7.5 - DSA-177

Paul Aurich and Samuele Giovanni Tonon discovered a serious security violation in PAM. Disabled passwords (i.e. those with '*' in the password file) were classified as empty password and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem.

As stated in the Debian security team FAQ (see URL in header), testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. This security advisory is an exception to that rule, due to the seriousness of the problem.

We recommend that you upgrade your PAM packages immediately if you are running Debian/unstable.

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

Debian GNU/Linux unstable alias sid