
update: sssd #1489

Closed
dongsupark opened this issue Jul 1, 2024 · 3 comments · Fixed by flatcar/scripts#2501
Labels: advisory (security advisory), cvss/HIGH (> 7 && < 9 assessed CVSS), security (security concerns)

Comments

@dongsupark
Member

dongsupark commented Jul 1, 2024

Name: sssd
CVEs: CVE-2021-3621, CVE-2023-3758
CVSSs: 8.8, 7.1
Action Needed: CVE-2021-3621: update to >= 2.5.2-r1, CVE-2023-3758: update to >= 2.9.5

Summary:

  • CVE-2021-3621: A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
  • CVE-2023-3758: A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

refmap.gentoo:
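As an added example (not code from this issue or from the sssd project), a check that an installed sssd version meets both fix thresholds from the Action Needed line above. It assumes plain numeric Gentoo-style versions with an optional -rN revision suffix and does not handle _rc/_p suffixes.

```python
import re
from typing import List, Tuple

# Fix thresholds taken from the issue's "Action Needed" line.
FIXED_IN = {
    "CVE-2021-3621": "2.5.2-r1",
    "CVE-2023-3758": "2.9.5",
}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Split a Gentoo-style version into (numeric components, revision).

    A missing -rN suffix counts as revision 0, so "2.5.2" sorts below
    "2.5.2-r1". Only numeric dotted versions are supported (assumption).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return parts, rev


def version_at_least(installed: str, required: str) -> bool:
    """True if installed >= required; shorter component lists are zero-padded
    so that "2.10" compares above "2.9.5"."""
    ip, ir = parse_version(installed)
    rp, rr = parse_version(required)
    n = max(len(ip), len(rp))
    ip += (0,) * (n - len(ip))
    rp += (0,) * (n - len(rp))
    return (ip, ir) >= (rp, rr)


def open_cves(installed: str) -> List[str]:
    """Return the CVEs from this issue that the installed version does not cover."""
    return [cve for cve, fix in FIXED_IN.items()
            if not version_at_least(installed, fix)]


if __name__ == "__main__":
    # Constructed sample versions, e.g. from `equery list sssd` output.
    for ver in ("2.5.2", "2.5.2-r1", "2.9.4-r3", "2.9.5"):
        print(ver, "still open:", open_cves(ver))
```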

dongsupark added the security, advisory and cvss/HIGH labels Jul 1, 2024
dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Jul 1, 2024
dongsupark moved this from 🪵Backlog to 🌱 Upcoming / Focus in Flatcar tactical, release planning, and roadmap Jul 3, 2024
@dongsupark
Member Author

Correction: as for CVE-2021-3621, Flatcar/Gentoo already has a custom patch, so it is not as urgent as I expected.
However, GLSA 202407-05 started to require 2.5.2-r1, so we could either update to that version or add it to the allowlist to make the GLSA tests pass.

@chewi
Contributor

chewi commented Jul 5, 2024

That CVE is quite old. Gentoo patched 2.5.2 at the time and took Jeremi's patch for 2.3.1. Both patches were dropped after 2.6, which isn't vulnerable.

Of the other two patches, the test_ca one was from Gentoo and no longer needed, and the disable-nsupdate-realm one is tiny.

In short, updating to the latest should not be a problem.

@dongsupark
Member Author

Removed CVE-2021-3621, but CVE-2023-3758 is still open.
