Date: Mon, 8 Jun 2020 08:59:02 +0000 From: "Gollub, Daniel" <daniel.gollub@...l.att.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter References: CVE-2020-13881, pam_tacplus#149 TACACS+ shared secret gets logged (syslog) by the PAM tacplus , if the PAM module is configured with the debug parameter. The secrets get logged at DEBUG loglevel. pam_tacplus 1.5.3 avoids the logging of the secret, via upstream commit 4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 . The original README of pam_tacplus held a configuration example with the debug parameter set, which might have resulted in some setups, which are running in debug-mode, based on the example configuration. This issue got reported by Adarsh Pandey from Arista Networks .  https://github.com/kravietz/pam_tacplus/  https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0  https://github.com/kravietz/pam_tacplus/issues/149 Thanks Daniel
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.