#1087019 pam: CVE-2024-10963

Package:
src:pam
Source:
src:pam
Submitter:
Salvatore Bonaccorso
Date:
2024-11-08 09:06:02 UTC
Severity:
normal
Tags:
#1087019#5
Date:
2024-11-08 09:02:22 UTC
Hi,

The following vulnerability was published for pam.

CVE-2024-10963[0]:
| A vulnerability was found in pam_access due to the improper handling
| of tokens in access.conf, interpreted as hostnames. This flaw allows
| attackers to bypass access restrictions by spoofing hostnames,
| undermining configurations designed to limit access to specific TTYs
| or services. The flaw poses a risk in environments relying on these
| configurations for local access control.

At this time, 2024-11-08, it is unclear if upstream is going to change
the behaviour and discussion is still ongoing on the upstream issue.
This bug serves to track this upstream issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-10963
https://www.cve.org/CVERecord?id=CVE-2024-10963
[1] https://github.com/linux-pam/linux-pam/issues/834

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
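
An audit sketch for the configuration pattern the CVE description refers to, added here as an example and not taken from the bug report or from Linux-PAM: it lists origin tokens in access.conf that are neither keywords, addresses nor dotted host or domain names, such as TTY or service names. It assumes the default ":" field separator and whitespace list separator, and treating every such bare name as worth review is a heuristic assumption, as are all function names.

```python
import ipaddress

KEYWORDS = {"ALL", "LOCAL", "NONE", "EXCEPT"}

def classify_origin(token):
    """Return a coarse class for one token from the origins field."""
    if token in KEYWORDS:
        return "keyword"
    if token.startswith("@"):
        return "netgroup"
    if token.startswith(".") or token.endswith("."):
        return "domain-or-network"
    try:
        ipaddress.ip_network(token, strict=False)  # IPv4/IPv6 address or network
        return "address"
    except ValueError:
        pass
    if "." in token:
        return "hostname"
    # Assumption: a bare name (tty1, cron, ...) is meant as a TTY or service,
    # which is the kind of token the CVE text says is interpreted as a hostname.
    return "bare-name"

def audit_access_conf(text):
    """Return (line number, permission, token) for every bare-name origin."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split off only the first two fields so IPv6 origins keep their colons.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        perm, _users, origins = (p.strip() for p in parts)
        for token in origins.split():
            if classify_origin(token) == "bare-name":
                findings.append((lineno, perm, token))
    return findings

# Constructed sample configuration, not from the bug report.
SAMPLE = """\
# constructed sample
+:root:tty1 cron
+:admin:192.0.2.0/24 .example.org
+:backup:2001:db8::/32
-:ALL EXCEPT root:LOCAL
-:ALL:ALL
"""

if __name__ == "__main__":
    for lineno, perm, token in audit_access_conf(SAMPLE):
        print(f"line {lineno}: '{token}' in a '{perm}' rule is a bare name; review it")
```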