===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3094
                          sssd regression update
                                1 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sssd
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-4254  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/05/msg00032.html

Comment: CVSS (Max):  8.8 CVE-2022-4254 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3436-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
May 31, 2023                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sssd
Version        : 1.16.3-3.2+deb10u2

sssd 1.16.3-3.2+deb10u1 (DLA 3436-1) had a broken upgrade path from
version 1.16.3-3.2.

One could upgrade sssd-common to 1.16.3-3.2+deb10u1 while leaving
libsss-certmap0 at 1.16.3-3.2; the version mismatch broke SSSD, as the
fix for CVE-2022-4254 introduces new symbols which are used by
sssd-common's sssd_pam.

For Debian 10 buster, this problem has been fixed in version
1.16.3-3.2+deb10u2.  This version differs from 1.16.3-3.2+deb10u1 only
in package metadata.  (Bumping the minimum version for libsss-certmap0
in sssd-common's Depends: field ensures a safe upgrade path.)
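As an added defender's check (not part of the Debian advisory or of sssd itself), the script below flags a buster host left in the mismatched state described above, assuming the two package names and the fixed version quoted in the advisory; the version comparison re-implements the deb-version(7) ordering instead of shelling out to dpkg, so it also runs on non-Debian systems over collected inventory data.

```python
FIXED_VERSION = "1.16.3-3.2+deb10u1"  # first sssd with the CVE-2022-4254 fix (from advisory)

def _order(c: str) -> int:
    # deb-version(7) ranking: '~' < end-of-string or digit < letters < other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision part the way dpkg does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run: leading zeros are ignored
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # the longer numeric run is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """<0, 0 or >0 with `dpkg --compare-versions` semantics (epoch, upstream, revision)."""
    def split(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def certmap_mismatch(dpkg_query_output: str) -> bool:
    """True when sssd-common has the fix but libsss-certmap0 predates it (input: dpkg-query -W lines)."""
    installed = dict(l.split(None, 1) for l in dpkg_query_output.splitlines() if l.strip())
    common, certmap = installed.get("sssd-common"), installed.get("libsss-certmap0")
    if common is None or certmap is None:
        return False  # one of the packages is not installed at all: nothing to compare
    return compare_versions(common, FIXED_VERSION) >= 0 and compare_versions(certmap, FIXED_VERSION) < 0
# Constructed sample (not captured from a real host): the broken partial upgrade from the advisory.
SAMPLE_BROKEN = "sssd-common 1.16.3-3.2+deb10u1\nlibsss-certmap0 1.16.3-3.2\n"
```

Feed it the output of `dpkg-query -W -f='${Package} ${Version}\n' sssd-common libsss-certmap0`; a result of True means the host needs the +deb10u2 metadata fix applied so both packages move together.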

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================