Id RHBA-2013:0047-01
Name Red Hat 2013:0047-01 RHBA sssd bug fix update for RHEL 5 x86
Vendor Name red_hat
Product None
Content Type Recommended
Operating System(s) Linux 
Released On 07 Jan 2013 12:00:00


SSSD (System Security Services Daemon) provides daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces and a pluggable back end system to connect to multiple different account sources.

This update fixes the following bugs:

* Previously, the SSSD daemon could deny simple paged search requests if an LDAP (Lightweight Directory Access Protocol) server had the paging control module installed but not enabled, or if a highly loaded LDAP server was restricted to a single page search operation. With this update, the "ldap_disable_paging" option disables the LDAP paging control to limit the number of SSSD lookups defined by the LDAP server. (BZ#782221)
* Previously, a segmentation fault could occur when the IPA HBAC (Host-Based Access Control) code iterated over the list of groups with an entity that formed the HBAC rule without checking its validity. This update creates an empty array to allow the HBAC code to loop safely. (BZ#783081)
* Previously, the SSSD daemon did not have a versioned dependency on the DBus library. Now, a versioned dependency on the DBus library is added to enable SSSD also on older versions of the DBus library. (BZ#797272)
* Previously, the IPA provider checked only IPA access control policies and ignored additional access control policies when the access provider was configured to use IPA access control policies. Users could get access when the LDAP access provider denied access. Now, LDAP access control policies are checked before the IPA access control policies. (BZ#797300)
* Previously, provider-specific data was freed before data that was transported between different SSSD processes. A segmentation fault could occur on shutdown when already freed memory was accessed. This update changes the order of free operations. (BZ#811912)
* Previously, the SSSD daemon was limited to 1024 open files by default. Further logins were rejected if the number of simultaneous connections exceeded the limit. This update sets the limit to 8000 open files or the maximum from limits.conf, whichever is less. (BZ#815154)
* Previously, the SSSD daemon went offline when set to encrypt the communication with the LDAP server using GSSAPI if the first Kerberos server was down. Now, SSSD retries all key distribution centers (KDC) before going offline. (BZ#817073)
* Previously, the status of a server that was unreachable was reset to neutral after a 30-second timeout. The server list marked a server for another retry and the cycle looped if the server list was too long. This update performs only one loop and stops when encountering a server that was checked before. (BZ#828190)
* Previously, the SSSD daemon kept connections to client applications open for the lifetime of the application. SSSD could use too many file descriptors and refuse new connections if many long-running applications were running simultaneously. Now, SSSD keeps a connection to a client application open only for a default interval of 60 seconds. (BZ#833169)
* Previously, the SSSD daemon did not contain an option to disable source hosts processing. The LDAP query to retrieve hosts could reach the administration limit of the LDAP server and abort if the IPA server contained a large number of hosts. Now, the ipa_hbac_support_srchost option defaults to "False" to switch off source hosts support. (BZ#841677)
* Previ

