| Summary: | libpam4j new security issue CVE-2017-12197 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | libpam4j-1.8-7.mga6.src.rpm | CVE: | |
| Status comment: | Proposed patches available from Debian, RedHat, and github | ||
|
Description
David Walser 2017-11-10 14:41:52 CET

David Walser 2017-11-10 14:42:13 CET
CC: (none) => geiger.david68210

We won't be fixing this type of package for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Debian pointed out in their bug that RedHat patched to fix this too. Both fixes are based on a suggested patch on github linked from here: https://security-tracker.debian.org/tracker/CVE-2017-12197
Status comment: (none) => Proposed patches available from Debian, RedHat, and github

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such a user who has a valid password, but a deactivated or disabled account could still log in (CVE-2017-11721).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm
Assignee: mageia => qa-bugs

(sorry - messed up the advisory - had wrong CVE in one place)

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such a user who has a valid password, but a deactivated or disabled account could still log in (CVE-2017-12197).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm

This is curious:

```
$ urpmq --whatrequires libpam4j
$ urpmq --whatrequires-recursive libpam4j
$ urpmq -l libpam4j | sort -u
/usr/share/doc/libpam4j
/usr/share/doc/libpam4j/README.md
/usr/share/java/libpam4j
/usr/share/java/libpam4j/libpam4j.jar
/usr/share/licenses/libpam4j
/usr/share/licenses/libpam4j/LICENSE
/usr/share/maven-metadata/libpam4j.xml
/usr/share/maven-poms/libpam4j
/usr/share/maven-poms/libpam4j/libpam4j.pom
```

Can we test this other than clean update? No previous updates for it.

Yeah for Java stuff like this, just test that it updates cleanly.

MGA6-32 on Dell Latitude D600 MATE
No installation issues.
Clean install OK
Whiteboard: (none) => MGA6-32-OK

Test updating M6/64
Installed from current repos (note *no* lib64... here):
libpam4j-javadoc-1.8-7.mga6.noarch.rpm
libpam4j-1.8-7.mga6.noarch.rpm
From Updates Testing, updated via MCC-Update System to:
libpam4j-1.8-7.1.mga6
libpam4j-javadoc-1.8-7.1.mga6
No problems. OK.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0234.html
Status: NEW => RESOLVED
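The flaw the advisory describes is a missing PAM phase: the auth phase (pam_authenticate) only verifies the password, while the account phase (pam_acct_mgmt) decides whether the account may log in at all. The constructed model below (added here, not libpam4j or Mageia code; the shadow entries, hashing and dates are assumptions) shows why a wrapper that skips the second call accepts a user whose password is valid but whose account has been disabled by an expiry date.

```python
"""Constructed model of the two PAM phases behind CVE-2017-12197."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Return codes with the values Linux-PAM uses in _pam_types.h.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_ACCT_EXPIRED = 13


@dataclass
class ShadowEntry:
    """Constructed stand-in for a shadow record: password hash + expiry."""
    user: str
    pw_hash: str              # hex sha256 of the password (model only)
    expire: Optional[date]    # account expiry date; None = never expires


def _hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def pam_authenticate(db: Dict[str, ShadowEntry], user: str, password: str) -> int:
    """Auth phase: checks the credential only, like pam_unix's auth module."""
    entry = db.get(user)
    if entry is None or not hmac.compare_digest(entry.pw_hash, _hash(password)):
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_acct_mgmt(db: Dict[str, ShadowEntry], user: str, today: date) -> int:
    """Account phase: checks the account's validity, not the password."""
    entry = db[user]
    if entry.expire is not None and entry.expire <= today:
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS


def login_vulnerable(db, user, password, today) -> bool:
    """Pre-fix behaviour: only the auth phase is consulted."""
    return pam_authenticate(db, user, password) == PAM_SUCCESS


def login_fixed(db, user, password, today) -> bool:
    """Fixed behaviour: both phases must return PAM_SUCCESS."""
    return (pam_authenticate(db, user, password) == PAM_SUCCESS
            and pam_acct_mgmt(db, user, today) == PAM_SUCCESS)


# Constructed sample: alice is active; bob's password is valid but his
# account was disabled with an expiry date in the past (chage -E style).
TODAY = date(2017, 11, 10)
SHADOW = {
    "alice": ShadowEntry("alice", _hash("correct horse"), None),
    "bob": ShadowEntry("bob", _hash("battery staple"), date(2017, 1, 1)),
}
```

With this data, `login_vulnerable(SHADOW, "bob", "battery staple", TODAY)` returns True while `login_fixed(...)` returns False, which is exactly the difference the Debian and RedHat patches introduce.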