Advisories » MGASA-2015-0213

Updated pam packages fix security vulnerabilities

Publication date: 12 May 2015
Modification date: 12 May 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2013-7041 , CVE-2014-2583

Description

Updated pam packages fix security vulnerabilities:

The pam_userdb module for Pam uses a case-insensitive method to compare hashed
passwords, which makes it easier for attackers to guess the password via a
brute force attack (CVE-2013-7041).

Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create
aribitrary files or possibly bypass authentication via a .. (dot dot) in the
PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the
check_tty funtion, which is used by the format_timestamp_name function
(CVE-2014-2583).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=11937
• https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146370.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583

SRPMS

4/core

• pam-1.1.8-7.1.mga4