pam-1.3.1-36.el8_10

Errata ID: AXSA:2024-9040:04

Release date: Friday, November 29, 2024 - 14:13
Subject: pam-1.3.1-36.el8_10
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.

Security Fix(es):

* pam: libpam: Libpam vulnerable to read hashed password (CVE-2024-10041)
* pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass (CVE-2024-10963)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-10041
A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
CVE-2024-10963
A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.
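
For CVE-2024-10963, the following added example (not part of this advisory or of the PAM project's code) audits an access.conf for origin entries that are bare names, such as tty or service names, which are the kind of entry that could be read as a hostname. It assumes the default `permission:users:origins` layout and separators, and it uses the heuristic that a name with no dot that is not a keyword, netgroup or address is such an entry; the sample configuration is constructed.

```python
import ipaddress
import re

# Origin keywords assumed from pam_access's documented access.conf syntax.
KEYWORDS = {"ALL", "LOCAL", "NONE", "EXCEPT"}

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
# permission:users:origins
+:root:cron crond :0 tty1
+:admin:192.168.10.0/24 .example.com
-:ALL EXCEPT wheel:LOCAL
+:deploy:build01.example.com 2001:db8::/32
-:ALL:ALL
"""

def is_network(token):
    """True if the token parses as an IP address or address/mask."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def ambiguous_origins(conf_text):
    """Return (line_no, permission, token) for bare-name origin entries."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only: IPv6 origins contain colons.
        fields = line.split(":", 2)
        if len(fields) != 3:
            continue  # malformed rule, out of scope here
        permission, origins = fields[0].strip(), fields[2]
        for token in re.split(r"[,\s]+", origins.strip()):
            if not token or token.upper() in KEYWORDS:
                continue
            if token.startswith(("@", ".")) or token.endswith("."):
                continue  # netgroup, domain suffix or network prefix
            if is_network(token) or "." in token:
                continue  # address, network or dotted host name
            findings.append((line_no, permission, token))
    return findings

if __name__ == "__main__":
    for line_no, permission, token in ambiguous_origins(SAMPLE):
        print(f"line {line_no}: '{token}' in a '{permission}' rule is a bare name")
```

Entries it reports are candidates for review after the package update, not confirmed findings.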

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pam-1.3.1-36.el8_10.src.rpm
    MD5: bfd5bfd0fdaeaeff780f1edaea0a8cec
    SHA-256: 6dbed15f8a89793e50bb8f89f575a393db7dcdb4730ba2d69c5b9b44df92ca55
    Size: 1.11 MB

Asianux Server 8 for x86_64
  1. pam-1.3.1-36.el8_10.i686.rpm
    MD5: 0e1a2c9db5ed65e6ffe62cca52277db7
    SHA-256: 3599a0466547ef412ffe04742dca2aeddfa6d3dbc493a31d42c416dcb9380d8b
    Size: 766.93 kB
  2. pam-1.3.1-36.el8_10.x86_64.rpm
    MD5: 98e0764411679b7ce29e9cdb316e6bfd
    SHA-256: 3871d32df32b7a51ca6a30dc0510577a9642ef03b299bf789548c23767dab4bb
    Size: 746.55 kB
  3. pam-devel-1.3.1-36.el8_10.i686.rpm
    MD5: 910ffc2c2f02d97ea758699ede1af6ae
    SHA-256: c5b8a2d031298d4248fe3db9b009ce86462026c1f8b41f9c52b2701ae75efb55
    Size: 211.21 kB
  4. pam-devel-1.3.1-36.el8_10.x86_64.rpm
    MD5: a7e01fd6d58ac746bae42ef7792db305
    SHA-256: ac5e499109c613583e4eff14154e8d8c69ae6cb3ad56532c6fa8937733daa051
    Size: 211.21 kB