linux, säkerhet

5307413 2000-07-27  22:01  /60 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <11953>
Ärende: CONECTIVA LINUX SECURITY ANNOUNCEMENT - PAM
------------------------------------------------------------
From: Security <secure@CONECTIVA.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000727112752.F17869@conectiva.com.br>

----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE : pam
SUMMARY : Remote users being treated as local ones
DATE    : 2000-07-27
AFFECTED CONECTIVA VERSIONS : 4.0, 4.0es, 4.1, 4.2, 5.0 and 5.1


DESCRIPTION
Redhat has identified a problem with the pam_console module which
also affects Conectiva Linux.
This module incorrectly identifies remote X logins for displays
other than :0 (:1, :2, etc.) as local ones, thus giving the
console to this user. Having the console, the remote user could
issue commands like reboot to remotely reboot the system (after
providing his or her password).
Note that this vulnerability is only exploitable if the system is
running a graphical login manager (gdm, kdm, etc.), XDMCP is
enabled and remote access is granted. This is *not* the default
configuration for Conectiva Linux.


SOLUTION
All users should upgrade.


DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/pam-0.72-15cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/pam-0.72-15cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/pam-0.72-15cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/pam-0.72-15cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/pam-0.72-15cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/pam-0.72-15cl.i386.rpm


DIRECT LINK TO THE SOURCE PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/pam-0.72-15cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/pam-0.72-15cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/pam-0.72-15cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/pam-0.72-15cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/pam-0.72-15cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/pam-0.72-15cl.src.rpm


----------------------------------------------------------------------

All packages are signed with Conectiva's PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
(5307413) ------------------------------------------(Ombruten)