
Security: Multiple issues in PAM
Name: Multiple issues in PAM
ID: USN-1140-1
Distribution: Ubuntu
Platforms: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04
Date: Mon, 30 May 2011, 21:57
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4707
Applications: Linux-PAM

Original message


==========================================================================
Ubuntu Security Notice USN-1140-1
May 30, 2011

pam vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

An attacker could cause PAM to read or delete arbitrary files or cause it
to crash.

Software Description:
- pam: Pluggable Authentication Modules

Details:

Marcus Granado discovered that PAM incorrectly handled configuration files
with non-ASCII usernames. A remote attacker could use this flaw to cause a
denial of service, or possibly obtain login access with a different user's
username. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-0887)

It was discovered that the PAM pam_xauth, pam_env and pam_mail modules
incorrectly handled dropping privileges when performing operations. A local
attacker could use this flaw to read certain arbitrary files, and access
other sensitive information. (CVE-2010-3316, CVE-2010-3430, CVE-2010-3431,
CVE-2010-3435)

It was discovered that the PAM pam_namespace module incorrectly cleaned the
environment during execution of the namespace.init script. A local attacker
could use this flaw to possibly gain privileges. (CVE-2010-3853)

It was discovered that the PAM pam_xauth module incorrectly handled certain
failures. A local attacker could use this flaw to delete certain unintended
files. (CVE-2010-4706)

It was discovered that the PAM pam_xauth module incorrectly verified
certain file properties. A local attacker could use this flaw to cause a
denial of service. (CVE-2010-4707)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
libpam-modules 1.1.2-2ubuntu8.2

Ubuntu 10.10:
libpam-modules 1.1.1-4ubuntu2.2

Ubuntu 10.04 LTS:
libpam-modules 1.1.1-2ubuntu5.2

Ubuntu 8.04 LTS:
libpam-modules 0.99.7.1-5ubuntu6.3

In general, a standard system update will make all the necessary changes.

References:
CVE-2009-0887, CVE-2010-3316, CVE-2010-3430, CVE-2010-3431,
CVE-2010-3435, CVE-2010-3853, CVE-2010-4706, CVE-2010-4707

Package Information:
https://launchpad.net/ubuntu/+source/pam/1.1.2-2ubuntu8.2
https://launchpad.net/ubuntu/+source/pam/1.1.1-4ubuntu2.2
https://launchpad.net/ubuntu/+source/pam/1.1.1-2ubuntu5.2
https://launchpad.net/ubuntu/+source/pam/0.99.7.1-5ubuntu6.3


