===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3094
                          sssd regression update
                                1 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sssd
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-4254

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/05/msg00032.html

Comment: CVSS (Max):  8.8 CVE-2022-4254 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3436-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
May 31, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : sssd
Version        : 1.16.3-3.2+deb10u2

sssd 1.16.3-3.2+deb10u1 (DLA 3436-1) had a broken upgrade path from
version 1.16.3-3.2. One could upgrade sssd-common to 1.16.3-3.2+deb10u1
while leaving libsss-certmap0 at 1.16.3-3.2; the version mismatch broke
SSSD as the fix for CVE-2022-4254 introduces new symbols which are used
in sssd-common's sssd_pam.

For Debian 10 buster, this problem has been fixed in version
1.16.3-3.2+deb10u2. This version differs from 1.16.3-3.2+deb10u1 only
in package metadata. (Bumping the minimum version for libsss-certmap0
in sssd-common's Depends: field ensures a safe upgrade path.)

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================