Details on PAM vulnerable configuration

From versions 1.0.1-6 to 1.0.1-9, the pam-auth-update utility included in the libpam-runtime package in Debian testing and unstable suffered from a bug whereby systems could be inadvertently configured to allow access with or without a correct password (#519927). Although the majority of users will not have been affected by this bug, those that are affected should consider their machines to be compromised, particularly if those machines are configured to allow access from the Internet.

Beginning with version 1.0.1-10, released on 7th August 2009, libpam-runtime no longer permits this incorrect configuration, and on upgrade will detect if your system was affected by this bug.

If you were shown a message on upgrade directing you to this webpage, you should assume that your system has been compromised. Unless you are familiar with recovering from security failures, viruses, and malicious software you should re-install this system from scratch or obtain the services of a skilled system administrator. The securing-debian-howto includes information on recovering from a system compromise.

The Debian project apologizes that previous versions of libpam-runtime did not detect and prevent this situation.