================= A security bug in 1.9.0 beta6 ===============
= Subject:              HBAC rules ignored if SELinux processing
=                       is enabled
= CVE ID#:              CVE-2012-3462
= Summary:              A flaw in the SSSD's access-provider
=                       logic causes the result of the HBAC
=                       rule processing to be ignored in the
=                       event that the access-provider is
=                       also handling the setup of the user's
=                       SELinux user context.
= Impact:               moderate
= Affects default
= configuration:        yes (IPA provider only)
= Introduced with:      1.9.0 beta6
==== DESCRIPTION ====
The latest development release of the SSSD is vulnerable to a security bug.
When the SSSD is configured as an IPA client and the access provider is
also handling the evaluation of the user's SELinux user context, the result
of Host Based Access Control (HBAC) rule processing is ignored.
We decided not to publish a full release, for two reasons:
* the number of users running the beta is very small. Furthermore,
  the beta releases are not fully tested and are not suitable for production
* the next release, 1.9.0 RC1, is coming very soon. It is tentatively
  scheduled for 2012-08-23
==== WORKAROUND ====
If you do not rely on the evaluation of the user's SELinux user context, you
can turn off its processing by setting:
    selinux_provider = none
in the sssd.conf config file. That causes the correct access-control return
code to be passed back to the PAM service.
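The following is an added check, not part of this advisory or of the SSSD code base: it parses an sssd.conf, flags the domains that match the affected configuration (IPA access provider with SELinux context handling still active), and shows the workaround applied. The sample configuration is constructed; the fallback of an unset selinux_provider to id_provider is taken from the sssd.conf(5) manual page.

```python
import configparser
import io

# Constructed sample sssd.conf for illustration, not from any real deployment.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.test, ldap.example.test

[domain/ipa.example.test]
id_provider = ipa
access_provider = ipa
ipa_server = ipa.example.test

[domain/ldap.example.test]
id_provider = ldap
access_provider = simple
"""

def effective_selinux_provider(section):
    """Resolve selinux_provider as documented in sssd.conf(5): when unset it
    falls back to id_provider, so an IPA domain handles SELinux by default."""
    explicit = section.get("selinux_provider")
    if explicit:
        return explicit.strip().lower()
    return section.get("id_provider", "").strip().lower()

def affected_domains(conf_text):
    """Return active domains where the HBAC result would be ignored on
    1.9.0 beta6: ipa access provider plus SELinux handling in one domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    active = {d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()}
    hits = []
    for dom in active:
        sect = cp[f"domain/{dom}"]
        if sect.get("access_provider", "").strip().lower() != "ipa":
            continue  # HBAC rules are only evaluated by the ipa access provider
        if effective_selinux_provider(sect) != "none":
            hits.append(dom)
    return sorted(hits)

def apply_workaround(conf_text):
    """Return the config with 'selinux_provider = none' set in each affected domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for dom in affected_domains(conf_text):
        cp[f"domain/{dom}"]["selinux_provider"] = "none"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Running `affected_domains(open("/etc/sssd/sssd.conf").read())` on a client lists the domains whose HBAC decisions the bug would discard.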
==== PATCH AVAILABILITY ====
The patch is available at:
Freeipa-interest mailing list