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could send a specially-crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash.

The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team.

These updated sssd packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All SSSD users are advised to upgrade to these updated packages, which upgrade SSSD to upstream version 1.9 to correct these issues, fix these bugs and add these enhancements.

Platform:
Oracle Linux 6
Product:
sssd
libsss_autofs
Reference:
ELSA-2013-0508
CVE-2013-0219
CVE-2013-0220
CVE    2
CVE-2013-0220
CVE-2013-0219
CPE    3
cpe:/a:sssd:libsss_autofs
cpe:/a:sssd:sssd
cpe:/o:oracle:linux:6

© SecPod Technologies