Security update for pam SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:1645-1 Final 1 1 2016-06-21T10:32:29Z current 2016-06-21T10:32:29Z 2016-06-21T10:32:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pam This update for pam fixes two security issues. These security issues were fixed: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - CVE-2013-7041: Compare password hashes case-sensitively (bsc#854480). This non-security issue was fixed: - bsc#962220: Don't fail when /var/log/btmp is corrupted The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-pam-12624,slessp4-pam-12624 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20161645-1/ Link for SUSE-SU-2016:1645-1 https://lists.suse.com/pipermail/sle-security-updates/2016-June/002134.html E-Mail link for SUSE-SU-2016:1645-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/854480 SUSE Bug 854480 https://bugzilla.suse.com/934920 SUSE Bug 934920 https://bugzilla.suse.com/962220 SUSE Bug 962220 https://www.suse.com/security/cve/CVE-2013-7041/ SUSE CVE CVE-2013-7041 page https://www.suse.com/security/cve/CVE-2015-3238/ SUSE CVE CVE-2015-3238 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 pam-devel-1.1.5-0.17.2 pam-devel-32bit-1.1.5-0.17.2 pam-1.1.5-0.17.2 pam-32bit-1.1.5-0.17.2 pam-doc-1.1.5-0.17.2 pam-x86-1.1.5-0.17.2 pam-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server 11 SP4 pam-32bit-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server 11 SP4 pam-doc-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server 11 SP4 pam-x86-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server 11 SP4 pam-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 pam-32bit-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 pam-doc-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 pam-x86-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 pam-devel-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 pam-devel-32bit-1.1.5-0.17.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack. CVE-2013-7041 SUSE Linux Enterprise Server 11 SP4:pam-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-32bit-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-doc-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-x86-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-32bit-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-doc-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-x86-1.1.5-0.17.2 SUSE Linux Enterprise Software Development Kit 11 SP4:pam-devel-1.1.5-0.17.2 SUSE Linux Enterprise Software Development Kit 11 SP4:pam-devel-32bit-1.1.5-0.17.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161645-1/ https://www.suse.com/security/cve/CVE-2013-7041.html CVE-2013-7041 https://bugzilla.suse.com/1123794 SUSE Bug 1123794 https://bugzilla.suse.com/1215217 SUSE Bug 1215217 https://bugzilla.suse.com/854480 SUSE Bug 854480 The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. CVE-2015-3238 SUSE Linux Enterprise Server 11 SP4:pam-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-32bit-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-doc-1.1.5-0.17.2 SUSE Linux Enterprise Server 11 SP4:pam-x86-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-32bit-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-doc-1.1.5-0.17.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:pam-x86-1.1.5-0.17.2 SUSE Linux Enterprise Software Development Kit 11 SP4:pam-devel-1.1.5-0.17.2 SUSE Linux Enterprise Software Development Kit 11 SP4:pam-devel-32bit-1.1.5-0.17.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161645-1/ https://www.suse.com/security/cve/CVE-2015-3238.html CVE-2015-3238 https://bugzilla.suse.com/1123794 SUSE Bug 1123794 https://bugzilla.suse.com/934920 SUSE Bug 934920