Bugzilla – Bug 801036
VUL-1: CVE-2013-0219 CVE-2013-0220: sssd: Two security issues in sssd-1.9.2
Last modified: 2019-11-06 13:07:14 UTC
sssd upstream just released version 1.9.4, which is mostly a bug fix release and contains fixes to security problems that our current package in SP3 suffers from as well. From the changelog:

* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder

Other than that it also fixes a memory leak in the nss responder and an issue in the sudo backend (Fate#314543), which affect our packages as well.
I think it was publicly posted 20130123 according to Red Hat's BZ.
CVE-2013-0219: This affects all our currently shipping sssd releases. It is however a minor issue. CVE-2013-0220 affects the ssh and autofs responders, which only existed beginning with SLES 11 SP3 or later and openSUSE 12.3 or later. Older versions are not affected. Minor issue only -> planned update list.
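An added triage check, not part of this bug report or of the sssd project, that encodes the two scoping statements made in the thread so far: CVE-2013-0219 is fixed in 1.9.4, so any sssd older than that is affected, and CVE-2013-0220 sits in the ssh and autofs responders, so a host is exposed to it only if it runs an older sssd and has one of those responders listed in `services` in sssd.conf. The sssd.conf snippets below are constructed for the example, and the version strings are passed in by hand (on a real host you would feed it the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' sssd`).

```python
"""Triage helper for CVE-2013-0219 / CVE-2013-0220 (added example, not from the bug thread).

Rules taken from the thread:
  * CVE-2013-0219 (TOCTOU on local-domain home directory create/remove) is fixed
    in sssd 1.9.4, so any build older than 1.9.4 is affected.
  * CVE-2013-0220 (out-of-bounds reads) is in the ssh and autofs responders, so a
    host is exposed only if it runs sssd older than 1.9.4 AND one of those
    responders is enabled in the [sssd] services list.
"""
import configparser
import re

FIXED_VERSION = (1, 9, 4)
CVE_0220_RESPONDERS = {"ssh", "autofs"}


def parse_version(version: str) -> tuple:
    """Turn '1.9.2' or an rpm-style '1.9.4-0.4.1' into a comparable tuple.

    Only the upstream part before '-' is compared; the distro release suffix
    is ignored (see the caveat in the usage note about backported fixes).
    """
    upstream = version.split("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    if not parts:
        raise ValueError(f"unparseable sssd version: {version!r}")
    return tuple(int(p) for p in parts)


def enabled_responders(sssd_conf_text: str) -> set:
    """Read the comma-separated 'services' entry of the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    services = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in services.split(",") if s.strip()}


def triage(version: str, sssd_conf_text: str) -> dict:
    """Return {cve: affected?} for the given sssd version and sssd.conf contents."""
    vulnerable_build = parse_version(version) < FIXED_VERSION
    responders = enabled_responders(sssd_conf_text)
    return {
        "CVE-2013-0219": vulnerable_build,
        "CVE-2013-0220": vulnerable_build and bool(responders & CVE_0220_RESPONDERS),
    }


# Constructed sample sssd.conf (not from any real host): ssh and autofs responders on.
SAMPLE_CONF_WITH_SSH = """
[sssd]
config_file_version = 2
services = nss, pam, ssh, autofs
domains = LOCAL

[domain/LOCAL]
id_provider = local
"""

# Constructed sample with only the nss and pam responders enabled.
SAMPLE_CONF_NSS_ONLY = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL

[domain/LOCAL]
id_provider = local
"""

if __name__ == "__main__":
    for ver, conf in (("1.9.2", SAMPLE_CONF_WITH_SSH),
                      ("1.9.2", SAMPLE_CONF_NSS_ONLY),
                      ("1.9.4-0.4.1", SAMPLE_CONF_WITH_SSH)):
        print(ver, triage(ver, conf))
```

The version check compares the upstream number only. A vendor package can carry a backported fix under an older version string, so on an enterprise distribution treat a result of "affected" as "check the vendor advisory for this package release" rather than as a final verdict; the responder check, by contrast, is exact, since a responder that is not in `services` is never started.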
Reassigning to new sssd maintainer. And closing this bug as it is handled by the planned update list for SLE11-SP2. (Factory and SLE11-SP3 are no longer affected as they ship newer sssd releases)
The issue is still open since no update was released for it.
Good news - none of the distributions under active maintenance are affected by the two CVEs. Both SLES 11 SP3 and SP4 are shipping SSSD v1.9.4 which already has the CVEs addressed.
openSUSE Leap and Factory also have fixed versions.
This is an autogenerated message for OBS integration: This bug (801036) was mentioned in https://build.opensuse.org/request/show/547139 Factory / sssd