Hello community,

here is the log from the commit of package sssd for openSUSE:Factory checked in 
at 2025-11-20 14:46:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sssd (Old)
 and      /work/SRC/openSUSE:Factory/.sssd.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sssd"

Thu Nov 20 14:46:13 2025 rev:145 rq:1318458 version:2.11.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/sssd/sssd.changes        2025-08-03 
13:36:40.169606499 +0200
+++ /work/SRC/openSUSE:Factory/.sssd.new.2061/sssd.changes      2025-11-20 
14:46:17.516012447 +0100
@@ -1,0 +2,7 @@
+Tue Nov 18 09:38:39 UTC 2025 - Samuel Cabrero <[email protected]>
+
+- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
+  (bsc#1251827);
+  add 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+
+-------------------------------------------------------------------
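Review bot: The new entry records only the CVE-2025-11561 patch, but the sssd.spec diff in this same revision also removes the libsss_simpleifp0 and libsss_simpleifp-devel subpackages and drops --with-libsifp from the configure call. Add a changelog line for that removal so the dropped library can be traced to this revision. The entry also says "for AD" while the patch subject reads "for AD/IPA"; wording it as AD/IPA would match the patch.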

New:
----
  0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

----------(New B)----------
  New:  (bsc#1251827);
  add 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sssd.spec ++++++
--- /var/tmp/diff_new_pack.9CVLu8/_old  2025-11-20 14:46:18.468052833 +0100
+++ /var/tmp/diff_new_pack.9CVLu8/_new  2025-11-20 14:46:18.472053003 +0100
@@ -30,6 +30,7 @@
 Source5:        %name.keyring
 Source6:        %name-rpmlintrc
 Patch1:         0001-TOOL-Fix-build-parameter-name-omitted.patch
+Patch2:         0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 Patch11:        krb-noversion.diff
 Patch12:        harden_sssd-ifp.service.patch
 Patch13:        harden_sssd-kcm.service.patch
@@ -343,29 +344,6 @@
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
 
-%package -n libsss_simpleifp0
-Summary:        The SSSD D-Bus responder helper library
-License:        GPL-3.0-or-later
-Group:          System/Libraries
-# Even though sssd has obsoleted simpleifp, the plan here is to retain ABI
-# compatibility with the existing SUSE 15.x product line. ...at least, until
-# sssd completely removes SIFP from source.
-
-%description -n libsss_simpleifp0
-This subpackage provides a library that simplifies the D-Bus API for
-the SSSD InfoPipe responder.
-
-%package -n libsss_simpleifp-devel
-Summary:        Development files for the SSSD D-Bus responder helper library
-License:        GPL-3.0-or-later
-Group:          Development/Libraries/C and C++
-Requires:       libsss_simpleifp0 = %version
-
-%description -n libsss_simpleifp-devel
-This subpackage provides the development files for sssd's simpleifp,
-a library that simplifies the D-Bus API for the SSSD InfoPipe
-responder.
-
 %package -n libsss_sudo
 Summary:        A library to allow communication between sudo and SSSD
 License:        LGPL-3.0-or-later
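Review bot: The removed comment under "%package -n libsss_simpleifp0" said the library was kept for ABI compatibility with the SUSE 15.x line "until sssd completely removes SIFP from source", yet nothing in this spec diff adds an Obsoletes: for libsss_simpleifp0 or libsss_simpleifp-devel, and the sssd.changes entry does not mention the drop. Confirm that SIFP is gone from the 2.11.1 source, say so in the changelog, and decide whether the two old package names should be obsoleted so that upgraded systems are handled deliberately.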
@@ -440,8 +418,7 @@
        --with-selinux=yes \
        --with-subid
 %else
-       --with-selinux=no \
-       --with-libsifp
+       --with-selinux=no
 %endif
 %make_build all
 
@@ -558,7 +535,6 @@
 %ldconfig_scriptlets -n libipa_hbac0
 %ldconfig_scriptlets -n libsss_idmap0
 %ldconfig_scriptlets -n libsss_nss_idmap0
-%ldconfig_scriptlets -n libsss_simpleifp0
 
 %verifyscript
 %verify_permissions -e %_libexecdir/%name/selinux_child 
%_libexecdir/%name/sssd_pam

++++++ 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch ++++++
>From 9c194d8de3a4e579a91d7360a498522f919880e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.

Resolves: https://github.com/SSSD/sssd/issues/8021

:relnote: After startup SSSD already creates a Kerberos configuration
 snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
 if the AD or IPA providers are used. This enables SSSD's localauth plugin.
 Starting with this release the an2ln plugin is disabled in the
 configuration snippet as well. If this file or its content are included in
 the Kerberos configuration it will fix CVE-2025-11561.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
(cherry picked from commit a08e5862693ed1191ba464351ae43c779b509096)
---
 src/util/domain_info_utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 677b76ff3..00f22b19d 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -747,6 +747,7 @@ done:
 #define LOCALAUTH_PLUGIN_CONFIG \
 "[plugins]\n" \
 " localauth = {\n" \
+"  disable = an2ln\n" \
 "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
 " }\n"

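Review bot: The added "  disable = an2ln\n" line in LOCALAUTH_PLUGIN_CONFIG only takes effect where the Kerberos configuration includes the generated snippet, which the relnote itself makes a condition ("If this file or its content are included in the Kerberos configuration"), and nothing in this package update checks or documents that. Consider noting in sssd.changes that the CVE-2025-11561 fix depends on the krb5.include.d snippet being included, that the snippet is written by SSSD after startup so the new line appears only once SSSD has started with the updated package, and that hosts carrying a hand-copied [plugins] localauth block need the same disable line added manually. The diffstat shows 1 file changed with 1 insertion, so no test asserts the generated snippet content; a check on the written file would guard against the line being lost in a later rebase.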
--
2.51.1

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.9CVLu8/_old  2025-11-20 14:46:18.520055040 +0100
+++ /var/tmp/diff_new_pack.9CVLu8/_new  2025-11-20 14:46:18.524055209 +0100
@@ -1,5 +1,5 @@
-mtime: 1753994117
-commit: 0e0d1361c8452d81d3f95f3e2e6ee1170e16356d1e2c4145af472ea204b6b873
+mtime: 1763475864
+commit: d21340366b65700bc9cdadb21987a6747f3f200d1f21e6cc91ddf3d047b1d5c3
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
 

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2025-11-18 15:24:42.000000000 +0100
@@ -0,0 +1 @@
+.osc
