
List:       oss-security
Subject:    Re: [oss-security] CVE request - Debian/Ubuntu PAM auth module
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-09-17 1:33:22
Message-ID: Pine.GSO.4.51.0909162133170.7046 () faron ! mitre ! org


======================================================
Name: CVE-2009-3232
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232
Reference: MLIST:[oss-security] 20090908 CVE request - Debian/Ubuntu PAM auth module selection
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/08/7
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
Reference: CONFIRM:https://launchpad.net/bugs/410171
Reference: UBUNTU:USN-828-1
Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-828-1
Reference: BID:36306
Reference: URL:http://www.securityfocus.com/bid/36306
Reference: SECUNIA:36620
Reference: URL:http://secunia.com/advisories/36620

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian
GNU/Linux, does not properly handle an "empty selection" for system
authentication modules in certain rare configurations, which causes
any attempt to be successful and allows remote attackers to bypass
authentication.

