|
|
Subscribe / Log in / New account

Ubuntu alert USN-7580-1 (pam)



From:
              Marc Deslauriers <marc.deslauriers@canonical.com>


To:
              "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com>


Subject:
              [USN-7580-1] PAM vulnerability


Date:
              Wed, 18 Jun 2025 14:16:14 -0400


Message-ID:
              <0972680a-5e70-4c86-80e9-20fbd10f4b5d@canonical.com>


==========================================================================
Ubuntu Security Notice USN-7580-1
June 18, 2025

pam vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

PAM could be made to run programs as an administrator.

Software Description:
- pam: Pluggable Authentication Modules

Details:

Olivier BAL-PETRE discovered that the PAM pam_namespace module incorrectly
handled user-controlled paths. In environments where pam_namespace is used,
a local attacker could possibly use this issue to escalate their privileges
to root.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
   libpam-modules                  1.5.3-7ubuntu4.3

Ubuntu 24.10
   libpam-modules                  1.5.3-7ubuntu2.3

Ubuntu 24.04 LTS
   libpam-modules                  1.5.3-5ubuntu5.4

Ubuntu 22.04 LTS
   libpam-modules                  1.4.0-11ubuntu2.6

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7580-1
   CVE-2025-6020

Package Information:
   https://launchpad.net/ubuntu/+source/pam/1.5.3-7ubuntu4.3
   https://launchpad.net/ubuntu/+source/pam/1.5.3-7ubuntu2.3
   https://launchpad.net/ubuntu/+source/pam/1.5.3-5ubuntu5.4
   https://launchpad.net/ubuntu/+source/pam/1.4.0-11ubuntu2.6





Attachment: OpenPGP_signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmhTAm4FAwAAAAAACgkQZWnYVadEvpNN
+Q//WbTJ6L5NaDh/VjAxKl5mgeN1BOsY+sQ+qmjYIqDLiC7pov2A8yHLmfUb8Yndbh3lG3cYJlQ0
/wEh0q8r4+WJfjC2R9CPhcK/nHwAugl6nk7zxUHgws6vvSneuEx6XkbPECR6GV8CuS0/bbLO51p6
+YINPJaWCNpf1VQIW/iifFupV17tBzOFgU5zroq2XbK2YpQV81c8sM+ZFuKhOxYBTlkmXwOBaMhs
B3auP3bdY2XiOElAmidO7d1Ih/ut5/x8ICjZJClNI0y4kcy5MluHLbsag17r8U3GP9RWObG0IBAG
ETEqt0pvX4DdSN4CIDXVHaJUKK1tVPSm66p5OeoK872fOJkuqgIOpEppEpjc0oqv0H1IrA4Jv0Fq
MA2HbYUy3I593obLaQDlaOOw/onuSBFTF2s4YnZuCH8kbbjHtm4/Q6D/52/3Eikz4zCCZsZe16JT
zCf0ua+ev0NGuJm2qgrZ5vxZBT7oPbGlXvKGGuJjG0O9GCpsbI7aMgk4SRRk+Dr4u8HrFzWV1ydH
uetwRRMNpe1KOJaJXKITvHvVEcYyrbDrMOWudaKOreoRte8Lz96j9HWTAEZyhMXdzrgldv/nN2kW
jcMYJh4thI1sXIMhfw+PBdMxZESMMzdq+pql9yHEkSlRvJ+8JEwxVQrV8burBAiwJ9/yEjKpATNf
YSo=
=wqtt
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds