update: sssd

[dongsupark]

Name: sssd
CVEs: CVE-2021-3621, CVE-2023-3758
CVSSs: 8.8, 7.1
Action Needed: CVE-2021-3621: update to >= 2.5.2-r1, CVE-2023-3758: update to >= 2.9.5

Summary:

• CVE-2021-3621: A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
• CVE-2023-3758: A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2223762

refmap.gentoo:

• CVE-2021-3621: https://bugs.gentoo.org/808911, https://security.gentoo.org/glsa/202407-05
• CVE-2023-3758: TBD

[dongsupark]

Correction: as for CVE-2021-3621, Flatcar/Gentoo already has a custom patch, so it is not that urgent as I expected.
However, GLSA 202407-05 started to require 2.5.2-r1, so we could either update to the version or add to the allowlist to make GLSA tests pass.

[chewi]

That CVE is quite old. Gentoo patched 2.5.2 at the time and took Jeremi's patch for 2.3.1. Both patches were dropped after 2.6, which isn't vulnerable.

Of the other two patches, the test_ca one was from Gentoo and no longer needed, and the disable-nsupdate-realm one is tiny.

In short, updating to the latest should not be a problem.

[dongsupark]

Removed CVE-2021-3621, but CVE-2023-3758 is still open.