
[1/1] package/linux-pam: security bump to version 1.5.1

Message ID 20201126192950.135871-1-fontaine.fabrice@gmail.com
State Not Applicable

Commit Message

Fabrice Fontaine Nov. 26, 2020, 7:29 p.m. UTC
Fix CVE-2020-27780 - authentication bypass when a user doesn't exist and
root password is blank

https://github.com/linux-pam/linux-pam/releases/tag/v1.5.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/linux-pam/linux-pam.hash | 4 ++--
 package/linux-pam/linux-pam.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Comments

Peter Korsgaard Nov. 26, 2020, 4:06 p.m. UTC | #1
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2020-27780 - authentication bypass when a user doesn't exist and
 > root password is blank

 > https://github.com/linux-pam/linux-pam/releases/tag/v1.5.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 >  package/linux-pam/linux-pam.hash | 4 ++--
 >  package/linux-pam/linux-pam.mk   | 2 +-
 >  2 files changed, 3 insertions(+), 3 deletions(-)

 > diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash
 > index 15e67a5e4c..10cd7be9c4 100644
 > --- a/package/linux-pam/linux-pam.hash
 > +++ b/package/linux-pam/linux-pam.hash
 > @@ -1,6 +1,6 @@
 >  # Locally computed hashes after checking signature at
 > -# https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/Linux-PAM-1.5.0.tar.xz.asc
 > +# https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz.asc
 >  # signed with the key 8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB
 > -sha256  02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8  Linux-PAM-1.5.0.tar.xz
 > +sha256  201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc  Linux-PAM-1.5.1.tar.xz
 >  # Locally computed
 >  sha256  133d98e7a2ab3ffd330b4debb0bfc10fea21e4b2b5a5b09de2e924293be5ff08  Copyright
 > diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
 > index 176830c1d3..61d9542c02 100644
 > --- a/package/linux-pam/linux-pam.mk
 > +++ b/package/linux-pam/linux-pam.mk
 > @@ -4,7 +4,7 @@
 >  #
 >  ################################################################################
 
 > -LINUX_PAM_VERSION = 1.5.0
 > +LINUX_PAM_VERSION = 1.5.1

Ehh, we only have 1.4.0 in master and next?

It would be good to notice that this security issue only exists in pam
1.5.0.
Fabrice Fontaine Nov. 26, 2020, 4:49 p.m. UTC | #2
On Thu., Nov. 26, 2020 at 17:06, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
>  > Fix CVE-2020-27780 - authentication bypass when a user doesn't exist and
>  > root password is blank
>
>  > https://github.com/linux-pam/linux-pam/releases/tag/v1.5.1
>
>  > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>  > ---
>  >  package/linux-pam/linux-pam.hash | 4 ++--
>  >  package/linux-pam/linux-pam.mk   | 2 +-
>  >  2 files changed, 3 insertions(+), 3 deletions(-)
>
>  > diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash
>  > index 15e67a5e4c..10cd7be9c4 100644
>  > --- a/package/linux-pam/linux-pam.hash
>  > +++ b/package/linux-pam/linux-pam.hash
>  > @@ -1,6 +1,6 @@
>  >  # Locally computed hashes after checking signature at
>  > -# https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/Linux-PAM-1.5.0.tar.xz.asc
>  > +# https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz.asc
>  >  # signed with the key 8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB
>  > -sha256  02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8  Linux-PAM-1.5.0.tar.xz
>  > +sha256  201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc  Linux-PAM-1.5.1.tar.xz
>  >  # Locally computed
>  >  sha256  133d98e7a2ab3ffd330b4debb0bfc10fea21e4b2b5a5b09de2e924293be5ff08  Copyright
>  > diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
>  > index 176830c1d3..61d9542c02 100644
>  > --- a/package/linux-pam/linux-pam.mk
>  > +++ b/package/linux-pam/linux-pam.mk
>  > @@ -4,7 +4,7 @@
>  >  #
>  >  ################################################################################
>
>  > -LINUX_PAM_VERSION = 1.5.0
>  > +LINUX_PAM_VERSION = 1.5.1
>
> Ehh, we only have 1.4.0 in master and next?
Indeed, the patch to bump linux-pam to version 1.5.0 has not been applied
yet; I'll send a v2.
>
> It would be good to notice that this security issue only exists in pam
> 1.5.0.
>
> --
> Bye, Peter Korsgaard
Best Regards,

Fabrice

Patch

diff --git a/package/linux-pam/linux-pam.hash b/package/linux-pam/linux-pam.hash
index 15e67a5e4c..10cd7be9c4 100644
--- a/package/linux-pam/linux-pam.hash
+++ b/package/linux-pam/linux-pam.hash
@@ -1,6 +1,6 @@ 
 # Locally computed hashes after checking signature at
-# https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/Linux-PAM-1.5.0.tar.xz.asc
+# https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz.asc
 # signed with the key 8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB
-sha256  02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8  Linux-PAM-1.5.0.tar.xz
+sha256  201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc  Linux-PAM-1.5.1.tar.xz
 # Locally computed
 sha256  133d98e7a2ab3ffd330b4debb0bfc10fea21e4b2b5a5b09de2e924293be5ff08  Copyright
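Review bot: this hunk is a delta against a hash file that already references 1.5.0 (the removed `-# https://github.com/linux-pam/linux-pam/releases/download/v1.5.0/...` and `-sha256 ... Linux-PAM-1.5.0.tar.xz` lines, index 15e67a5e4c), but as the review comment notes master and next still carry 1.4.0, so this hunk will not apply; rebase on the in-tree 1.4.0 hash file for v2, or fold the pending 1.5.0 bump into it. The comment header says the hash was computed after checking the signature with key 8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB; it would help reviewers if the commit message stated that the 1.5.1 tarball signature was verified against that same key and that the Copyright hash, left here as context, was re-checked and is unchanged.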
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 176830c1d3..61d9542c02 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LINUX_PAM_VERSION = 1.5.0
+LINUX_PAM_VERSION = 1.5.1
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.xz
 LINUX_PAM_SITE = https://github.com/linux-pam/linux-pam/releases/download/v$(LINUX_PAM_VERSION)
 LINUX_PAM_INSTALL_STAGING = YES
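Review bot: the only change is `-LINUX_PAM_VERSION = 1.5.0` to `+LINUX_PAM_VERSION = 1.5.1`, which again assumes a 1.5.0 baseline (index 176830c1d3) that, per the discussion, is not in master or next. The commit message calls this a "security bump", yet the review comment states CVE-2020-27780 only exists in pam 1.5.0; the v2 should say explicitly that trees on 1.4.0 are not affected by the CVE and that the security relevance applies only relative to the unmerged 1.5.0 bump, so that release and backport decisions are not made on a misleading subject line. LINUX_PAM_SOURCE and LINUX_PAM_SITE derive from the version variable, so no further changes are needed in this file once the baseline is corrected.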