Date: Wed, 16 Sep 2009 21:33:22 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - Debian/Ubuntu PAM auth module selection

======================================================
Name: CVE-2009-3232
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232
Reference: MLIST:[oss-security] 20090908 CVE request - Debian/Ubuntu PAM auth module selection
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/08/7
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
Reference: CONFIRM:https://launchpad.net/bugs/410171
Reference: UBUNTU:USN-828-1
Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-828-1
Reference: BID:36306
Reference: URL:http://www.securityfocus.com/bid/36306
Reference: SECUNIA:36620
Reference: URL:http://secunia.com/advisories/36620

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian
GNU/Linux, does not properly handle an "empty selection" for system
authentication modules in certain rare configurations, which causes
any attempt to be successful and allows remote attackers to bypass
authentication.