Debian Security Advisory
DSA-177-1 pam -- serious security violation
- Advisory date:
- 17 Oct 2002
- Affected packages:
- pam
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-1227.
- More information:
A serious security violation has been discovered. Disabled passwords (i.e. those with '*' in the password file) are classified as empty passwords, and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This applies to every such account whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM appears to be affected by this problem. This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem.
As stated in the Debian Security Team's FAQ, testing and unstable are rapidly moving targets and the Security Team does not have the resources needed to support them properly. This security advisory is an exception to that rule, because the problem is a very serious one.
We recommend that you upgrade your PAM packages immediately if you are running Debian/unstable.
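A check an administrator could run to see which local accounts match the condition described above (a '*' password combined with a shell other than /bin/false); this is an added example, not part of the advisory, and it assumes the standard /etc/passwd and /etc/shadow layouts, using constructed sample files so it runs stand-alone:

```shell
#!/bin/sh
# Added example, not part of the Debian advisory: list the local accounts that
# match the exposure condition DSA-177-1 describes, i.e. a disabled password
# ('*' in the password field) together with a login shell other than
# /bin/false. Assumes the standard /etc/shadow and /etc/passwd layouts
# (name:password:... and name:x:uid:gid:gecos:home:shell).

# exposed_accounts PASSWD_FILE SHADOW_FILE
# Prints "user shell" for every account whose shadow password field is
# exactly '*' and whose shell in PASSWD_FILE is not /bin/false.
exposed_accounts() {
    awk -F: '
        # First file (shadow): remember users whose password field is "*".
        # Locked hashes such as "!$1$..." are not the case the advisory names.
        FILENAME == ARGV[1] { if ($2 == "*") disabled[$1] = 1; next }
        # Second file (passwd): report disabled users with a usable shell.
        ($1 in disabled) && $7 != "/bin/false" { print $1, $7 }
    ' "$2" "$1"
}

# write_sample_files DIR: constructed passwd/shadow pair for a stand-alone run
# (fake hashes, not real system data).
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructedhash:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
nobody:*:11000:0:99999:7:::
alice:$1$constructedhash:11000:0:99999:7:::
bob:*:11000:0:99999:7:::
EOF
}

sample_dir=$(mktemp -d)
write_sample_files "$sample_dir"
# On a real Debian host run (as root): exposed_accounts /etc/passwd /etc/shadow
exposed_accounts "$sample_dir/passwd" "$sample_dir/shadow"
rm -rf "$sample_dir"
```

With the sample data the check reports daemon and bob; nobody is skipped because its shell is /bin/false, and root and alice have real password hashes.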
- Fixed in:
- Debian GNU/Linux unstable (sid)
- Source:
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
- http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
- Architecture-independent component:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
- Alpha:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
- ARM:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
- Intel IA-32:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
- Intel IA-64:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
- HP Precision:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
- Motorola 680x0:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
- Big endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
- Little endian MIPS:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
- PowerPC:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
- IBM S/390:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
- Sun Sparc:
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
- http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb
MD5 checksums of the listed files are available in the original advisory.