Source: pam
Version: 1.5.3-7
Severity: important
Tags: security upstream
Forwarded: https://github.com/linux-pam/linux-pam/issues/834
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for pam.

CVE-2024-10963[0]:
| A vulnerability was found in pam_access due to the improper handling
| of tokens in access.conf, interpreted as hostnames. This flaw allows
| attackers to bypass access restrictions by spoofing hostnames,
| undermining configurations designed to limit access to specific TTYs
| or services. The flaw poses a risk in environments relying on these
| configurations for local access control.

At this time, 2024-11-08, it is unclear if upstream is going to change the
behaviour and discussion is still ongoing on the upstream issue. This bug
serves to track this upstream issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-10963
    https://www.cve.org/CVERecord?id=CVE-2024-10963
[1] https://github.com/linux-pam/linux-pam/issues/834

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
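The CVE text describes access.conf origin tokens that are meant to name a TTY or service but can also be read as hostnames. A defender-side lint for that class of rule is added below as an example; it is not part of this bug report, of Debian's packaging, or of Linux-PAM. It assumes only the documented access.conf origin syntax (the ALL/LOCAL/EXCEPT keywords, `.domain` suffixes, `@netgroup` names, and IP addresses or networks) and treats every other bare word as ambiguous, because no syntax separates a TTY name from a hostname. The sample configuration is constructed for the example.

```python
"""Lint an access.conf for origin tokens that pam_access may match either as a
TTY/service name or as a hostname (the ambiguity described in CVE-2024-10963).

Added example, not code from the bug report or from Linux-PAM. Classification
follows the documented origin syntax; anything not recognisable by syntax is
reported as ambiguous so an administrator can review or rewrite the rule.
"""
import ipaddress

# Origin keywords with a fixed meaning in access.conf.
KEYWORDS = {"ALL", "LOCAL", "EXCEPT"}

# Constructed sample configuration (not taken from any real system).
SAMPLE_ACCESS_CONF = """\
# constructed sample, not a real system's access.conf
+ : root : tty1 tty2
+ : admins : LOCAL
+ : wheel : 192.168.1.0/255.255.255.0 2001:db8::/32
+ : ops : .example.com @ops-hosts
- : ALL : ALL
"""


def is_address_or_network(token: str) -> bool:
    """True for a single IP address or a network in CIDR or dotted-netmask form."""
    for parser in (ipaddress.ip_address, lambda t: ipaddress.ip_network(t, strict=False)):
        try:
            parser(token)
            return True
        except ValueError:
            continue
    return False


def classify_origin(token: str) -> str:
    """Classify one origin token by what pam_access can tell from its syntax."""
    if token in KEYWORDS:
        return "keyword"
    if token.startswith("@"):
        return "netgroup"
    if token.startswith("."):
        return "domain-suffix"
    if is_address_or_network(token):
        return "address"
    # A bare word: could be a TTY, a service name, or a hostname. This is the
    # case the CVE concerns, so it is what the lint reports.
    return "ambiguous"


def parse_access_conf(text: str):
    """Return (lineno, permission, users, origins) for each rule line.

    Comments and blank lines are skipped. The line is split on the first two
    colons only, so IPv6 addresses in the origins field survive intact.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 3:
            continue  # malformed rule; this lint simply ignores it
        perm, users, origins = fields[0], fields[1].split(), fields[2].split()
        rules.append((lineno, perm, users, origins))
    return rules


def find_ambiguous(text: str):
    """List (lineno, token) for every origin that cannot be typed by syntax."""
    hits = []
    for lineno, _perm, _users, origins in parse_access_conf(text):
        for token in origins:
            if classify_origin(token) == "ambiguous":
                hits.append((lineno, token))
    return hits


if __name__ == "__main__":
    for lineno, token in find_ambiguous(SAMPLE_ACCESS_CONF):
        print(f"line {lineno}: origin '{token}' may match a hostname as well as a TTY")
```

Running the script against the constructed sample reports the two `tty` tokens on line 2; the LOCAL keyword, the address rules, the domain suffix and the netgroup are left alone because their syntax fixes their meaning. On a real host, point `find_ambiguous` at the contents of `/etc/security/access.conf` and review each reported rule against what the rule was meant to restrict.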