Debian has issued an advisory on November 8: https://www.debian.org/security/2017/dsa-4025 Mageia 5 and Mageia 6 are also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO, MGA5TOO
We won't be fixing this type of package for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Debian pointed out in their bug that RedHat patched to fix this too. Both fixes are based on a suggested patch on github linked from here: https://security-tracker.debian.org/tracker/CVE-2017-12197
Status comment: (none) => Proposed patches available from Debian, RedHat, and github
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such, a user who has a valid password, but a deactivated or disabled account, could still log in (CVE-2017-11721).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm
Assignee: mageia => qa-bugs
Version: Cauldron => 6
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)
(sorry - messed up the advisory - had wrong CVE in one place)

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such, a user who has a valid password, but a deactivated or disabled account, could still log in (CVE-2017-12197).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm
This is curious:

$ urpmq --whatrequires libpam4j
$ urpmq --whatrequires-recursive libpam4j
$ urpmq -l libpam4j | sort -u
/usr/share/doc/libpam4j
/usr/share/doc/libpam4j/README.md
/usr/share/java/libpam4j
/usr/share/java/libpam4j/libpam4j.jar
/usr/share/licenses/libpam4j
/usr/share/licenses/libpam4j/LICENSE
/usr/share/maven-metadata/libpam4j.xml
/usr/share/maven-poms/libpam4j
/usr/share/maven-poms/libpam4j/libpam4j.pom

Can we test this other than a clean update? No previous updates for it.
Yeah for Java stuff like this, just test that it updates cleanly.
MGA6-32 on Dell Latitude D600 MATE

No installation issues. Clean install OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Test updating M6/64

Installed from current repos (note *no* lib64... here):
libpam4j-javadoc-1.8-7.mga6.noarch.rpm
libpam4j-1.8-7.mga6.noarch.rpm

From Updates Testing, updated via MCC-Update System to:
libpam4j-1.8-7.1.mga6
libpam4j-javadoc-1.8-7.1.mga6

No problems. OK.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0234.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED