ESB-2017.2850 - [Debian] libpam4j: Unauthorised access - Existing account 2017-11-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2850
                         libpam4j security update
                              9 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libpam4j
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12197  

Reference:         ESB-2017.2618
                   ESB-2017.2615

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4025

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4025-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 08, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libpam4j
CVE ID         : CVE-2017-12197

It was discovered that libpam4j, a Java library wrapper for the
integration of PAM, did not call pam_acct_mgmt() during authentication.
As such, a user who has a valid password but a deactivated or disabled
account could still log in.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.4-2+deb9u1.

We recommend that you upgrade your libpam4j packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
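
A check a defender can run after upgrading, added here as an example and not part of the advisory or of libpam4j's own code: it calls the library's PAM.authenticate() for a test account that was disabled on purpose and reports whether the login is still accepted. The class name DisabledAccountCheck, its arguments and its exit codes are assumptions of this example.

```java
import java.io.Console;
import java.util.Arrays;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;

// Added example: post-upgrade regression check for CVE-2017-12197.
// Assumptions: <test-user> is a throwaway account that was disabled or expired
// on purpose, and the password typed in was confirmed to work while the
// account was still enabled (otherwise a rejection proves nothing).
public class DisabledAccountCheck {
    public static void main(String[] args) {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage: DisabledAccountCheck <pam-service> <test-user>"
                    + " (run from an interactive terminal)");
            System.exit(2);
        }
        char[] password = console.readPassword("Known-good password for %s: ", args[1]);
        if (password == null) {
            System.exit(2);
        }
        System.exit(check(args[0], args[1], password));
    }

    // Returns 0 if PAM rejected the disabled account, 1 if the login was
    // accepted (account check missing), 2 if PAM could not be initialised.
    static int check(String service, String user, char[] password) {
        PAM pam;
        try {
            pam = new PAM(service);
        } catch (PAMException e) {
            System.err.println("cannot start PAM service " + service + ": " + e.getMessage());
            return 2;
        }
        try {
            pam.authenticate(user, new String(password));
            System.out.println("FAIL: disabled account " + user + " was authenticated");
            return 1;
        } catch (PAMException e) {
            System.out.println("PASS: login rejected: " + e.getMessage());
            return 0;
        } finally {
            pam.dispose();                 // release the PAM handle
            Arrays.fill(password, '\0');   // do not keep the password in memory
        }
    }
}
```

Run it as the same user and with the same PAM service name as the application that embeds libpam4j, so the result reflects what that application would decide.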

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
