Bug#879002: Patch for CVE-2017-12197

Salvatore Bonaccorso carnil at debian.org
Fri Nov 3 20:48:21 UTC 2017


Control: forwarded -1 https://github.com/kohsuke/libpam4j/issues/18
Control: tags -1 + patch upstream

Hi Raphael, Emmanuel and Markus,

On Fri, Nov 03, 2017 at 09:19:56PM +0100, Markus Koschany wrote:
> On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg <ebourg at apache.org> wrote:
> > Upstream has moved to GitHub [1] and the last update was released in
> > 2014 but the security issue is still not fixed [2].
> > 
> > This was a dependency of Jenkins which is now gone. There is a slim
> > chance that this package could be useful again in the future since it's
> > a dependency of some Apache projects (Zeppelin, Atlas, Ranger and Knox).
> > 
> > Emmanuel Bourg
> > 
> > [1] https://github.com/kohsuke
> > [2] https://github.com/kohsuke/libpam4j/issues/18
> 
> Apparently Red Hat patched their libpam4j package but they didn't
> forward the patch upstream.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1503103

It's likely that Red Hat just used the same approach as
https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
and referenced from https://github.com/kohsuke/libpam4j/issues/18.

The issue arises because "PAM.authentication() does not call
pam_acct_mgmt(). As a consequence, the PAM account is not properly
verified. Any user with a valid password but with deactivated or
disabled account is able to log in."

The above commit should address that.

Regards,
Salvatore
