Bacheca Debian sulla sicurezza

DSA-177-1 pam -- Grave problema di sicurezza

Data della segnalazione:

17 ott 2002

Pacchetti coinvolti:

pam

Vulnerabile:

Sì

Referenze all'interno del database della sicurezza:

Nel dizionario CVE di Mitre: CVE-2002-1227.

Maggiori informazioni:

È stato trovato un serio problema di sicurezza in PAM. Le password disabilitate (cioè quelle che hanno un asterisco nel campo password) erano classificate come password vuote e quindi l'accesso a questi account era permesso tramite la normale procedura di login (getty, telnet, ssh.) Questo funziona per tutti quegli account che non hanno /bin/false come shell. Solo la versione 0.76 di PAM sembra essere affetta dal problema.

Questo problema è stato risolto nella versione 0.76-6 per la attuale distribuzione unstable (sid). La distribuzione stable (woody), la vecchia stable (potato) e la distribuzione testing (sarge) non sono affette dal problema.

Come specificato nella FAQ del Team Debian per la sicurezza, testing e unstable sono distribuzioni che cambiano molto rapidamente e il team per la sicurezza non ha le risorse necessarie per supoprtarle correttamente. Questo avviso della sicurezza è una eccezione alla regola, dovuto alla gravità del problema.

Si raccomanda di aggiornare immediatamente i propri pacchetti PAM se si sta utilizzando Debian/unstable.

Risolto in:

Debian GNU/Linux unstable (sid)

Sorgente:: http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
Componente indipendente dall'architettura:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
Alpha:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
ARM:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
Intel IA-32:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
Intel IA-64:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
HP Precision:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
Motorola 680x0:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
Big endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
Little endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
PowerPC:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
IBM S/390:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
Sun Sparc:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb

Somma di controllo MD5 per i file in elenco disponibile nella notizia originale.