ASA-202012-13: pam: authentication bypass

Arch Linux 754 Published by

A pam security update has been released for Arch Linux.



ASA-202012-13: pam: authentication bypass


Arch Linux Security Advisory ASA-202012-13
=========================================
Severity: High
Date : 2020-12-09
CVE-ID : CVE-2020-27780
Package : pam
Type : authentication bypass
Remote : No
Link :   https://security.archlinux.org/AVG-1297

Summary
======
The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.

Resolution
=========
Upgrade to 1.5.0-2.

# pacman -Syu "pam>=1.5.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
The issue can be mitigated by setting a non-empty password for the root
user.

Description
==========
An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.

Impact
=====
In some unusual configurations, a remote user might be able to bypass
authentication.

References
=========
  https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
  https://github.com/linux-pam/linux-pam/pull/300
  https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
  https://security.archlinux.org/CVE-2020-27780



openSUSE-SU-2020:2269-1: important: Security update for openssl-1_0_0

DLA 2499-1: sympa security update

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...