Arch Linux 811 Published by

A pam security update has been released for Arch Linux.



ASA-202012-13: pam: authentication bypass


Arch Linux Security Advisory ASA-202012-13
=========================================
Severity: High
Date : 2020-12-09
CVE-ID : CVE-2020-27780
Package : pam
Type : authentication bypass
Remote : No
Link :   https://security.archlinux.org/AVG-1297

Summary
======
The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.

Resolution
=========
Upgrade to 1.5.0-2.

# pacman -Syu "pam>=1.5.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
The issue can be mitigated by setting a non-empty password for the root
user.

Description
==========
An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.

Impact
=====
In some unusual configurations, a remote user might be able to bypass
authentication.

References
=========
  https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
  https://github.com/linux-pam/linux-pam/pull/300
  https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
  https://security.archlinux.org/CVE-2020-27780