- Package: src:libpam-tacplus
- Source: libpam-tacplus
- Submitter: Salvatore Bonaccorso
- Date: 2024-02-26 18:33:06 UTC
- Severity: grave
- Tags:
Hi,

The following vulnerability was published for libpam-tacplus.

CVE-2016-20014[0]:
| In pam_tacplus.c in pam_tacplus before 1.4.1, pam_sm_acct_mgmt does
| not zero out the arep data structure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-20014
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20014
[1] https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
https://github.com/kravietz/pam_tacplus/releases/tag/v1.7.0

libpam-tacplus (1.7.0-1) unstable; urgency=medium

  * libtac: Refactored the complex and overengineered TACACS+ session id
    generation, replacing it with getrandom(2).
  * libtac: gnulib now provides implementations of missing functions.
  * libtac: Removed legacy MD5 code and replaced it with gnulib.
  * libtac: Legacy data structures such as attribute lists were replaced
    with gnulib structures.
  * libtac: CHAP implementation used a fixed challenge in contradiction
    with the RFC 1994 requirement. This was replaced with a pseudo-random
    challenge generated using getrandom(2).
  * libtac: ABI version set to 5:0:0. From now on, this is the only way
    to version the library. The legacy static variables tac_ver_ were
    removed as confusing.
  * pam_tacplus: Calling process PID is now used as the task_id attribute
    in TACACS+ accounting session. This replaces the overengineered
    cryptographically random task identifiers.
  * libtac: Fix CVE-2016-20014. Closes: #1009966
Dear submitter,

as the package libpam-tacplus has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry that we
couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1064106

The version of this package that was in Debian prior to this removal can
still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and will
not propagate to any mirrors until the next dinstall run at the earliest.

This message was generated automatically; if you believe that there is a
problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)