Date: Tue, 8 Sep 2009 16:09:59 -0700 From: Kees Cook <kees@...ntu.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security <oss-security@...ts.openwall.com> Subject: CVE request - Debian/Ubuntu PAM auth module selection Hi, I'd like to request a CVE for an issue that came up in the Debian and Ubuntu configuration tools used on PAM. From the USN http://www.ubuntu.com/usn/usn-828-1: Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations. Also tracked as: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927 https://bugs.launchpad.net/bugs/410171 This was a Debian and Ubuntu specific issue, and only Ubuntu had supported releases with this flaw present (the issue never made it to Debian stable). Thanks, -Kees -- Kees Cook Ubuntu Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.