Too loose Depends constraints in sssd-common cause critical crash
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sssd (Ubuntu) | Invalid | Undecided | Unassigned | |
| Focal | Fix Released | Critical | Unassigned | |
Bug Description
Ubuntu Security team recently released ".11" of SSSD.
`sssd` correctly specifies a hard dependency on "sssd-common (= 2.2.3-3ubuntu0.11)"
`sssd-common` only specifies "libsss-certmap0 (>= 2.2.3)", which means `libsss-certmap0` could stay on 2.2.3-3ubuntu0*.10*
This causes the following critical error:
> sssd_pam[10488]: /usr/libexec/
The user experience is an immediate crash to a black screen, lost work due to session termination, and inability to log in again until `libsss-certmap0` has been updated.
The issue can be reproduced on an Ubuntu 20.04 machine connected to AD running the previous .10 release of SSSD, and upgraded using "apt install sssd".
Note that a blanket "apt upgrade" is not always possible, as it will restart services such as Docker and Databases, which may have critical impact on production. It should be the responsibility of "Depends" to specify exactly what the software needs to function correctly. In this case it was a breaking change between 2.2.3-3ubuntu0.10 and 2.2.3-3ubuntu0.11 in `libsss-certmap0`, so the "Depends" of sssd-common should be updated to reflect that minimum requirement.
Status changed to 'Confirmed' because the bug affects multiple users.