deleted file mode 100644
@@ -1,50 +0,0 @@
-From 9fdc7f2b4ed50a5ce788a86f2a5be448668381f5 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 10 Oct 2025 12:57:40 +0200
-Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a client is joined to AD or IPA SSSD's localauth plugin can handle
-the mapping of Kerberos principals to local accounts. In case it cannot
-map the Kerberos principals libkrb5 is currently configured to fall back
-to the default localauth plugins 'default', 'rule', 'names',
-'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
-All plugins except 'an2ln' require some explicit configuration by either
-the administrator or the local user. To avoid some unexpected mapping is
-done by the 'an2ln' plugin this patch disables it in the configuration
-snippets for SSSD's localauth plugin.
-
-Resolves: https://github.com/SSSD/sssd/issues/8021
-
-:relnote: After startup SSSD already creates a Kerberos configuration
- snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
- if the AD or IPA providers are used. This enables SSSD's localauth plugin.
- Starting with this release the an2ln plugin is disabled in the
- configuration snippet as well. If this file or its content are included in
- the Kerberos configuration it will fix CVE-2025-11561.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204]
-CVE: CVE-2025-11561
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
----
- src/util/domain_info_utils.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index edaf967..5c1f050 100644
---- a/src/util/domain_info_utils.c
-+++ b/src/util/domain_info_utils.c
-@@ -751,6 +751,7 @@ done:
- #define LOCALAUTH_PLUGIN_CONFIG \
- "[plugins]\n" \
- " localauth = {\n" \
-+" disable = an2ln\n" \
- " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
- " }\n"
-
similarity index 98%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.8.bb
@@ -25,9 +25,8 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
file://0001-sssctl-add-error-analyzer.patch \
- file://CVE-2025-11561.patch \
"
-SRC_URI[sha256sum] = "6b5284a4d72b67c0897699794360d79e0f67461957e20273c2649f025e76c248"
+SRC_URI[sha256sum] = "a786fef1c1929984f991747f160f4dbc3f2827d0efa413b6a621aff400337ace"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
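Review bot: The commit message does not say why `file://CVE-2025-11561.patch` is dropped from SRC_URI; it only links the 2.9.8 release notes. Dropping it is safe only if the 2.9.8 tarball already has the `disable = an2ln` line in `LOCALAUTH_PLUGIN_CONFIG` in src/util/domain_info_utils.c. The deleted patch is marked as an upstream backport, so this is likely, but it should be confirmed against the unpacked source before merging. I would add a line to the commit message such as `Drop CVE-2025-11561.patch, fix is included in 2.9.8` so the CVE history of the recipe stays auditable. The new `SRC_URI[sha256sum]` cannot be verified from this page and should be compared with a digest computed from the upstream release tarball.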
Release notes: https://sssd.io/release-notes/sssd-2.9.8.html Signed-off-by: Lennart Koschick <lennart@koschick.eu> --- .../sssd/files/CVE-2025-11561.patch | 50 ------------------- .../sssd/{sssd_2.9.7.bb => sssd_2.9.8.bb} | 3 +- 2 files changed, 1 insertion(+), 52 deletions(-) delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.7.bb => sssd_2.9.8.bb} (98%)