Control: forwarded -1 https://github.com/kohsuke/libpam4j/issues/18
Control: tags -1 + patch upstream

Hi Raphael, Emmanuel and Markus,

On Fri, Nov 03, 2017 at 09:19:56PM +0100, Markus Koschany wrote:
> On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg <ebo...@apache.org> wrote:
> > Upstream has moved to GitHub [1] and the last update was released in
> > 2014 but the security issue is still not fixed [2].
> >
> > This was a dependency of Jenkins which is now gone. There is a slim
> > chance that this package could be useful again in the future since it's
> > a dependency of some Apache projects (Zeppelin, Atlas, Ranger and Knox).
> >
> > Emmanuel Bourg
> >
> > [1] https://github.com/kohsuke
> > [2] https://github.com/kohsuke/libpam4j/issues/18
>
> Apparently Red Hat patched their libpam4j package but they didn't
> forward the patch upstream.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1503103

It's likely that Red Hat just used the same approach as
https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
and referenced from https://github.com/kohsuke/libpam4j/issues/18 .

The issue arises because "PAM.authentication() does not call
pam_acct_mgmt(). As a consequence, the PAM account is not properly
verified. Any user with a valid password but with deactivated or disabled
account is able to log in.".

The above commit should address that.

Regards,
Salvatore