[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] vulnerability in sssd 1.5.0+ (CVE-2011-1758)
From: Vincent Danen <vdanen () redhat ! com>
Date: 2011-04-29 19:42:08
Message-ID: 20110429194208.GV2160 () redhat ! com
[Download RAW message or body]
Hello all.
Anyone shipping sssd 1.5.0 or higher will want to be aware of a flaw
that was found in how it handled cached passwords when renewal kerberos
tickets is enabled (this is a new feature in 1.5.0). Due to a bug, the
cached password was overwritten with a (moderately) predictable
filename, which could allow a user to authenticate as someone else if
they knew the name of the cache file (under some pretty specific
conditions).
We've assigned the name CVE-2011-1758 to this issue and it is now fixed
upstream.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=700867
http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a
--
Vincent Danen / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic