-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2893
            Low: sssd security, bug fix, and enhancement update
                             23 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sssd
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5292  

Reference:         ESB-2015.2808

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2015-2355.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: sssd security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2355-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2355.html
Issue date:        2015-11-19
CVE Names:         CVE-2015-5292 
=====================================================================

1. Summary:

Updated sssd packages that fix one security issue, multiple bugs, and add
various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The System Security Services Daemon (SSSD) service provides a set of
daemons to manage access to remote directories and authentication
mechanisms.

It was found that SSSD's Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication request.
A remote attacker could potentially use this flaw to exhaust all available
memory on the system by making repeated requests to a Kerberized daemon
application configured to authenticate using the PAC responder plug-in.
(CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1205554)

Several enhancements are described in the Red Hat Enterprise Linux 7.2
Release Notes, linked to in the References section:

* SSSD smart card support (BZ#854396)
* Cache authentication in SSSD (BZ#910187)
* SSSD supports overriding automatically discovered AD site (BZ#1163806)
* SSSD can now deny SSH access to locked accounts (BZ#1175760)
* SSSD enables UID and GID mapping on individual clients (BZ#1183747)
* Background refresh of cached entries (BZ#1199533)
* Multi-step prompting for one-time and long-term passwords (BZ#1200873)
* Caching for initgroups operations (BZ#1206575)

Bugs fixed:

* When the SELinux user content on an IdM server was set to an empty
string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314)

* If the ldap_child process failed to initialize credentials and exited
with an error multiple times, operations that create files in some cases
started failing due to an insufficient amount of i-nodes. (BZ#1198477)

* The SRV queries used a hard coded TTL timeout, and environments that
wanted the SRV queries to be valid for a certain time only were blocked.
Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541)

* Previously, initgroups operation took an excessive amount of time. Now,
logins and ID processing are faster for setups with AD back end and
disabled ID mapping. (BZ#1201840)

* When an IdM client with Red Hat Enterprise Linux 7.1 or later was
connecting to a server with Red Hat Enterprise Linux 7.0 or earlier,
authentication with an AD trusted domain caused the sssd_be process to
terminate unexpectedly. (BZ#1202170)

* If replication conflict entries appeared during HBAC processing, the user
was denied access. Now, the replication conflict entries are skipped and
users are permitted access. (BZ#1202245)

* The array of SIDs no longer contains an uninitialized value and SSSD no
longer crashes. (BZ#1204203)

* SSSD supports GPOs from different domain controllers and no longer
crashes when processing GPOs from different domain controllers.
(BZ#1205852)

* SSSD could not refresh sudo rules that contained groups with special
characters, such as parentheses, in their name. (BZ#1208507)

* The IPA names are not qualified on the client side if the server already
qualified them, and IdM group members resolve even if default_domain_suffix
is used on the server side. (BZ#1211830)

* The internal cache cleanup task has been disabled by default to improve
performance of the sssd_be process. (BZ#1212489)

* Now, default_domain_suffix is not considered anymore for autofs maps.
(BZ#1216285)

* The user can set subdomain_inherit=ignore_group-members to disable
fetching group members for trusted domains. (BZ#1217350)

* The group resolution failed with an error message: "Error: 14 (Bad
address)". The binary GUID handling has been fixed. (BZ#1226119)

Enhancements added:

* The description of default_domain_suffix has been improved in the manual
pages. (BZ#1185536)

* With the new "%0" template option, users on SSSD IdM clients can now use
home directories set on AD. (BZ#1187103)

All sssd users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

854396 - [RFE] Support for smart cards
1007968 - sssd does not create AAAA record in AD
1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option
1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD
1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain
1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u
1199445 - Does sssd-ad use the most suitable attribute for group name?
1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
1201840 - SSSD downloads too much information when fetching information about groups
1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries
1202724 - [RFE] Add a way to lookup users based on CAC identity certificates
1203642 - GPO access control looks for computer object in user's domain only
1205144 - RFE: Support one-way trusts for IPA
1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab
1205554 - Rebase SSSD to 1.13.x
1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys
1206565 - [RFE] Add dualstack and multihomed support
1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
1206571 - [RFE] Expose D-BUS interface
1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
1214337 - Overrides with --login work in second attempt
1214716 - idoverridegroup for ipa group with --group-name does not work
1214718 - Overridde with --login fails trusted adusers group membership resolution
1214719 - Group resolution is inconsistent with group overrides
1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set
1217127 - Override for IPA users with login does not list user all groups
1217559 - [RFE] Support GPOs from different domain controllers
1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
1234722 - sssd ad provider fails to start in rhel7.2
1242942 - well-known SID check is broken for NetBIOS prefixes
1244949 - getgrgid for user's UID on a trust client prevents getpw*
1246489 - sss_obfuscate fails with "ImportError: No module named pysss"
1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled
1250135 - Detect re-established trusts in the IPA subdomain code
1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'
1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help
1254518 - Fix crash in nss responder
1259512 - sss_override : The local override user is not found
1261155 - nsupdate exits on first GSSAPI error instead of processing other commands
1263587 - sss_override --name doesn't work with RFC2307 and ghost users
1263735 - Could not resolve AD user from root domain
1266107 - AD: Conditional jump or move depends on uninitialised value
1267176 - Memory leak / possible DoS with krb auth. [rhel 7.2]
1267580 - CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin
1267836 - PAM responder crashed if user was not set
1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
1270827 - local overrides: don't contact server with overridden name/id

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
sssd-1.13.0-40.el7.src.rpm

noarch:
python-sssdconfig-1.13.0-40.el7.noarch.rpm

x86_64:
libipa_hbac-1.13.0-40.el7.i686.rpm
libipa_hbac-1.13.0-40.el7.x86_64.rpm
libsss_idmap-1.13.0-40.el7.i686.rpm
libsss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
python-sss-1.13.0-40.el7.x86_64.rpm
python-sss-murmur-1.13.0-40.el7.x86_64.rpm
sssd-1.13.0-40.el7.x86_64.rpm
sssd-ad-1.13.0-40.el7.x86_64.rpm
sssd-client-1.13.0-40.el7.i686.rpm
sssd-client-1.13.0-40.el7.x86_64.rpm
sssd-common-1.13.0-40.el7.i686.rpm
sssd-common-1.13.0-40.el7.x86_64.rpm
sssd-common-pac-1.13.0-40.el7.x86_64.rpm
sssd-dbus-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-ipa-1.13.0-40.el7.x86_64.rpm
sssd-krb5-1.13.0-40.el7.x86_64.rpm
sssd-krb5-common-1.13.0-40.el7.i686.rpm
sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
sssd-ldap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
sssd-proxy-1.13.0-40.el7.x86_64.rpm
sssd-tools-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
libipa_hbac-devel-1.13.0-40.el7.i686.rpm
libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
libsss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-1.13.0-40.el7.i686.rpm
libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
sssd-1.13.0-40.el7.src.rpm

noarch:
python-sssdconfig-1.13.0-40.el7.noarch.rpm

x86_64:
libipa_hbac-1.13.0-40.el7.i686.rpm
libipa_hbac-1.13.0-40.el7.x86_64.rpm
libsss_idmap-1.13.0-40.el7.i686.rpm
libsss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
python-sss-1.13.0-40.el7.x86_64.rpm
python-sss-murmur-1.13.0-40.el7.x86_64.rpm
sssd-1.13.0-40.el7.x86_64.rpm
sssd-ad-1.13.0-40.el7.x86_64.rpm
sssd-client-1.13.0-40.el7.i686.rpm
sssd-client-1.13.0-40.el7.x86_64.rpm
sssd-common-1.13.0-40.el7.i686.rpm
sssd-common-1.13.0-40.el7.x86_64.rpm
sssd-common-pac-1.13.0-40.el7.x86_64.rpm
sssd-dbus-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-ipa-1.13.0-40.el7.x86_64.rpm
sssd-krb5-1.13.0-40.el7.x86_64.rpm
sssd-krb5-common-1.13.0-40.el7.i686.rpm
sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
sssd-ldap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
sssd-proxy-1.13.0-40.el7.x86_64.rpm
sssd-tools-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
libipa_hbac-devel-1.13.0-40.el7.i686.rpm
libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
libsss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-1.13.0-40.el7.i686.rpm
libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
sssd-1.13.0-40.el7.src.rpm

aarch64:
libipa_hbac-1.13.0-40.el7.aarch64.rpm
libsss_idmap-1.13.0-40.el7.aarch64.rpm
libsss_nss_idmap-1.13.0-40.el7.aarch64.rpm
libsss_simpleifp-1.13.0-40.el7.aarch64.rpm
python-libipa_hbac-1.13.0-40.el7.aarch64.rpm
python-sss-1.13.0-40.el7.aarch64.rpm
python-sss-murmur-1.13.0-40.el7.aarch64.rpm
sssd-1.13.0-40.el7.aarch64.rpm
sssd-ad-1.13.0-40.el7.aarch64.rpm
sssd-client-1.13.0-40.el7.aarch64.rpm
sssd-common-1.13.0-40.el7.aarch64.rpm
sssd-common-pac-1.13.0-40.el7.aarch64.rpm
sssd-dbus-1.13.0-40.el7.aarch64.rpm
sssd-debuginfo-1.13.0-40.el7.aarch64.rpm
sssd-ipa-1.13.0-40.el7.aarch64.rpm
sssd-krb5-1.13.0-40.el7.aarch64.rpm
sssd-krb5-common-1.13.0-40.el7.aarch64.rpm
sssd-ldap-1.13.0-40.el7.aarch64.rpm
sssd-libwbclient-1.13.0-40.el7.aarch64.rpm
sssd-proxy-1.13.0-40.el7.aarch64.rpm
sssd-tools-1.13.0-40.el7.aarch64.rpm

noarch:
python-sssdconfig-1.13.0-40.el7.noarch.rpm

ppc64:
libipa_hbac-1.13.0-40.el7.ppc.rpm
libipa_hbac-1.13.0-40.el7.ppc64.rpm
libsss_idmap-1.13.0-40.el7.ppc.rpm
libsss_idmap-1.13.0-40.el7.ppc64.rpm
libsss_nss_idmap-1.13.0-40.el7.ppc.rpm
libsss_nss_idmap-1.13.0-40.el7.ppc64.rpm
libsss_simpleifp-1.13.0-40.el7.ppc.rpm
libsss_simpleifp-1.13.0-40.el7.ppc64.rpm
python-libipa_hbac-1.13.0-40.el7.ppc64.rpm
python-sss-1.13.0-40.el7.ppc64.rpm
python-sss-murmur-1.13.0-40.el7.ppc64.rpm
sssd-1.13.0-40.el7.ppc64.rpm
sssd-ad-1.13.0-40.el7.ppc64.rpm
sssd-client-1.13.0-40.el7.ppc.rpm
sssd-client-1.13.0-40.el7.ppc64.rpm
sssd-common-1.13.0-40.el7.ppc.rpm
sssd-common-1.13.0-40.el7.ppc64.rpm
sssd-common-pac-1.13.0-40.el7.ppc64.rpm
sssd-dbus-1.13.0-40.el7.ppc64.rpm
sssd-debuginfo-1.13.0-40.el7.ppc.rpm
sssd-debuginfo-1.13.0-40.el7.ppc64.rpm
sssd-ipa-1.13.0-40.el7.ppc64.rpm
sssd-krb5-1.13.0-40.el7.ppc64.rpm
sssd-krb5-common-1.13.0-40.el7.ppc.rpm
sssd-krb5-common-1.13.0-40.el7.ppc64.rpm
sssd-ldap-1.13.0-40.el7.ppc64.rpm
sssd-libwbclient-1.13.0-40.el7.ppc64.rpm
sssd-proxy-1.13.0-40.el7.ppc64.rpm
sssd-tools-1.13.0-40.el7.ppc64.rpm

ppc64le:
libipa_hbac-1.13.0-40.el7.ppc64le.rpm
libsss_idmap-1.13.0-40.el7.ppc64le.rpm
libsss_nss_idmap-1.13.0-40.el7.ppc64le.rpm
libsss_simpleifp-1.13.0-40.el7.ppc64le.rpm
python-libipa_hbac-1.13.0-40.el7.ppc64le.rpm
python-sss-1.13.0-40.el7.ppc64le.rpm
python-sss-murmur-1.13.0-40.el7.ppc64le.rpm
sssd-1.13.0-40.el7.ppc64le.rpm
sssd-ad-1.13.0-40.el7.ppc64le.rpm
sssd-client-1.13.0-40.el7.ppc64le.rpm
sssd-common-1.13.0-40.el7.ppc64le.rpm
sssd-common-pac-1.13.0-40.el7.ppc64le.rpm
sssd-dbus-1.13.0-40.el7.ppc64le.rpm
sssd-debuginfo-1.13.0-40.el7.ppc64le.rpm
sssd-ipa-1.13.0-40.el7.ppc64le.rpm
sssd-krb5-1.13.0-40.el7.ppc64le.rpm
sssd-krb5-common-1.13.0-40.el7.ppc64le.rpm
sssd-ldap-1.13.0-40.el7.ppc64le.rpm
sssd-libwbclient-1.13.0-40.el7.ppc64le.rpm
sssd-proxy-1.13.0-40.el7.ppc64le.rpm
sssd-tools-1.13.0-40.el7.ppc64le.rpm

s390x:
libipa_hbac-1.13.0-40.el7.s390.rpm
libipa_hbac-1.13.0-40.el7.s390x.rpm
libsss_idmap-1.13.0-40.el7.s390.rpm
libsss_idmap-1.13.0-40.el7.s390x.rpm
libsss_nss_idmap-1.13.0-40.el7.s390.rpm
libsss_nss_idmap-1.13.0-40.el7.s390x.rpm
libsss_simpleifp-1.13.0-40.el7.s390.rpm
libsss_simpleifp-1.13.0-40.el7.s390x.rpm
python-libipa_hbac-1.13.0-40.el7.s390x.rpm
python-sss-1.13.0-40.el7.s390x.rpm
python-sss-murmur-1.13.0-40.el7.s390x.rpm
sssd-1.13.0-40.el7.s390x.rpm
sssd-ad-1.13.0-40.el7.s390x.rpm
sssd-client-1.13.0-40.el7.s390.rpm
sssd-client-1.13.0-40.el7.s390x.rpm
sssd-common-1.13.0-40.el7.s390.rpm
sssd-common-1.13.0-40.el7.s390x.rpm
sssd-common-pac-1.13.0-40.el7.s390x.rpm
sssd-dbus-1.13.0-40.el7.s390x.rpm
sssd-debuginfo-1.13.0-40.el7.s390.rpm
sssd-debuginfo-1.13.0-40.el7.s390x.rpm
sssd-ipa-1.13.0-40.el7.s390x.rpm
sssd-krb5-1.13.0-40.el7.s390x.rpm
sssd-krb5-common-1.13.0-40.el7.s390.rpm
sssd-krb5-common-1.13.0-40.el7.s390x.rpm
sssd-ldap-1.13.0-40.el7.s390x.rpm
sssd-libwbclient-1.13.0-40.el7.s390x.rpm
sssd-proxy-1.13.0-40.el7.s390x.rpm
sssd-tools-1.13.0-40.el7.s390x.rpm

x86_64:
libipa_hbac-1.13.0-40.el7.i686.rpm
libipa_hbac-1.13.0-40.el7.x86_64.rpm
libsss_idmap-1.13.0-40.el7.i686.rpm
libsss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-1.13.0-40.el7.i686.rpm
libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-sss-1.13.0-40.el7.x86_64.rpm
python-sss-murmur-1.13.0-40.el7.x86_64.rpm
sssd-1.13.0-40.el7.x86_64.rpm
sssd-ad-1.13.0-40.el7.x86_64.rpm
sssd-client-1.13.0-40.el7.i686.rpm
sssd-client-1.13.0-40.el7.x86_64.rpm
sssd-common-1.13.0-40.el7.i686.rpm
sssd-common-1.13.0-40.el7.x86_64.rpm
sssd-common-pac-1.13.0-40.el7.x86_64.rpm
sssd-dbus-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-ipa-1.13.0-40.el7.x86_64.rpm
sssd-krb5-1.13.0-40.el7.x86_64.rpm
sssd-krb5-common-1.13.0-40.el7.i686.rpm
sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
sssd-ldap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
sssd-proxy-1.13.0-40.el7.x86_64.rpm
sssd-tools-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
libipa_hbac-devel-1.13.0-40.el7.aarch64.rpm
libsss_idmap-devel-1.13.0-40.el7.aarch64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.aarch64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.aarch64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.aarch64.rpm
sssd-debuginfo-1.13.0-40.el7.aarch64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.aarch64.rpm

ppc64:
libipa_hbac-devel-1.13.0-40.el7.ppc.rpm
libipa_hbac-devel-1.13.0-40.el7.ppc64.rpm
libsss_idmap-devel-1.13.0-40.el7.ppc.rpm
libsss_idmap-devel-1.13.0-40.el7.ppc64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.ppc.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.ppc64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.ppc.rpm
libsss_simpleifp-devel-1.13.0-40.el7.ppc64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.ppc64.rpm
sssd-debuginfo-1.13.0-40.el7.ppc.rpm
sssd-debuginfo-1.13.0-40.el7.ppc64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.ppc.rpm
sssd-libwbclient-devel-1.13.0-40.el7.ppc64.rpm

ppc64le:
libipa_hbac-devel-1.13.0-40.el7.ppc64le.rpm
libsss_idmap-devel-1.13.0-40.el7.ppc64le.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.ppc64le.rpm
libsss_simpleifp-devel-1.13.0-40.el7.ppc64le.rpm
python-libsss_nss_idmap-1.13.0-40.el7.ppc64le.rpm
sssd-debuginfo-1.13.0-40.el7.ppc64le.rpm
sssd-libwbclient-devel-1.13.0-40.el7.ppc64le.rpm

s390x:
libipa_hbac-devel-1.13.0-40.el7.s390.rpm
libipa_hbac-devel-1.13.0-40.el7.s390x.rpm
libsss_idmap-devel-1.13.0-40.el7.s390.rpm
libsss_idmap-devel-1.13.0-40.el7.s390x.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.s390.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.s390x.rpm
libsss_simpleifp-devel-1.13.0-40.el7.s390.rpm
libsss_simpleifp-devel-1.13.0-40.el7.s390x.rpm
python-libsss_nss_idmap-1.13.0-40.el7.s390x.rpm
sssd-debuginfo-1.13.0-40.el7.s390.rpm
sssd-debuginfo-1.13.0-40.el7.s390x.rpm
sssd-libwbclient-devel-1.13.0-40.el7.s390.rpm
sssd-libwbclient-devel-1.13.0-40.el7.s390x.rpm

x86_64:
libipa_hbac-devel-1.13.0-40.el7.i686.rpm
libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
libsss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
sssd-1.13.0-40.el7.src.rpm

noarch:
python-sssdconfig-1.13.0-40.el7.noarch.rpm

x86_64:
libipa_hbac-1.13.0-40.el7.i686.rpm
libipa_hbac-1.13.0-40.el7.x86_64.rpm
libsss_idmap-1.13.0-40.el7.i686.rpm
libsss_idmap-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-libipa_hbac-1.13.0-40.el7.x86_64.rpm
python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm
python-sss-1.13.0-40.el7.x86_64.rpm
python-sss-murmur-1.13.0-40.el7.x86_64.rpm
sssd-1.13.0-40.el7.x86_64.rpm
sssd-ad-1.13.0-40.el7.x86_64.rpm
sssd-client-1.13.0-40.el7.i686.rpm
sssd-client-1.13.0-40.el7.x86_64.rpm
sssd-common-1.13.0-40.el7.i686.rpm
sssd-common-1.13.0-40.el7.x86_64.rpm
sssd-common-pac-1.13.0-40.el7.x86_64.rpm
sssd-dbus-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-ipa-1.13.0-40.el7.x86_64.rpm
sssd-krb5-1.13.0-40.el7.x86_64.rpm
sssd-krb5-common-1.13.0-40.el7.i686.rpm
sssd-krb5-common-1.13.0-40.el7.x86_64.rpm
sssd-ldap-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-1.13.0-40.el7.x86_64.rpm
sssd-proxy-1.13.0-40.el7.x86_64.rpm
sssd-tools-1.13.0-40.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
libipa_hbac-devel-1.13.0-40.el7.i686.rpm
libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm
libsss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm
libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-1.13.0-40.el7.i686.rpm
libsss_simpleifp-1.13.0-40.el7.x86_64.rpm
libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm
libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm
sssd-debuginfo-1.13.0-40.el7.i686.rpm
sssd-debuginfo-1.13.0-40.el7.x86_64.rpm
sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm
sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5292
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkIwXlSAg2UNWIIRAnINAKDBmatLRvKwJPaSwuYki3fC/SD7XACfbUYi
8kOYYPRD0XDmFgAHtGvq2XU=
=v0PG
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVlKPdn6ZAP0PgtI9AQJuIw/+PEM4xUA+nHeutNLvAg4IjrCLhMgK55sQ
/VIFCKJl8EWFHj5vpGyDkyspDQoOFV/ikZWXZLRxkgutX/QZWy3D0X/5Mrne5rc3
KEKr1Oi09H8ueamRQPXZ0aI+mqzezQuwkFN+I8qTqIBMtl9agLoEUXLns8D/HpMZ
peWWkJKkLDofcxqQHDMLxlotaElrRQQyhs01AR9MsVC4BbEiKC7Fb+HCPLu9Ifl6
a9Y5iEQpFG3FA7MkCmuoKUvrRQhaSeCBGqOnZboob4nl1XofMiyE86jPRHAknsRE
o4dfeeXWg28mFQR8G5P7/vzmWskXJL5MlQ2xJ+RRZ49bHmJzSsobqnGv+ixTAe2i
tb948As7nDFYBOuYFR+ykIO8GgdDM/UNroIWw8S6tk21nkCKHqAVXPb5o6K4j4J4
nSGegxaNWN3XD9xafw/iHeFE5SShniyvAx0K3UfHE7K52K1aHn8sWMTl3UKkkMgq
99/Jhxgz86H7qadNifv3+dyxAx1q5snFEmWCQ6FmRcVZtIryHNppFF3Zn0Z05wdG
q6qsQZF5ZRmyUFd/JLPQS2gTBWz18Tor5Hu5eke+bh/JJiu6CjRSO6Ase6zEnWuX
wDfkNC77wiHOoGhSaQPG4pgxAVXnTYIUz4HDVyjX3D3K1N3/kahqeiKihudkLuHm
DB4djmqVItk=
=3wk5
-----END PGP SIGNATURE-----