Date: Fri, 29 Apr 2011 13:42:08 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: vulnerability in sssd 1.5.0+ (CVE-2011-1758) Hello all. Anyone shipping sssd 1.5.0 or higher will want to be aware of a flaw that was found in how it handled cached passwords when renewal kerberos tickets is enabled (this is a new feature in 1.5.0). Due to a bug, the cached password was overwritten with a (moderately) predictable filename, which could allow a user to authenticate as someone else if they knew the name of the cache file (under some pretty specific conditions). We've assigned the name CVE-2011-1758 to this issue and it is now fixed upstream. References: https://bugzilla.redhat.com/show_bug.cgi?id=700867 http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.