List Archive: gentoo-announce
Headers:
To: gentoo-announce@g.o
From: Daniel Robbins <drobbins@g.o>
Subject: Security Announcement - Bug in PAM config
Date: 04 Apr 2002 16:58:11 -0700
--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE        :shadow
SUMMARY        :Bug in PAM config
DATE           :2002-04-04 02:33:00

--------------------------------------------------------------------------

OVERVIEW

 The effect of this bug is that anyone who has a valid password for any user on
 the system can log in as root either from the console or via telnet. To
 use this bug you had to log in with an incorrect password 3 times
 (via console) or 4 times (via telnet) and on the 4th or 5th time you had
 to enter the correct password. Doing so would drop you to a root prompt
 with no home directory. It should be known that Gentoo does not default
 to allowing telnet access and ssh was unaffected by this bug.

DETAIL

 Recently, Gentoo started using a PAM module called pam_stack along with
 pam_pwdb. pam_stack allows for better flexibility when configuring PAM
 security settings. The combination of pam_pwdb and pam_stack caused the
 bug described above. In the past, pam_pwdb was used by itself
 and did not exhibit this bug. When we discovered this bug, we replaced
 pam_pwdb with pam_unix. The combination of pam_unix and pam_stack does
 not have this bug.

SOLUTION

 Install sys-apps/shadow-4.0.2-r2 or higher.
 
 It is recommended that all Gentoo users apply the update.

 Portage Auto:

 emerge rsync
 emerge --update world


 Portage by hand:

 emerge rsync
 emerge sys-libs/shadow

--------------------------------------------------------------------------
jhhudso@g.o
--------------------------------------------------------------------------

(forwarded by me)

-- 
Daniel Robbins                                  <drobbins@g.o>
Chief Architect/President                       http://www.gentoo.org 
Gentoo Technologies, Inc.
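
A check for the module pairing described under DETAIL, as an added example that is not part of the advisory or of Gentoo's own tooling: it follows pam_stack `service=` references and reports services that end up combining pam_stack with pam_pwdb. The service file contents are constructed samples, and the file names `system-auth` and `login` are assumptions.

```python
import re

# type, control (plain word or [bracketed] form), module path, remaining args
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, args) for each rule in a PAM service file."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments and blanks
        if m:
            module = m.group(3).rsplit("/", 1)[-1]     # /lib/security/pam_x.so -> pam_x.so
            if module.endswith(".so"):
                module = module[:-3]
            rules.append((m.group(1), m.group(2), module, m.group(4).split()))
    return rules

def reachable(service, configs, seen=None):
    """Modules a service can invoke, following pam_stack service= references."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:      # cycle or missing file
        return set()
    seen.add(service)
    mods = set()
    for _type, _ctl, module, args in parse(configs[service]):
        mods.add(module)
        if module == "pam_stack":
            for arg in args:
                if arg.startswith("service="):
                    mods |= reachable(arg[len("service="):], configs, seen)
    return mods

def audit(configs):
    """Services that combine pam_stack with pam_pwdb, the pairing the advisory names."""
    return sorted(s for s in configs
                  if {"pam_stack", "pam_pwdb"} <= reachable(s, configs))

# Constructed sample configs (assumed layout), keyed by file name under /etc/pam.d.
LOGIN = "auth required pam_securetty.so\nauth required pam_stack.so service=system-auth\n"
BEFORE = {"login": LOGIN,
          "system-auth": "auth required /lib/security/pam_pwdb.so likeauth nullok\n"}
AFTER = {"login": LOGIN,
         "system-auth": "auth required /lib/security/pam_unix.so likeauth nullok\n"}

if __name__ == "__main__":
    print("before fix:", audit(BEFORE))
    print("after fix: ", audit(AFTER))
```

To audit a live system, build the dictionary from the files under /etc/pam.d and pass it to `audit`.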


Updated Jun 17, 2009

Summary: Archive of the gentoo-announce mailing list.
