SHARE

Conectiva Linux Security Announcement: Package: pam

Written By

Web Webster

Jul 27, 2000

Date: Thu, 27 Jul 2000 11:27:52 -0300
From: Security secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT – PAM

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : pam
SUMMARY : Remote users being treated as local ones
DATE    : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 4.0, 4.0es, 4.1, 4.2, 5.0 and 5.1

DESCRIPTION
Redhat has identified a problem with the pam_console module which
also affects Conectiva Linux.

This module incorrectly identifies remote X logins for displays
other than :0 (:1, :2, etc.) as local ones, thus giving the console
to this user. Having the console, the remote user could issue
commands like reboot to remotely reboot the system (after providing
his or her password).

Note that this vulnerability is only exploitable if the system
is running a graphical login manager (gdm, kdm, etc.), XDMCP is
enabled and remote access is granted. This is *not* the default
configuration for Conectiva Linux.

SOLUTION
All users should upgrade.

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/pam-0.72-15cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/pam-0.72-15cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/pam-0.72-15cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/pam-0.72-15cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/pam-0.72-15cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/pam-0.72-15cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/pam-0.72-15cl.src.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/pam-0.72-15cl.src.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/pam-0.72-15cl.src.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/pam-0.72-15cl.src.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/pam-0.72-15cl.src.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/pam-0.72-15cl.src.rpm

All packages are signed with Conectiva’s PGP key. The key can be
obtained at
http://www.conectiva.com.br/conectiva/contato.html

subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br

unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Conectiva Linux Security Announcement: Package: pam

Web Webster

Company

Categories