|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2023-3758: sssd: race condition during authorization leads to GPO policies functioning inconsistently | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | SUSE Samba Team <samba> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | abergmann, camila.matos, scabrero |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/402613/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-3758:7.1:(AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
SMASH SMASH
2024-04-18 19:09:46 UTC
Patches seem to be available through the following commits: - d7db797 (master) [0] - f4ebe14 (sssd-2-8) [1] - e1bfbc2 (sssd-2-9) [2] All of these are related to PR 7302 (closed) [3]. [0] https://github.com/SSSD/sssd/commit/d7db7971682da2dbf7642ac94940d6b0577ec35a [1] https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 [2] https://github.com/SSSD/sssd/commit/e1bfbc2493c4194988acc3b2413df3dde0735ae3 [3] https://github.com/SSSD/sssd/pull/7302 File 'ad_gpo.c', containing the fixed code, has been added only to branches down until sssd-1-12, meaning versions <= 1.11 are likely not affected by this issue. See [0] for more information on these changes. [0] https://github.com/SSSD/sssd/commit/60cab26b12df9a2153823972cde0c38ca86e01b9 The fix inside ding-libs is only needed for the SLE-12-SP2 code-stream so that the sssd fix can be compiled. SUSE:SLE-12-SP2:Update ding-libs v0.5.0 SUSE:SLE-12-SP5:GA ding-libs v0.6.1 SUSE:SLE-15:Update ding-libs v0.6.1 The newer code streams have the needed new hash key constant string type. SUSE-SU-2024:1549-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1223100 CVE References: CVE-2023-3758 Maintenance Incident: [SUSE:Maintenance:33609](https://smelt.suse.de/incident/33609/) Sources used: openSUSE Leap 15.3 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): sssd-1.16.1-150300.23.43.1 SUSE Enterprise Storage 7.1 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise Micro 5.1 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise Micro 5.2 (src): sssd-1.16.1-150300.23.43.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): sssd-1.16.1-150300.23.43.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1563-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1223100 CVE References: CVE-2023-3758 Maintenance Incident: [SUSE:Maintenance:33610](https://smelt.suse.de/incident/33610/) Sources used: SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sssd-1.16.1-150200.17.32.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sssd-1.16.1-150200.17.32.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sssd-1.16.1-150200.17.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1579-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1223100 CVE References: CVE-2023-3758 Maintenance Incident: [SUSE:Maintenance:33608](https://smelt.suse.de/incident/33608/) Sources used: SUSE Linux Enterprise Micro 5.5 (src): sssd-2.5.2-150500.10.17.1 Basesystem Module 15-SP5 (src): sssd-2.5.2-150500.10.17.1 openSUSE Leap 15.5 (src): sssd-2.5.2-150500.10.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1578-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1223100 CVE References: CVE-2023-3758 Maintenance Incident: [SUSE:Maintenance:33607](https://smelt.suse.de/incident/33607/) Sources used: SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sssd-2.5.2-150400.4.27.1 SUSE Manager Proxy 4.3 (src): sssd-2.5.2-150400.4.27.1 SUSE Manager Retail Branch Server 4.3 (src): sssd-2.5.2-150400.4.27.1 SUSE Manager Server 4.3 (src): sssd-2.5.2-150400.4.27.1 openSUSE Leap 15.4 (src): sssd-2.5.2-150400.4.27.1 openSUSE Leap Micro 5.3 (src): sssd-2.5.2-150400.4.27.1 openSUSE Leap Micro 5.4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Micro 5.3 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise Micro 5.4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sssd-2.5.2-150400.4.27.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sssd-2.5.2-150400.4.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1577-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed. Category: security (important) Bug References: 1160688, 1223100 CVE References: CVE-2023-3758 Jira References: PED-7677, SLE-9298 Maintenance Incident: [SUSE:Maintenance:33606](https://smelt.suse.de/incident/33606/) Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sssd-1.16.1-7.61.1 SUSE Linux Enterprise Server 12 SP5 (src): sssd-1.16.1-7.61.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sssd-1.16.1-7.61.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): sssd-1.16.1-7.61.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2024:1941-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed. Category: security (important) Bug References: 1223050, 1223100 CVE References: CVE-2023-3758 Jira References: PED-7677 Maintenance Incident: [SUSE:Maintenance:34169](https://smelt.suse.de/incident/34169/) Sources used: openSUSE Leap 15.6 (src): sssd-2.9.3-150600.3.3.1 Basesystem Module 15-SP6 (src): sssd-2.9.3-150600.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. |