Bug#879001: CVE-2017-12197: libpam4j: Account check bypass
Raphael Hertzog
hertzog at debian.org
Wed Oct 18 10:21:44 UTC 2017
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security
Hi,
the following vulnerability was published for libpam4j.
CVE-2017-12197[0]: libpam4j: Account check bypass
PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.
https://bugzilla.redhat.com/show_bug.cgi?id=1503103
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
Please adjust the affected versions in the BTS as needed.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
More information about the pkg-java-maintainers
mailing list