[MIR] sssd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libsemanage (Ubuntu) | Fix Released | Undecided | Unassigned |
samba (Ubuntu) | Fix Released | Medium | Unassigned |
sssd (Ubuntu) | Fix Released | Undecided | Didier Roche-Tolomelli |
tevent (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description
sssd & ding-libs (which got split off sssd at some point):
1. Availability:
- in universe for some time
2. Rationale:
- https:/
3. Security:
- no current CVE
- five CVE reports in the past:
CVE-2011-1758 The krb5_save_
CVE-2010-4341 The pam_parse_
CVE-2010-2940 The auth_send function in providers/
CVE-2010-0014 System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.
CVE-2009-2410 The local_handler_
all got fixed by upstream in a timely manner.
- ships a daemon that handles connections to LDAP, Kerberos servers
- doesn't open privileged ports
- binaries in /usr/sbin include sssd, sss_group{
4. Quality assurance:
- current version doesn't install any working configuration; the plan is to add support for debconf, though
<check>
5. UI standards:
- not applicable
6. Dependencies:
- ding-libs (libcollection-dev, libini-config-dev, libdhash-dev)
- tevent (libtevent-dev)
- ldb (libldb-dev)
- libsemanage (libsemanage1-dev)
- samba4 (libndr-dev, libndr-
- libpwquality (libpam-sss now depends on libpam-pwquality)
7. Standards compliance:
- shipped by Debian
- lintian clean
- uses dh, source format 3.0 (quilt)
8. Maintenance:
- currently maintained by a team of volunteers on Debian and Ubuntu
- shared git repository on git.debian.org
9. Background information:
<check>
description: updated
description: updated
no longer affects: libnl (Ubuntu)
description: updated
Changed in tevent (Ubuntu):
status: Confirmed → Fix Released
We just did avoid promoting libev, having libevent already in main. libverto in main does provide an abstraction layer for all these event libraries. Please check to use either libverto, or libevent directly.