From 8d6343c01f13847267e1d6ca812637ecd8b11584 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 11 Jan 2010 14:46:43 +0000
Subject: [PATCH] Updating to SSSD 1.0.1 Fixes: CVE-2010-0014
---
 .cvsignore | 2 +-
 cfg_dbg_timestamps.patch | 47 ---------------------
 import.log | 1 +
 sources | 2 +-
 sssd.conf.default | 90 ----------------------------------------
 sssd.spec | 10 ++---
 6 files changed, 8 insertions(+), 144 deletions(-)
 delete mode 100644 cfg_dbg_timestamps.patch
 delete mode 100644 sssd.conf.default
diff --git a/.cvsignore b/.cvsignore
index 77325be..7d55feb 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-sssd-1.0.0.tar.gz
+sssd-1.0.1.tar.gz
diff --git a/cfg_dbg_timestamps.patch b/cfg_dbg_timestamps.patch
deleted file mode 100644
index e5657ac..0000000
--- a/cfg_dbg_timestamps.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a79fed1bece2e33759546f97ce0f22af3745ac80 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Mon, 21 Dec 2009 13:03:03 -0500
-Subject: [PATCH] Allow debug_timestamps setting on a per-domain basis
-
-This was missing from the SSSDConfig API, though it was supported
-by the daemon.
----
- server/config/SSSDConfigTest.py | 2 ++
- server/config/etc/sssd.api.conf | 1 +
- 2 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/server/config/SSSDConfigTest.py b/server/config/SSSDConfigTest.py
-index f893d98..1e79342 100755
---- a/server/config/SSSDConfigTest.py
-+++ b/server/config/SSSDConfigTest.py
-@@ -372,6 +372,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- options = domain.list_options()
- control_list = [
- 'debug_level',
-+ 'debug_timestamps',
- 'min_id',
- 'max_id',
- 'timeout',
-@@ -586,6 +587,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
- options = domain.list_options()
- control_list = [
- 'debug_level',
-+ 'debug_timestamps',
- 'min_id',
- 'max_id',
- 'timeout',
-diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
-index c8ddae4..bdb6aab 100644
---- a/server/config/etc/sssd.api.conf
-+++ b/server/config/etc/sssd.api.conf
-@@ -42,6 +42,7 @@ chpass_provider = str, None
- [domain]
- # Options available to all domains
- debug_level = int, None, 0
-+debug_timestamps = bool, None
- command = str, None
- min_id = int, None, 1000
- max_id = int, None
---
-1.6.5.2
-
diff --git a/import.log b/import.log
index a33040c..58d8bf5 100644
--- a/import.log
+++ b/import.log
@@ -1 +1,2 @@
 sssd-0_1_0-5_20090309git691c9b3_fc10:HEAD:sssd-0.1.0-5.20090309git691c9b3.fc10.src.rpm:1236618353
+sssd-1_0_1-1_fc13:F-11:sssd-1.0.1-1.fc13.src.rpm:1263221083
diff --git a/sources b/sources
index 312d573..29eccee 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b4a21cd65157e775dd5843d6a7ded10d sssd-1.0.0.tar.gz
+695a5fb6003dad6f4af65146e4f039bf sssd-1.0.1.tar.gz
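Review bot: The new `sources` entry pins `sssd-1.0.1.tar.gz` with a 32-hex-digit digest, which looks like MD5, and that is the only integrity check on the upstream tarball visible in this commit. For a release whose stated purpose is a CVE fix, a collision-resistant digest is the safer pin; if the lookaside tooling in use accepts it, record the tarball as `SHA512 (sssd-1.0.1.tar.gz) = <sha512-of-the-tarball>` instead. Whatever the format, compare the downloaded tarball with the checksum or signature upstream publishes before uploading it.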
diff --git a/sssd.conf.default b/sssd.conf.default
deleted file mode 100644
index 1eaed3d..0000000
--- a/sssd.conf.default
+++ /dev/null
@@ -1,90 +0,0 @@
-[services]
-description = Local Service Configuration
-activeServices = nss, dp, pam
-
-[services/nss]
-description = NSS Responder Configuration
-# the following prevents sssd for searching for the root user/group in
-# all domains (you can add here a comma separated list of system accounts are
-# always going to be /etc/passwd users, or that you want to filter out)
-filterGroups = root
-filterUsers = root
-
-[services/dp]
-description = Data Provider Configuration
-
-[services/pam]
-description = PAM Responder Configuration
-
-[services/monitor]
-description = Service Monitor Configuration
-#if a backend is particularly slow you can raise this timeout here
-sbusTimeout = 30
-
-[domains]
-description = Domains served by SSSD
-; domains = LOCAL,LDAP
-
-# SSSD will not start if you don't configure any domain.
-# Add new domains condifgurations as [domains/] sections.
-# Then add the list of domains (in the order you want them to be
-# queried in the 'domains" attribute above and uncomment it
-
-# Example LOCAL domain that proxies to /etc/passwd and /etc/group files
-# This configuration is meant mostly as a migration path to be able to store
-# additional information about users while still keeping /etc/passwd
-# authoritative.
-
-; [domains/LOCAL]
-; description = LOCAL migration domain
-; enumerate = 3
-; minId = 500
-; magicPrivateGroups = FALSE
-; legacy = TRUE
-;
-; provider = proxy
-; libName = files
-; libPath = libnss_files.so.2
-
-# optionally a file named sssdproxylocal can be place in pam.d configured to
-# check pam_unix only and pam_sss can be used in the normal pam stack
-; auth-module = proxy
-; pam-target = sssdproxylocal
-
-# Example LOCAL domain that stores all users natively in the SSSD internal
-# directory. These local users and groups are not visibile in /etc/passwd, it
-# now contains only root and system accounts.
-
-; [domains/LOCAL]
-; description = LOCAL Users domain
-; enumerate = 3
-; minId = 500
-; maxId = 999
-; legacy = FALSE
-; magicPrivateGroups = TRUE
-; provider = local
-
-# Example LDAP domain that uses the proxy backend and the standard nss_ldap
-# and pam_ldap modules (Useful until we have good working native ldap backends).
-# For this to work the /etc/ldap.conf file needs to be correctly configured just
-# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
-# passwd: files ldap, set passwd: files, sss instead there.
-# Also consider using the following setting in /etc/ldap.conf to avoid needless
-# delays if the ldap server is offline:
-# timelimit 10
-# bind_timelimit 5
-# nss_reconnect_maxsleeptime 2
-# nss_reconnect_sleeptime 1
-
-; [domains/LDAP]
-; description = Proxy request to our LDAP server
-; enumerate = 0
-; minId = 1000
-; legacy = TRUE
-;
-; provider = proxy
-; libName = ldap
-; libPath = libnss_ldap.so.2
-;
-#if a backend is particularly slow you can raise this timeout here
-; timeout = 60
diff --git a/sssd.spec b/sssd.spec
index 7bb4e67..5dd6044 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -2,8 +2,8 @@
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib())")}
 Name: sssd
-Version: 1.0.0
-Release: 2%{?dist}
+Version: 1.0.1
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 # The entire source code is GPLv3+ except replace/ which is LGPLv3+
@@ -12,8 +12,6 @@ URL: http://fedorahosted.org/sssd
 Source: https://fedorahosted.org/released/sssd/sssd-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
-Patch1: cfg_dbg_timestamps.patch
-
 ### Patches ###
 ### Dependencies ###
@@ -80,7 +78,6 @@ service.
 %prep
 %setup -q
-%patch1 -p1 -b .cfg_dbg_timestamps
 %build
 NSS_LIBS=-lnss3 \
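Review bot: The commit drops `Patch1: cfg_dbg_timestamps.patch` and its `%patch1 -p1 -b .cfg_dbg_timestamps` line in `%prep` without recording why; presumably the per-domain `debug_timestamps` option is already in the 1.0.1 tarball, but nothing on the page confirms that. If it is, say so in the new changelog entry, for example `- Drop cfg_dbg_timestamps.patch, included upstream in 1.0.1`. The same entry would help administrators triaging the update if it named what CVE-2010-0014 affects or linked the tracking bug, as the 1.0.0-2 entry does. The `%build` section that follows `%prep` continues past the end of this hunk.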
@@ -208,6 +205,9 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Mon Jan 11 2010 Stephen Gallagher - 1.0.1-1
+- Fix CVE-2010-0014
+
 * Mon Dec 21 2009 Stephen Gallagher - 1.0.0-2
 - Patch SSSDConfig API to address
 - https://bugzilla.redhat.com/show_bug.cgi?id=549482