================= A security bug in 1.9.0 beta6 ===============
=                                                             =
= Subject:       HBAC rules ignored if SELinux processing     =
=                is enabled                                   =
=                                                             =
= CVE ID#:       CVE-2012-3462                                =
=                                                             =
= Summary:       A flaw in the SSSD's access-provider         =
=                logic causes the result of the HBAC          =
=                rule processing to be ignored in the         =
=                event that the access-provider is            =
=                also handling the setup of the user's        =
=                SELinux user context.                        =
=                                                             =
= Impact:        moderate                                     =
=                                                             =
= Affects default                                             =
= configuration: yes (IPA provider only)                      =
=                                                             =
= Introduced with: 1.9.0 beta6                                =
===============================================================
==== DESCRIPTION ====
The latest development release of the SSSD, 1.9.0 beta6, is vulnerable to a security bug.
When the SSSD is configured as an IPA client and the access provider is also handling the setup of the user's SELinux user context, the result of Host Based Access Control (HBAC) rule evaluation is ignored: the return code of the SELinux processing overrides the HBAC decision, so a login that the HBAC rules would deny can still succeed.
We decided not to issue a full release for this fix, for two reasons:
 * the number of users running the beta is very small. Furthermore, the beta releases are not fully tested and are not suitable for production anyway
 * the next release, 1.9.0 RC1, is coming very soon. It is tentatively scheduled for 2012-08-23
==== WORKAROUND ====
If you do not rely on the SSSD to set up the user's SELinux user context, you can turn off that processing by setting:
selinux_provider = none
in the affected [domain/...] section of sssd.conf. With SELinux processing disabled, the access provider's result (the HBAC decision) is returned to the PAM service unchanged.
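The following script is an added example and not part of the advisory or of the SSSD project's code. It scans an sssd.conf for [domain/...] sections that match the vulnerable configuration (access_provider = ipa with SELinux context processing still enabled) and reports whether the workaround above is in place. It assumes, per sssd.conf(5), that an unset selinux_provider defaults to the id_provider, so an IPA domain without an explicit selinux_provider = none is treated as exposed; the sample configuration it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSSD project code): find sssd.conf domains exposed to the
# HBAC-ignored bug, i.e. access_provider = ipa with SELinux processing enabled.
# Assumption from sssd.conf(5): an unset selinux_provider falls back to the
# id_provider, so "id_provider = ipa" alone leaves SELinux processing on.

# check_sssd_conf FILE: print "<domain> EXPOSED" or "<domain> ok" per domain.
check_sssd_conf() {
    awk '
        function report() {
            if (dom != "") {
                ap = tolower(ap); sp = tolower(sp); ip = tolower(ip)
                if (sp == "") sp = ip          # default: selinux_provider = id_provider
                if (ap == "ipa" && sp == "ipa")
                    print dom " EXPOSED"
                else
                    print dom " ok"
            }
        }
        /^[ \t]*[#;]/ { next }                       # skip comments
        /^[ \t]*\[domain\/.*\][ \t]*$/ {             # new [domain/NAME] section
            report()
            dom = $0
            sub(/^[ \t]*\[domain\//, "", dom); sub(/\][ \t]*$/, "", dom)
            ap = ""; sp = ""; ip = ""
            next
        }
        /^[ \t]*\[/ { report(); dom = ""; next }     # any other section
        dom != "" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "access_provider") ap = val
            else if (key == "selinux_provider") sp = val
            else if (key == "id_provider") ip = val
        }
        END { report() }
    ' "$1"
}

# sample_sssd_conf: constructed sssd.conf with one exposed IPA domain, one IPA
# domain carrying the workaround, and one non-IPA domain.
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = example.com, other.example, ldaponly
services = nss, pam

[domain/example.com]
id_provider = ipa
access_provider = ipa
ipa_server = ipa.example.com

[domain/other.example]
id_provider = ipa
access_provider = ipa
selinux_provider = none

[domain/ldaponly]
id_provider = ldap
access_provider = ldap
EOF
}

# Demonstration on the constructed sample; point check_sssd_conf at
# /etc/sssd/sssd.conf to check a real client.
tmp=$(mktemp)
sample_sssd_conf > "$tmp"
check_sssd_conf "$tmp"
rm -f "$tmp"
```

Only domains whose access provider is ipa are reported, because HBAC rules are evaluated only by that provider; a domain with access_provider = permit or ldap never reaches the affected code path regardless of its SELinux setting.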
==== PATCH AVAILABILITY ====
The patch is available at: http://git.fedorahosted.org/cgit/sssd.git/commit/?id=ffcf27b0b773b580289d596...
sssd-users@lists.fedorahosted.org