Alerta de Segurança Debian

DSA-177-1 pam -- séria violação de segurança

Data do Alerta:

17 Out 2002

Pacotes Afetados:

pam

Vulnerável:

Sim

Referência à base de dados de segurança:

No dicionário CVE do Mitre: CVE-2002-1227.

Informações adicionais:

Uma séria violação de segurança foi descoberta. Senhas desabilitadas (i.e. aquelas com '*' no arquivo de senhas) são classificadas como senhas vazias e o acesso a essas contas é garantido através do procedimento normal de login (getty, telnet, ssh). Isso funciona para todas essas contas em que o campo shell no arquivo de senhas não se refira a /bin/false. Somente a versão 0.76 do PAM parece ser afetada por esse problema.

Este problema foi corrigido na versão 0.76-6 para a atual distribuição instável (sid). A distribuição estável (woody), a antiga distribuição estável (potato) e a distribuição testing (sarge) não são afetadas por esse problema.

Como declarado no \FAQ do Time de Segurança do Debian, testing e instável movimentam-se rapidamente e o Time de Segurança não tem os recursos necessários para suportá-las apropriadamente. Este alerta de segurança é uma exceção a essa regra, devido ao fato de ser um problema muito sério.

Nós recomendamos que você atualize seus pacotes PAM imediatamente se você está rodando o Debian/instável.

Corrigido em:

Debian GNU/Linux unstable (sid)

Fonte:: http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
Componente independente de arquitetura:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
Alpha:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
ARM:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
Intel IA-32:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
Intel IA-64:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
HP Precision:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
Motorola 680x0:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
Big endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
Little endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
PowerPC:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
IBM S/390:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
Sun Sparc:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb

Checksums MD5 dos arquivos listados estão disponíveis no alerta original.