From patchwork Fri Dec 5 11:33:15 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 75948
From: Vijay Anusuri To: yocto-patches@lists.yoctoproject.org Cc: Vijay Anusuri Subject: [meta-security][scarthgap][patch 1/2] sssd: Upgrade 2.9.2 -> 2.9.5 Date: Fri, 5 Dec 2025 17:03:15 +0530 Message-ID: <20251205113318.3647529-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 05 Dec 2025 11:33:40 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2743 Includes security fix CVE-2023-3758 ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.9.5 Signed-off-by: Vijay Anusuri --- .../recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} (98%) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb similarity index 98% rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb index d61471c..cb27675 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb 
@@ -26,7 +26,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ " -SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" +SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3" UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" From patchwork Fri Dec 5 11:33:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 75949 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82686D2F7D1 for ; Fri, 5 Dec 2025 11:33:40 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.3602.1764934418412213470 for ; Fri, 05 Dec 2025 03:33:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=ZSGC7fTK; spf=pass (domain: mvista.com, ip: 209.85.214.179, mailfrom: vanusuri@mvista.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-29ba9249e9dso27768955ad.3 for ; Fri, 05 Dec 2025 03:33:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1764934417; x=1765539217; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KP37Jn8AuPU3zxSdAoGWKCTs2rS3zXDBjtmHdx4EdMY=; b=ZSGC7fTKNO7ZbQ5/8f1SFoyZJ2UOgSp6WFfN6xeDdvBHknij98leM0HXDB9WYWaZnj F6ERXAWPZEtJSXfNYI7+Ao08I0NDLjzF+0rjOksiWK4sImQ1oUTpRiWpjwckrx+vk3Ku /ZqYD2/p9lWOW97Hu09mPzwU6ZpHWKh8aJPzA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
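Review bot: the hunk only swaps SRC_URI[sha256sum] for the 2.9.5 tarball while the carried `file://musl_fixup.patch` and `file://0001-sssctl-add-error-analyzer.patch` are kept as-is across a three-release jump (2.9.2 -> 2.9.5); the review should confirm both still apply without fuzz against 2.9.5 and that the new checksum was taken from the upstream release asset rather than an intermediate download. The commit message names only CVE-2023-3758 and links the 2.9.5 changelog, but this bump also pulls in 2.9.3 and 2.9.4; listing the fixes from those releases, or stating that scarthgap accepts the whole stable-series upgrade, would make the rationale for a stable-branch upgrade (rather than a targeted backport) checkable.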
From: Vijay Anusuri To: yocto-patches@lists.yoctoproject.org Cc: Vijay Anusuri Subject: [meta-security][scarthgap][patch 2/2] sssd: Fix for CVE-2025-11561 Date: Fri, 5 Dec 2025 17:03:16 +0530 Message-ID: <20251205113318.3647529-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251205113318.3647529-1-vanusuri@mvista.com> References: <20251205113318.3647529-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 05 Dec 2025 11:33:40 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2744 Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204] Signed-off-by: Vijay Anusuri --- .../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++ .../recipes-security/sssd/sssd_2.9.5.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch new file mode 100644 index 0000000..8111ca0 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch 
@@ -0,0 +1,50 @@ +From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 10 Oct 2025 12:57:40 +0200 +Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a client is joined to AD or IPA SSSD's localauth plugin can handle +the mapping of Kerberos principals to local accounts. In case it cannot +map the Kerberos principals libkrb5 is currently configured to fall back +to the default localauth plugins 'default', 'rule', 'names', +'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). +All plugins except 'an2ln' require some explicit configuration by either +the administrator or the local user. To avoid some unexpected mapping is +done by the 'an2ln' plugin this patch disables it in the configuration +snippets for SSSD's localauth plugin. + +Resolves: https://github.com/SSSD/sssd/issues/8021 + +:relnote: After startup SSSD already creates a Kerberos configuration + snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin + if the AD or IPA providers are used. This enables SSSD's localauth plugin. + Starting with this release the an2ln plugin is disabled in the + configuration snippet as well. If this file or its content are included in + the Kerberos configuration it will fix CVE-2025-11561. 
+ +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310) + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204] +CVE: CVE-2025-11561 +Signed-off-by: Vijay Anusuri +--- + src/util/domain_info_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index edaf967e186..5c1f050184e 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, + #define LOCALAUTH_PLUGIN_CONFIG \ + "[plugins]\n" \ + " localauth = {\n" \ ++" disable = an2ln\n" \ + " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ + " }\n" + diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb index cb27675..2954257 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb @@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ + file://CVE-2025-11561.patch \ " SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3"
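Review bot: the change to LOCALAUTH_PLUGIN_CONFIG is inert unless libkrb5 actually reads the generated snippet: the patch's own relnote says CVE-2025-11561 is fixed only "if this file or its content are included in the Kerberos configuration", i.e. the /var/lib/sss/pubconf/krb5.include.d/localauth_plugin snippet written by sss_write_krb5_snippet_common(). For the meta-security recipe the reviewer should confirm that the shipped krb5.conf carries an includedir for that directory (or that the AD/IPA join flow adds it), and ideally add a sanity check that the resulting configuration contains `disable = an2ln`. The one-line addition itself matches upstream e5224f0, and the header carries the `CVE:` and `Upstream-Status:` tags, so cve-check will mark the CVE as patched.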
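Review bot: the new `file://CVE-2025-11561.patch \` entry is appended after the existing patches, so it applies on top of `fix-ldblibdir.patch`, `musl_fixup.patch` and `0001-sssctl-add-error-analyzer.patch`; since the backport was cherry-picked from master (9939c39) onto the 2.9 branch (e5224f0), the review should confirm do_patch succeeds against the 2.9.5 tarball with that ordering. Leaving SRC_URI[sha256sum] untouched is correct, as the tarball itself is unchanged.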