[Secure-testing-team] Bug#498236: libpam-modules: Login incorrect message after entering non-existent login name
Roberto Lumbreras
rover at debian.org
Mon Sep 8 11:50:19 UTC 2008
Package: libpam-modules
Version: 0.99.7.1-7
Severity: grave
Tags: security
Justification: user security hole
In the console login prompt, on entering a non-existent login you get
a "Login incorrect" message WITHOUT being asked for any password.
This is a serious security hole, because pam is revealing information
about the accounts there are in the system.
Version 1.0.1 of the pam packages seems to have the same problem.
Regards,
Roberto Lumbreras
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libpam-modules depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libdb4.6 4.6.21-8 Berkeley v4.6 Database Libraries [
ii libpam0g 0.99.7.1-7 Pluggable Authentication Modules l
ii libselinux1 2.0.59-1 SELinux shared libraries
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- no debconf information