CVE-2005-2977: Vulnerable to brute forcing attacks when using SELinux

Debian Bug report logs - #336344


Package: pam; Maintainer for pam is Steve Langasek <vorlon@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sat, 29 Oct 2005 15:48:02 UTC

Severity: important

Tags: etch, security

Fixed in versions pam/0.99.7.1-2, pam/0.79-5

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-2977: Vulnerable to brute forcing attacks when using SELinux
Date: Sat, 29 Oct 2005 17:45:49 +0200
Package: pam
Severity: important
Tags: security

Quoting from a Gentoo advisory:
| The SELinux patches for PAM introduce a vulnerability allowing a
| password to be checked with the unix_chkpwd utility without delay or
| logging. This vulnerability doesn't affect users who do not run
| SELinux.

This only affects testing/sid and has been assigned CVE-2005-2977.

        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Julien Goodwin <julien.goodwin@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(full text, mbox, link).


Message #10 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Julien Goodwin <julien.goodwin@strategicdata.com.au>
To: 336344@bugs.debian.org
Date: Mon, 27 Feb 2006 00:23:35 +1100
This bug should be able to be closed as fixed in version 0.79.
Ref:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-2977

Thanks,
Julien


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #15 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Julien Goodwin <julien.goodwin@strategicdata.com.au>
Cc: 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Sun, 26 Feb 2006 20:13:01 +0100
* Julien Goodwin:

> This bug should be able to be closed as fixed in version 0.79.
> Ref:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-2977

This page doesn't mention version 0.79 at all.  Why do you think it's
been fixed in our 0.79 version?



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #20 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Julien Goodwin <julien.goodwin@strategicdata.com.au>, 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Sun, 26 Feb 2006 14:28:56 -0800
On Mon, Feb 27, 2006 at 12:23:35AM +1100, Julien Goodwin wrote:
> This bug should be able to be closed as fixed in version 0.79.

No, it shouldn't.  This bug is known to be present in the Debian pam 0.79
package, which includes a patch from the Debian selinux maintainers which
does indeed open this (relatively minor) security hole.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Julien Goodwin <julien.goodwin@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #25 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Julien Goodwin <julien.goodwin@strategicdata.com.au>
To: 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Mon, 27 Feb 2006 13:53:54 +1100
On 27/02/2006 6:13 AM, Florian Weimer wrote:
> * Julien Goodwin:
> 
>> This bug should be able to be closed as fixed in version 0.79.
>> Ref:
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-2977
> 
> This page doesn't mention version 0.79 at all.  Why do you think it's
> been fixed in our 0.79 version?

From the linked page:
> The SELinux version of PAM before 0.78r3
As I'm not entirely sure of Debian's version number handling,
saying 0.79 is just easier.

Commit:
http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/NEWS?rev=1.6&view=markup


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Julien Goodwin <julien.goodwin@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #30 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Julien Goodwin <julien.goodwin@strategicdata.com.au>
Cc: 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Mon, 27 Feb 2006 13:55:10 +1100
On 27/02/2006 9:28 AM, Steve Langasek wrote:
> On Mon, Feb 27, 2006 at 12:23:35AM +1100, Julien Goodwin wrote:
>> This bug should be able to be closed as fixed in version 0.79.
> 
> No, it shouldn't.  This bug is known to be present in the Debian pam 0.79
> package, which includes a patch from the Debian selinux maintainers which
> does indeed open this (relatively minor) security hole.
> 

Hmm, ok then, but why is it still open several months after being
discovered if we know exactly what the problem is?


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #35 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Julien Goodwin <julien.goodwin@strategicdata.com.au>, 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Sun, 26 Feb 2006 19:37:38 -0800
On Mon, Feb 27, 2006 at 01:55:10PM +1100, Julien Goodwin wrote:
> On 27/02/2006 9:28 AM, Steve Langasek wrote:
> > On Mon, Feb 27, 2006 at 12:23:35AM +1100, Julien Goodwin wrote:
> >> This bug should be able to be closed as fixed in version 0.79.

> > No, it shouldn't.  This bug is known to be present in the Debian pam 0.79
> > package, which includes a patch from the Debian selinux maintainers which
> > does indeed open this (relatively minor) security hole.

> Hmm, ok then, but why is it still open several months after being
> discovered if we know exactly what the problem is?

Because it's a low-risk vulnerability (no direct privilege escalation, just
a brute-force vector) that only affects users running SELinux-enabled
kernels in non-enforcing mode, and I disagree with upstream about the
appropriate fix for the bug.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #40 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: Julien Goodwin <julien.goodwin@strategicdata.com.au>, 336344@bugs.debian.org
Subject: Re: Bug#336344: (no subject)
Date: Sun, 22 Oct 2006 12:15:42 +0200
Steve Langasek wrote:
> > >> This bug should be able to be closed as fixed in version 0.79.
> 
> > > No, it shouldn't.  This bug is known to be present in the Debian pam 0.79
> > > package, which includes a patch from the Debian selinux maintainers which
> > > does indeed open this (relatively minor) security hole.
> 
> > Hmm, ok then, but why is it still open several months after being
> > discovered if we know exactly what the problem is?
> 
> Because it's a low-risk vulnerability (no direct privilege escalation, just
> a brute-force vector) that only affects users running SELinux-enabled
> kernels in non-enforcing mode, and I disagree with upstream about the
> appropriate fix for the bug.

Since Etch will have solid SELinux support out of the box it would be nice
to have it fixed. Has an agreement over the appropriate fix been found in
the meantime?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#336344; Package pam. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (full text, mbox, link).


Message #45 received at 336344@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 336344@bugs.debian.org
Cc: Julien Goodwin <julien.goodwin@strategicdata.com.au>
Subject: Re: Bug#336344: (no subject)
Date: Tue, 31 Oct 2006 17:50:32 -0800
On Sun, Oct 22, 2006 at 12:15:42PM +0200, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > > >> This bug should be able to be closed as fixed in version 0.79.

> > > > No, it shouldn't.  This bug is known to be present in the Debian pam 0.79
> > > > package, which includes a patch from the Debian selinux maintainers which
> > > > does indeed open this (relatively minor) security hole.

> > > Hmm, ok then, but why is it still open several months after being
> > > discovered if we know exactly what the problem is?

> > Because it's a low-risk vulnerability (no direct privilege escalation, just
> > a brute-force vector) that only affects users running SELinux-enabled
> > kernels in non-enforcing mode, and I disagree with upstream about the
> > appropriate fix for the bug.

> Since Etch will have solid selinux support out of the box it would be nice
> to have it fixed. Has an agreement over the appropriate fix been found in
> the mean time?

No, I still disagree with the upstream fix, but resolving this bug is now
one of my last blockers for pam in etch whether or not I end up having to
diverge from upstream.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Tags added: pending. Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org. (Sun, 26 Aug 2007 09:57:02 GMT) (full text, mbox, link).


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #52 received at 336344-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: 336344-close@bugs.debian.org
Subject: Bug#336344: fixed in pam 0.99.7.1-2
Date: Mon, 27 Aug 2007 02:47:29 +0000
Source: pam
Source-Version: 0.99.7.1-2

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.99.7.1-2_amd64.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-2_amd64.deb
libpam-cracklib_0.99.7.1-2_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-2_i386.deb
libpam-doc_0.99.7.1-2_all.deb
  to pool/main/p/pam/libpam-doc_0.99.7.1-2_all.deb
libpam-modules_0.99.7.1-2_amd64.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-2_amd64.deb
libpam-modules_0.99.7.1-2_i386.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-2_i386.deb
libpam-runtime_0.99.7.1-2_all.deb
  to pool/main/p/pam/libpam-runtime_0.99.7.1-2_all.deb
libpam0g-dev_0.99.7.1-2_amd64.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-2_amd64.deb
libpam0g-dev_0.99.7.1-2_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-2_i386.deb
libpam0g_0.99.7.1-2_amd64.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-2_amd64.deb
libpam0g_0.99.7.1-2_i386.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-2_i386.deb
pam_0.99.7.1-2.diff.gz
  to pool/main/p/pam/pam_0.99.7.1-2.diff.gz
pam_0.99.7.1-2.dsc
  to pool/main/p/pam/pam_0.99.7.1-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336344@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 26 Aug 2007 19:15:09 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source amd64 all i386
Version: 0.99.7.1-2
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-doc - Documentation of PAM
 libpam-runtime - Runtime support for the PAM library
 libpam-cracklib - PAM module to enable cracklib support
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 62193 119689 127931 165067 178225 181451 184270 212165 220157 241661 300773 305058 313486 328084 330545 331208 333141 336344 350620 354309 360460 362855 368100 411812 412484 416665 436005 436222 439038 439040
Changes: 
 pam (0.99.7.1-2) unstable; urgency=low
 .
   * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
     for their extensive work in helping to prepare for this update in Debian.
     Closes: #360460.
     - now uses autoconf for library detection, so SELinux should not be
       unconditionally enabled on non-Linux archs.  Closes: #333141.
     - pam_mail notice handling has been completely reworked, so there should
       no longer be missing spaces in the messages.  Closes: #119689.
     - with libtool and autoconf, now behaves "sensibly" on unknown
       platforms.  Closes: #165067.
     - the source now builds without warnings.  Closes: #212165.
     - uses automake instead of hand-rolled makefiles with indentation
       bugs.  Closes: #241661, #328084.
     - pam_mkhomedir now creates directories recursively as needed.
       Closes: #178225.
     - pam_listfile now supports being used as a session module too.
       Closes: #416665.
     - misspelled pam_userdb log message has been corrected.  Closes: #305058.
     - the current pam_strerror manpage no longer mentions "Unknown
       Linux-PAM error".  Closes: #220157.
     - the text documentation no longer uses ANSI bold sequences.
       Closes: #181451.
     - pam_localuser now supports being used as a session module.
       Closes: #412484.
     - package no longer fails to build with dash as /bin/sh.
       Closes: #331208.
     - All modules should now be documented in the system administrator
       guide.  Closes: #350620.
     - pam_userdb now logs an error instead of segfaulting when no db=
       option is provided.  Closes: #436005.
     - pam_time now warns on a missing tty instead of erroring out,
       making it possible to use the module with non-console services.
       Closes: #127931.
     - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install
       accordingly
     - bump the shlibs
     - the 'test.c' example no longer exists
     - add /usr/share/locale to libpam-runtime.
     - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
       arbitrary username, and then only when SELinux is active.
       Closes: #336344.
   * Mark myself as primary maintainer as previously discussed with Sam, and
     add Roger as an uploader.
   * Refactor to use quilt.
   * Update to Standards-Version 3.7.2.
   * Drop unnecessary build-dependency on patch, which is
     build-essential (and no longer invoked directly).
   * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus,
     018_man_fixes, 030_makefile_link_against_libpam,
     037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd,
     050_configure_in_gnu and 052_pam_unix_no_openlog, which have been
     superseded upstream.
   * Drop patches 005_pam_limits_099_6,
     012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes,
     048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv,
     060_pam_tally_segv and 062_c++_safe_headers, which have been integrated
     upstream.
   * Patch 057: SELinux support is merged upstream, leaving only an
     unrelated OOM check for pam_unix_passwd.  Rename as
     057_pam_unix_passwd_OOM_check.
   * Patches 006, 008, 036: update for the switch from SGML to XML.
   * Patch 007: update for the switch from SGML to XML; drop some log
     messages that were already added upstream; update for the pam_modutil
     changes; tighten the flag handling of the 'obscure' option; drop bogus
     check in unix_chkpwd for null passwords.  Also fix a grammar error
     along the way.  Closes: #362855.
   * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch
     pam_cracklib.c instead to use the default dictpath already available
     from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead
     of AC_CHECK_HEADER, so crack.h is actually included.  Also remove
     unnecessary string copies, which break on the Hurd due to PATH_MAX.
   * Patch 038: partially merged/superseded upstream; also add new Hurd
     fix for pam_xauth.
   * Patch 061: partially merged upstream
   * Use ${binary:Version} instead of ${Source-Version} in
     debian/control.
   * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm},
     debian/libpam0g.{postinst,prerm}, and
     debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these
     just fine without our help.
   * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl
     and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra,
     groff, and opensp.
   * Also build-depend on flex for libfl.a.
   * Updates for documentation handling:
     - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide,
       and invoke dh_installdocs instead of installing these by hand.
     - drop libpam-doc.{postinst,prerm}, which are no longer needed.
     - add an install target to debian/rules, and have binary-indep depend on
       it instead of trying to install doc files individually from the source
       tree
     - consequently, drop libpam-doc.dirs as well which is no longer needed
       and no longer accurate
     - add debian/libpam-doc.install for moving the docs to the right place,
       and also replace libpam-runtime.files with libpam-runtime.install;
       for the moment this means we're using both dh_movefiles and
       dh_install...
     - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further
       cleaning up debian/rules
   * Drop debian/libpam0g.links, no longer needed because upstream now has a
     working install target which creates the library symlinks
   * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so
     symlinks by hand, no longer provided upstream.
   * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage
     belongs in section 7, not in section 8.
   * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime.
   * debian/patches-applied/autoconf.patch: move all changes to autotools
     generated files into a single patch at the end of the stack.
     - don't touch configure in debian/rules, the quilt patch takes care
       of this for us.
   * New patch 064_pam_unix_cracklib_dictpath: correctly define
     CRACKLIB_DICTS, since this is not defined by configure.  Thanks to Jan
     Christoph Nordholz.
   * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable
     cracklib support in pam_unix.  Thanks to Christoph Nordholz.
   * debian/rules:
     - Rename OS_CFLAGS to CFLAGS.
     - kill off references to unused variables
     - make binary-arch also depend on the install target, and streamline the
       rules
     - fix up the clean target to not ignore errors; thanks to Roger Leigh
     - drop the local module_check target in favor of using -Wl,-z,defs
       in LDFLAGS to enforce correct linkage of all objects at build time
   * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage.
   * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally
     for consistency.
   * Update to debhelper V5.
   * Don't ship Makefiles as part of the libpam0g-dev examples.
   * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages:
     put all the manpages in the correct packages.  Closes: #411812,
     #62193, #313486, #300773, #330545, #184270.
   * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything
     because we aren't trying to ship empty directories in the packages
   * Build-Conflict with fop, to avoid unreproducible builds of pdf
     documentation from a tool in contrib.
   * libpam-cracklib should depend on a real wordlist package, per policy;
     use wamerican as the default.
   * Drop local/pam-undocumented.7 from the package, since we no longer have
     a reason to ship it
   * Add lintian overrides for known false-positives
   * Conflicts/Replaces/Provides libpam-umask, now included upstream.
     Closes: #436222.
   * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms
     by hand in debian/rules.  In the process, unix_chkpwd is now writable
     by the owner, as expected by policy.  Closes: #368100.
   * Migrate from db4.3 to db4.6; once again, no administrator action should
     be needed for upgrading on-disk database formats.  Closes: #354309.
   * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to
     Laurent Bigonville for the hint.  Closes: #439038.
   * Add a watch file for use with uscan; thanks to Laurent Bigonville for
     this patch as well.  Closes: #439040.
   * Rewrite of 031_pam_include, fixing a memory leak and letting us drop
     patch 056_no_label_at_end; thanks to Jan Christoph Nordholz
     <hesso@pool.math.tu-berlin.de> for this much-improved version!
   * New patch no_pthread_mutexes: don't use pthread mutexes in
     pam_modutil functions, they're not needed because pam handles
     themselves should not be used concurrently by multiple threads and
     using pthreads causes problems for portable linking.
   * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around
     using setreuid instead.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2007 07:33:01 GMT) (full text, mbox, link).


Bug unarchived. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2007 21:51:02 GMT) (full text, mbox, link).


Tags added: etch. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2007 21:51:03 GMT) (full text, mbox, link).


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #63 received at 336344-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: 336344-close@bugs.debian.org
Subject: Bug#336344: fixed in pam 0.79-5
Date: Mon, 22 Oct 2007 07:56:32 +0000
Source: pam
Source-Version: 0.79-5

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-5_amd64.deb
  to pool/main/p/pam/libpam-cracklib_0.79-5_amd64.deb
libpam-cracklib_0.79-5_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-5_i386.deb
libpam-doc_0.79-5_all.deb
  to pool/main/p/pam/libpam-doc_0.79-5_all.deb
libpam-modules_0.79-5_amd64.deb
  to pool/main/p/pam/libpam-modules_0.79-5_amd64.deb
libpam-modules_0.79-5_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-5_i386.deb
libpam-runtime_0.79-5_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-5_all.deb
libpam0g-dev_0.79-5_amd64.deb
  to pool/main/p/pam/libpam0g-dev_0.79-5_amd64.deb
libpam0g-dev_0.79-5_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-5_i386.deb
libpam0g_0.79-5_amd64.deb
  to pool/main/p/pam/libpam0g_0.79-5_amd64.deb
libpam0g_0.79-5_i386.deb
  to pool/main/p/pam/libpam0g_0.79-5_i386.deb
pam_0.79-5.diff.gz
  to pool/main/p/pam/pam_0.79-5.diff.gz
pam_0.79-5.dsc
  to pool/main/p/pam/pam_0.79-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336344@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 21 Oct 2007 12:22:42 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all amd64
Version: 0.79-5
Distribution: proposed-updates
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-doc - Documentation of PAM
 libpam-runtime - Runtime support for the PAM library
 libpam-cracklib - PAM module to enable cracklib support
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 336344
Changes: 
 pam (0.79-5) proposed-updates; urgency=low
 .
   * CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
     arbitrary username, and then only when SELinux is active.  In all other
     cases root should have privileges to access /etc/shadow directly, and
     non-root users are not allowed access under the default security policy.
     This fixes a low-impact brute-force vector when SELinux is enabled and
     running in non-enforcing mode.  Closes: #336344.



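As an added illustration of the caller rule the 0.79-5 changelog entry above states for unix_chkpwd, with every refusal logged and delayed (the two properties the Gentoo advisory quoted at the top of the thread said the SELinux patch had bypassed). This is not the Debian patch or Linux-PAM source: the struct and function names, the in-memory shadow table standing in for getspnam()/crypt(), the exit codes and the delay length are assumptions made for this example.

```c
/* Added illustration of the unix_chkpwd caller rule from the changelog above.
 * Not Linux-PAM or Debian source: the struct and function names, the in-memory
 * shadow table (stand-in for getspnam()/crypt()), the exit codes and the delay
 * length are all assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

#define CHKPWD_OK        0   /* password verified */
#define CHKPWD_DENIED    1   /* caller may not ask about that account */
#define CHKPWD_BADPASS   2   /* caller allowed, password wrong */
#define FAIL_DELAY_SECS  2   /* assumed throttle applied to every failure */

/* What the helper knows about the process that invoked it.  Passed in
 * explicitly rather than read via getuid()/is_selinux_enabled() so the rule
 * can be exercised without running the program setuid root. */
struct caller {
    uid_t uid;              /* real uid of the invoking process */
    const char *uid_name;   /* account name for that uid, as from getpwuid() */
    int selinux_active;     /* 1 if SELinux is enabled on this system */
};

/* Constructed stand-in for /etc/shadow; a real helper compares with crypt(). */
struct shadow_entry { const char *name; const char *secret; };
static const struct shadow_entry shadow_db[] = {
    { "root",  "r00t-secret"  },
    { "alice", "alice-secret" },
    { "bob",   "bob-secret"   },
};

/* The rule from the 0.79-5 changelog: any caller may check its own password;
 * only uid 0, and only while SELinux is active, may name an arbitrary account
 * (under SELinux root may be unable to read /etc/shadow itself); everything
 * else is refused.  Without the uid 0 condition the SELinux branch let any
 * local user probe other accounts, which is the CVE-2005-2977 hole. */
int caller_may_check(const struct caller *c, const char *requested_user)
{
    if (c == NULL || c->uid_name == NULL || requested_user == NULL)
        return 0;
    if (strcmp(c->uid_name, requested_user) == 0)
        return 1;                              /* own account */
    return c->uid == 0 && c->selinux_active;   /* root, SELinux active */
}

/* No-op sleeper for dry runs and tests; the real helper passes sleep(). */
unsigned chkpwd_no_sleep(unsigned secs)
{
    (void)secs;
    return 0;
}

/* One complete check, as the helper would perform it after reading the
 * password from stdin.  A refused caller and a wrong password are both logged
 * and both delayed, so the helper is neither silent nor fast for someone
 * guessing passwords (the two gaps the Gentoo advisory above describes). */
int chkpwd_run(const struct caller *c, const char *requested_user,
               const char *password, unsigned (*sleep_fn)(unsigned))
{
    int rc = CHKPWD_DENIED;
    size_t i;

    if (c == NULL)
        return CHKPWD_DENIED;
    if (caller_may_check(c, requested_user)) {
        rc = CHKPWD_BADPASS;
        for (i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++) {
            if (strcmp(shadow_db[i].name, requested_user) == 0 &&
                password != NULL && strcmp(shadow_db[i].secret, password) == 0) {
                rc = CHKPWD_OK;
                break;
            }
        }
    }
    if (rc != CHKPWD_OK) {
        syslog(LOG_AUTHPRIV | LOG_NOTICE, "unix_chkpwd: %s for user [%s] by uid %lu",
               rc == CHKPWD_DENIED ? "check refused" : "password check failed",
               requested_user ? requested_user : "(null)", (unsigned long)c->uid);
        sleep_fn(FAIL_DELAY_SECS);
    }
    return rc;
}

int main(void)
{
    /* Constructed scenario: unprivileged bob on an SELinux-enabled host. */
    struct caller bob  = { 1001, "bob",  1 };
    struct caller root = { 0,    "root", 1 };

    printf("bob  -> alice: %d (refused, logged, delayed)\n",
           chkpwd_run(&bob, "alice", "alice-secret", sleep));
    printf("bob  -> bob:   %d (own account, correct password)\n",
           chkpwd_run(&bob, "bob", "bob-secret", chkpwd_no_sleep));
    printf("root -> alice: %d (uid 0 under SELinux may name any account)\n",
           chkpwd_run(&root, "alice", "alice-secret", chkpwd_no_sleep));
    return 0;
}
```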


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Nov 2007 07:29:52 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:09 2019; Machine Name: beach
