--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17112
2010-11-02 21:39:09
--------------------------------------------------------------------------------

Name        : pam
Product     : Fedora 13
Version     : 1.1.1
Release     : 6.fc13
URL         : http://www.us.kernel.org/pub/linux/libs/pam/index.html
Summary     : An extensible library which provides authentication for applications
Description :
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

--------------------------------------------------------------------------------
Update Information:

This update fixes moderate vulnerabilities in pam_env, pam_namespace, pam_mail,
and pam_xauth modules. Default configurations (or configurations generated by
authconfig) are not affected by the pam_mail and pam_namespace vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov  2 2010 Tomas Mraz <[email protected]> 1.1.1-6
- fix insecure dropping of privileges in pam_xauth, pam_env,
  and pam_mail - CVE-2010-3316 (#637898), CVE-2010-3435 (#641335)
- fix insecure executing of scripts with user supplied environment
  variables in pam_namespace - CVE-2010-3853 (#643043)
* Thu Jul 15 2010 Tomas Mraz <[email protected]> 1.1.1-5
- do not overwrite tallylog with empty file on upgrade
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #637898 - CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls
        https://bugzilla.redhat.com/show_bug.cgi?id=637898
  [ 2 ] Bug #641335 - CVE-2010-3435 pam: pam_env and pam_mail accessing users' file with root privileges
        https://bugzilla.redhat.com/show_bug.cgi?id=641335
  [ 3 ] Bug #643043 - CVE-2010-3853 pam: pam_namespace executes namespace.init with service's environment
        https://bugzilla.redhat.com/show_bug.cgi?id=643043
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.
Use su -c 'yum update pam' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
