update: pam #1349

dongsupark · 2024-02-07T15:09:58Z

Name: pam
CVEs: CVE-2024-22365, CVE-2024-10041, CVE-2024-10963
CVSSs: 5.5, 4.7, 7.4
Action Needed: update to >= 1.7.0 ?

Summary:

CVE-2024-22365: linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.
CVE-2024-10041: The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. (NOTE: Enforced SELinux can mitigate the issue)
CVE-2024-10963: A vulnerability was found in pam_access due to the improper handling of tokens in access.conf, interpreted as hostnames. This flaw allows attackers to bypass access restrictions by spoofing hostnames, undermining configurations designed to limit access to specific TTYs or services. The flaw poses a risk in environments relying on these configurations for local access control.
- https://bugzilla.redhat.com/show_bug.cgi?id=2324291

refmap.gentoo:

tormath1 · 2024-10-24T13:53:49Z

dongsupark · 2024-11-08T09:05:11Z

chewi · 2025-03-03T14:17:30Z

Is there something blocking this or do we just need to get around to it? It's a forked package, so I could look at switching to upstream.

dongsupark · 2025-03-03T15:46:08Z

It would be worth verifying if the fork is still needed, please see README.
If not needed, of course we can switch to upstream.

dongsupark added security security concerns advisory security advisory labels Feb 7, 2024

dongsupark added this to Flatcar tactical, release planning, and roadmap Feb 7, 2024

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Feb 7, 2024

dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Feb 7, 2024

dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Feb 14, 2024

github-actions bot mentioned this issue Feb 22, 2024

Monthly contributions report 2024-01-22 - 2024-02-21 #1369

Closed

github-actions bot mentioned this issue Mar 22, 2024

Monthly contributions report 2024-02-22 - 2024-03-21 #1398

Closed

github-actions bot mentioned this issue Apr 22, 2024

Monthly contributions report 2024-03-22 - 2024-04-21 #1435

Closed

github-actions bot mentioned this issue May 22, 2024

Monthly contributions report 2024-04-22 - 2024-05-21 #1451

Closed

github-actions bot mentioned this issue Jun 22, 2024

Monthly contributions report 2024-05-22 - 2024-06-21 #1477

Closed

markafarrell mentioned this issue Jun 25, 2024

Upgrade to linux-pam-1.5.3-r1 flatcar/scripts#2049

Merged

2 tasks

github-actions bot mentioned this issue Jul 22, 2024

Monthly contributions report 2024-06-22 - 2024-07-21 #1497

Closed

github-actions bot mentioned this issue Aug 22, 2024

Monthly contributions report 2024-07-22 - 2024-08-21 #1519

Closed

github-actions bot mentioned this issue Sep 22, 2024

Monthly contributions report 2024-08-22 - 2024-09-21 #1547

Closed

github-actions bot mentioned this issue Oct 22, 2024

Monthly contributions report 2024-09-22 - 2024-10-21 #1568

Closed

dongsupark added cvss/HIGH > 7 && < 9 assessed CVSS and removed cvss/MEDIUM >= 4 && < 7 assessed CVSS labels Nov 8, 2024

github-actions bot mentioned this issue Nov 22, 2024

Monthly contributions report 2024-10-22 - 2024-11-21 #1585

Closed

github-actions bot mentioned this issue Dec 22, 2024

Monthly contributions report 2024-11-22 - 2024-12-21 #1603

Closed

github-actions bot mentioned this issue Jan 22, 2025

Monthly contributions report 2024-12-22 - 2025-01-21 #1618

Closed

github-actions bot mentioned this issue Feb 22, 2025

Monthly contributions report 2025-01-22 - 2025-02-21 #1658

Open

Provide feedback