Bug#879001: Bug#879002: Patch for CVE-2017-12197
Markus Koschany
apo at debian.org
Tue Nov 7 12:54:24 UTC 2017
On Fri, 3 Nov 2017 21:48:21 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
[...]
> It's likely that Red Hat just used the approach as
> https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
> and referenced from https://github.com/kohsuke/libpam4j/issues/18 .
>
> The issue arises because "PAM.authentication() does not call
> pam_acct_mgmt(). As a consequence, the PAM account is not properly
> verified. Any user with a valid password but with deactivated or
> disabled account is able to log in.".
>
> The above commit should address that.
Hi,
I haven't got a response from Red Hat or upstream yet. I will apply this
patch. It's the only hint so far that makes sense.
Regards,
Markus
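
The missing account check described in the quoted report, as an added example that is not part of this thread or of libpam4j. It is a small C model: `sim_authenticate` and `sim_acct_mgmt` are hypothetical stand-ins for `pam_authenticate()` and `pam_acct_mgmt()`, and the account table is constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* Return codes with the values Linux-PAM assigns them. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_ACCT_EXPIRED = 13 };

/* Constructed account table standing in for the PAM stack (hypothetical data). */
enum state { ACTIVE, DISABLED, PASSWORD_AGED };
struct account { const char *user, *password; enum state state; };
static const struct account accounts[] = {
    { "alice", "alice-secret", ACTIVE },
    { "bob",   "bob-secret",   DISABLED },      /* password itself is still valid */
    { "carol", "carol-secret", PASSWORD_AGED },
};
static const struct account *find(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0) return &accounts[i];
    return NULL;
}

/* Models pam_authenticate(): verifies the credential and nothing else. */
static int sim_authenticate(const char *user, const char *password) {
    const struct account *a = find(user);
    return (a && strcmp(a->password, password) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
}
/* Models pam_acct_mgmt(): verifies that the account may be used right now. */
static int sim_acct_mgmt(const char *user) {
    const struct account *a = find(user);
    if (!a) return PAM_USER_UNKNOWN;
    if (a->state == DISABLED) return PAM_ACCT_EXPIRED;
    if (a->state == PASSWORD_AGED) return PAM_NEW_AUTHTOK_REQD;
    return PAM_SUCCESS;
}

/* Flow described in the report: the password check alone decides the login. */
int login_without_acct_mgmt(const char *user, const char *password) {
    return sim_authenticate(user, password);
}
/* Corrected flow: any non-success result from the account check denies the login. */
int login_with_acct_mgmt(const char *user, const char *password) {
    int rc = sim_authenticate(user, password);
    if (rc != PAM_SUCCESS) return rc;
    return sim_acct_mgmt(user);
}

int main(void) {
    printf("bob, no account check: %d, with account check: %d\n",
           login_without_acct_mgmt("bob", "bob-secret"),
           login_with_acct_mgmt("bob", "bob-secret"));
    return 0;
}
```

A regression test for the patched package can follow the same shape: a disabled account with a valid password must be rejected.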