Security update for sssd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20019-1 Final 1 1 2026-01-02T16:58:52Z current 2026-01-02T16:58:52Z 2026-01-02T16:58:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following issues: - CVE-2025-11561: Fixed default Kerberos configuration allowing privilege escalation on AD-joined Linux systems (bsc#1244325) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-119 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620019-1/ Link for SUSE-SU-2026:20019-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023724.html E-Mail link for SUSE-SU-2026:20019-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1244325 SUSE Bug 1244325 https://bugzilla.suse.com/1251827 SUSE Bug 1251827 https://www.suse.com/security/cve/CVE-2025-11561/ SUSE CVE CVE-2025-11561 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 libipa_hbac-devel-2.9.5-160000.3.1 libipa_hbac0-2.9.5-160000.3.1 libnfsidmap-sss-2.9.5-160000.3.1 libsss_certmap-devel-2.9.5-160000.3.1 libsss_certmap0-2.9.5-160000.3.1 libsss_idmap-devel-2.9.5-160000.3.1 libsss_idmap0-2.9.5-160000.3.1 libsss_nss_idmap-devel-2.9.5-160000.3.1 libsss_nss_idmap0-2.9.5-160000.3.1 python3-ipa_hbac-2.9.5-160000.3.1 python3-sss-murmur-2.9.5-160000.3.1 python3-sss_nss_idmap-2.9.5-160000.3.1 python3-sssd-config-2.9.5-160000.3.1 sssd-2.9.5-160000.3.1 sssd-ad-2.9.5-160000.3.1 sssd-dbus-2.9.5-160000.3.1 sssd-ipa-2.9.5-160000.3.1 sssd-kcm-2.9.5-160000.3.1 sssd-krb5-2.9.5-160000.3.1 sssd-krb5-common-2.9.5-160000.3.1 sssd-ldap-2.9.5-160000.3.1 sssd-proxy-2.9.5-160000.3.1 sssd-tools-2.9.5-160000.3.1 sssd-winbind-idmap-2.9.5-160000.3.1 libipa_hbac-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libipa_hbac0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libnfsidmap-sss-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_certmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_certmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_idmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_idmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_nss_idmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libsss_nss_idmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python3-ipa_hbac-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python3-sss-murmur-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python3-sss_nss_idmap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python3-sssd-config-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-ad-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-dbus-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-ipa-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-kcm-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-krb5-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-krb5-common-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-ldap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-proxy-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-tools-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 sssd-winbind-idmap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libipa_hbac-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libipa_hbac0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libnfsidmap-sss-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_certmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_certmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_idmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_idmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_nss_idmap-devel-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libsss_nss_idmap0-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python3-ipa_hbac-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python3-sss-murmur-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python3-sss_nss_idmap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python3-sssd-config-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-ad-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-dbus-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-ipa-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-kcm-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-krb5-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-krb5-common-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-ldap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-proxy-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-tools-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 sssd-winbind-idmap-2.9.5-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts. CVE-2025-11561 SUSE Linux Enterprise Server 16.0:libipa_hbac-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libipa_hbac0-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libnfsidmap-sss-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_certmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_certmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_idmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_idmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_nss_idmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:libsss_nss_idmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:python3-ipa_hbac-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:python3-sss-murmur-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:python3-sss_nss_idmap-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:python3-sssd-config-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-ad-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-dbus-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-ipa-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-kcm-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-krb5-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-krb5-common-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-ldap-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-proxy-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-tools-2.9.5-160000.3.1 SUSE Linux Enterprise Server 16.0:sssd-winbind-idmap-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libipa_hbac-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libipa_hbac0-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libnfsidmap-sss-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_certmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_certmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_idmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_idmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_nss_idmap-devel-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libsss_nss_idmap0-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python3-ipa_hbac-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python3-sss-murmur-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python3-sss_nss_idmap-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python3-sssd-config-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-ad-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-dbus-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-ipa-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-kcm-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-krb5-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-krb5-common-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-ldap-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-proxy-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-tools-2.9.5-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:sssd-winbind-idmap-2.9.5-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620019-1/ https://www.suse.com/security/cve/CVE-2025-11561.html CVE-2025-11561 https://bugzilla.suse.com/1251827 SUSE Bug 1251827