[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-10963
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jul 1 20:09:02 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7b9e3993 by Salvatore Bonaccorso at 2025-07-01T21:07:49+02:00
Update status for CVE-2024-10963
Technically speaking the CVE is not yet fixed with the mitigation patch.
After some discussion though it seems unlikely (for now) that other
changes land which implement fixing the root cause in any configuration
(enforce the option?).
The 1.7.1 upstream release marks as well the CVE (but conflicting with
the upstream issue which is kept open).
For now mark the CVE as fixed and extend the note explaining the
situation.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -74463,8 +74463,7 @@ CVE-2024-10965 (A vulnerability classified as problematic was found in emqx neur
CVE-2024-10964 (A vulnerability classified as critical has been found in emqx neuron u ...)
NOT-FOR-US: emqx neuron
CVE-2024-10963 (A flaw was found in pam_access, where certain rules in its configurati ...)
- - pam <unfixed> (bug #1087019)
- [trixie] - pam <postponed> (Minor issue, revisit when fixed upstream)
+ - pam 1.7.0-5 (bug #1087019)
[bookworm] - pam <not-affected> (The vulnerable code was introduced in 1.5.3)
[bullseye] - pam <not-affected> (The vulnerable code was introduced in 1.5.3)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2324291
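Review bot: On the added line `- pam 1.7.0-5 (bug #1087019)`, the version recorded as fixed is the one the NOTE lines describe as only backporting the nodns option, so anyone reading the status alone will treat an upgrade to 1.7.0-5 as sufficient while the protection depends on the option being set. The `[trixie] - pam <postponed>` line is removed in the same hunk, so trixie no longer carries its own annotation and is judged by that version alone; please confirm trixie ships 1.7.0-5 or later, and keep a suite-specific line if it does not.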
@@ -74472,7 +74471,8 @@ CVE-2024-10963 (A flaw was found in pam_access, where certain rules in its confi
NOTE: Introduced in https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f (v1.5.3)
NOTE: Mitigated by: https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628 (v1.7.1)
NOTE: Since pam/1.7.0-5 in Debian unstable backports upstream commit to implement
- NOTE: the nodns option to allow people to work around #1087019.
+ NOTE: the nodns option to allow people to work around #1087019, even though it doesn't
+ NOTE: fix the root cause.
CVE-2024-10668 (There exists an auth bypass in Google Quickshare where an attacker can ...)
NOT-FOR-US: Google Quickshare
CVE-2024-10526 (Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a ...)
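Review bot: The extended NOTE ending in `fix the root cause.` says nodns is only a workaround, but it does not say that the entry is marked fixed deliberately on that basis, which is the reasoning given in the commit message. Suggest one more NOTE line stating that the fixed version reflects the mitigation only, that nodns has to be enabled in the pam_access configuration by the administrator, and that the upstream issue is still open, so the status and the notes do not read as contradicting each other.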
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b9e3993ec51474100ae136f028aa6f89bb53a51