ELSA-2024-11250

Опубликовано: 19 дек. 2024

Источник: oracle-oval

Платформа: Oracle Linux 9

Описание

ELSA-2024-11250: pam security update (MODERATE)

[1.5.1-21.0.1]

pam_access: clean up the remote host matching code [Orabug: 36771903]
pam_limits: fix use after free in pam_sm_open_session [Orabug: 36406534]

[1.5.1-21]

pam_unix: always run the helper to obtain shadow password file entries. CVE-2024-10041. Resolves: RHEL-62880

[1.5.1-20]

libpam: support long lines in service files. Resolves: RHEL-40705

[1.5.1-19]

pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. CVE-2024-22365. Resolves: RHEL-21244

[1.5.1-18]

libpam: use getlogin() from libc and not utmp. Resolves: RHEL-16727
pam_access: handle hostnames in access.conf. Resolves: RHEL-22300

[1.5.1-17]

pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-20943

[1.5.1-16]

libpam: use close_range() to close file descriptors. Resolves: RHEL-5099
fix formatting of audit messages. Resolves: RHEL-5100

[1.5.1-15]

pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2215007

Обновленные пакеты

Oracle Linux 9

Oracle Linux aarch64

pam

1.5.1-21.0.1.el9_5

pam-devel

1.5.1-21.0.1.el9_5

pam-docs

1.5.1-21.0.1.el9_5

Oracle Linux x86_64

pam

1.5.1-21.0.1.el9_5

pam-devel

1.5.1-21.0.1.el9_5

pam-docs

1.5.1-21.0.1.el9_5

Связанные CVE

CVE-2024-10041

Ссылки на источники

Связанные уязвимости

CVE-2024-10041

CVSS3: 4.7

ubuntu

9 месяцев назад

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.