Recommended update for sssd

Announcement ID:	SUSE-RU-2021:3185-1
Rating:	moderate
References:	bsc#1182058 bsc#1182637 bsc#1184289 bsc#1187120 bsc#1189492 bsc#1190021 jsc#ECO-3493
Cross-References:	CVE-2021-3621
CVSS scores:	CVE-2021-3621 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-3621 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15-SP2 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Description:

This update for sssd fixes the following issues:

• Fix a dependency loop by moving internal libraries to sssd-common package. (bsc#1182058)
• Moved sssctl command from sssd to sssd-tools package. (bsc#1184289)
• Create timestamp attribute in cache objects if missing. (bsc#1182637)
• Fix watchdog not terminating tasks. (bsc#1187120)
• Improve logs to record the reason why internal watchdog terminates.
• Fixed security issue with sssd: shell command injection in sssctl. (CVE-2021-3621, bsc#1189492)
• Fixes a segfault with newer libcares2 versions when the library fails to parse a dns name. (bsc#1190021)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3185=1

Package List:

• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libipa_hbac0-debuginfo-1.16.1-17.14.1
  • sssd-ad-1.16.1-17.14.1
  • sssd-krb5-common-1.16.1-17.14.1
  • libsss_idmap-devel-1.16.1-17.14.1
  • libsss_idmap0-1.16.1-17.14.1
  • sssd-winbind-idmap-debuginfo-1.16.1-17.14.1
  • libsss_idmap0-debuginfo-1.16.1-17.14.1
  • sssd-dbus-debuginfo-1.16.1-17.14.1
  • sssd-krb5-common-debuginfo-1.16.1-17.14.1
  • libsss_certmap-devel-1.16.1-17.14.1
  • libipa_hbac-devel-1.16.1-17.14.1
  • libsss_simpleifp0-debuginfo-1.16.1-17.14.1
  • sssd-ad-debuginfo-1.16.1-17.14.1
  • sssd-common-1.16.1-17.14.1
  • libipa_hbac0-1.16.1-17.14.1
  • sssd-ldap-1.16.1-17.14.1
  • libsss_nss_idmap0-1.16.1-17.14.1
  • sssd-proxy-1.16.1-17.14.1
  • sssd-proxy-debuginfo-1.16.1-17.14.1
  • sssd-dbus-1.16.1-17.14.1
  • sssd-ipa-debuginfo-1.16.1-17.14.1
  • libsss_simpleifp-devel-1.16.1-17.14.1
  • libsss_certmap0-1.16.1-17.14.1
  • libsss_nss_idmap-devel-1.16.1-17.14.1
  • sssd-krb5-1.16.1-17.14.1
  • python3-sssd-config-debuginfo-1.16.1-17.14.1
  • sssd-1.16.1-17.14.1
  • sssd-ipa-1.16.1-17.14.1
  • sssd-common-debuginfo-1.16.1-17.14.1
  • libsss_nss_idmap0-debuginfo-1.16.1-17.14.1
  • sssd-ldap-debuginfo-1.16.1-17.14.1
  • sssd-tools-debuginfo-1.16.1-17.14.1
  • sssd-debugsource-1.16.1-17.14.1
  • sssd-tools-1.16.1-17.14.1
  • python3-sssd-config-1.16.1-17.14.1
  • libsss_simpleifp0-1.16.1-17.14.1
  • libsss_certmap0-debuginfo-1.16.1-17.14.1
  • sssd-winbind-idmap-1.16.1-17.14.1
  • sssd-krb5-debuginfo-1.16.1-17.14.1

References:

• https://www.suse.com/security/cve/CVE-2021-3621.html
• https://bugzilla.suse.com/show_bug.cgi?id=1182058
• https://bugzilla.suse.com/show_bug.cgi?id=1182637
• https://bugzilla.suse.com/show_bug.cgi?id=1184289
• https://bugzilla.suse.com/show_bug.cgi?id=1187120
• https://bugzilla.suse.com/show_bug.cgi?id=1189492
• https://bugzilla.suse.com/show_bug.cgi?id=1190021
• https://jira.suse.com/browse/ECO-3493