Date: Sat, 12 May 2012 00:03:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jonathan Niehof <jtniehof@...il.com>
Subject: Re: CVE request: pam_shield

On 05/11/2012 02:04 PM, Jonathan Niehof wrote:
> Requestor: Jonathan Niehof, jtniehof@...il.com
> Package: pam_shield, http://www.heiho.net/pam_shield/index.html
> 
> Type of vulnerability: This utility is intended to block IP
> addresses showing suspicious behaviour, to disarm a potential
> attack. In versions before 0.9.4, if configuration option
> "allow_missing_dns" is set to no, it performs no blocking. This
> setting is used in the example configuration file, which is
> installed by default in Debian. Thus, systems using the suggested
> or default configuration receive no protection.
> 
> This vulnerability provides no vector for an attacker, local or 
> remote, to gain any privileges. It simply fails to provide the 
> intended protection.
> 
> Mainline fix:
> https://github.com/walterdejong/pam_shield/commit/afa7b246018787fe6028289c414c33292641e1e0
> 
> Debian bug report and fix:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658830
> 
> Vulnerable versions: mainline up to and including 0.9.3. Debian up
> to and including 0.9.2-3.2.
> First fixed versions: mainline 0.9.4. Debian 0.9.2-3.3.

Please use CVE-2012-2350 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
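The advisory describes a fail-open defect in a protective control: a configuration knob meant to govern one edge case (hosts with no reverse DNS) ends up disabling all blocking. The following Python model is an added illustration, not pam_shield's code and not the content of the linked fix commit. The class names, the MAX_CONNS threshold, the sample address and the exact meaning of allow_missing_dns (that with "no", a host whose reverse lookup fails is itself grounds to block) are assumptions made for the example. What it demonstrates is the regression check a packager would want before shipping an example config: a repeat offender must be blocked under both values of the option.

```python
"""Illustrative model (not pam_shield's code) of a config knob that
accidentally disables all blocking, next to a corrected version and the
regression check that catches the difference."""
from collections import defaultdict
from typing import Optional

MAX_CONNS = 5  # failed attempts before an address is blocked (arbitrary value)


class BuggyShield:
    """Reconstruction of the symptom the advisory describes: the
    allow_missing_dns gate sits in front of the whole decision, so with
    allow_missing_dns=no nothing is ever counted or blocked."""

    def __init__(self, allow_missing_dns: bool):
        self.allow_missing_dns = allow_missing_dns
        self.failures = defaultdict(int)  # ip -> failed attempts
        self.blocked = set()

    def on_auth_failure(self, ip: str, rdns: Optional[str]) -> bool:
        if not self.allow_missing_dns:
            return False  # fail-open: returns before any bookkeeping
        return self._count(ip)

    def _count(self, ip: str) -> bool:
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_CONNS:
            self.blocked.add(ip)
        return ip in self.blocked


class FixedShield(BuggyShield):
    """Corrected model: the DNS policy only affects hosts whose reverse
    lookup failed (assumed semantics); every failure is still counted."""

    def on_auth_failure(self, ip: str, rdns: Optional[str]) -> bool:
        if rdns is None and not self.allow_missing_dns:
            self.blocked.add(ip)  # assumed: missing rDNS is grounds to block
        return self._count(ip)


def blocks_repeat_offender(shield_cls, allow_missing_dns: bool) -> bool:
    """Drive MAX_CONNS failures from one address with valid reverse DNS and
    report whether it ended up blocked."""
    shield = shield_cls(allow_missing_dns)
    ip, rdns = "192.0.2.10", "host.example"  # constructed sample (TEST-NET-1)
    for _ in range(MAX_CONNS):
        shield.on_auth_failure(ip, rdns)
    return ip in shield.blocked


def check_both_settings(shield_cls) -> dict:
    """The regression check the advisory implies: blocking must work under
    either value of allow_missing_dns, including the one shipped in the
    example configuration."""
    return {setting: blocks_repeat_offender(shield_cls, setting)
            for setting in (True, False)}


if __name__ == "__main__":
    for cls in (BuggyShield, FixedShield):
        print(cls.__name__, check_both_settings(cls))
```

Run stand-alone, the buggy model reports blocking only when allow_missing_dns is yes, while the corrected model blocks under both settings. The same shape of test, driven against a real install (repeated failed logins from a throwaway address, then inspecting the block list), is what would have caught a default configuration that provides no protection.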

