From the changelog at $URL:

Release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when an user doesn't exist and root password is blank

According to the issue this appears to be actively exploited in the wild: https://github.com/linux-pam/linux-pam/issues/284

The only affected version is 1.5.0 according to SUSE (https://www.openwall.com/lists/oss-security/2020/11/24/3), that version is all unstable for us so this will be a trivial bug.
Please bump.
Created attachment 674839: pam-1.5.0-CVE-2020-27780.patch
Upstream fix as patch file...
Comment on attachment 674839: pam-1.5.0-CVE-2020-27780.patch
I am really waiting for the release here. It is on the way.
This issue was resolved and addressed in GLSA 202012-06 at https://security.gentoo.org/glsa/202012-06 by GLSA coordinator Thomas Deutschmann (whissi).