On Mon, Jul 02, 2018 at 02:35:45PM +0200, Salvatore Bonaccorso wrote:
> Source: sssd
> Version: 1.16.2-1
> Severity: important
> Tags: security upstream
> Forwarded: https://pagure.io/SSSD/sssd/issue/3766
>
> Hi,
>
> The following vulnerability was published for sssd.
>
> CVE-2018-10852[0]:
> | The UNIX pipe which sudo uses to contact SSSD and read the available
> | sudo rules from SSSD has too wide permissions, which means that anyone
> | who can send a message using the same raw protocol that sudo and SSSD
> | use can read the sudo rules available for any user. This affects
> | versions of SSSD before 1.16.3.

This is fixed in
https://pagure.io/SSSD/sssd/c/ed90a20a0f0e936eb00d268080716c0384ffb01d
and this bug is almost a year old. Can we please get that fixed in time
for the buster release (along with
https://security-tracker.debian.org/tracker/CVE-2019-3811 and
https://security-tracker.debian.org/tracker/CVE-2018-16883)?

Cheers,
Moritz