Bug#1061097: pam: CVE-2024-22365: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations


Salvatore Bonaccorso

Jan 18, 2024, 2:50:05 AM
Source: pam
Version: 1.5.2-9.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: found -1 1.5.2-6+deb12u1
Control: found -1 1.5.2-6
Control: found -1 1.4.0-9+deb11u1
Control: found -1 1.4.0-9

Hi,

The following vulnerability was published for pam.

CVE-2024-22365[0]:
| pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
| situations

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22365
https://www.cve.org/CVERecord?id=CVE-2024-22365
[1] https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
[2] https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

Regards,
Salvatore

Salvatore Bonaccorso

Jan 19, 2024, 2:40:05 PM
Hi Sam,

Note the issue does not warrant a DSA, but ideally we have it fixed
already in the upcoming point releases.

I have prepared debdiffs to propose to SRM, see attached.

But for that we would need first the fix to land into unstable. What
would be the plan here? Would you move 1.6.0 soonish to unstable,
1.5.3-1 + CVE patch or rather do a patch on top of 1.5.2-9.1 in
unstable? For the latter I could propose based on the done work as well
a NMU to unstable.

The point release, though not yet announced, is planned for early in
February, so hope we can manage it.

Regards,
Salvatore
pam_1.4.0-9+deb11u2.debdiff
pam_1.5.2-6+deb12u2.debdiff