| Field | Value |
|---|---|
| Summary | <app-admin/salt-{2015.8.8, 2015.5.10}: insecure configuration of PAM external authentication service (CVE-2016-3176) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | trivial |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| CC | chutzpah |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1320865 |
| Whiteboard | ~3 [noglsa cve] |
| Package list | (empty) |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2016-03-24 09:25:42 UTC
CVE-2016-3176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3176): This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service. Thank you to Dylan Frese <dmfrese@gmail.com> for bringing this issue to our attention.

Only =app-admin/salt-2015.8.8 is in the tree.

@maintainer, please bump the 2015.5.x series to: =app-admin/salt-2015.5.10

Once complete, please remove the vulnerable versions or backport any patches.

@maintainer, please cleanup the vulnerable versions.
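The bug class described in the report, as an added example that is not part of the bug page and is not Salt's own code: a minimal external-auth dispatcher that forwards the client's extra request keys to the PAM backend, so a client-chosen `service` key replaces the master-configured PAM service, beside a hardened dispatcher that only ever uses the configured service. The PAM stacks, user database, request shape and the `auth.pam.service` option name are all constructed for illustration (the option name mirrors Salt's master setting, but the code below is not Salt's implementation).

```python
"""Model of the CVE-2016-3176 pattern (added example, not Salt's own code).

The vulnerable dispatcher forwards whatever extra keys the client put in its
authentication load to the PAM backend, so a client-chosen "service" key
replaces the service the master administrator configured.  The fixed
dispatcher only ever uses the configured service.

Everything below is constructed for illustration: the PAM stacks, the user
database, the request shape and the option name (which mirrors Salt's
auth.pam.service master setting, but this is not Salt's implementation).
"""

# Constructed stand-in for the system password database.
UNIX_USERS = {"alice": "correct-horse", "bob": "battery-staple"}


def pam_unix(user, password):
    """Password check against the constructed user database."""
    return UNIX_USERS.get(user) == password


def pam_listfile(allowed):
    """Account restriction: only listed users may use this service."""
    def check(user, password):
        return user in allowed
    return check


def pam_permit(user, password):
    """Always succeeds (the real pam_permit.so does the same)."""
    return True


def pam_deny(user, password):
    """Always fails; used for the catch-all 'other' stack."""
    return False


# Constructed PAM service stacks.  "salt" is what the master is configured to
# use; "lenient" stands for any other service on the host whose stack happens
# to be permissive; "other" is the fallback for unknown service names.
PAM_STACKS = {
    "salt": [pam_unix, pam_listfile({"alice"})],
    "lenient": [pam_permit],
    "other": [pam_deny],
}


def pam_authenticate(service, user, password):
    """Run every module in the named stack; all must succeed (all 'required')."""
    stack = PAM_STACKS.get(service, PAM_STACKS["other"])
    return all(module(user, password) for module in stack)


MASTER_OPTS = {"auth.pam.service": "salt"}
RESERVED_KEYS = {"eauth", "username", "password"}


def eauth_vulnerable(load, opts=MASTER_OPTS):
    """Forwards every non-reserved key of the request as a backend kwarg, so a
    client-supplied 'service' wins over the configured one."""
    kwargs = {k: v for k, v in load.items() if k not in RESERVED_KEYS}
    service = kwargs.get("service", opts["auth.pam.service"])
    return pam_authenticate(service, load["username"], load["password"])


def eauth_fixed(load, opts=MASTER_OPTS):
    """The service name comes from master configuration only; nothing in the
    client's load can select the PAM service."""
    service = opts["auth.pam.service"]
    return pam_authenticate(service, load["username"], load["password"])


if __name__ == "__main__":
    # Constructed request loads as a LocalClient-style caller might send them.
    legit = {"eauth": "pam", "username": "alice", "password": "correct-horse"}
    forged = {"eauth": "pam", "username": "mallory", "password": "x",
              "service": "lenient"}
    for name, load in (("legitimate", legit), ("forged service", forged)):
        print(f"{name:15} vulnerable={eauth_vulnerable(load)} "
              f"fixed={eauth_fixed(load)}")
```

The forged load never has to know a password: naming a permissive service is enough for the vulnerable dispatcher to return success, while the hardened one evaluates the same load against the configured stack and rejects it. The general check this illustrates is that a request must not be able to choose which authentication policy is applied to it; on a real master the practical check is simply the package version (2015.8.8 / 2015.5.10 or later).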