ALT Linux Team

Package linux-pam update in p10 on 2024-06-28

ALT-PU-2024-8886-4

Package linux-pam updated to version 1.6.1-alt1 for branch p10 in task 350704.

Closed vulnerabilities

Published: 2022-10-10

BDU:2022-06184

Уязвимость функции pam_access.so модуля аутентификации Linux-PAM, позволяющая нарушителю обойти существующие ограничения безопасности

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-01-31
Modified: 2025-03-19

BDU:2024-00829

Уязвимость функции protect_dir (pam_namespace.so) модуля аутентификации Linux-PAM, позволяющая нарушителю вызвать отказ в обслуживании

Severity: LOW (3.3)Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (1.7)Vector: AV:L/AC:L/Au:S/C:N/I:N/A:P
References:
Published: 2022-09-19
Modified: 2025-05-29

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-02-06
Modified: 2025-11-03

CVE-2024-22365

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top