
[meta-security,kirkstone] sssd: Fix for CVE-2025-11561

Message ID 20251205101051.171885-1-vanusuri@mvista.com
State New

Commit Message

Vijay Anusuri Dec. 5, 2025, 10:10 a.m. UTC
From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../sssd/files/CVE-2025-11561.patch           | 50 +++++++++++++++++++
 recipes-security/sssd/sssd_2.5.2.bb           |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 recipes-security/sssd/files/CVE-2025-11561.patch

Comments

Vijay Anusuri Jan. 9, 2026, 1:28 p.m. UTC | #1
Hi Team,

Any update on this?

Thanks & Regards,
Vijay

On Fri, Dec 5, 2025 at 3:41 PM <vanusuri@mvista.com> wrote:

> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport [
> https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2
> ]
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../sssd/files/CVE-2025-11561.patch           | 50 +++++++++++++++++++
>  recipes-security/sssd/sssd_2.5.2.bb           |  1 +
>  2 files changed, 51 insertions(+)
>  create mode 100644 recipes-security/sssd/files/CVE-2025-11561.patch
>
Scott Murray Jan. 9, 2026, 6:30 p.m. UTC | #2
On Fri, 9 Jan 2026, Vijay Anusuri wrote:

> Hi Team,
>
> Any Update on this ?
>
> Thanks & Regards,
> Vijay

My apologies, kirkstone and scarthgap branch updates have been delayed due
to travel on my part in early December followed by the holidays.  I'm
aiming to push out updates for them in the next few days.

Scott


Patch

diff --git a/recipes-security/sssd/files/CVE-2025-11561.patch b/recipes-security/sssd/files/CVE-2025-11561.patch
new file mode 100644
index 0000000..0bfed6d
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2025-11561.patch
@@ -0,0 +1,50 @@ 
+From a0336f4cd69c25b3d501a3d361d3d286c00da4d2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]
+CVE: CVE-2025-11561
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index e131a5d96af..160e1711bcd 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++"  disable = an2ln\n" \
+ "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
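Review bot: the hunk header `@@ -751,6 +751,7 @@` and the index line `e131a5d96af..160e1711bcd` come from the upstream tree the commit was cherry-picked from, not from the sssd 2.5.2 tarball this recipe builds, so confirm that `LOCALAUTH_PLUGIN_CONFIG` in 2.5.2's `src/util/domain_info_utils.c` still carries the same `"[plugins]\n"`, `" localauth = {\n"` and `"  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n"` context, otherwise do_patch will either fail or, with fuzz, drop the new line into a different string. The one-line change itself is correct krb5.conf syntax: `disable = an2ln` inside the `localauth` block tells libkrb5 to skip the built-in an2ln module while still loading SSSD's own module from the `module = sssd:...` line. Note that the other built-in fallbacks named in the commit message (`default`, `rule`, `names`, `auth_to_local`, `k5login`) stay active, so a principal SSSD cannot map can still be mapped by them where an administrator or local user has configured them; only the zero-configuration an2ln mapping is removed.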
diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index c07559c..43c31ee 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -25,6 +25,7 @@  SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
            file://musl_fixup.patch \
            file://CVE-2021-3621.patch \
            file://CVE-2023-3758.patch \
+           file://CVE-2025-11561.patch \
            "
 
 SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
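Review bot: adding `file://CVE-2025-11561.patch` to SRC_URI only changes the snippet SSSD writes to `/var/lib/sss/pubconf/krb5.include.d/localauth_plugin` at startup; as the patch's own `:relnote:` states, the CVE is fixed only if that file or its content is included in the Kerberos configuration. Worth checking that the krb5.conf shipped on kirkstone images that use the AD or IPA providers pulls that directory in (the usual form is an `includedir /var/lib/sss/pubconf/krb5.include.d/` directive); without it the `CVE: CVE-2025-11561` tag in the patch header will make cve-check report the recipe as patched while libkrb5 on the target still falls back to an2ln. No change to `SRC_URI[sha256sum]` is needed since the tarball is unchanged and the patch is applied in do_patch.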