CVE-2015-5292
Published: 29 October 2015
Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.
Notes
| Author | Note |
|---|---|
| sbeattie | according to debian, the responder part is not built, so might not be affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
sssd Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1.13.1-2)
|
| bionic |
Not vulnerable
(1.13.1-2)
|
|
| cosmic |
Not vulnerable
(1.13.1-2)
|
|
| disco |
Not vulnerable
(1.13.1-2)
|
|
| precise |
Not vulnerable
(code not present)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needs triage
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Not vulnerable
(1.13.1-2)
|
|
| yakkety |
Not vulnerable
(1.13.1-2)
|
|
| zesty |
Not vulnerable
(1.13.1-2)
|
|
|
Patches: vendor: https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch upstream: https://git.fedorahosted.org/cgit/sssd.git/commit/?id=b4c44ebb8997d3debb33607c123ccfd9926e0cba |
||