| Summary: | <sys-libs/pam-1.5.1: authentication bypass (CVE-2020-27780) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | critical | CC: | zlogene | ||||
| Priority: | Normal | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | https://github.com/linux-pam/linux-pam/commit/28b8c7045ac8ea4ea080bce02a2df9e3b9e98f06 | ||||||
| Whiteboard: | A1 [glsa+ cve] | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Attachments: |
|
||||||
Please bump. Created attachment 674839 [details, diff]
pam-1.5.0-CVE-2020-27780.patch
Upstream fix as patch file...
Comment on attachment 674839 [details, diff]
pam-1.5.0-CVE-2020-27780.patch
I am really waiting for the release here. It is on the way.
This issue was resolved and addressed in GLSA 202012-06 at https://security.gentoo.org/glsa/202012-06 by GLSA coordinator Thomas Deutschmann (whissi). |
From the changelog at $URL: Release 1.5.1 * pam_unix: fixed CVE-2020-27780 - authentication bypass when an user doesn't exist and root password is blank According to the issue this appears to be actively exploited in the wild: https://github.com/linux-pam/linux-pam/issues/284 The only affected version is 1.5.0 accord to SUSE (https://www.openwall.com/lists/oss-security/2020/11/24/3), that version is all unstable for us so this will be a trivial bug.