Date: Fri, 11 May 2012 14:04:43 -0600
From: Jonathan Niehof <jtniehof@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: pam_shield

Requestor: Jonathan Niehof, jtniehof@...il.com
package: pam_shield, http://www.heiho.net/pam_shield/index.html

Type of vulnerability:
This utility is intended to block IP addresses showing suspicious
behaviour, to disarm a potential attack. In versions before 0.9.4, if
configuration option "allow_missing_dns" is set to no, it performs no
blocking. This setting is used in the example configuration file,
which is installed by default in Debian. Thus, systems using the
suggested or default configuration receive no protection.

This vulnerability provides no vector for an attacker, local or
remote, to gain any privileges. It simply fails to provide the
intended protection.

Mainline fix: https://github.com/walterdejong/pam_shield/commit/afa7b246018787fe6028289c414c33292641e1e0
Debian bug report and fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658830

Vulnerable versions: mainline up to and including 0.9.3. Debian up to
and including 0.9.2-3.2
First fixed versions: mainline 0.9.4. Debian 0.9.2-3.3
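
An audit check for the condition reported above, added here as an example; it is not part of the original post or of pam_shield. It assumes the configuration file holds one "option value" pair per line (whitespace or "=" separated, "#" starting a comment) and that the last occurrence of an option wins. The function names are hypothetical, and the caller supplies the config path, the installed version and the first fixed version for the relevant line (0.9.4 mainline, 0.9.2-3.3 Debian).

```shell
#!/bin/sh
# Added example, not pam_shield code. Assumed config syntax: "option value"
# per line, whitespace or "=" separated, "#" starts a comment.

# Print the effective allow_missing_dns value (last occurrence wins,
# an assumption), or nothing if the option is not set.
missing_dns_setting() {
    sed -e 's/#.*//' "$1" | tr '=' ' ' |
        awk '$1 == "allow_missing_dns" { v = tolower($2) }
             END { if (v != "") print v }'
}

# True when version $1 sorts strictly before $2 (GNU sort -V ordering).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_pam_shield CONF INSTALLED_VERSION FIRST_FIXED_VERSION
# Returns 0 = not affected, 1 = affected, 2 = config unreadable.
audit_pam_shield() {
    conf=$1 installed=$2 fixed=$3
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    setting=$(missing_dns_setting "$conf")
    if version_lt "$installed" "$fixed" && [ "$setting" = "no" ]; then
        echo "AFFECTED: $installed with allow_missing_dns=no performs no blocking"
        return 1
    fi
    echo "ok: version=$installed allow_missing_dns=${setting:-unset}"
    return 0
}

# Demonstration on a constructed sample config (not a real system file).
sample=$(mktemp)
printf '# constructed sample\nallow_missing_dns no\n' > "$sample"
audit_pam_shield "$sample" 0.9.3 0.9.4 || true
rm -f "$sample"
```

A hit means the module is installed but not blocking anything, so upgrading to a fixed version is the remedy described in the report.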
