Description
Security update for pam
This update for pam fixes two security issues.
These security issues were fixed:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- CVE-2013-7041: Compare password hashes case-sensitively (bsc#854480).
This non-security issue was fixed:
- bsc#962220: Don't fail when /var/log/btmp is corrupted
Package list
SUSE Linux Enterprise Server 11 SP4
pam-1.1.5-0.17.2
pam-32bit-1.1.5-0.17.2
pam-doc-1.1.5-0.17.2
pam-x86-1.1.5-0.17.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4
pam-1.1.5-0.17.2
pam-32bit-1.1.5-0.17.2
pam-doc-1.1.5-0.17.2
pam-x86-1.1.5-0.17.2
SUSE Linux Enterprise Software Development Kit 11 SP4
pam-devel-1.1.5-0.17.2
pam-devel-32bit-1.1.5-0.17.2
References
- Link for SUSE-SU-2016:1645-1
- E-Mail link for SUSE-SU-2016:1645-1
- SUSE Security Ratings
- SUSE Bug 854480
- SUSE Bug 934920
- SUSE Bug 962220
- SUSE CVE CVE-2013-7041 page
- SUSE CVE CVE-2015-3238 page
Description
The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.
Affected products
SUSE Linux Enterprise Server 11 SP4:pam-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-32bit-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-doc-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-x86-1.1.5-0.17.2
References
- CVE-2013-7041
- SUSE Bug 1123794
- SUSE Bug 1215217
- SUSE Bug 854480
Description
The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.
Affected products
SUSE Linux Enterprise Server 11 SP4:pam-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-32bit-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-doc-1.1.5-0.17.2
SUSE Linux Enterprise Server 11 SP4:pam-x86-1.1.5-0.17.2
References
- CVE-2015-3238
- SUSE Bug 1123794
- SUSE Bug 934920