mirror of
https://git.yoctoproject.org/meta-security
synced 2026-07-15 15:37:18 +00:00
sssd: Fix for CVE-2025-11561
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
This commit is contained in:
committed by
Scott Murray
parent
80b6b58e40
commit
1421bf8d3b
@@ -0,0 +1,50 @@
|
|||||||
|
From a0336f4cd69c25b3d501a3d361d3d286c00da4d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 10 Oct 2025 12:57:40 +0200
|
||||||
|
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
If a client is joined to AD or IPA SSSD's localauth plugin can handle
|
||||||
|
the mapping of Kerberos principals to local accounts. In case it cannot
|
||||||
|
map the Kerberos principals libkrb5 is currently configured to fall back
|
||||||
|
to the default localauth plugins 'default', 'rule', 'names',
|
||||||
|
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
|
||||||
|
All plugins except 'an2ln' require some explicit configuration by either
|
||||||
|
the administrator or the local user. To avoid some unexpected mapping is
|
||||||
|
done by the 'an2ln' plugin this patch disables it in the configuration
|
||||||
|
snippets for SSSD's localauth plugin.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/8021
|
||||||
|
|
||||||
|
:relnote: After startup SSSD already creates a Kerberos configuration
|
||||||
|
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
|
||||||
|
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
|
||||||
|
Starting with this release the an2ln plugin is disabled in the
|
||||||
|
configuration snippet as well. If this file or its content are included in
|
||||||
|
the Kerberos configuration it will fix CVE-2025-11561.
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]
|
||||||
|
CVE: CVE-2025-11561
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
src/util/domain_info_utils.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||||
|
index e131a5d96af..160e1711bcd 100644
|
||||||
|
--- a/src/util/domain_info_utils.c
|
||||||
|
+++ b/src/util/domain_info_utils.c
|
||||||
|
@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
|
||||||
|
#define LOCALAUTH_PLUGIN_CONFIG \
|
||||||
|
"[plugins]\n" \
|
||||||
|
" localauth = {\n" \
|
||||||
|
+" disable = an2ln\n" \
|
||||||
|
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
|
||||||
|
" }\n"
|
||||||
|
|
||||||
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
|
|||||||
file://musl_fixup.patch \
|
file://musl_fixup.patch \
|
||||||
file://CVE-2021-3621.patch \
|
file://CVE-2021-3621.patch \
|
||||||
file://CVE-2023-3758.patch \
|
file://CVE-2023-3758.patch \
|
||||||
|
file://CVE-2025-11561.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
|
SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
|
||||||
|
|||||||
Reference in New Issue
Block a user