Linux-PAM: Multiple vulnerabilities — GLSA 201605-05

Multiple vulnerabilities have been found in Linux-PAM, allowing remote attackers to bypass the authentication process and cause a Denial of Service.

Affected packages

sys-libs/pam on all architectures
Affected versions < 1.2.1
Unaffected versions >= 1.2.1

Background

Linux-PAM (Pluggable Authentication Modules) is an architecture that separates the development of privilege-granting software from the development of secure and appropriate authentication schemes.

Description

Multiple vulnerabilities have been discovered in Linux-PAM. Please review the CVE identifiers referenced below for details.

Impact

Remote attackers could cause Denial of Service, conduct brute force attacks, and conduct username enumeration.

Workaround

There is no known workaround at this time.

Resolution

All Linux-PAM users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.2.1"
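
To find hosts still below the fixed version, the following added example (not part of the advisory or of Gentoo's tooling) classifies sys-libs/pam entries against 1.2.1. The function names and the sample listing are constructed; input is assumed to be category/package-version lines such as `qlist -Iv sys-libs/pam` prints.

```shell
# Added example (not from the advisory): classify sys-libs/pam entries in a
# package listing against the fixed version stated in GLSA 201605-05.
FIXED="1.2.1"

# ver_lt A B: succeed when dotted-numeric version A is lower than B.
# Missing components count as 0, so 1.2 compares as 1.2.0.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# pam_status ATOM: print affected, unaffected or unknown for one entry.
pam_status() {
    case $1 in
        sys-libs/pam-[0-9]*) v=${1#sys-libs/pam-} ;;
        *) echo unknown; return 0 ;;
    esac
    # A Gentoo revision (-r1, -r2, ...) never moves a version across 1.2.1.
    v=$(printf '%s\n' "$v" | sed 's/-r[0-9][0-9]*$//')
    # Suffixed versions (_rc, _p, ...) are not compared here.
    case $v in
        *[!0-9.]*|*..*|*.) echo unknown; return 0 ;;
    esac
    if ver_lt "$v" "$FIXED"; then echo affected; else echo unaffected; fi
}

# pam_report: read category/package-version lines on stdin and print
# "<status> <entry>" for each sys-libs/pam entry, ignoring other packages.
pam_report() {
    while IFS= read -r line; do
        case $line in
            sys-libs/pam-[0-9]*) printf '%s %s\n' "$(pam_status "$line")" "$line" ;;
        esac
    done
}

# Constructed sample listing (not real host data).
SAMPLE='sys-libs/pam-1.1.8-r3
sys-libs/pambase-20150213
sys-libs/pam-1.2.1-r2
sys-libs/pam-1.2.0_rc1'
printf '%s\n' "$SAMPLE" | pam_report
```

Entries reported as unknown carry a version suffix the comparison does not handle and need a manual check against 1.2.1.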
 

References

Release date
May 31, 2016

Latest revision
May 31, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries