Debian Security Advisory
DSA-177-1 pam -- serious security violation
- Date reported:
- 17 Oct 2002
- Affected packages:
- pam
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-1227.
- More information:
-
A serious security violation has been discovered in PAM. Disabled passwords (i.e. those with "*" in the password file) were classified as empty passwords, and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not point to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.
This problem has been fixed in version 0.76-6 in the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem.
As described in the Debian security team's FAQ, "testing" and "unstable" change all the time, and the security team does not have the resources needed to support them properly. This security advisory is an exception to that rule, due to the seriousness of the problem.
We recommend that you upgrade your PAM packages immediately if you are running Debian/unstable.
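To see which accounts the condition above covers on a given host, the following audit lists accounts whose password field is "*" and whose shell field is not /bin/false. It is an added example, not part of the original advisory or of Debian's tooling; the function names and the sample passwd/shadow lines are constructed, and the lookup of "x" entries in shadow-format data is an assumption for systems that use shadow passwords.

```python
# Added example: list accounts matching the advisory's condition
# (password field "*" and a shell field other than /bin/false).
# All sample lines below are constructed for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hashvalue:11977:0:99999:7:::
backup:*:11977:0:99999:7:::
alice:$1$constructed$hashvalue:11977:0:99999:7:::
"""

def parse_shadow(text):
    """Map user name -> password field from shadow-format text."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            fields[parts[0]] = parts[1]
    return fields

def exposed_accounts(passwd_text, shadow_text=""):
    """Return (name, shell) for disabled-password accounts with a usable shell."""
    shadow = parse_shadow(shadow_text)
    exposed = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        name, pw, shell = parts[0], parts[1], parts[6]
        if pw == "x":
            # Assumption: "x" means the real field lives in the shadow file.
            pw = shadow.get(name, pw)
        if pw == "*" and shell != "/bin/false":
            exposed.append((name, shell))
    return exposed

if __name__ == "__main__":
    for name, shell in exposed_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: disabled password, login shell {shell}")
```

On a real system, pass the contents of /etc/passwd and, when readable, /etc/shadow instead of the sample strings.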
- Fixed in:
-
Debian GNU/Linux unstable (sid)
- Source:
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
- Architecture-independent component:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
- Alpha:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
- ARM:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
- Intel IA-32:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
- Intel IA-64:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
- HP Precision:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
- Motorola 680x0:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
- Big endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
- Little endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
- PowerPC:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
- IBM S/390:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
- Sun Sparc:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb
MD5 checksums of the listed files are available in the original advisory.