---

Conectiva Linux Security Announcement: Package: pam

Date: Thu, 27 Jul 2000 11:27:52 -0300
From: Security secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT – PAM


CONECTIVA LINUX SECURITY ANNOUNCEMENT


PACKAGE : pam
SUMMARY : Remote users being treated as local ones
DATE    : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 4.0, 4.0es, 4.1, 4.2, 5.0 and 5.1

DESCRIPTION
Redhat has identified a problem with the pam_console module which
also affects Conectiva Linux.

This module incorrectly identifies remote X logins for displays
other than :0 (:1, :2, etc.) as local ones, thus giving the console
to this user. Having the console, the remote user could issue
commands like reboot to remotely reboot the system (after providing
his or her password).

Note that this vulnerability is only exploitable if the system
is running a graphical login manager (gdm, kdm, etc.), XDMCP is
enabled and remote access is granted. This is *not* the default
configuration for Conectiva Linux.

SOLUTION
All users should upgrade.

DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/pam-0.72-15cl.i386.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/pam-0.72-15cl.i386.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/pam-0.72-15cl.i386.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/pam-0.72-15cl.i386.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/pam-0.72-15cl.i386.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/pam-0.72-15cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGES

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/pam-0.72-15cl.src.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/pam-0.72-15cl.src.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/pam-0.72-15cl.src.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/pam-0.72-15cl.src.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/pam-0.72-15cl.src.rpm


ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/pam-0.72-15cl.src.rpm


All packages are signed with Conectiva’s PGP key. The key can be
obtained at
http://www.conectiva.com.br/conectiva/contato.html


subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br

unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis