Advisories ยป MGASA-2015-0213

Updated pam packages fix security vulnerabilities

Publication date: 12 May 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2013-7041 , CVE-2014-2583


Updated pam packages fix security vulnerabilities:

The pam_userdb module for Pam uses a case-insensitive method to compare hashed
passwords, which makes it easier for attackers to guess the password via a
brute force attack (CVE-2013-7041).

Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create
aribitrary files or possibly bypass authentication via a .. (dot dot) in the
PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the
check_tty funtion, which is used by the format_timestamp_name function