From: Yury German To: gentoo-announce@lists.gentoo.org Message-ID: <9d33ce68-d078-f5b5-4a78-c18388b34003@gentoo.org> Subject: [ GLSA 201605-05 ] Linux-PAM: Multiple vulnerabilities - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201605-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Linux-PAM: Multiple vulnerabilities Date: May 31, 2016 Bugs: #493432, #505604, #553302 ID: 201605-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Linux-PAM, allowing remote attackers to bypass the auth process and cause Denial of Service. Background ========== Linux-PAM (Pluggable Authentication Modules) is an architecture allowing the separation of the development of privilege granting software from the development of secure and appropriate authentication schemes. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-libs/pam < 1.2.1 >= 1.2.1 Description =========== Multiple vulnerabilities have been discovered in Linux-PAM. Please review the CVE identifiers referenced below for details. Impact ====== Remote attackers could cause Denial of Service, conduct brute force attacks, and conduct username enumeration. Workaround ========== There is no known workaround at this time. Resolution ========== All Linux-PAM users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.2.1" References ========== [ 1 ] CVE-2013-7041 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7041 [ 2 ] CVE-2014-2583 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2583 [ 3 ] CVE-2015-3238 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3238 [ 4 ] CVE-2015-3238 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3238 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201605-05 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --6VU9icmgeIXuOB5H0r1BNdlOc7kBIb5uN