Message-ID: <CANQXiXODXWhoO5gj7qe6gCPOyjkbYGraRNc25Ls+iX+MxOZuwA@mail.gmail.com>
Date: Fri, 11 May 2012 14:04:43 -0600
From: Jonathan Niehof <jtniehof@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: pam_shield

Requestor: Jonathan Niehof, jtniehof@...il.com

package: pam_shield, http://www.heiho.net/pam_shield/index.html

Type of vulnerability: This utility is intended to block IP addresses
showing suspicious behaviour, to disarm a potential attack. In versions
before 0.9.4, if configuration option "allow_missing_dns" is set to no,
it performs no blocking. This setting is used in the example
configuration file, which is installed by default in Debian. Thus,
systems using the suggested or default configuration receive no
protection.

This vulnerability provides no vector for an attacker, local or remote,
to gain any privileges. It simply fails to provide the intended
protection.

Mainline fix:
https://github.com/walterdejong/pam_shield/commit/afa7b246018787fe6028289c414c33292641e1e0

Debian bug report and fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658830

Vulnerable versions: mainline up to and including 0.9.3. Debian up to
and including 0.9.2-3.2

First fixed versions: mainline 0.9.4. Debian 0.9.2-3.3
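An added example, not part of the original message and not pam_shield code: an audit check that flags a host as running without blocking when the installed version predates the fixed releases named above and the configuration sets "allow_missing_dns" to no. The function names, the `key value` configuration syntax with `#` comments, and the sample configuration text are assumptions made for illustration.

```python
import re

# First fixed releases, taken from the advisory text above.
FIXED_MAINLINE = (0, 9, 4)
FIXED_DEBIAN_UPSTREAM = (0, 9, 2)
FIXED_DEBIAN_REVISION = (3, 3)   # Debian 0.9.2-3.3

def _nums(text):
    """Numeric components of a version fragment, e.g. '0.9.3' -> (0, 9, 3)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def is_fixed(version):
    """True if a mainline ('0.9.4') or Debian ('0.9.2-3.3') version has the fix."""
    upstream, _, revision = version.partition("-")
    up = _nums(upstream)
    if up >= FIXED_MAINLINE:
        return True
    # Debian carried the fix as a package revision on top of upstream 0.9.2.
    return (bool(revision) and up == FIXED_DEBIAN_UPSTREAM
            and _nums(revision) >= FIXED_DEBIAN_REVISION)

def allow_missing_dns(conf_text):
    """Effective allow_missing_dns value, or None if the option is not set.

    Assumes 'key value' lines (an '=' separator is tolerated), '#' comments,
    and that the last occurrence of the option wins.
    """
    value = None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "allow_missing_dns":
            value = parts[1].lower()
    return value

def blocking_disabled(version, conf_text):
    """True when the advisory's condition holds: unfixed version and option set to no."""
    return not is_fixed(version) and allow_missing_dns(conf_text) == "no"

# Constructed sample configuration, not copied from a real installation.
SAMPLE_CONF = """\
# allow_missing_dns yes
allow_missing_dns no
"""

if __name__ == "__main__":
    for v in ("0.9.3", "0.9.4", "0.9.2-3.2", "0.9.2-3.3"):
        state = "NO BLOCKING" if blocking_disabled(v, SAMPLE_CONF) else "ok"
        print(f"pam_shield {v}: {state}")
```

In an audit, the version string would come from the package manager and the configuration text from the host's pam_shield configuration file.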