Debian Security Advisory

DSA-659-1 libpam-radius-auth -- information leak, integer underflow

Date Reported:
26 Jan 2005
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2004-1340, CVE-2005-0108.
More information:

Two problems have been discovered in the libpam-radius-auth package, the PAM RADIUS authentication module. The Common Vulnerabilities and Exposures Project identifies the following problems:

  • CAN-2004-1340

    The Debian package accidentally installed its configuration file /etc/pam_radius_auth.conf world-readable. Since the file may contain secrets, all local users are able to read them if the administrator hasn't adjusted the file permissions. This problem is Debian-specific.

  • CAN-2005-0108

    Leon Juranic discovered an integer underflow in the mod_auth_radius module for Apache which is also present in libpam-radius-auth.

For the stable distribution (woody) these problems have been fixed in version 1.3.14-1.3.

For the unstable distribution (sid) these problems have been fixed in version 1.3.16-3.

We recommend that you upgrade your libpam-radius-auth package.
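
The following check is an added example, not part of the advisory or of the Debian package. It reports whether the configuration file named under CAN-2004-1340 is still readable by all local users. It assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a PAM RADIUS configuration file is readable
# by all local users. Function names are hypothetical; assumes GNU stat.

CONF_DEFAULT=/etc/pam_radius_auth.conf   # path named in the advisory

# Print the octal mode of a file (following symlinks), e.g. 644.
conf_mode() {
    stat -L -c '%a' -- "$1"
}

# Print "missing", "world-readable" or "ok" for the given path.
conf_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    mode=$(conf_mode "$1") || return 1
    # The last octal digit holds the permissions for "other";
    # 4, 5, 6 and 7 all include the read bit.
    case $mode in
        *[4567]) echo world-readable ;;
        *)       echo ok ;;
    esac
}

# Remove all access for "other", leaving owner and group bits untouched.
conf_restrict() {
    chmod o-rwx -- "$1"
}

# Read-only report for the path given as $1, or the default path.
target=${1:-$CONF_DEFAULT}
echo "$target: $(conf_status "$target")"
```

As written, the script only reports. `conf_restrict` changes the file mode only when it is called explicitly.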

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.