Debian Package Tracker

sssd

System Security Services Daemon -- metapackage

general
  • source: sssd (main)
  • version: 2.8.1-2
  • maintainer: Debian SSSD Team (archive) (DMD)
  • uploaders: Dominik George [DMD] – Timo Aaltonen [DMD]
  • arch: any
  • std-ver: 4.4.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.15.0-3+deb9u1
  • o-o-sec: 1.15.0-3+deb9u2
  • oldstable: 1.16.3-3.2
  • stable: 2.4.1-2
  • testing: 2.8.1-2
  • unstable: 2.8.1-2
versioned links
  • 1.15.0-3+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.15.0-3+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.16.3-3.2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.8.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libipa-hbac-dev
  • libipa-hbac0
  • libnss-sss (2 bugs: 0, 2, 0, 0)
  • libpam-sss (3 bugs: 0, 3, 0, 0)
  • libsss-certmap-dev
  • libsss-certmap0
  • libsss-idmap-dev
  • libsss-idmap0
  • libsss-nss-idmap-dev
  • libsss-nss-idmap0
  • libsss-simpleifp-dev
  • libsss-simpleifp0
  • libsss-sudo (3 bugs: 0, 3, 0, 0)
  • python3-libipa-hbac
  • python3-libsss-nss-idmap
  • python3-sss (1 bugs: 0, 1, 0, 0)
  • sssd (25 bugs: 0, 25, 0, 0)
  • sssd-ad (1 bugs: 0, 1, 0, 0)
  • sssd-ad-common
  • sssd-common (4 bugs: 0, 3, 1, 0)
  • sssd-dbus
  • sssd-idp
  • sssd-ipa
  • sssd-kcm
  • sssd-krb5 (2 bugs: 0, 2, 0, 0)
  • sssd-krb5-common
  • sssd-ldap (2 bugs: 0, 2, 0, 0)
  • sssd-proxy
  • sssd-tools
action needed
A new upstream version is available: 2.8.2 (high)
A new upstream version 2.8.2 is available, you should consider packaging it.
Created: 2022-12-10 Last update: 2023-02-08 21:09
5 security issues in buster (high)

There are 5 open security issues in buster.

1 important issue:
  • CVE-2022-4254: sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
4 issues postponed or untriaged:
  • CVE-2019-3811: (needs triaging) A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot().
  • CVE-2021-3621: (needs triaging) A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
  • CVE-2018-16838: (needs triaging) CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions
  • CVE-2018-16883: (needs triaging) sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
Created: 2023-01-25 Last update: 2023-02-04 03:30
2 bugs tagged patch in the BTS (normal)
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2022-07-27 Last update: 2023-02-08 21:03
Depends on packages which need a new maintainer (normal)
The packages that sssd depends on which need a new maintainer are:
  • xml-core (#660687)
    • Build-Depends: xml-core
Created: 2019-11-22 Last update: 2023-02-08 20:33
Multiarch hinter reports 4 issue(s) (normal)
There are issues with the multiarch metadata for this package.
  • libipa-hbac0 could be marked Multi-Arch: same
  • libsss-certmap0 could be marked Multi-Arch: same
  • libsss-idmap0 could be marked Multi-Arch: same
  • libsss-nss-idmap0 could be marked Multi-Arch: same
Created: 2022-10-18 Last update: 2023-02-08 19:01
Does not build reproducibly during testing (normal)
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2022-03-18 Last update: 2023-02-08 17:08
version in VCS is newer than in repository, is it time to upload? (normal)
vcswatch reports that this package seems to have a new changelog entry (version 2.8.2-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 44da1a91519f74f0b691b988a8faac832f9c06e2
Author: Sam Morris <sam@robots.org.uk>
Date:   Thu Jan 12 13:03:45 2023 +0000

    Ship libsubid_sss.so in sssd-common package

commit b6953e55729ee21e8caaa6cbf45494815026c896
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jan 10 16:43:44 2023 +0200

    version bump

commit ffcadcd184ef06a3ac69656ec3415a00f5659335
Merge: edc62ebea 796b6daee
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jan 10 16:43:04 2023 +0200

    Merge branch 'upstream'

commit 796b6daee338bc600e5757d4804a17687106a7e1
Author: Pavel Březina <pbrezina@redhat.com>
Date:   Fri Dec 9 13:39:40 2022 +0100

    Release sssd-2.8.2

commit 37f934f2762b9bd67b286a1ada2cb5d8d7c451ee
Author: Pavel Březina <pbrezina@redhat.com>
Date:   Fri Dec 9 13:38:26 2022 +0100

    pot: update pot files

commit 5d4f9dfd6c3d0e7285414b9e006f1799dfee7e5a
Author: Weblate <noreply@weblate.org>
Date:   Fri Dec 9 13:27:56 2022 +0100

    po: update translations
    
    (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/zh_CN/
    
    po: update translations
    
    (Ukrainian) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/
    
    po: update translations
    
    (Korean) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/
    
    po: update translations
    
    (Korean) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/
    
    po: update translations
    
    (Japanese) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ja/
    
    po: update translations
    
    (French) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/fr/
    
    po: update translations
    
    (Ukrainian) currently translated at 100.0% (704 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/
    
    po: update translations
    
    (Korean) currently translated at 96.4% (679 of 704 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

commit 16c814adecb97b41dd8d0c5022c1037adf9bd633
Author: aborah-sudo <aborah@redhat.com>
Date:   Mon Sep 26 13:43:22 2022 +0530

    Tests: port proxy_provider/rfc2307bis
    
    https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis
    
    Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 4a658e6ccf7a3b2cd5fb9d1827d0caec6b8dc961)

commit 5b7a4b4fef47edfc1658dfac5df12d027e6cd60b
Author: Madhuri Upadhye <mupadhye@redhat.com>
Date:   Thu Dec 8 13:26:30 2022 +0530

    Tests: Minor fixes for alltests
    
    Enable files domain.
    
    Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
    
    Reviewed-by: Anuj Borah <aborah@redhat.com>
    (cherry picked from commit 81eb0606d5ea1ce79c0fdd1d71784bb01a682e03)

commit 98412a4ec5f86cd20f3b508465462612abc4a7ff
Author: Alejandro López <allopez@redhat.com>
Date:   Thu Dec 8 10:33:57 2022 +0100

    BACKEND: Reload resolv.conf after initialization
    
    Once the backend initialization is finished, in particular after D-Bus
    is initialized, reload the resolv.conf file to retrieve any change
    signaled through D-Bus before its initialization.
    
    Resolves: https://github.com/SSSD/sssd/issues/6383
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 34d55884c6349d2c576a625bfbfcbfbc4f3c146f)

commit 20037ae5354a874f04802844c930c6b52704c5c7
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Dec 5 17:46:52 2022 +0100

    p11: fix size of argument array
    
    Currently 19 options can be set for p11_child and with the NULL at the
    end the array must have 20 elements.
    
    Resolves: https://github.com/SSSD/sssd/issues/6479
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
    (cherry picked from commit aac303e84b71325d3c45fa7a22f83f7f54d4b7a2)

commit a8b6be403cf7af10effcba6433a6bd98f9138955
Author: Dan Lavu <dlavu@redhat.com>
Date:   Mon Oct 31 15:53:26 2022 -0400

    Adding Ported DynDNS Testcases
    
    This is merged branch of two following PRs, 6363 and 6344 which are now closed.
    
    6344 Add the tests but are unreliable.
    
    6363 contains the following changes, rewriting the suite.
    * change_hostname fixture would revert back to the hostname in /etc/hostname, updated fixture
    * disabled DNS recursion, lookups were being forwarded to authoritative servers resulting in false passing tests
    * removed ipv6 address about part of the del_record, would result in passing but the wrong thing be searched
    * created a DNSAD object to search for records directly on the DNS server, stabling results and skipping any cache
    * cleaned up the functions and code for readability
    
    Signed-off-by: Dan Lavu <dlavu@redhat.com>

commit 99d46b2fa33754d3c35e32f1f842b1fc4f1644a4
Author: Tomas Halman <thalman@redhat.com>
Date:   Wed Nov 2 17:35:57 2022 +0100

    RESOLV: Configuration option for DNS search
    
    DNS search may increase the time of name resolution significantly.
    Particularly when SSSD is misconfigured or the DNS server is
    unreachable.
    
    With this patch SSSD can avoid DNS search and the list
    of domains from resolv.conf is ignored. To avoid DNS search in
    kerberos library SSSD appends the dot to the server names before
    they are written into KDC info file.
    
    :relnote: SSSD can be configured not to perform a DNS search
    during DNS name resolution. This behavior is governed by the
    new dns_resolver_use_search_list. This parameter can
    be used in the domain section. Default value is true - that
    means that SSSD follows the system settings.
    
    Resolves: https://github.com/SSSD/sssd/issues/5390
    
    Reviewed-by: Alejandro Lopez <allopez@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 2fda8e7b7e71dd5ebdc7297449d3afc52ac9eb03)

commit f17bb003c85dbf962c2b868a969a14302ec464bc
Author: Alexey Tikhonov <atikhono@redhat.com>
Date:   Thu Dec 1 21:22:54 2022 +0100

    BUILD: deprecate `--enable-files-domain` build option
    
    :relnote:`--enable-files-domain` configure option is deprecated and
    will be removed in one of the next versions of SSSD.
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 714ababe8c96cd3a43d3c114cf853ce4a259fd0f)

commit be569b0cb393582e428e606518824f5368834188
Author: Alexey Tikhonov <atikhono@redhat.com>
Date:   Mon Dec 5 11:25:36 2022 +0100

    Updated .pot/.po files

commit 64c9905533811cbf5d193690d85220a9a8df38aa
Author: Alexey Tikhonov <atikhono@redhat.com>
Date:   Fri Dec 2 18:28:50 2022 +0100

    Translations: add missing `tools/sssctl/sssctl_cert.c` and macros
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 8b09c9387e55b177d6b1ec65afe65e354e19b96b)

commit 464c78beb529e29368412805f5b12b650d4f100b
Author: Shridhar Gadekar <sgadekar@redhat.com>
Date:   Fri Dec 2 01:40:03 2022 +0530

    Test: gssapi test fix
    
    minor flake8 fixes
    
    Reviewed-by: Jakub Vávra <jvavra@redhat.com>
    Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
    (cherry picked from commit 664a436e9ce758554938183d1475e7353020e495)

commit 0b4679616d63a854548cb8bc2bf871e0b531e2de
Author: 김인수 <simmon@nplob.com>
Date:   Sun Nov 20 17:19:54 2022 +0000

    po: update translations
    
    (Korean) currently translated at 100.0% (663 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

commit f1dc6cddecb14d4385899e0951b593fef2bd66cb
Author: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Date:   Sat Nov 12 09:08:36 2022 +0000

    po: update translations
    
    (Georgian) currently translated at 7.8% (52 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ka/

commit 0909e8a15bfc6af1ebebccb8188364ea1a0e08d7
Author: Yuri Chornoivan <yurchor@ukr.net>
Date:   Sun Oct 9 10:54:32 2022 +0000

    po: update translations
    
    (Ukrainian) currently translated at 100.0% (663 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/

commit 8290b0e7e69bd15a9b5f82b4e97327a3d9556d39
Author: Elena Mishina <lepata@basealt.ru>
Date:   Mon Oct 10 10:56:09 2022 +0000

    po: update translations
    
    (Russian) currently translated at 100.0% (663 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ru/

commit 5bd2aa9b8b7f654dd8c170cb84f094b633da9cf2
Author: Piotr Drąg <piotrdrag@gmail.com>
Date:   Sun Oct 9 10:52:10 2022 +0000

    po: update translations
    
    (Polish) currently translated at 100.0% (663 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/pl/

commit 72eed034953843a66db485c153a5208e1b0fceba
Author: 김인수 <simmon@nplob.com>
Date:   Sun Oct 9 12:40:09 2022 +0000

    po: update translations
    
    (Korean) currently translated at 100.0% (663 of 663 strings)
    Translation: SSSD/SSSD-2-8
    Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

commit 12e39a45613a5b5d1236d911386cf28edd96f147
Author: Sumit Bose <sbose@redhat.com>
Date:   Thu Nov 24 18:22:05 2022 +0100

    certmap: Add documentation for some internal functions
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit b0bdf712eb632f94e9925d32fb703bdfd574e11d)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 925d8a9f1281f984ebfacc5d00ba561de54366b6
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:21:08 2022 +0200

    certmap: add LDAPU1 rules to man page
    
    This patch adds the new LDAPU1 mapping rule templates to the sss-certmap
    man page.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 882f560e68a881a95d7f66745a3530176bdd0a66)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 17142068c58255b2809a4cdb3c8feb43d5393cdb
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:20:13 2022 +0200

    certmap: add tests for new attributes and LDAPU1 rules
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 4ac53fb5ef95cd2c94f076299aa4d3213c3c9be6)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 698d56882477753de37e078f7b1647aea6016f65
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:19:21 2022 +0200

    certmap: add LDAPU1 mapping rules
    
    Add mapping rule templates for the new discovered attributes, templates
    for certificate hashes and templates to select individual DN components.
    To avoid issues with older versions of the library the new templates
    must use the prefix LDAPU1.
    
    :feature: New mapping template for serial number, subject key id, SID,
              certificate hashes and DN components are added to
              libsss_certmap.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 1303c6241bb27ef902787dcd526aeaae3417063a)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 8a6a874ba4cb3d245160dba967aa32173041a3d8
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:15:59 2022 +0200

    certmap: dump new attributes in sss_cert_dump_content()
    
    Add the newly discovered certificate values, i.e. serial number, subject
    key id and SID to the output of sss_cert_dump_content() which is used
    e.g. by 'sssctl cert-show'.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 0a906107322fffc17757480f9e540796f9f181ce)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 3f336da42d87fa86749264343f5933485c4bd973
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:11:59 2022 +0200

    certmap: add get_digest_list() and get_hash()
    
    Add support to calculate hash/digest values of binary data, e.g. of a
    certificate.
    
    Resolves: https://github.com/SSSD/sssd/issues/6404
    
    (cherry picked from commit 3676a4fba473b93df2b32fb143ef0b261d04d9f6)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 9a45e6162760c6d6b1e94644e5eb51d87b0d49c6
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 13:03:51 2022 +0200

    sssctl: add cert-eval-rule sub-command
    
    The new 'cert-eval-rule' sub-command of sssctl shows the results of given
    matching and mapping rules on a given certificate. This should help to
    find suitable mapping and matching rules and to understand why a given
    certificate is matched or not.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 11483f1ec046f1062df68f1544e49fd59473084e)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 6ad29f9999324b951d4ae7b214558cc8e26636a9
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 12:55:12 2022 +0200

    certmap: add bin_to_hex() helper function
    
    This patch adds a helper function to format hexadecimal strings of
    binary data.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit c4085c9a7d1ec54c1b830583128148a0c7b807d8)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 8d8e3c7c616a347e2de8d7a1117e5a4ebd996a2d
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 12:49:34 2022 +0200

    certmap: fix for SAN URI
    
    The URI was not added to the list of subject alternative names.
    
    (cherry picked from commit f293507d9f6efda9908a3ec971ce7f4eac284ae1)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit 47f3408e9ea122fab7c1f847b5ffcd1839f5b4b1
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 12:46:45 2022 +0200

    certmap: add support for SID extension
    
    Check if the SID extension is available, read the SID and make it
    available.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 9e1b711b2611e7390bcbcd4a9682dd18e71c3d72)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit a2bca35c7f7b0d7b1f5a633284d54be15ed4858b
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 12:45:02 2022 +0200

    certmap: add support for subject key id
    
    Read the subject key id from the certificate and make it available.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 10d977a3675a8145314edea0bebd7b9ac01eda89)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit cca0233ef16fd7be5ebc931b0f673486a52130fd
Author: Sumit Bose <sbose@redhat.com>
Date:   Mon Oct 24 12:41:59 2022 +0200

    certmap: add support for serial number
    
    Read the serial number of the certificate and make it available.
    
    Resolves: https://github.com/SSSD/sssd/issues/6403
    
    (cherry picked from commit 3f8bc8720ff871490c6a6233b1a21bc1d2018cf1)
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>

commit cd1a94e58f64770d40bb995f35a8cab8c6f44ae9
Author: Alexey Tikhonov <atikhono@redhat.com>
Date:   Wed Nov 16 21:22:12 2022 +0100

    SYSDB: pre-existence of MPG group in the cache isn't an error
    
    Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    (cherry picked from commit e4dd11f2c2cd59031f904a1e30ed5b67edbdd54f)

commit 65e944bd577a1ea5772135db583725ca4e73c8cc
Author: aborah-sudo <aborah@redhat.com>
Date:   Fri Nov 25 08:58:53 2022 +0530

    Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207
    
    test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affected by
    disabling "implicit files provider"
    
    Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
    Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
    (cherry picked from commit ad0a8c6a33ea5bbad8058112b95bef00bb76d5c9)

commit 35a28524e407bf4b05a17c7c7f0b48799a18e8bf
Author: Sumit Bose <sbose@redhat.com>
Date:   Tue Nov 22 14:43:21 2022 +0100

    pac: relax default check
    
    To avoid issues with the UPN check during PAC validation when
    'ldap_user_principal' is set to a non-existent attribute to skip reading
    user principals, a new 'pac_check' option, 'check_upn_allow_missing', is
    added to the default options. With this option only a log message is
    shown but the check will not fail.
    
    Resolves: https://github.com/SSSD/sssd/issues/6451
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    (cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)

commit a3304cc6b27b2f0678d0dcb4130865aa09442f5d
Author: Sumit Bose <sbose@redhat.com>
Date:   Tue Nov 22 13:39:26 2022 +0100

    ipa: do not add guessed principal to the cache
    
    Currently on IPA clients a calculated principal based on the user name
    and the Kerberos realm is added to the cached user object. This code is
    quite old and might have been necessary at times when sub-domain support
    was added to SSSD. But since quite some time SSSD is capable of
    generating the principal on the fly during authentication if nothing is
    stored in the cache.
    
    Removing the code makes the cache more consistent with other use-cases,
    e.g. with the IPA server where this attribute is empty, and allows to
    properly detect a missing UPN, e.g. during the PAC validation.
    
    Resolves: https://github.com/SSSD/sssd/issues/6451
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    (cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)

commit b00c72d29b172a91b3eac5bc7b8ed275b883ec61
Author: Sumit Bose <sbose@redhat.com>
Date:   Wed Nov 16 09:28:54 2022 +0100

    PAC: allow to disable UPN check
    
    Currently it was not possible to skip the UPN check which checks if the
    UPN in the PAC and the one stored in SSSD's cache are different.
    Additionally the related debug message will show both principals if they
    differ.
    
    Resolves: https://github.com/SSSD/sssd/issues/6451
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    (cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)

commit ece9434865a1b0a5c782f6bfb622f261920a155e
Author: Cole Robinson <crobinso@redhat.com>
Date:   Sun Nov 27 10:29:18 2022 -0500

    MAN: Fix option typo on sssd-kcm.8
    
    The option is called krb5_renewable_lifetime, not krb5_renew_lifetime
    
    Signed-off-by: Cole Robinson <crobinso@redhat.com>
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
    (cherry picked from commit 340691fae95a2fc66c85d5da8db14f227b2c88a8)

commit 765fe3de67e3c27665f90fd0df626bf801f8a31c
Author: Jakub Vavra <jvavra@redhat.com>
Date:   Thu Nov 24 20:58:26 2022 +0100

    Tests: Fix automount OU removal from AD.
    
    Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
    (cherry picked from commit fc3fad982e39d560a80c1a8b922455a190718cb7)

commit 0253f7c3f5433f1853bc14af5b736a6382e945f5
Author: Justin Stephenson <jstephen@redhat.com>
Date:   Fri Nov 18 11:21:24 2022 -0500

    CI: Update core github actions
    
    Update dependent actions to address:
    https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    (cherry picked from commit 4a6eb258c33c8adeb78c053aa8401729f0f6bbec)

commit 77ef7b256d2fd0d4565c01462dc12f0acfda91a9
Author: Iker Pedrosa <ipedrosa@redhat.com>
Date:   Thu Nov 24 13:20:38 2022 +0100

    ci: fix codeql
    
    libsemanage1-dev renamed to libsemanage-dev in debian and its
    derivatives.
    
    Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 336b1facdc043f21aab7e67e46c3c736fa64d303)

commit 8c4da49374d0f94c8d8d0600ec50a0bab2a07aa6
Author: Pavel Březina <pbrezina@redhat.com>
Date:   Fri Nov 25 11:15:52 2022 +0100

    ci: install correct python development package
    
    The package name has changed on new Ubuntu.
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    (cherry picked from commit ae614c17b3874862200b78e57c158554b62a8273)

commit dc71321f72ab9962259660f52001319ea6724fb7
Author: Pavel Březina <pbrezina@redhat.com>
Date:   Thu Nov 24 18:41:02 2022 +0100

    ci: make /dev/shm writable
    
    We build SSSD in /dev/shm which is mounted on read-only file system on
    new podman version. We need to mount it as tmpfs to make it writable.
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    (cherry picked from commit f5c0e7b391879782b0e93fe02265c3bef7cb9edf)

commit 49b107175e817ec38d8ffbc7fea4052327bb3cae
Author: Justin Stephenson <jstephen@redhat.com>
Date:   Mon Nov 14 11:08:23 2022 -0500

    SSSCTL: Add debug option to help message
    
    Reviewed-by: Alejandro López <allopez@redhat.com>
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    (cherry picked from commit 2f99cd31bc43406a9d400129260654ebd6bccc15)

commit e3be45977f34ab34de6734388cdc0217ea55c8c3
Author: Jakub Vavra <jvavra@redhat.com>
Date:   Tue Nov 22 10:58:51 2022 +0100

    Tests: Update fixture using adcli to handle password from stdin.
    
    Adcli changed handling password dialog for bz2124030 so
    the automation needs to be updated to work properly.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 14748ff981ac5825a55c06350db05dce23732299)

commit a34b4f5e87a9c9a66c72eb6d5a1c1813f530bd52
Author: Steeve Goveas <sgoveas@redhat.com>
Date:   Mon Oct 17 11:39:00 2022 +0530

    Tests: Cannot SSH with AD user to ipa-client with invalid keytab
    
    `krb5_validate` and `pac_check` settings conflict. Setting krb5_validate
    to false skips the pac_check enabling the login
    
    Verifies:
      #6355
      https://bugzilla.redhat.com/show_bug.cgi?id=2127822
      https://bugzilla.redhat.com/show_bug.cgi?id=2128902
    
    Reviewed-by: Anuj Borah <aborah@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 790e7a779f4385b8ad95878ee79a44fdaac46325)

commit 581617c099ae9df3ac9920955887908b3b9dd404
Author: Alexey Tikhonov <atikhono@redhat.com>
Date:   Thu Nov 10 22:18:06 2022 +0100

    SSSCTL: don't require 'root' for "analyze" cmd
    
    :relnote: `sssctl analyze` tool doesn't require anymore to be run under root.
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)
    
    Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
    Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Created: 2023-01-09 Last update: 2023-02-03 16:09
lintian reports 94 warnings (normal)
Lintian reports 94 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-01-11 Last update: 2023-01-11 04:36
1 low-priority security issue in bullseye (low)

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:
  • CVE-2021-3621: (needs triaging) A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-07-04 Last update: 2023-02-04 03:30
Standards version of the package is outdated. (wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.2 instead of 4.4.0).
Created: 2019-09-29 Last update: 2023-01-10 23:39
testing migrations
  • This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-libunistring transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2023-01-28] sssd 2.8.1-2 MIGRATED to testing (Debian testing watch)
  • [2023-01-10] Accepted sssd 2.8.1-2 (source) into unstable (Sergio Durigan Junior) (signed by: Timo Aaltonen)
  • [2022-11-25] sssd 2.8.1-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-23] Accepted sssd 2.8.1-1 (source) into unstable (Timo Aaltonen)
  • [2022-09-24] sssd 2.7.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-09-22] Accepted sssd 2.7.4-1 (source) into unstable (Timo Aaltonen)
  • [2022-08-17] Accepted sssd 2.7.3-2 (source) into unstable (Timo Aaltonen)
  • [2022-07-08] sssd 2.7.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-06] Accepted sssd 2.7.3-1 (source) into unstable (Timo Aaltonen)
  • [2022-06-25] sssd 2.7.2-3 MIGRATED to testing (Debian testing watch)
  • [2022-06-22] Accepted sssd 2.7.2-3 (source) into unstable (Sergio Durigan Junior) (signed by: Timo Aaltonen)
  • [2022-06-22] Accepted sssd 2.7.2-2 (source) into unstable (Timo Aaltonen)
  • [2022-06-22] Accepted sssd 2.7.2-1 (source) into unstable (Timo Aaltonen)
  • [2022-06-11] sssd 2.7.1-2 MIGRATED to testing (Debian testing watch)
  • [2022-06-09] Accepted sssd 2.7.1-2 (source) into unstable (Timo Aaltonen)
  • [2022-06-06] Accepted sssd 2.7.1-1 (source) into unstable (Timo Aaltonen)
  • [2022-05-27] Accepted sssd 2.7.0-1 (source amd64) into unstable, unstable (Debian FTP Masters) (signed by: Timo Aaltonen)
  • [2022-04-20] sssd 2.6.3-3 MIGRATED to testing (Debian testing watch)
  • [2022-04-10] Accepted sssd 2.6.3-3 (source) into unstable (Timo Aaltonen)
  • [2022-03-29] Accepted sssd 2.6.3-2 (source) into unstable (Timo Aaltonen)
  • [2022-02-13] sssd 2.6.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-02-11] Accepted sssd 2.6.3-1 (source) into unstable (Timo Aaltonen)
  • [2021-11-24] sssd 2.6.1-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-17] Accepted sssd 2.6.1-1 (source) into unstable (Timo Aaltonen)
  • [2021-11-14] sssd 2.5.2-5 MIGRATED to testing (Debian testing watch)
  • [2021-11-12] Accepted sssd 2.5.2-5 (source) into unstable (Timo Aaltonen)
  • [2021-10-15] sssd 2.5.2-4 MIGRATED to testing (Debian testing watch)
  • [2021-10-12] Accepted sssd 2.5.2-4 (source) into unstable (Timo Aaltonen)
  • [2021-09-25] sssd 2.5.2-3 MIGRATED to testing (Debian testing watch)
  • [2021-09-22] Accepted sssd 2.5.2-3 (source) into unstable (Timo Aaltonen)
bugs [bug history graph]
  • all: 46 47
  • RC: 0
  • I&N: 44
  • M&W: 2 3
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian (0, 94)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (30, 50)
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 2.8.1-1ubuntu1
  • 27 bugs (1 patch)
  • patches for 2.8.1-1ubuntu1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers