Moderate CentOS pam Security Update

Metadata

medium
5.8
pam-1.1.1-20.el6_7.1.i686.rpm, pam-1.1.1-20.el6_7.1.src.rpm, pam-1.1.1-20.el6_7.1.x86_64.rpm, pam-1.1.8-12.el7_1.1.i686.rpm, pam-1.1.8-12.el7_1.1.src.rpm, pam-1.1.8-12.el7_1.1.x86_64.rpm, pam-devel-1.1.1-20.el6_7.1.i686.rpm, pam-devel-1.1.1-20.el6_7.1.x86_64.rpm, pam-devel-1.1.8-12.el7_1.1.i686.rpm, pam-devel-1.1.8-12.el7_1.1.x86_64.rpm
CVE-2015-3238
rhn.redhat.com, lists.centos.org, lists.centos.org
2015-08-18
2017-07-27 19:09
ALAS-2015-589
CVE-2015-3238 pam
CVE-2015-3238
2017-04-01 19:09
2017-01-05 20:13

Description

An updated pam package that fixes one security issue is now available for
Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs to handle authentication.

It was discovered that the _unix_run_helper_binary() function of PAM's
unix_pam module could write to a blocking pipe, possibly causing the
function to become unresponsive. An attacker able to supply large passwords
to the unix_pam module could use this flaw to enumerate valid user
accounts, or cause a denial of service on the system. (CVE-2015-3238)
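The failure mode in that paragraph, as an added example that is not the advisory's or Linux-PAM's own code: pam_unix (the module the advisory text calls unix_pam) forks its unix_chkpwd helper and writes the password into a pipe, and a plain blocking write() stalls once the pipe buffer fills and the helper has stopped reading, which is the hang the advisory describes. The program below models the helper with a pipe inside one process, keeps the unbounded write only for comparison, and shows the hardened sender: a length cap checked before anything is written, plus a non-blocking, poll()-timed write so that a stalled helper yields ETIMEDOUT instead of an unresponsive module. HELPER_MAX_SECRET and HELPER_WRITE_TIMEOUT_MS are stand-in values chosen for this example, not Linux-PAM's constants.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical bound on what the helper will read (stand-in for the example). */
#define HELPER_MAX_SECRET 200
/* How long the sender waits for the helper to make room in the pipe. */
#define HELPER_WRITE_TIMEOUT_MS 200

/* Constructed payload standing in for a user-supplied password. */
static char *make_secret(size_t len) {
    char *s = malloc(len ? len : 1);
    if (s) memset(s, 'A', len);
    return s;
}

/* Vulnerable pattern: an unbounded blocking write. Once the helper stops
 * reading and the pipe buffer is full, this call never returns. Kept only
 * for comparison; the demo functions below never call it. */
int send_secret_unbounded(int fd, const char *secret, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, secret + off, len - off);
        if (n < 0) return -1;
        off += (size_t)n;
    }
    return 0;
}

/* Hardened pattern: refuse over-long input before writing anything, then
 * write non-blockingly and wait at most timeout_ms for room in the pipe.
 * Returns 0 on success, -1 with errno = E2BIG, ETIMEDOUT or a write error. */
int send_secret_bounded(int fd, const char *secret, size_t len,
                        size_t max_len, int timeout_ms) {
    if (len > max_len) { errno = E2BIG; return -1; }
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    size_t off = 0;
    while (off < len) {
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        int ready = poll(&pfd, 1, timeout_ms);
        if (ready < 0) { if (errno == EINTR) continue; return -1; }
        if (ready == 0) { errno = ETIMEDOUT; return -1; } /* helper stalled */
        ssize_t n = write(fd, secret + off, len - off);
        if (n < 0) {
            if (errno == EAGAIN || errno == EINTR) continue;
            return -1; /* e.g. EPIPE: the helper has gone away */
        }
        off += (size_t)n;
    }
    return 0;
}

/* Model of a helper that never consumes its input: the read end stays open
 * but nothing reads it. Returns 0 on success or the errno of the failure. */
int run_with_stalled_helper(size_t len, size_t max_len) {
    int fds[2];
    if (pipe(fds) < 0) return errno;
    signal(SIGPIPE, SIG_IGN); /* a vanished reader surfaces as EPIPE, not a signal */
    char *secret = make_secret(len);
    if (!secret) { close(fds[0]); close(fds[1]); return ENOMEM; }
    int rc = send_secret_bounded(fds[1], secret, len, max_len, HELPER_WRITE_TIMEOUT_MS);
    int err = rc < 0 ? errno : 0;
    free(secret);
    close(fds[0]);
    close(fds[1]);
    return err;
}

/* Model of a well-behaved helper: a forked child drains the pipe completely,
 * so even a payload far larger than the pipe buffer goes through. */
int run_with_draining_helper(size_t len, size_t max_len) {
    int fds[2];
    if (pipe(fds) < 0) return errno;
    signal(SIGPIPE, SIG_IGN);
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {                      /* the "helper": read until EOF, then exit */
        close(fds[1]);
        char buf[4096];
        while (read(fds[0], buf, sizeof buf) > 0) { }
        _exit(0);
    }
    close(fds[0]);
    char *secret = make_secret(len);
    if (!secret) { close(fds[1]); waitpid(pid, NULL, 0); return ENOMEM; }
    int rc = send_secret_bounded(fds[1], secret, len, max_len, HELPER_WRITE_TIMEOUT_MS);
    int err = rc < 0 ? errno : 0;
    free(secret);
    close(fds[1]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(void) {
    size_t big = (size_t)4 << 20; /* 4 MiB: far more than any default pipe buffer */
    printf("oversized, limit on, stalled helper : %s\n", strerror(run_with_stalled_helper(big, HELPER_MAX_SECRET)));
    printf("oversized, limit off, stalled helper: %s\n", strerror(run_with_stalled_helper(big, (size_t)-1)));
    printf("short, stalled helper               : %s\n", strerror(run_with_stalled_helper(100, HELPER_MAX_SECRET)));
    printf("oversized, draining helper          : %s\n", strerror(run_with_draining_helper(big, (size_t)-1)));
    return 0;
}
```

The length cap is the cheaper and more robust control because it holds regardless of pipe size and never touches the pipe for rejected input; the poll() timeout is defence in depth for a helper that stops reading for some other reason. Either way the module returns an error promptly instead of hanging, which also removes the timing difference an account-enumeration attempt would rely on.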

Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for
reporting this issue.

All pam users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or you can let us figure it out for you: Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release  Package    Patched in
6        pam        pam-1.1.1-20.el6_7.1.i686.rpm
6        pam        pam-1.1.1-20.el6_7.1.src.rpm
6        pam        pam-1.1.1-20.el6_7.1.x86_64.rpm
6        pam-devel  pam-devel-1.1.1-20.el6_7.1.i686.rpm
6        pam-devel  pam-devel-1.1.1-20.el6_7.1.x86_64.rpm
7        pam        pam-1.1.8-12.el7_1.1.x86_64.rpm
7        pam        pam-1.1.8-12.el7_1.1.i686.rpm
7        pam        pam-1.1.8-12.el7_1.1.src.rpm
7        pam-devel  pam-devel-1.1.8-12.el7_1.1.i686.rpm
7        pam-devel  pam-devel-1.1.8-12.el7_1.1.x86_64.rpm