-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2009.0270 -- [UNIX/Linux]
       A security vulnerability has been identified and fixed in pam
                               24 March 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              pam
Publisher:            Mandriva
Operating System:     Mandriva
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Increased Privileges
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0887

Original Bulletin:    
  http://www.mandriva.com/en/security/advisories?name=MDVSA-2009:077

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Mandriva. It is recommended that administrators
         running pam check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:077
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pam
 Date    : March 21, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in pam:
 
 Integer signedness error in the _pam_StrTok function in
 libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
 configuration file contains non-ASCII usernames, might allow remote
 attackers to cause a denial of service, and might allow remote
 authenticated users to obtain login access with a different user's
 non-ASCII username, via a login attempt (CVE-2009-0887).
 
 The updated packages have been patched to prevent this.
 
 Additionally, some development packages required to build pam for CS4
 were missing; these are also provided with this update.
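
 The bug class described above, as an added illustration that is not Linux-PAM's
 _pam_StrTok and not part of the advisory: a token-splitter that keeps a
 256-entry delimiter table and indexes it with each input byte. On a platform
 where `char` is signed, every byte of a non-ASCII username is >= 0x80 and, used
 directly as an index, becomes negative, so the lookup reads before the table;
 casting the byte to `unsigned char` first keeps the index in 0..255. The
 function names (`delim_index_signed`, `delim_index_unsigned`, `count_tokens`),
 the table layout and the sample username line are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CVE-2009-0887 bug class (a signed char
 * used as an array index). Not Linux-PAM's code; it reproduces only the
 * pattern the advisory describes. */

/* Build a 256-entry lookup: table[b] != 0 when byte b is a delimiter. */
static void build_delim_table(unsigned char table[256], const char *delims) {
    memset(table, 0, 256);
    for (const unsigned char *d = (const unsigned char *)delims; *d; d++)
        table[*d] = 1;
}

/* Vulnerable index computation: the byte is used as a plain `char`.
 * Where char is signed (x86 among others), every byte >= 0x80, i.e. every
 * byte of a UTF-8 or Latin-1 username, yields a NEGATIVE index, and a
 * table[index] lookup would read memory before the table. Only the index
 * is computed here; the out-of-bounds read itself is never performed. */
int delim_index_signed(char c) {
    return (int)c;
}

/* Fixed index computation: reinterpret the byte as unsigned first, so the
 * index is always within 0..255. */
int delim_index_unsigned(char c) {
    return (int)(unsigned char)c;
}

/* Safe tokenizer built on the fixed form: counts delimiter-separated tokens
 * in s. Non-ASCII bytes never leave the table. */
int count_tokens(const char *s, const char *delims) {
    unsigned char table[256];
    build_delim_table(table, delims);
    int count = 0, in_token = 0;
    for (const char *p = s; *p; p++) {
        int is_delim = table[delim_index_unsigned(*p)];
        if (is_delim) {
            in_token = 0;
        } else if (!in_token) {
            in_token = 1;
            count++;
        }
    }
    return count;
}

/* Whether this build's `char` is signed: the precondition under which the
 * vulnerable pattern misbehaves. */
int char_is_signed(void) {
    return CHAR_MIN < 0;
}

int main(void) {
    /* Constructed input: the UTF-8 username "rené" next to two ASCII names. */
    const char line[] = "ren\xC3\xA9 alice\tbob";
    char high_byte = (char)0xC3;   /* first byte of the UTF-8 "é" */
    printf("char is signed on this build: %d\n", char_is_signed());
    printf("index of byte 0xC3 as char: %d, as unsigned char: %d\n",
           delim_index_signed(high_byte), delim_index_unsigned(high_byte));
    printf("tokens in sample line: %d\n", count_tokens(line, " \t"));
    return 0;
}
```

 On an x86 build the first index prints as -61, which is why a table lookup on
 it walks off the front of the array; the unsigned form prints 195 and the
 sample line splits into three tokens.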
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 210e7f58292fc3c903b22538c2be7295  2008.0/i586/libpam0-0.99.8.1-6.1mdv2008.0.i586.rpm
 599ae39aa412bbd293b12c54c5c8105b  2008.0/i586/libpam-devel-0.99.8.1-6.1mdv2008.0.i586.rpm
 141f673610f93f1b9f26b8cb94ea38dc  2008.0/i586/pam-0.99.8.1-6.1mdv2008.0.i586.rpm
 5aea57085d3baba905a05c5d1f29d29e  2008.0/i586/pam-doc-0.99.8.1-6.1mdv2008.0.i586.rpm 
 1d9551b97e8e4eb5af65ef8c251b5f4c  2008.0/SRPMS/pam-0.99.8.1-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 bc55a9ea37c3541fdf656238b46aa8c5  2008.0/x86_64/lib64pam0-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 883efd2432eaddbc6a0421ea847c54d6  2008.0/x86_64/lib64pam-devel-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 c0947a0c7442b415a4b39423c98a1e6f  2008.0/x86_64/pam-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 7c3ec5bfc9c9ca51959345d62158013c  2008.0/x86_64/pam-doc-0.99.8.1-6.1mdv2008.0.x86_64.rpm 
 1d9551b97e8e4eb5af65ef8c251b5f4c  2008.0/SRPMS/pam-0.99.8.1-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 2c9d674a712fc6b662ce99c9ab498075  2008.1/i586/libpam0-0.99.8.1-8.1mdv2008.1.i586.rpm
 104fc3313ba8ed211850c62effe26a2b  2008.1/i586/libpam-devel-0.99.8.1-8.1mdv2008.1.i586.rpm
 82037a9570821f47da2f95a214c18f1a  2008.1/i586/pam-0.99.8.1-8.1mdv2008.1.i586.rpm
 c96cf5d1f2311bcea54601a15e64eed2  2008.1/i586/pam-doc-0.99.8.1-8.1mdv2008.1.i586.rpm 
 d27ad78a0e3691c454f11548e5135504  2008.1/SRPMS/pam-0.99.8.1-8.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 b9cf6e7e251ad97d161bea4b88fa58b5  2008.1/x86_64/lib64pam0-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 9e0818c288d1cf464e410d127bb69626  2008.1/x86_64/lib64pam-devel-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 b371e10cdd5a1e2c2a142838eccc7f34  2008.1/x86_64/pam-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 fcdffc3dfd820cdad31dbe7696126e45  2008.1/x86_64/pam-doc-0.99.8.1-8.1mdv2008.1.x86_64.rpm 
 d27ad78a0e3691c454f11548e5135504  2008.1/SRPMS/pam-0.99.8.1-8.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 354f27c6c6fe417f0d408be7f983f9c5  2009.0/i586/libpam0-0.99.8.1-16.1mdv2009.0.i586.rpm
 18c14b61195c204d707847114d043ad6  2009.0/i586/libpam-devel-0.99.8.1-16.1mdv2009.0.i586.rpm
 9fa26fe7256872ac151e1007a3d0921c  2009.0/i586/pam-0.99.8.1-16.1mdv2009.0.i586.rpm
 601c69d37b980098cdb3e626401b758c  2009.0/i586/pam-doc-0.99.8.1-16.1mdv2009.0.i586.rpm 
 69fcb3b23d5c26616ab9741276b9f2a0  2009.0/SRPMS/pam-0.99.8.1-16.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 936142c771482dc517230e105a9fc897  2009.0/x86_64/lib64pam0-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 af6bf7ba3b78ba4d1e53f819c02896cf  2009.0/x86_64/lib64pam-devel-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 919e004be5df3d39de7126b4f71d524b  2009.0/x86_64/pam-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 24f90b1d7c77b2451cbff0c094dfaba1  2009.0/x86_64/pam-doc-0.99.8.1-16.1mdv2009.0.x86_64.rpm 
 69fcb3b23d5c26616ab9741276b9f2a0  2009.0/SRPMS/pam-0.99.8.1-16.1mdv2009.0.src.rpm

 Corporate 3.0:
 bbccb95ef2d489cad5008aff0d477ad6  corporate/3.0/i586/libpam0-0.77-12.2.C30mdk.i586.rpm
 a0e07a330f09ec25341075217f38fef7  corporate/3.0/i586/libpam0-devel-0.77-12.2.C30mdk.i586.rpm
 2e3005d760e72a6222c7aa0ff3da4708  corporate/3.0/i586/pam-0.77-12.2.C30mdk.i586.rpm
 b7e31f39ccadadbb2f5444a00fff6497  corporate/3.0/i586/pam-doc-0.77-12.2.C30mdk.i586.rpm 
 293b1a6e0c32005069e5390bd6b0b3b8  corporate/3.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 7bbb844351309190676f4fbe9ce62e70  corporate/3.0/x86_64/lib64pam0-0.77-12.2.C30mdk.x86_64.rpm
 25c16ee4d718a9e260c153c6983f5d2b  corporate/3.0/x86_64/lib64pam0-devel-0.77-12.2.C30mdk.x86_64.rpm
 249311fb9fd0c43506a11f1cce32c979  corporate/3.0/x86_64/pam-0.77-12.2.C30mdk.x86_64.rpm
 309ae91641c19729263eab22709cf52e  corporate/3.0/x86_64/pam-doc-0.77-12.2.C30mdk.x86_64.rpm 
 293b1a6e0c32005069e5390bd6b0b3b8  corporate/3.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm

 Corporate 4.0:
 020800834f4ce964fae630a85cf627c5  corporate/4.0/i586/cracklib-dicts-2.8.3-1.1.20060mlcs4.i586.rpm
 8b751aa75911ff9b169812cce188e307  corporate/4.0/i586/libcrack2-2.8.3-1.1.20060mlcs4.i586.rpm
 98e07f212a2b18fcc83407ee554262f7  corporate/4.0/i586/libcrack2-devel-2.8.3-1.1.20060mlcs4.i586.rpm
 f19159f721379636f53c4266036310ec  corporate/4.0/i586/libpam0-0.77-31.1.20060mlcs4.i586.rpm
 37cf1f3f4e2765a1ca9a5869430c0a1d  corporate/4.0/i586/libpam0-devel-0.77-31.1.20060mlcs4.i586.rpm
 1e068b619020a011addb397f962a8a4d  corporate/4.0/i586/libpwdb0-0.62-2.1.20060mlcs4.i586.rpm
 3507f0ae0f11686a4607e15cc069edc2  corporate/4.0/i586/libpwdb0-devel-0.62-2.1.20060mlcs4.i586.rpm
 f29b17d7aca88aa620866e19ef1b755f  corporate/4.0/i586/libpwdb0-static-devel-0.62-2.1.20060mlcs4.i586.rpm
 949a4fcfc69cd11c7c47de603a2100c1  corporate/4.0/i586/pam-0.77-31.1.20060mlcs4.i586.rpm
 4364562c4a910a98c3d9ef678ea5be73  corporate/4.0/i586/pam-doc-0.77-31.1.20060mlcs4.i586.rpm
 9ead568ec16bb8e44d4c1f7d2a365ede  corporate/4.0/i586/pwdb-conf-0.62-2.1.20060mlcs4.i586.rpm 
 8613c335b195ec91515c7023ddca8251  corporate/4.0/SRPMS/cracklib-2.8.3-1.1.20060mlcs4.src.rpm
 fa57a88a81dc3169ab8b68c1e75db1ac  corporate/4.0/SRPMS/pam-0.77-31.1.20060mlcs4.src.rpm
 56b00aefdde6512b79bc17d2a6004036  corporate/4.0/SRPMS/pwdb-0.62-2.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 5b809c44a34936ca88509749998ebcc2  corporate/4.0/x86_64/cracklib-dicts-2.8.3-1.1.20060mlcs4.x86_64.rpm
 8345ad73abbef63e19fc6c10d721a216  corporate/4.0/x86_64/lib64crack2-2.8.3-1.1.20060mlcs4.x86_64.rpm
 30f5aa853c8e0cc5a1e3da5e88da8862  corporate/4.0/x86_64/lib64crack2-devel-2.8.3-1.1.20060mlcs4.x86_64.rpm
 1f8e87d48ca798327134a45650fddc28  corporate/4.0/x86_64/lib64pam0-0.77-31.1.20060mlcs4.x86_64.rpm
 587942a0d0d8c45b100695ad6f02f734  corporate/4.0/x86_64/lib64pam0-devel-0.77-31.1.20060mlcs4.x86_64.rpm
 549e1b91bda1bd15705f4a2c39a16cd1  corporate/4.0/x86_64/lib64pwdb0-0.62-2.1.20060mlcs4.x86_64.rpm
 f2118437e903344719a3a17a133aaabd  corporate/4.0/x86_64/lib64pwdb0-devel-0.62-2.1.20060mlcs4.x86_64.rpm
 10fbc050e5ecab37e22eb0fad9d06040  corporate/4.0/x86_64/lib64pwdb0-static-devel-0.62-2.1.20060mlcs4.x86_64.rpm
 6844a774f0011d019262871788fc3198  corporate/4.0/x86_64/pam-0.77-31.1.20060mlcs4.x86_64.rpm
 f0a1d78b5d2d4009b91b8835a10896bf  corporate/4.0/x86_64/pam-doc-0.77-31.1.20060mlcs4.x86_64.rpm
 165f252bb3803896dbb144f43bbac8b2  corporate/4.0/x86_64/pwdb-conf-0.62-2.1.20060mlcs4.x86_64.rpm 
 8613c335b195ec91515c7023ddca8251  corporate/4.0/SRPMS/cracklib-2.8.3-1.1.20060mlcs4.src.rpm
 fa57a88a81dc3169ab8b68c1e75db1ac  corporate/4.0/SRPMS/pam-0.77-31.1.20060mlcs4.src.rpm
 56b00aefdde6512b79bc17d2a6004036  corporate/4.0/SRPMS/pwdb-0.62-2.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 b22d14cb9f2fa4616f2588f7d234ee35  mnf/2.0/i586/libpam0-0.77-12.2.C30mdk.i586.rpm
 e5d1a3942552398ce1ece9a0b43036fa  mnf/2.0/i586/libpam0-devel-0.77-12.2.C30mdk.i586.rpm
 d1ac0a9dff1944381e3699a1037e2936  mnf/2.0/i586/pam-0.77-12.2.C30mdk.i586.rpm
 9ac370aa7b2ac02038a7849e8bf27942  mnf/2.0/i586/pam-doc-0.77-12.2.C30mdk.i586.rpm 
 44899571f6a74e53c97d3bf1f5ebd859  mnf/2.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
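
 For packages fetched outside MandrivaUpdate or urpmi, the same check can be
 done by hand against the "md5  path" lines published above. The script below
 is an added example, not part of the advisory; it assumes GNU coreutils
 md5sum, and its `verify_list` and `demo` functions, the stand-in package and
 the checksum list they use are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the advisory): verify downloaded packages against
# a checksum list in the advisory's format instead of trusting the download.
# Assumes GNU coreutils md5sum, as shipped on Mandriva and other Linux systems.

# verify_list LIST DIR: LIST holds lines "<md5>  <relative path>", possibly
# with leading blanks as printed in the advisory; files are looked up under
# DIR. Returns 0 only when every listed file matches its checksum.
verify_list() {
    list=$1
    dir=$2
    # md5sum -c wants the line to start with the hash, so strip leading blanks
    # and drop empty lines.
    sed 's/^[[:space:]]*//; /^$/d' "$list" > "$dir/.checksums.md5"
    ( cd "$dir" && md5sum -c --quiet .checksums.md5 )
}

# demo TAMPER: constructed self-check. Writes a stand-in "package" whose
# content ("hello\n") has a known MD5, writes a one-line list in the
# advisory's layout, optionally alters the package (TAMPER=1), and returns
# verify_list's result.
demo() {
    tamper=$1
    tmp=$(mktemp -d)
    mkdir -p "$tmp/2009.0/i586"
    printf 'hello\n' > "$tmp/2009.0/i586/pkg.rpm"
    printf ' b1946ac92492d2347c6235b4d2611184  2009.0/i586/pkg.rpm\n' \
        > "$tmp/list.txt"
    if [ "$tamper" = 1 ]; then
        printf 'hello!\n' > "$tmp/2009.0/i586/pkg.rpm"   # modified content
    fi
    if verify_list "$tmp/list.txt" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage: paste the advisory's hash lines for your release into list.txt,
# download the files under the same relative paths, then run
#   verify_list list.txt /path/to/downloads && echo OK
demo 0 && echo "intact package verified"
demo 1 || echo "tampered package rejected"
```

 A checksum list only proves the download matches what the advisory printed;
 it does not replace checking the GPG signature on the advisory itself, which
 is what binds the hashes to Mandriva.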

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJxRFhmqjQ0CJFipgRAlJkAJ40e3eBCOtkxCmUZ1plFMlZEWk/lgCeKpCG
0nfvCvq+dhD8O8v0t1Yg1dc=
=HveO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJyHhdNVH5XJJInbgRAm5CAJ9UnlziMGTCxr12GmtAc3Hx94XeqgCeIg2a
cylooSx3yG6oM5C6V+36A7M=
=ocCM
-----END PGP SIGNATURE-----