
Arch Linux alert ASA-202012-13 (pam)

From:  Morten Linderud <foxboron@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-202012-13] pam: authentication bypass
Date:  Thu, 17 Dec 2020 20:21:53 +0100
Message-ID:  <20201217192153.6eyc7vlonev43vf5@anathema>

Arch Linux Security Advisory ASA-202012-13
==========================================

Severity: High
Date    : 2020-12-09
CVE-ID  : CVE-2020-27780
Package : pam
Type    : authentication bypass
Remote  : No
Link    : https://security.archlinux.org/AVG-1297

Summary
=======

The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.

Resolution
==========

Upgrade to 1.5.0-2.

# pacman -Syu "pam>=1.5.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

The issue can be mitigated by setting a non-empty password for the root
user.

Description
===========

An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.

Impact
======

In some unusual configurations, a remote user might be able to bypass
authentication.

References
==========

https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd28...
https://github.com/linux-pam/linux-pam/pull/300
https://github.com/linux-pam/linux-pam/commit/30fdfb90d98...
https://security.archlinux.org/CVE-2020-27780
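A check for the condition the workaround addresses, as an added example that is not part of the advisory: it reads the root entry of a shadow(5)-format file and reports whether the password field is empty. The function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# Classify the root entry of a shadow(5)-format file.
# $1: path to the file (defaults to /etc/shadow, which needs root to read).
# Prints one of: empty, locked, set, missing.
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          state = "empty"   # no password required
            else if ($2 ~ /^[!*]/) state = "locked"  # password login disabled
            else                   state = "set"     # a hash is present
            exit
        }
        END { print (found ? state : "missing") }
    ' "${1:-/etc/shadow}"
}

# Exit status: 0 if the root password field is not empty (workaround in place),
# 1 if it is empty, 2 if the file has no root entry at all.
workaround_in_place() {
    case "$(root_password_state "$1")" in
        empty)   return 1 ;;
        missing) return 2 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample entries (not real account data): root has an empty
# password field, which is the state the advisory's workaround removes.
sample=$(mktemp)
printf '%s\n' 'daemon:!*:18600::::::' 'root::18600::::::' > "$sample"
echo "sample root entry: $(root_password_state "$sample")"
rm -f "$sample"
```

Run `workaround_in_place` with no argument as root to check the live /etc/shadow; a non-zero status on a host still running pam 1.5.0 before 1.5.0-2 means the workaround has not been applied.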



