blob: b955f331d44647c080069cfeb57090bb3a81c225 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
#use wml::debian::template title="Details on PAM vulnerable configuration"
<p>From versions 1.0.1-6 to 1.0.1-9, the pam-auth-update utility included in
the <a href="http://packages.debian.org/libpam-runtime">libpam-runtime</a>
package in Debian <em>testing</em> and <em>unstable</em> suffered from a bug
whereby systems could be inadvertently configured to allow access with or
without a correct password (<a
href="https://bugs.debian.org/519927">#519927</a>). Although the majority of
users will not have been affected by this bug, those that are affected should
consider their machines to be compromised, particularly if those machines are
configured to allow access from the Internet.</p>
<p>Beginning with version 1.0.1-10, released on 7th August 2009, libpam-runtime
no longer permits this incorrect configuration, and on upgrade will detect if
your system was affected by this bug.</p>
<p>If you were shown a message on upgrade directing
you to this webpage, you should assume that your system has been
compromised. Unless you are familiar with recovering from
security failures, viruses, and malicious software <strong>you should
re-install this system from scratch</strong> or obtain the services of
a skilled system administrator. The
<a href="$(HOME)/doc/manuals/securing-debian-howto/">securing-debian-howto</a>
includes
<a href="$(HOME)/doc/manuals/securing-debian-howto/ch-after-compromise">information
on recovering from a system compromise</a>.</p>
<p>The Debian project apologizes that previous versions of libpam-runtime did
not detect and prevent this situation.</p>
|
