Fix changelog

ERROR: '' is not a date (sssd.changes:1851) Please fix with your own tools or try /usr/lib/obs/service/source_validators/helpers/fix_changelog Signed-off-by: Samuel Cabrero <scabrero@suse.com>
CVE-2025-11561: Disable Kerberos localauth an2ln plugin for AD
2025-11-18 16:30:27 +01:00 · 2025-11-18 13:15:51 +01:00
3 changed files with 69 additions and 3 deletions
--- a/0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+++ b/0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
@@ -0,0 +1,49 @@
+From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index edaf967e1..5c1f05018 100644
+--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
+"  disable = an2ln\n" \
+ "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
+-- 
+2.51.1
+
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 18 11:15:49 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Install file in krb5.conf.d to include sssd krb5 config snippets;
+  (bsc#1244325);
+- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
+  (bsc#1251827); Add patch
+  0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+
 -------------------------------------------------------------------
 Tue Mar 25 17:42:38 UTC 2025 - Samuel Cabrero <scabrero@suse.de>

@@ -1839,7 +1848,6 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
  connect to an auth server

 -------------------------------------------------------------------
-
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de

 - Update to new upstream release 1.8.0
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,7 @@ Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
 Patch4:         symvers.patch
+Patch5:         0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -468,6 +469,10 @@ ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
 %python3_fix_shebang
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze

+mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
+ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
+       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
+
 %check
 # sss_config-tests fails
 %make_build check || :
@@ -773,7 +778,6 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
-%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -782,11 +786,16 @@ fi
 %_mandir/??/man5/sssd-krb5.5*

 %files krb5-common
+%dir %pubconfpath/krb5.include.d
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/krb5_child
 %_libexecdir/%name/ldap_child
+%dir %{_datadir}/sssd/krb5-snippets
+%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
+%exclude %_datadir/%name/krb5-snippets/sssd_enable_idp

 %files ldap
 %dir %_libdir/%name/