[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [debian-pam] Web Page for PAM security compromise

On Tue, Aug 04, 2009 at 01:45:31AM +0200, Simon Paillard wrote:
> > This bug does not affect stable, so I don't believe that a DSA is likely to
> > be issued for it.  And given that this has already been posted to
> > debian-www, there's no reason to hide it now; re-adding the Cc:.

> > > Here is a skeleton and its HTML output:
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.wml
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.en.html

> > The latter link doesn't appear to work?

> A clean was perfomered in the mean time, the html output is back now.

Thanks, that makes it easier to read. :)  Filling in the blanks:

  XXX -> 1.0.1-6
  $date_X.X.X -> 28 Feb 2009
  YYY -> 1.0.1-9
  ZZZ -> 1.0.1-10

Now, as for the overall content, the first paragraph is very misleading, as
it implies that all users would have unsecured systems.  Only a very small
minority of users (mainly, those with pathological debconf setups) will be
affected by the bug.  So perhaps this is better?:

  From versions 1.0.1-6 to 1.0.1-9, the pam-auth-update utility included in
  the libpam-runtime package in Debian testing and unstable suffered from a
  bug whereby systems could be inadvertently configured to allow access with
  or without a correct password (<a
  href="http://bugs.debian.org/519927";>519927</a>).  Although the majority
  of users will not have been affected by this bug, those that are affected
  should consider their machines to be compromised, particularly if those
  machines are configured to allow access from the Internet.

We do *not* want to link to <doc/manuals/securing-debian-howto/ch4#s4.10>;
the advice there is expressly obsoleted by pam-auth-update, and some of the
recommendations there are obsolete long before.

For the next two paragraphs, perhaps this:

  Beginning with version 1.0.1-10, libpam-runtime no longer permits this
  incorrect configuration, and on upgrade will detect if your system was
  affected by this bug.  If you were shown a message on upgrade directing
  you to this webpage, you should assume that your system has been
  compromised.  Unless you are familiar with recovering from
  security failures, viruses, and malicious software <strong>you should
  re-install this system from scratch</strong> or obtain the services of
  a skilled system administrator.  The <a
  includes <a
  on recovering from a system compromise</a>.

  The Debian project apologizes that previous versions of libpam-runtime did
  not detect and prevent this situation.


Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to: