Updating to SSSD 1.0.1

Fixes: CVE-2010-0014

.cvsignore

@@ -1 +1 @@
-sssd-1.0.0.tar.gz
+sssd-1.0.1.tar.gz

cfg_dbg_timestamps.patch

@@ -1,47 +0,0 @@
-From a79fed1bece2e33759546f97ce0f22af3745ac80 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Mon, 21 Dec 2009 13:03:03 -0500
-Subject: [PATCH] Allow debug_timestamps setting on a per-domain basis
-
-This was missing from the SSSDConfig API, though it was supported
-by the daemon.
----
- server/config/SSSDConfigTest.py |    2 ++
- server/config/etc/sssd.api.conf |    1 +
- 2 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/server/config/SSSDConfigTest.py b/server/config/SSSDConfigTest.py
-index f893d98..1e79342 100755
---- a/server/config/SSSDConfigTest.py
-+++ b/server/config/SSSDConfigTest.py
-@@ -372,6 +372,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
-         options = domain.list_options()
-         control_list = [
-             'debug_level',
-+            'debug_timestamps',
-             'min_id',
-             'max_id',
-             'timeout',
-@@ -586,6 +587,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
-         options = domain.list_options()
-         control_list = [
-             'debug_level',
-+            'debug_timestamps',
-             'min_id',
-             'max_id',
-             'timeout',
-diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
-index c8ddae4..bdb6aab 100644
---- a/server/config/etc/sssd.api.conf
-+++ b/server/config/etc/sssd.api.conf
-@@ -42,6 +42,7 @@ chpass_provider = str, None
- [domain]
- # Options available to all domains
- debug_level = int, None, 0
-+debug_timestamps = bool, None
- command = str, None
- min_id = int, None, 1000
- max_id = int, None
--- 
-1.6.5.2
-

import.log

@@ -1 +1,2 @@
 sssd-0_1_0-5_20090309git691c9b3_fc10:HEAD:sssd-0.1.0-5.20090309git691c9b3.fc10.src.rpm:1236618353
+sssd-1_0_1-1_fc13:F-11:sssd-1.0.1-1.fc13.src.rpm:1263221083

sources

@@ -1 +1 @@
-b4a21cd65157e775dd5843d6a7ded10d  sssd-1.0.0.tar.gz
+695a5fb6003dad6f4af65146e4f039bf  sssd-1.0.1.tar.gz

sssd.conf.default

@@ -1,90 +0,0 @@
-[services]
-description = Local Service Configuration
-activeServices = nss, dp, pam
-
-[services/nss]
-description = NSS Responder Configuration
-# the following prevents sssd for searching for the root user/group in
-# all domains (you can add here a comma separated list of system accounts are
-# always going to be /etc/passwd users, or that you want to filter out)
-filterGroups = root
-filterUsers = root
-
-[services/dp]
-description = Data Provider Configuration
-
-[services/pam]
-description = PAM Responder Configuration
-
-[services/monitor]
-description = Service Monitor Configuration
-#if a backend is particularly slow you can raise this timeout here
-sbusTimeout = 30
-
-[domains]
-description = Domains served by SSSD
-; domains = LOCAL,LDAP
-
-# SSSD will not start if you don't configure any domain.
-# Add new domains condifgurations as [domains/<NAME>] sections.
-# Then add the list of domains (in the order you want them to be
-# queried in the 'domains" attribute above and uncomment it
-
-# Example LOCAL domain that proxies to /etc/passwd and /etc/group files
-# This configuration is meant mostly as a migration path to be able to store
-# additional information about users while still keeping /etc/passwd
-# authoritative.
-
-; [domains/LOCAL]
-; description = LOCAL migration domain
-; enumerate = 3
-; minId = 500
-; magicPrivateGroups = FALSE
-; legacy = TRUE
-;
-; provider = proxy
-; libName = files
-; libPath = libnss_files.so.2
-
-# optionally a file named sssdproxylocal can be place in pam.d configured to
-# check pam_unix only and pam_sss can be used in the normal pam stack
-; auth-module = proxy
-; pam-target = sssdproxylocal
-
-# Example LOCAL domain that stores all users natively in the SSSD internal
-# directory. These local users and groups are not visibile in /etc/passwd, it
-# now contains only root and system accounts.
-
-; [domains/LOCAL]
-; description = LOCAL Users domain
-; enumerate = 3
-; minId = 500
-; maxId = 999
-; legacy = FALSE
-; magicPrivateGroups = TRUE
-; provider = local
-
-# Example LDAP domain that uses the proxy backend and the standard nss_ldap
-# and pam_ldap modules (Useful until we have good working native ldap backends).
-# For this to work the /etc/ldap.conf file needs to be correctly configured just
-# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
-# passwd: files ldap, set passwd: files, sss instead there.
-# Also consider using the following setting in /etc/ldap.conf to avoid needless
-# delays if the ldap server is offline:
-# timelimit 10
-# bind_timelimit 5
-# nss_reconnect_maxsleeptime 2
-# nss_reconnect_sleeptime 1
-
-; [domains/LDAP]
-; description = Proxy request to our LDAP server
-; enumerate = 0
-; minId = 1000
-; legacy = TRUE
-;
-; provider = proxy
-; libName = ldap
-; libPath = libnss_ldap.so.2
-;
-#if a backend is particularly slow you can raise this timeout here
-; timeout = 60

sssd.spec

@@ -2,8 +2,8 @@
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib())")}
 
 Name: sssd
-Version: 1.0.0
-Release: 2%{?dist}
+Version: 1.0.1
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 # The entire source code is GPLv3+ except replace/ which is LGPLv3+
@@ -12,8 +12,6 @@ URL: http://fedorahosted.org/sssd
 Source: https://fedorahosted.org/released/sssd/sssd-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
-Patch1: cfg_dbg_timestamps.patch
-
 ### Patches ###
 
 ### Dependencies ###
@@ -80,7 +78,6 @@ service.
 
 %prep
 %setup -q
-%patch1 -p1 -b .cfg_dbg_timestamps
 
 %build
 NSS_LIBS=-lnss3 \
@@ -208,6 +205,9 @@ fi
 %postun client -p /sbin/ldconfig
 
 %changelog
+* Mon Jan 11 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.0.1-1
+- Fix CVE-2010-0014
+
 * Mon Dec 21 2009 Stephen Gallagher <sgallagh@redhat.com> - 1.0.0-2
 - Patch SSSDConfig API to address
 - https://bugzilla.redhat.com/show_bug.cgi?id=549482