Bug#879002: Patch for CVE-2017-12197
Markus Koschany
apo at debian.org
Fri Nov 3 20:57:43 UTC 2017
Am 03.11.2017 um 21:48 schrieb Salvatore Bonaccorso:
[...]
> It's likely that Red Hat just used the approeach as
> https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
> and referenced from https://github.com/kohsuke/libpam4j/issues/18 .
>
> The issue arises because "PAM.authentication() does not call
> pam_acct_mgmt(). As a consequence, the PAM account is not properly
> verified. Any user with a valid password but with deactivated or
> disabled account is able to log in.".
>
> The above commit should address that.
Hi Salvatore,
Thanks for pointing this out. I asked Red Hat for a clarification
though. It would be interesting to know why this line was commented out
in the first place.
Regards,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20171103/677ef594/attachment-0003.sig>
More information about the pkg-java-maintainers
mailing list