Debian Security Advisory
DSA-177-1 pam -- serious security violation
- Date reported:
- 2002-10-17
- Affected packages:
- pam
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-1227.
- More information:
-
A serious security violation was discovered in PAM. Disabled passwords (i.e. those with "*" in the password file) were classified as empty passwords, and access to these accounts was granted through the regular login procedure (getty, telnet, ssh). This works for all accounts of this kind whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.
This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). Neither the stable distribution (woody), the old stable distribution (potato) nor the testing distribution (sarge) is affected by this problem.
The Debian security team's FAQ states that the testing and unstable distributions are rapidly moving targets and that the security team does not have the resources needed to support them properly. This security advisory is an exception to that rule, due to the seriousness of the problem.
We recommend that you upgrade your PAM packages immediately if you are running the unstable distribution of Debian.
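The exposure condition described above (a "*" password field combined with a login shell other than /bin/false) can be checked on a host with a short audit. This is an added example, not part of the original advisory; the function name exposed_accounts, the optional shadow-file lookup and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that match the condition in DSA-177-1,
# i.e. password field "*" and a login shell other than /bin/false.
# Usage: exposed_accounts PASSWD_FILE [SHADOW_FILE]
exposed_accounts() {
    awk -F: -v shadow="${2:-}" '
        BEGIN {
            # Assumption: if a shadow(5) file is given, load its password fields.
            if (shadow != "")
                while ((getline line < shadow) > 0) {
                    split(line, f, ":")
                    shadow_pw[f[1]] = f[2]
                }
        }
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        {
            pw = $2
            # "x" in passwd means the real field lives in the shadow file.
            if (pw == "x" && ($1 in shadow_pw)) pw = shadow_pw[$1]
            # An empty shell field falls back to a default shell, so it counts.
            if (pw == "*" && $7 != "/bin/false") print $1
        }
    ' "$1"
}

# Constructed sample data (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:HASHPLACEHOLDER:11977:0:99999:7:::
backup:*:11977:0:99999:7:::
alice:HASHPLACEHOLDER:11977:0:99999:7:::
EOF
    exposed_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On a live system, run `exposed_accounts /etc/passwd /etc/shadow` as root; any name it prints is an account that relies on "*" alone to prevent login.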
- Fixed in:
-
Debian GNU/Linux unstable (sid)
- Source:
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
- Architecture-independent component:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
- Alpha:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
- ARM:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
- Intel IA-32:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
- Intel IA-64:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
- HP Precision:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
- Motorola 680x0:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
- Big endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
- Little endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
- PowerPC:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
- IBM S/390:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
- Sun Sparc:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb
MD5 checksums for these files are available in the original advisory.
