Well, I still need to file a MIR for libpwquality, and a separate one
for ding-libs if needed (it got split off sssd some time ago)

And actually, when the new samba is merged, ldb will move to main, so
having it here is probably unnecessary.

-- 
You received this bug notification because you are a member of Tieto,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/903752

Title:
  [MIR] sssd

Status in “ding-libs” package in Ubuntu:
  Confirmed
Status in “ldb” package in Ubuntu:
  Confirmed
Status in “libpwquality” package in Ubuntu:
  New
Status in “libsemanage” package in Ubuntu:
  Fix Released
Status in “samba” package in Ubuntu:
  Confirmed
Status in “sssd” package in Ubuntu:
  Fix Committed
Status in “tevent” package in Ubuntu:
  Fix Released

Bug description:
  sssd & ding-libs (which got split off sssd at some point):

  1. Availability:
   - in universe for some time

  2. Rationale:
   - https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-sssd-mir

  3. Security:
   - no current CVE
   - five CVE reports in the past:
   CVE-2011-1758   The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname.
   CVE-2010-4341   The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet.
   CVE-2010-2940   The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.
   CVE-2010-0014   System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.
   CVE-2009-2410   The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.

   all got fixed by upstream in a timely manner.

   - ships a daemon that handles connections to LDAP and Kerberos servers
   - doesn't open privileged ports
   - binaries in /usr/sbin include sssd, sss_group{add,del,mod}, sss_user{add,del,mod}

  4. Quality assurance:
   - current version doesn't install any working configuration; it is the plan to add support for debconf though
  <check>

  5. UI standards:
   - not applicable

  6. Dependencies:
   - ding-libs (libcollection-dev, libini-config-dev, libdhash-dev)
   - tevent (libtevent-dev)
   - ldb (libldb-dev)
   - libsemanage (libsemanage1-dev)
   - samba4 (libndr-dev, libndr-standard-dev, libsamba-util-dev, libdcerpc-dev, samba4-dev)
   - libpwquality (libpam-sss now depends on libpam-pwquality)

  7. Standards compliance:
   - shipped by debian
   - lintian clean
   - uses dh, source format 3.0 (quilt)

  8. Maintenance:
   - currently maintained by a team of volunteers on Debian and Ubuntu
   - shared git repository on git.debian.org

  9. Background information:
  <check>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ding-libs/+bug/903752/+subscriptions

-- 
Mailing list: https://launchpad.net/~tieto
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~tieto
More help   : https://help.launchpad.net/ListHelp
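The bypass class behind CVE-2010-2940 in the bug description above (LDAP authentication plus anonymous bind, empty password accepted) is worth seeing in code. The following is an added example, not code from sssd or from this bug report: it uses a constructed, in-memory stand-in for an LDAP server that follows the simple-bind rules of RFC 4513 (an empty password yields an anonymous or unauthenticated bind, never a credential check) and contrasts an authenticator that trusts any successful bind with one that refuses to treat an empty-password bind as authentication. The names auth_send_vulnerable, auth_send_fixed and FakeLdapServer are assumptions for illustration and do not correspond to sssd's real functions.

```python
"""Model of the empty-password LDAP bind pitfall (CVE-2010-2940 class).

Added example. FakeLdapServer is a constructed stand-in (no network); it
implements the RFC 4513 simple-bind rules that matter here:
  - empty DN and empty password  -> anonymous bind
  - non-empty DN, empty password -> "unauthenticated" bind
Both succeed on a server that allows anonymous access, so a client that
uses "did the bind succeed?" as its password check is fooled.
"""
from dataclasses import dataclass, field

SUCCESS = 0
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


@dataclass
class FakeLdapServer:
    # Constructed directory: bind DN -> clear-text password (model only).
    passwords: dict = field(default_factory=dict)
    # Mirrors "anonymous bind enabled" from the CVE text.
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> int:
        if password == "":
            # Anonymous/unauthenticated bind: no credential was verified,
            # whether or not the DN even exists in the directory.
            return SUCCESS if self.allow_anonymous else INVALID_CREDENTIALS
        if self.passwords.get(dn) == password:
            return SUCCESS
        return INVALID_CREDENTIALS


def auth_send_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Bug pattern: any successful bind is taken as proof of identity."""
    return server.simple_bind(dn, password) == SUCCESS


def auth_send_fixed(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Hardened: an empty password can never have been verified by the
    server, so reject it locally before ever issuing the bind."""
    if password is None or password == "":
        return False
    return server.simple_bind(dn, password) == SUCCESS


def demo() -> dict:
    """Run both authenticators against the constructed server and return
    the outcomes so a caller (or test) can inspect them."""
    alice = "uid=alice,ou=people,dc=example,dc=com"
    server = FakeLdapServer({alice: "s3cret"})            # anonymous allowed
    strict = FakeLdapServer({alice: "s3cret"}, allow_anonymous=False)
    return {
        # Empty password "authenticates" a real user on the permissive server
        "vuln_empty": auth_send_vulnerable(server, alice, ""),
        # ...and even a DN that does not exist at all
        "vuln_unknown_user_empty": auth_send_vulnerable(
            server, "uid=nobody,ou=people,dc=example,dc=com", ""),
        # Disabling anonymous bind server-side also closes it, but the
        # client must not depend on that configuration
        "vuln_empty_strict": auth_send_vulnerable(strict, alice, ""),
        "fixed_empty": auth_send_fixed(server, alice, ""),
        "fixed_good": auth_send_fixed(server, alice, "s3cret"),
        "fixed_bad": auth_send_fixed(server, alice, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:25s} authenticated={outcome}")
```

The design point is that the client-side check belongs in the authenticator, not in directory configuration: RFC 4513 lets servers accept unauthenticated binds, so any code path that maps "bind returned success" to "password is correct" must first reject empty (and, in practice, whitespace-only or NUL-truncated) passwords itself.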