Launchpad.net

CVE 2009-3232

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

Related bugs and status

CVE-2009-3232 (Candidate) is related to these bugs:

Bug #410171: pam-auth-update does not prohibit selecting an empty set of modules

		In	Importance	Status
410171	pam-auth-update does not prohibit selecting an empty set of modules	pam (Ubuntu)	High	Fix Released
410171	pam-auth-update does not prohibit selecting an empty set of modules	pam (Ubuntu Intrepid)	High	Fix Released
410171	pam-auth-update does not prohibit selecting an empty set of modules	pam (Ubuntu Jaunty)	High	Fix Released
410171	pam-auth-update does not prohibit selecting an empty set of modules	pam (Ubuntu Karmic)	High	Fix Released
410171	pam-auth-update does not prohibit selecting an empty set of modules	pam (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2009-3232

Related bugs and status

Related bugs

References