From secure@CONECTIVA.COM.BR Thu Dec 14 16:51:06 2000 From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 13 Dec 2000 17:44:05 -0200 Subject: [BUGTRAQ] [CLA-2000:358] Conectiva Linux Security Announcement - pam -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - ----------------------------------------------------------------------- PACKAGE : pam SUMMARY : Buffer overflow in pam_localuser DATE : 2000-12-13 17:42:00 ID : CLA-2000:358 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, 5.1, 6.0 - ---------------------------------------------------------------------- DESCRIPTION The pam_localuser module, part of the PAM package, has a buffer overflow vulnerability in it. This module is *not* used in any default configuration and to be vulnerable an user would have to insert it manually in a configuration file in the /etc/pam.d directory. SOLUTION All users of the pam_localuser module should upgrade. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/pam-0.72-23cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/pam-0.72-23cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ---------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato - ----------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.conectiva.com.br/suporte/atualizacoes - ---------------------------------------------------------------------- subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6N9GE42jd0JmAcZARAniRAKCrNrTjKkAqCGRtvnbzAw9ewKPfYwCfU5q5 RUCdr4rVEgoqB1qZaSIZugM= =Zc7t -----END PGP SIGNATURE-----